Concurrent mode works just fine for me; however, my list of 'source' files is exploding. Under Search Summary -> Sources, each file (e.g. each alert) shows up as a different source.
Beyond that, it's not too bad. I actually have mlogc sending logs to an Audit Console server AND Splunk indexing the data directory (where the concurrent logs are stored).
Just for reference, I'm using Splunk 4.3.3 and ModSecurity-App 1.3. No special configuration settings, beyond the changes to the Field aliases 'modsec_audt : FIELDALIAS-realip' (mentioned in the documentation to support non-load-balanced servers).