Realizing this was posted many moons ago, here is the solution I found for telling eStreamer where to put its logs. If the app ever gets upgraded, it will be overwritten, but I don't think that is going to happen anytime soon. In the eStreamer/bin directory you can edit client_check.py and change the log_file directive as shown below. Works like a charm. And add the find command to your cron.daily to point to the directory you have moved your logs to and you are good to go.
# Set the rest of the paths relative to the splunk_path
app_path = os.path.join(splunk_path, 'etc', 'apps', 'eStreamer')
app_bin_path = os.path.join(app_path, 'bin')
config_file = os.path.join(app_path, 'local', 'estreamer.conf')
log_file = ('/var/log/syslog-ng/estreamer/estreamer.log')
pid_file = os.path.join(app_bin_path, 'estreamer_client.pid')
script_file = os.path.join(app_bin_path, 'estreamer_client.pl')