If I have a regulatory requirement to store raw data for audit purposes, as well as allowing the possibility of other tools accessing the data, how do I do that? The requirement is to maintain all of the information present in the original messages.
Forwarding data to syslog appears to rewrite the PRI field, which would obfuscate the message priority and source. This is not an option, as the message has changed.
There is an option to forward data to a TCP socket, but what do I need on the other end to write the archive, and what format is the data in? Has the data been modified by Splunk by this stage? Is the TCP socket data sent before or after any modifications made for indexing and analysis purposes?
The index directories contain files in compressed rawdata format. How would I read these files externally to Splunk?
The solution I have in mind is to have syslog-ng receive the data and then forward it to Splunk whilst at the same time writing to a disk archive, but this seems an overly complex solution to me.
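For reference, the syslog-ng arrangement described in the question (receive once, write an unmodified copy to disk, forward the same bytes to Splunk) looks roughly like the configuration below. This is an added illustration, not the poster's configuration or anything from the Splunk or syslog-ng projects; the listening port, the archive path, the Splunk host name and port (1514), and the `@version` line are all assumed placeholders. The `store-raw-message` source flag is what makes the original received bytes available as `${RAWMSG}`; without it the macro is empty and you would be writing syslog-ng's reconstructed message, with the same PRI-rewriting concern the question raises.

```conf
@version: 3.30
# Assumed version line; set it to match the installed syslog-ng.

# Receive syslog from the network. store-raw-message keeps the exact bytes
# as received from the sender (including the original PRI) in ${RAWMSG}.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp") flags(store-raw-message));
    network(ip("0.0.0.0") port(514) transport("tcp") flags(store-raw-message));
};

# Audit archive on disk: one file per day, each raw message written
# unmodified, one per line. Path and permissions are assumptions.
destination d_archive {
    file("/var/log/archive/${YEAR}-${MONTH}-${DAY}.log"
         template("${RAWMSG}\n")
         create-dirs(yes)
         perm(0640));
};

# Forward the same raw bytes to a Splunk TCP network input.
# Host and port are assumed placeholders.
destination d_splunk {
    network("splunk.example.internal" port(1514) transport("tcp")
            template("${RAWMSG}\n"));
};

# One log path, two destinations: archive and Splunk both get every message.
log {
    source(s_net);
    destination(d_archive);
    destination(d_splunk);
};
```

Check the file with `syslog-ng --syntax-only` before reloading. Note that `store-raw-message` and `${RAWMSG}` need a reasonably recent syslog-ng (3.16 or later, to my recollection); on older builds the macro is not available and you would have to reconstruct the line from `${PRI}`, header and `${MSG}` macros, which is exactly the kind of rewrite the archive is meant to avoid.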