https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753656#M119650 <P>I would say that "user friendly" and "easier to maintain" is highly subjective <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P> Fri, 26 Sep 2025 16:10:53 GMT PickleRick 2025-09-26T16:10:53Z https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753608#M119640 <P>I need to onboard CISCO IOS switch logs with splunk, we have a syslog-ng installed on HF, could somebody explain the exact configurations to be made in syslog-ng.conf?</P><P>Thanks in Advance</P> Thu, 25 Sep 2025 11:22:45 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753608#M119640 maheshnc 2025-09-25T11:22:45Z https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753613#M119641 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/312895">@maheshnc</a>&nbsp;,</P><P>at first I hint to use rsyslog instead of syslog-ng because it's newer.</P><P>anyway you can find a guide for syslog-ng at <A href="https://syslog-ng.github.io/" target="_blank">https://syslog-ng.github.io/</A>&nbsp;and for rsyslog at&nbsp;<A href="https://www.rsyslog.com/doc/index.html" target="_blank">https://www.rsyslog.com/doc/index.html</A></P><P>If you choose to use rsyslog, I can help you.</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Thu, 25 Sep 2025 12:13:46 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753613#M119641 gcusello 2025-09-25T12:13:46Z https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753616#M119642 <P>While I'm a big fan of rsyslog myself, you can't say that it's "newer" than rsyslog.</P><P>Depending on your metric, they are either both relatively aged already (1998 vs 2004) or both quite fresh (16th July vs 10th June).</P><P>But they have huge differences in how they work internally and how they are configured. (And I'm not gonna advocate in this thread for or against any of them).</P><P>So if you already have a significantly sized environment based on one of those solutions you're unlikely to migrate to the other one due to required time and effort (but I've known an organization which migrated a huge setup; it was painful).</P> Thu, 25 Sep 2025 16:19:57 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753616#M119642 PickleRick 2025-09-25T16:19:57Z https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753630#M119645 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/312895">@maheshnc</a>&nbsp;</P><P>You can use rsyslog or syslog-ng based on your comfort and your system setup. Personally i have seen rsyslog is giving better performance for high volume environments and syslog-ng is more user friednly and easier to maintain the configs.</P><P>To your question, basic structure looks something like this for syslog-ng</P><LI-CODE lang="markup"># 1. Source: listen for UDP 514 source s_cisco { udp(port(514)); }; # 2. Destination: write logs to a dedicated file per device destination d_cisco { file("/var/log/cisco/$HOST/ios.log" perm(0644) create_dirs(yes)); }; # 3. Filter: accept from cisco switch IP's filter f_cisco { host("10.10.10.1") or host("10.10.10.2"); }; # 4. Log path log { source(s_cisco); filter(f_cisco); destination(d_cisco); };</LI-CODE><P>&nbsp;</P><P>Regards,<BR />Prewin<BR />If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Fri, 26 Sep 2025 07:09:12 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753630#M119645 PrewinThomas 2025-09-26T07:09:12Z https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753656#M119650 <P>I would say that "user friendly" and "easier to maintain" is highly subjective <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P> Fri, 26 Sep 2025 16:10:53 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-ng-configuration/m-p/753656#M119650 PickleRick 2025-09-26T16:10:53Z