Do you mean XenApp and not XenServer? If you installed XenApp on a Unix/Linux system, according to the following article you need to add the user.info and user.notice to the syslog.conf file and then use the ctxcfg to configure the level of logging for the user connect/disconnect/reconnect/logoffs.

http://support.citrix.com/proddocs/topic/ps-unix/ps-unix-deploy-event-logging.html

If you want to collect the logs from within XenServer:

1. Open XenCenter and right click on the XenServer you want to configure to send syslog to Splunk and select Properties.

2. Click on the Log Destination tab

3. Select the Remote selection

4. Enter the IP address of the Splunk server

5. Select OK

6. Repeat the above steps for all remaining XenServers

If you want the server messages, you will need to edit the syslog.conf file.

1. vi /etc/syslog.conf

2. Add the details you want to send to Splunk. Below is an example.

   .crit;.emerg;.info;mail.;authpriv.;cron.;local6.* @splunk.localdomain

W*ithin Splunk, you need to make sure to listen on UDP port 514 to capture Syslog traffic.*

1. Open up Splunk and go to Manager

2. Under Data, select Data inputs

3. Under UDP, select Add new

4. List item

5. In UDP Port, type in 514. Under Source type, set the sourcetype to From list and then in the list choose syslog.

6. List item

7. Click Save

do mean install splunk on a xenserver or collecting xenserver data?