Hello Community,
I hope you can support. I have a CloudFoundry environment which sends all logs to my Splunk forwarder, on which I have installed syslog-ng 4.6. On the Splunk server side the Splunk App for RFC5424 has been installed and configured as documented.
My current syslog-ng.conf (without RFC5424) looks as follows (with syslog-ng 3.23):
@version: 3.23
options {
    flush_lines(0);
    time_reopen(10);
    log_fifo_size(16384);
    chain_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    create_dirs(yes);
    keep_hostname(yes);
    owner(); dir-owner();
    group(); dir-group();
    perm(-1); dir-perm(-1);
    keep-timestamp(no);
    threaded(yes);
};
# Listener for the CloudFoundry syslog drain (port 514, as described below).
# The source name here must match the name referenced in the log {} statement.
source s_tcp514 { tcp(ip("0.0.0.0") port(514) keep-alive(yes) max-connections(100) log-iw-size(10000)); };
# Legacy line format: unix timestamp, "program[pid]:" header, message text
destination env_logs { file("/var/log/syslog2splunk/env/${LOGHOST}/${HOST}/${YEAR}-${MONTH}-${DAY}_${HOUR}.log" template("${UNIXTIME} ${MSGHDR} ${MESSAGE}\n") frac-digits(3) time_zone("UTC") owner("splunk") dir-owner("splunk") group("splunk") dir-group("splunk")); };
log { source(s_tcp514); destination(env_logs); };
The inputs.conf:
[default]
host = my-splk-fwd
index = <my-splk-index-xxx>
[monitor:///var/log/syslog2splunk/env/*/*/*.log]
disabled = false
sourcetype = CF:syslog
host_segment = 6
crcSalt = <SOURCE>
You can see that my CloudFoundry environment is sending syslog over port 514 to the Splunk forwarder, which then ships the logs to the Splunk server.
Now I have configured RFC5424 in syslog-ng.conf and also in inputs.conf. My CF syslogs should only be formatted as RFC5424, and therefore I do not want to have 2 sources/destinations and a new port in my syslog-ng.conf. I would only like my current syslogs to be formatted as RFC5424. But I also know that in inputs.conf it is not possible to configure 2 sourcetypes. So I need to know how to configure both files so that all my incoming syslog files will be formatted as RFC5424. I do not want to have two directories with exactly the same logs.
Here is my syslog-ng.conf (with syslog-ng 4.6):
@version: 4.6
options {
    flush_lines(0);
    time_reopen(10);
    log_fifo_size(16384);
    chain_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    create_dirs(yes);
    keep_hostname(yes);
    owner(); dir-owner();
    group(); dir-group();
    perm(-1); dir-perm(-1);
    keep-timestamp(no);
    threaded(yes);
};
source s_tcp514 { tcp(ip("0.0.0.0") port(514)); };
# RFC 5424 line layout: <PRI>VERSION TIMESTAMP HOST APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# syslog-ng's macro for the structured-data block is ${SDATA}; note that ${PID} and ${MSGID}
# expand to an empty string when the message carries none, whereas RFC 5424 expects "-" there.
destination env_logs { file("/var/log/syslog2splunk/env/${LOGHOST}/${HOST}/${YEAR}-${MONTH}-${DAY}_${HOUR}.log" template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} ${SDATA} ${MESSAGE}\n") frac-digits(3) time_zone("UTC") owner("splunk") dir-owner("splunk") group("splunk") dir-group("splunk")); };
destination rfc5424_logs { file("/var/log/syslog2splunk/rfc5424/${LOGHOST}/${HOST}/${YEAR}-${MONTH}-${DAY}_${HOUR}.log" template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} ${SDATA} ${MESSAGE}\n") frac-digits(3) time_zone("UTC") owner("splunk") dir-owner("splunk") group("splunk") dir-group("splunk")); };
# Log routing
log { source(s_tcp514); destination(env_logs); };
==> Do I need to add an additional source/destination here, or is this conf OK?
The new inputs.conf looks as follows:
[default]
host = my-splk-fwd
index = my-splk-index_xxx
[monitor:///var/log/syslog2splunk/env/*/*/*.log]
disabled = false
sourcetype = ENV:syslog
host_segment = 6
crcSalt = <SOURCE>
[monitor:///var/log/syslog2splunk/rfc5424/*/*/*.log]
disabled = false
sourcetype = rfc5424_syslog
host_segment = 6
crcSalt = <SOURCE>
With this syslog-ng.conf and inputs.conf I can see the sourcetype for RFC5424, but in my opinion it is exactly the same output as before, so I do not recognize any difference.
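As an added example (not code from the original post or from syslog-ng/Splunk), here is a small offline checker that parses each log line against the RFC 5424 HEADER and STRUCTURED-DATA grammar and names the first field that violates it. Run it over a file written by the file() destination before pointing an RFC5424 sourcetype at that directory; it tells apart the legacy "${UNIXTIME} ${MSGHDR} ${MESSAGE}" output from a compliant line, and it catches the case where an unset ${PID} or ${MSGID} leaves an empty field where "-" is required. The sample lines, hostnames, program name and SD-ID are constructed assumptions.

```python
"""RFC 5424 line checker (added example; not code from the original post)."""
import re
import sys

# RFC 5424 section 6: each HEADER field is "-" (NILVALUE) or 1..N printable
# US-ASCII characters, and fields are separated by exactly one space.
_PRINT = r"[\x21-\x7e]"
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    rf"(?P<hostname>{_PRINT}{{1,255}}) "
    rf"(?P<appname>{_PRINT}{{1,48}}) "
    rf"(?P<procid>{_PRINT}{{1,128}}) "
    rf"(?P<msgid>{_PRINT}{{1,32}}) "
    r"(?P<rest>.*)$",
    re.S,
)
# SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]"; PARAM-VALUE escapes ", \ and ].
_SD_ELEMENT_RE = re.compile(
    r'\[(?P<sdid>[^\s=\]"]{1,32})(?P<params>(?: [^\s=\]"]{1,32}="(?:[^"\\\]]|\\.)*")*)\]'
)
_SD_PARAM_RE = re.compile(r' ([^\s=\]"]{1,32})="((?:[^"\\\]]|\\.)*)"')
_FIELDS = ("TIMESTAMP", "HOSTNAME", "APP-NAME", "PROCID", "MSGID")


def _diagnose_header(line):
    """Explain why the HEADER did not match, in terms a config author can act on."""
    if not line.startswith("<"):
        return "no <PRI> at start of line (legacy/BSD or custom template output?)"
    parts = line.split(" ", 6)
    if len(parts) < 7:
        return "fewer than six space-separated HEADER fields before STRUCTURED-DATA"
    for name, value in zip(_FIELDS, parts[1:6]):
        if value == "":
            return f"{name} field is empty; RFC 5424 requires '-' for a missing value"
    return "HEADER does not match the RFC 5424 grammar"


def _parse_structured_data(rest):
    """Split rest into ([(sd_id, {param: value}), ...], msg) or raise ValueError."""
    if rest == "-":
        return [], ""
    if rest.startswith("- "):
        return [], rest[2:]
    elements, pos = [], 0
    while pos < len(rest) and rest[pos] == "[":
        m = _SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed SD-ELEMENT at offset {pos}")
        elements.append((m.group("sdid"), dict(_SD_PARAM_RE.findall(m.group("params")))))
        pos = m.end()
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [...] elements")
    if pos == len(rest):
        return elements, ""
    if rest[pos] != " ":
        raise ValueError("expected a single SP between STRUCTURED-DATA and MSG")
    return elements, rest[pos + 1:]


def parse_rfc5424(line):
    """Parse one line into its fields; raise ValueError naming the first defect."""
    line = line.rstrip("\r\n")
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError(_diagnose_header(line))
    pri_text = m.group("pri")
    if len(pri_text) > 1 and pri_text[0] == "0":
        raise ValueError("PRIVAL must not have leading zeros")
    pri = int(pri_text)
    if pri > 191:
        raise ValueError(f"PRIVAL {pri} outside 0..191")
    sd, msg = _parse_structured_data(m.group("rest"))
    return {
        "facility": pri // 8, "severity": pri % 8,
        "version": int(m.group("version")), "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"), "appname": m.group("appname"),
        "procid": m.group("procid"), "msgid": m.group("msgid"),
        "sd": sd, "msg": msg,
    }


def check_lines(lines):
    """Return [(line_no, ok, detail)]; detail is the parsed dict or the failure reason."""
    results = []
    for n, line in enumerate(lines, 1):
        try:
            results.append((n, True, parse_rfc5424(line)))
        except ValueError as err:
            results.append((n, False, str(err)))
    return results


# Constructed sample lines (assumed hostname, program name and SD-ID).
SAMPLE_LINES = [
    # what the legacy template "${UNIXTIME} ${MSGHDR} ${MESSAGE}" writes
    "1717000000.123 doppler[1234]: hello world",
    # a valid RFC 5424 line carrying one structured-data element
    '<14>1 2024-05-29T16:26:40.123+00:00 cf-cell-1 doppler 1234 - '
    '[instance@47450 app_id="abc-123" index="0"] hello world',
    # what the RFC5424 template writes when ${PID} and ${MSGID} are unset:
    # the two fields come out empty instead of "-", so the line is not compliant
    "<14>1 2024-05-29T16:26:40.123+00:00 cf-cell-1 doppler   - hello world",
    # the same event with proper NILVALUEs
    "<14>1 2024-05-29T16:26:40.123+00:00 cf-cell-1 doppler - - - hello world",
]

if __name__ == "__main__":
    # Usage: python rfc5424_check.py /var/log/syslog2splunk/rfc5424/<host>/<host>/<file>.log
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    for n, ok, detail in check_lines(lines):
        print(f"line {n}: {'OK' if ok else 'NOT RFC 5424'}: {detail['msg'] if ok else detail}")
```

On the constructed samples the checker rejects line 1 (no PRI) and line 3 (empty PROCID) and accepts lines 2 and 4; a directory that the rfc5424_syslog monitor is supposed to read should produce no rejections at all.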