Does both Enterprise (supported) and free rsyslog support wildcarding?
Does rsyslog work well with Splunk?
Is Rsyslog supported on PowerPC running LINUX?
First, let me say that there is no "enterprise" version of rsyslog, at least for the time being. There is just one very capable version, but you can purchase support with it (which, of course, I appreciate ;)).
I don't see any reason why rsyslog should not run on PowerPC. Did you try a compile and it failed? If so, please let me know what happened. I do not have a PowerPC environment to test myself.
We use rsyslog. All networking equipment sends its logs to a central syslog server (*) that then uses this rule:
We then grab them with an inputs.conf that looks like this:
    [monitor:///var/log/syslog]
    index = syslog
    sourcetype = syslog
    host_regex = /var/log/syslog/system-(.*).log*
(*) It's actually a VIP that goes to a load balancer, but that's not really important to this discussion.
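The answer above relies on two pieces working together: rsyslog writing each sender's events to its own file under /var/log/syslog, and Splunk's host_regex recovering the host name from that file path. The rsyslog rule itself is not shown in the thread, so the script below is an added example (not the answerer's configuration) that simulates the per-host file naming an rsyslog template of the form /var/log/syslog/system-%HOSTNAME%.log would produce, then applies the thread's host_regex to the resulting paths and checks that every host name survives the round trip, including rotated files such as system-host.log.1. The sample events, host names and the file-naming template are constructed assumptions.

```python
import re

# Constructed sample syslog events as rsyslog would receive them:
# (hostname taken from the syslog header, message text).
# These are made up for the example, not taken from the thread.
SAMPLE_EVENTS = [
    ("core-sw1", "%SYS-5-CONFIG_I: Configured from console by admin"),
    ("edge-fw2", "Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.8/22"),
    ("core-sw1", "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
]

# Assumed rsyslog file naming, equivalent to a template such as
#   /var/log/syslog/system-%HOSTNAME%.log
# where %HOSTNAME% is whatever the sending device put in the syslog header.
LOG_DIR = "/var/log/syslog"


def per_host_path(hostname: str) -> str:
    """Return the file rsyslog would append this sender's events to."""
    return f"{LOG_DIR}/system-{hostname}.log"


def route_events(events):
    """Group events into per-host files, mimicking rsyslog's per-host template action."""
    files = {}
    for host, msg in events:
        files.setdefault(per_host_path(host), []).append(msg)
    return files


# The host_regex from the thread's inputs.conf. Splunk applies it to the
# monitored file's full path; capture group 1 becomes the event's host field.
HOST_REGEX = re.compile(r"/var/log/syslog/system-(.*).log*")


def splunk_host_for(path: str):
    """Return the host Splunk would assign for this file, or None if no match."""
    m = HOST_REGEX.search(path)
    return m.group(1) if m else None


def check_round_trip(events):
    """Map each per-host file to the host Splunk extracts from its path."""
    return {path: splunk_host_for(path) for path in route_events(events)}


if __name__ == "__main__":
    for path, host in check_round_trip(SAMPLE_EVENTS).items():
        print(f"{path} -> host={host}")
    # A rotated file still yields the same host:
    print(splunk_host_for("/var/log/syslog/system-core-sw1.log.1"))
```

The greedy `(.*)` in the thread's regex backtracks until `.lo` followed by optional `g` characters can match, so both `system-core-sw1.log` and the rotated `system-core-sw1.log.1` resolve to `core-sw1`. Note that the host field Splunk ends up with is the name the device wrote into its syslog header, since that is what rsyslog used to build the file name.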
I'm not sure what you mean by wildcarding in this context.
But this is a splunk message board and I can only comment on how splunk interacts with rsyslog.
As far as source goes, if you're using syslog, you're not going to get much more than source=syslog anyway.
If you want more specific sourcetypes, I can give you examples of that.
I'd check the rsyslog web site with regards to what it supports or what it doesn't.
If it's a flavor of *syslog, then Splunk can consume it directly (not recommended in my opinion), or it can write to a log and then have Splunk consume that log (a little more failsafe).