then if this answered you question please accept the answer for those having similar question.Thanks.

ok, so setting the activityLog key to true has made it send some info for AFS into the system log. thanks for that, MarioM. There are some options in that prefs file that imply that it should log file/folder actions but I don't see any being logged.

But really this a question for Apple forums as if there is no data available anywhere then there is nothing that splunk can do

or this:
to enable AFP logging you have to open with root privileges

/Library/Preferences/com.apple.AppleFileServer.plist

and set

activityLog

to

have you try that to enable looging?
-Open NetInfo Manager (found in the Applications/Utilities folder).
-In NetInfo Manager, choose /config/AppleFileServer.
-Choose the "activity_log" property. Change its value from "0" to "1".
-Choose "Save" from the NetInfo Manager "Domain" menu.
-Stop and restart File Sharing in System Prefs.
-Find your log in /Library/Logs/ApplefileService/AppleFileServiceAccess.log

you would think so, no?

so here is where it gets hinky. in OS X 10.7 Server, Apple has removed the log settings from the file sharing UI and it looks like nothing is getting logged into the AFS log, nor is there an SMBd log that I can see.

so, the original question is where I'm still at. how to configure syslogd to be grabbing these events and sending them out to splunk. as I said before, some AFS events have shown up in the system.log but my test connections haven't. and, how can we enable the AFS/SMB logging when it seems like Apple has taken away those knobs and dials?