We use the nxlog agent on our Windows domain controllers/Exchange servers/IIS servers and forward to a centralized rsyslog server.
Would it be possible to install the Splunk Forwarder on the centralized rsyslog server and filter the syslogs that would be forwarded from the centralized rsyslog server to our Splunk indexer to help filter out the unwanted events?
Thx
Yeah, provided you use a heavy forwarder instead of a universal forwarder.
Note, you can have your indexer(s) filter data regardless of where it came from.
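
A sketch of the filtering the answer refers to, added here as an example and not taken from the thread: index-time routing of unwanted events to Splunk's `nullQueue`, which works on a heavy forwarder or on the indexers because both parse events (a universal forwarder does not). The sourcetype `syslog`, the stanza name `drop_unwanted_syslog` and the event IDs in the regex are assumptions chosen for illustration.

```ini
# props.conf (on the heavy forwarder, or on the indexers)
# Assumption: the files written by rsyslog are monitored with sourcetype "syslog".
[syslog]
TRANSFORMS-drop_unwanted = drop_unwanted_syslog

# transforms.conf (same instance as the props.conf above)
[drop_unwanted_syslog]
# Constructed pattern: matches raw events that carry EventID 4662 or 5156,
# whatever separator the nxlog output format puts between key and value.
REGEX = EventID\W+(4662|5156)\b
# Events matching REGEX are sent to the null queue and never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Events dropped this way are discarded before indexing and cannot be recovered from Splunk, so the unfiltered copy on the rsyslog server remains the only record of them.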