Is there a config available that would push out the same format as Snare from a Heavy Forwarder? i.e. UniversalForwarder->HeavyForwarder->ForkTo:
You can't reformat the data which would be sent over a raw socket with a transform - it would always be sent as a 'Splunk Formatted' message, but with a little bit of netcat/grep/awk/sed fun you could probably get the data into any format you like - but probably a PITA!
I have just done a very quick Google, and it seems that Snare can accept syslog messages, so this seems like the way to go.
In your outputs.conf:

[syslog]
defaultGroup = syslogGroup

[syslog:syslogGroup]
server = <your syslog server>:514

I think that's all it takes!
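A fuller version of that setup, added here as an example and not taken from the answer above: the outputs.conf syslog group with its transport and priority set explicitly, plus an optional props/transforms route (Splunk's _SYSLOG_ROUTING destination key) for sending only one sourcetype to Snare rather than everything. The server address, port, priority and the WinEventLog:Security sourcetype are placeholders.

```ini
# outputs.conf on the heavy forwarder (example; 192.0.2.10:514 is a placeholder)
[syslog]
defaultGroup = syslogGroup

[syslog:syslogGroup]
server = 192.0.2.10:514
type = tcp
priority = <13>

# Optional: route only one sourcetype to the syslog group instead of all data.
# props.conf (sourcetype is a placeholder)
[WinEventLog:Security]
TRANSFORMS-routing = send_to_snare

# transforms.conf
[send_to_snare]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup
```

Restart the heavy forwarder after editing these files, and check the receiving host sees the events arrive with the expected syslog priority before pointing production traffic at it.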
You can't reformat the data; however, you can send a copy of the raw event via a TCP socket, or alternatively as syslog.
I am not familiar with Snare, but it sounds like the second option would be most appropriate for you.