Getting Data In

Why collect Syslog via universal forwarder vs sending to Splunk directly?


Hi all,

I've been reading quite a bit on syslog collection via a Splunk Universal Forwarder, in particular answer #28680. I understand the reasons behind using SUF or another syslog collector as opposed to sending to Splunk directly. I haven't, however, been able to figure out how to perform an approach such as:

syslog device (rsyslog - linux client) -> SUF -> Splunk

Can someone point me in the right direction?

I apologize if this question has been answered before, but my google-fu isn't helping me.

Thank you.

0 Karma


Your devices send syslog events to the rsyslog server. Rsyslog writes the events to disk. SUF monitors said disk file(s) and forwards the events to Splunk. Does that help?

If this reply helps you, Karma would be appreciated.


I see. Makes sense. I was under the impression SUF could act as sort of a relay, and I would be able to just point to it. That being said, is there a sample config (inputs/outputs.conf) for SUF on how to deal with locally stored rsyslog files?

0 Karma


Try this, but make sure to change the monitor path to point to your log file location, and change the index and sourcetype.

outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = Indexer1:9997,Indexer2:9997
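The full chain described in the answers above (devices -> rsyslog writes files -> Universal Forwarder monitors them -> indexers), as an added example that is not code from the original thread. It is a POSIX shell script that writes the rsyslog drop-in, inputs.conf and outputs.conf under a prefix directory. The directory /var/log/remote, the index name syslog, the app name syslog_collection, the group splunk that the forwarder runs as, port 514 and the indexer names are all assumptions; adjust them before running it as root with prefix "/". The practical point it shows is that rsyslog must write one file per sending host (dynaFile with %HOSTNAME%) and the monitor stanza must set host_segment to the matching path segment, otherwise every event is indexed with the forwarder's own hostname as host.

```shell
#!/bin/sh
# Added example, not from the original thread: generate the config for
#   syslog device -> rsyslog (one file per host) -> Splunk UF -> indexers
# Everything below (paths, index, app name, group "splunk", port) is an assumption.

# Directory rsyslog writes remote syslog into, one subdirectory per sending host.
REMOTE_LOG_DIR=/var/log/remote

# Print the 1-based index of the path segment that holds %HOSTNAME% in an
# rsyslog dynaFile template. That number is what inputs.conf host_segment must be,
# so the UF takes the host field from the directory name rather than from itself.
host_segment_for() {
    _path=$1; _i=0; _old_ifs=$IFS; IFS=/
    for _seg in $_path; do
        [ -n "$_seg" ] || continue       # skip the empty field before the leading /
        _i=$((_i + 1))
        case $_seg in
            *%HOSTNAME%*) IFS=$_old_ifs; echo "$_i"; return 0 ;;
        esac
    done
    IFS=$_old_ifs
    return 1
}

# rsyslog: listen on UDP/TCP 514, write each sender to $REMOTE_LOG_DIR/<host>/syslog.log.
# fileGroup/dirGroup "splunk" (assumed) lets the UF read the files without running as root.
write_rsyslog_conf() {          # $1 = install prefix ("/" on a live host, as root)
    _f="$1/etc/rsyslog.d/10-remote-to-file.conf"
    mkdir -p "$(dirname "$_f")"
    cat > "$_f" <<EOF
module(load="imudp")
module(load="imtcp")
template(name="PerHostFile" type="string" string="$REMOTE_LOG_DIR/%HOSTNAME%/syslog.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile"
           dirGroup="splunk" fileGroup="splunk"
           dirCreateMode="0750" fileCreateMode="0640")
}
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
EOF
}

# UF inputs.conf: monitor the per-host files; host_segment is derived from the template.
write_uf_inputs() {
    _f="$1/opt/splunkforwarder/etc/apps/syslog_collection/local/inputs.conf"
    mkdir -p "$(dirname "$_f")"
    _seg=$(host_segment_for "$REMOTE_LOG_DIR/%HOSTNAME%/syslog.log")
    cat > "$_f" <<EOF
[monitor://$REMOTE_LOG_DIR/*/syslog.log]
index = syslog
sourcetype = syslog
host_segment = $_seg
disabled = false
EOF
}

# UF outputs.conf: the load-balanced indexer group from the answer above.
write_uf_outputs() {
    _f="$1/opt/splunkforwarder/etc/apps/syslog_collection/local/outputs.conf"
    mkdir -p "$(dirname "$_f")"
    cat > "$_f" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = Indexer1:9997,Indexer2:9997
EOF
}

write_all_configs() {
    write_rsyslog_conf "$1"
    write_uf_inputs "$1"
    write_uf_outputs "$1"
}

# Usage: sh this_script.sh /      (then restart rsyslog and the forwarder)
if [ $# -eq 1 ]; then
    write_all_configs "$1"
fi
```

After writing the files, restart rsyslog and the forwarder (for example `systemctl restart rsyslog` and `/opt/splunkforwarder/bin/splunk restart`) and confirm with `splunk list monitor` that the wildcard path is being watched. If the host field in Splunk still shows the collector's name, the host_segment value does not match the directory depth of the rsyslog template.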