I would like to know the best method and recommended way to forward the syslogs.
1. syslog-ng -> Indexer
2. syslog-ng with UF --> Indexer
3. syslog-ng with UF ---> HF ---> Indexer
4. syslog-ng ---> HF ----> Indexer
Number 1 is not possible.
Number 2 is best.
Number 3 is discouraged.
Number 4 is good if you need to transform or filter the data before indexing.