You have to configure a receiver on Splunk and configure your 10 servers to send their syslogs to the Splunk Server.
As for the way to receive syslogs, you have three options:
- using SC4S,
- using rsyslog on the Splunk Server (if Linux) and reading the files with Splunk,
- using Splunk to ingest syslogs.
The last solution is the easiest because you only have to enable a network input via the GUI and it's finished, but reading the Community, it isn't encouraged.
Then you can put the receiver on the same Splunk server or on another system: in cases 1 and 2 using a Universal Forwarder, in case 3 you have to use a Heavy Forwarder.
In addition, as you know, syslogs must be taken at runtime, otherwise you lose them, so you have to avoid a Single Point of Failure, and the best approach is to have two systems as syslog receivers with a Load Balancer as front end to distribute traffic and manage failover.
In conclusion, only one question: if your 10 servers are standard Windows or Linux Servers, why don't you consider using a Universal Forwarder instead of syslogs?
In this case:
- you have a local cache, so you don't lose logs in case of failure or maintenance,
- you have bandwidth optimization,
- packet compression,
- and other advantages.
Usually syslogs are used only from closed appliances such as firewalls, proxies, routers or access points.
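A worked configuration for option 2 above (rsyslog receiving on the Linux host, Splunk reading the files through a Universal Forwarder), added here as an example and not taken from the original answer or from Splunk's documentation; the file paths, the `network` index name and the per-host directory layout are assumptions.

```conf
# --- /etc/rsyslog.d/10-splunk-syslog.conf (assumed path, rsyslog v8 RainerScript) ---
# Listen on UDP and TCP 514; appliances that support TCP should use it, since UDP
# messages lost in transit are gone for good (the "taken at runtime" problem above).
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# One directory per sending host, one file per day, so Splunk can derive the host
# from the path and a single noisy device cannot fill one shared file.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# RFC 3339 timestamp keeps the original device time unambiguous for Splunk.
template(name="RawLine" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640")
    stop   # do not let remote messages fall through into the local /var/log/* files
}

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the Universal Forwarder (assumed path) ---
# Path segments: /var(1)/log(2)/remote(3)/<host>(4)/<date>.log, so host_segment = 4
# assigns the sending device, not the receiver, as the event host.
[monitor:///var/log/remote/*/*.log]
sourcetype = syslog
host_segment = 4
index = network
disabled = 0
```

Old per-host files still need rotation or cleanup (e.g. logrotate on /var/log/remote), otherwise the receiver's disk becomes the next single point of failure.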