Allow me to try to restate what it is you have said - please correct as appropriate! You have syslog coming in to Splunk. You would like to forward these to another syslog system, in addition to ingesting them into Splunk. So devices send syslog to a Splunk heavy forwarder instance, and you'd like that HF to send those incoming syslogs both to Splunk (as cooked data) and to yet another syslog instance (as syslog). Hopefully that sounds like what you are doing.

Some questions then:

1) How is the HF receiving syslog? Directly with the Splunk syslog app, or via some "regular syslog app" on the system?

Also, this seems like a lot of work and re-work. Why can't you just send syslog from the source devices to two separate entities? And even if you can't, hopefully the answer to the above question is that you are using syslog-ng (which I'm positive can duplicate syslog as it comes in), so you can break this problem into two pieces: one of receiving syslog and forwarding it, and another of Splunk reading the files the syslog server creates.
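One way to split the problem the way the reply above suggests, as an added example that is not from the original thread: a syslog-ng configuration on the HF host that receives device syslog and sends every message both to per-host files (for a Splunk monitor input to read) and to the second syslog server. The listener ports, the `/var/log/remote` path, the `splunk` owner and the hostname `syslog2.example.internal` are assumptions.

```conf
@version: 3.38
@include "scl.conf"

# Constructed example: receive syslog from network devices on UDP and TCP 514.
source s_devices {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Write one file per sending host and per day, owned by the Splunk user,
# so the Splunk monitor input below can pick the files up.
destination d_splunk_files {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes) owner("splunk") group("splunk") perm(0640));
};

# Forward an unchanged copy to the second syslog system (hostname assumed).
destination d_other_syslog {
    network("syslog2.example.internal" port(514) transport("tcp"));
};

# A single log path with two destinations duplicates every incoming message;
# syslog-ng handles the fan-out, Splunk never has to re-emit syslog.
log {
    source(s_devices);
    destination(d_splunk_files);
    destination(d_other_syslog);
};

# Splunk side, shown as a comment because it lives in a separate file
# (inputs.conf on the HF). host_segment=4 takes the host from the fourth
# path segment: /var/log/remote/<HOST>/...
#   [monitor:///var/log/remote]
#   sourcetype = syslog
#   host_segment = 4
```

Restrict the listener to the interface the devices actually reach and keep the file permissions tight, since the monitored directory then holds a full copy of every device's logs.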