To get the logs into Splunk (or any other big data or log management solution), you'll need to be able to read them, and that means you're eventually going to have to trust some process to read them and transmit them. That doesn't mean you have to have splunk do it; it's not uncommon to see a whole lot of syslog routing being done before the first forwarder. ... View more

@vr2312 that's correct , if its in /local (ie: $SPLUNK_HOME/etc/system/local/ , or $SPLUNK_HOME/etc/apps//local/ it will not be overwritten when you upgrade. ... View more

Yes. The Splunk forwarder typically gets data in two ways: By Running commands such as netstat to get information about system state (scripted inputs) By reading the contents of log files written by other applications, including those written by syslogd . If you disable the local syslog daemon, then syslog data will not be be written to a file for Splunk to read. You would still be able to capture logs from applications that do not use syslog. For example, you'd still be able to get Apache access logs. ... View more