So in some unknown, previous version of Splunk we were able to forward syslog to an Rsyslog machine. The syslog messages began with the date/time and source host/IP of the message. This data was in the standard sysklogd format. It allowed us to write it out straight to a file and have it look like Rsyslog was the one receiving the messages. Current versions do not seem to include this header.
Is there any way to restore this behavior? Our goal is to, at a minimum, get any syslog data that is received by Splunk to be forwarded to our instance of Rsyslog with the original host that sent the data included in the log line.
I'm currently running version 4.0.8. I believe that the previous version was "current" around 2009-08-20.
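An added example, not part of the original post: a small Python check for the sysklogd-format header the question describes. It assumes rsyslog writes the forwarded messages to a file one per line, and separates lines that still carry the original sending host from lines where that field is missing.

```python
import re
from collections import Counter

# Header layout from the question: "<Mon DD HH:MM:SS> <host> <tag>[pid]: <message>".
# A leading "<PRI>" (e.g. "<34>") is tolerated because rsyslog may or may not
# strip it before writing the line to a file.
SYSKLOGD_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:\[]+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_sysklogd(line):
    """Return the header fields of one sysklogd-format line, or None when the
    line has no recognisable host field (the symptom described in the question)."""
    m = SYSKLOGD_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def audit_host_headers(lines):
    """Count messages per original host and collect the lines that lost the
    host field, so a forwarder that drops the header shows up immediately."""
    per_host = Counter()
    missing = []
    for line in lines:
        rec = parse_sysklogd(line)
        if rec is None:
            missing.append(line)
        else:
            per_host[rec["host"]] += 1
    return per_host, missing


# Constructed sample lines (hostnames and addresses are made up): the first two
# carry the original host as the older forwarder wrote them, the third does not.
SAMPLE_LINES = [
    "Aug 20 10:15:01 web01 sshd[2131]: Accepted publickey for ops from 10.0.0.5",
    "<34>Aug 20 10:15:02 db02 sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls",
    "Aug 20 10:15:03 sshd[2132]: Failed password for invalid user test",
]

if __name__ == "__main__":
    hosts, missing = audit_host_headers(SAMPLE_LINES)
    print(dict(hosts))
    print(missing)
```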