Graham,
We are using our internal splunk instance to ingest Amazon instance data from both Public and VPC housed instances. On our public instances, Chef installs the Universal Forwarder on the instances which have an outputs.conf sending them to heavy forwarders in the cloud which sends data via ssl connection to heavy forwarders on our environments DMZ which then forwards the data to our internal indexers. This seems to be the easiest way to receive basic log data from Linux Hosts (we monitor the /var/log* directory and can source type on the indexer side).
Hope that helps!
Nate
... View more