Not sure why it is there exactly but I understand the idea. I do not like the out of the box "syslog" sourcetype for many things, I prefer to instead create sourcetypes specific to the syslogs from the sources I am dealing with at each new client. There are multiple syslog patterns used by various vendors and on top of that often I see them modified during collection/centralization. There is a bunch of questionable stuff in the nix TA though, look at the eventtypes.conf for some terrible examples of eventtype searches. Ever looked at your logs and wondered why the os and unix and error tags show up on such a wide variety of things? Nix TA eventtypes out of the box is the answer. Also not forcing more care to be taken with the broad ingestion of directories like /var/log/ results in forcing Splunk to do a lot of sourcetype guessing and, in most places I have been, initially results in many incorrect sourcetypings.
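The contrast the post draws, as an added illustration that is not part of the original post or of the Splunk_TA_nix app: a broad `/var/log/` monitor that leaves sourcetype selection to Splunk's guessing, beside explicit per-file monitor stanzas with their own sourcetypes. The file paths, sourcetype names and the `auth_failure` eventtype are constructed for this example.

```ini
# --- Weak: one broad monitor, no sourcetype set -------------------------
# Every file under /var/log/ (auth.log, kern.log, rotated .gz files, app
# logs...) arrives through one input and Splunk must guess a sourcetype
# per file, which is what produces the mis-typed events described above.
[monitor:///var/log]
index = os
disabled = 0

# --- Corrected: explicit inputs, one sourcetype per log family ----------
# Each known file gets a deliberate, client-specific sourcetype so field
# extractions and eventtypes can be scoped to it instead of to "syslog".
[monitor:///var/log/auth.log]
index = os
sourcetype = client_linux:auth

[monitor:///var/log/kern.log]
index = os
sourcetype = client_linux:kernel

# Rotated archives are excluded so they are not re-read as unknown types.
[monitor:///var/log/messages]
index = os
sourcetype = client_linux:messages
blacklist = \.(gz|\d+)$

# props.conf (example): timestamp and line rules tied to the new sourcetype,
# rather than inherited from the generic syslog definition.
[client_linux:auth]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

# eventtypes.conf (example): the search is constrained to one sourcetype,
# so the "error" or "authentication" tag cannot land on unrelated events.
[auth_failure]
search = sourcetype=client_linux:auth "authentication failure"
```

Splitting inputs this way also gives you a per-sourcetype event count to compare against the host's actual log volume, which is a quick way to spot files that are still being guessed.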