Hello Giuseppe, a new file is being created for each syslog event. Attached is my rsyslog configuration. I have been considering changing $FileOwner and $FileGroup to "splunk." ################# #### MODULES #### ################# module(load="imuxsock") # provides support for local system logging #module(load="immark") # provides --MARK-- message capability # provides UDP syslog reception #module(load="imudp") #input(type="imudp" port="514") # provides TCP syslog reception #module(load="imtcp") #input(type="imtcp" port="514") # provides kernel logging support and enable non-kernel klog messages module(load="imklog" permitnonkernelfacility="on") ### Entry by n37w0rk module(load="imudp") input(type="imudp" port="514") module(load="imtcp") input(type="imtcp" port="50514") $template remote-incoming-logs,"/home/splunk/syslog/%HOSTNAME%/%PROGRAMNAME%.log" *.* ?remote-incoming-logs & ~ ########################### #### GLOBAL DIRECTIVES #### ########################### # # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Filter duplicated messages $RepeatedMsgReduction on # # Set the default permissions for all log files. # $FileOwner syslog $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $PrivDropToUser syslog $PrivDropToGroup syslog krgds Björn  ... View more

Hello Giuseppe, thank you for your response. I had already tested that and now I have switched it back to BATCH and manually deleted all syslog files. After a system restart, the syslog files are being incremented again and not deleted. Krgds Björn ... View more

It can be that easy. I was 100% sure I tested it. Now it's funny. Thanks for the quick help krgds Björn ... View more