Hello,
When using syslog-ng with Splunk, you can control the index, sourcetype, etc. in the app's inputs.conf that is pushed to your forwarder.
Of course this implies you are using a Splunk Enterprise on-prem deployment server to push apps to your endpoints' forwarders.
For example:
The firewall sends its log to syslog-ng.
syslog-ng.conf has filters configured for each type of device sending logs; it checks through those filters until it finds a match for the log received from the firewall. Let's say it is using the subnet to identify that this is a firewall.
Once it matches the filter, it then checks the log rule, which tells it which destination rule to use to place the log in the folder structure and naming convention that has been configured in the destination rule for this device type.
Let's say it puts the log in "/home/syslog/logs/firewall/$HOST/$YEAR-$MONTH-$DAY-firewall.log".
You will note that in the path configured in the destination rule for this log, the hostname is the 5th folder in the path.
So in your inputs.conf file for whichever app you use for this device type's logs, you would need to tell it that the 5th position is where the hostname is. Splunk will then be able to find the logs using that name with host=hostname.
For example, in my case the syslog_firewall_inputs\local\inputs.conf file would look like this:

```ini
# Firewall logs sent to syslog-ng
# The two wildcards stand for the $HOST directory and the dated file name
# produced by the syslog-ng destination rule above.
[monitor:///home/syslog/logs/firewall/*/*.log]
host_segment = 5
sourcetype = fgt_log
index = firewall
disabled = false
```
Note that the sourcetype was one we created ourselves for our environment, so be sure all settings are for your own environment.
As you can see, it is in this file where you can specify which index and which sourcetype the Splunk UF will associate with the log.
I hope this is helpful. Your description was not 100% clear, so I am hoping this is what you need.
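The mapping described in the answer above (the syslog-ng destination template decides which path segment holds the hostname, and host_segment in inputs.conf must point at exactly that segment) is easy to get wrong by hand, especially when someone later changes the destination rule. The following is an added example, not code from the original post or from Splunk or syslog-ng: a small Python helper that derives the monitor glob and the host_segment value from a syslog-ng file() template, generates the inputs.conf stanza, and checks what host Splunk would assign to a sample path. When $HOST is not a whole directory segment (for instance a file name like "$HOST-$YEAR-$MONTH-$DAY.log"), host_segment cannot be used, so the helper falls back to Splunk's host_regex setting, whose first capture group supplies the host. All sample paths and the index/sourcetype names are constructed for illustration.

```python
import re

# syslog-ng macros in a file() template, e.g. $HOST, $YEAR, $MONTH, $DAY
MACRO = re.compile(r"\$[A-Z_]+")


def host_segment(template):
    """1-based index of the path segment that is exactly $HOST, or None.

    Splunk's host_segment counts segments from 1 after the leading '/', so
    '/home/syslog/logs/firewall/$HOST/...' yields 5, as in the post.
    """
    segments = [s for s in template.split("/") if s]
    for i, seg in enumerate(segments, start=1):
        if seg == "$HOST":
            return i
    return None


def host_regex(template):
    """Fallback when $HOST shares a segment with literal text or other macros.

    Builds a regex for Splunk's host_regex setting (matched against the full
    path); the first capture group is the host. Other macros become a
    non-greedy '[^/]+?', literal text is escaped. Returns None if no $HOST.
    """
    segments = template.split("/")
    for seg in segments:
        if "$HOST" not in seg:
            continue
        pattern, pos = "", 0
        for m in MACRO.finditer(seg):
            pattern += re.escape(seg[pos:m.start()])
            pattern += "([^/]+?)" if m.group() == "$HOST" else "[^/]+?"
            pos = m.end()
        pattern += re.escape(seg[pos:])
        # anchor at end of path for the file-name segment, at '/' otherwise
        anchor = "$" if seg == segments[-1] else "/"
        return "/" + pattern + anchor
    return None


def monitor_glob(template):
    """Monitor path for the stanza: macro directories become '*', a macro file
    name becomes '*' plus its extension (so the dated name matches '*.log')."""
    parts = template.split("/")
    out = []
    for i, p in enumerate(parts):
        if not MACRO.search(p):
            out.append(p)
        elif i < len(parts) - 1:
            out.append("*")
        else:
            ext = p.rsplit(".", 1)[1] if "." in p else ""
            out.append("*." + ext if ext else "*")
    return "/".join(out)


def inputs_stanza(template, index, sourcetype):
    """Render the [monitor://...] stanza for a syslog-ng destination template."""
    lines = [f"[monitor://{monitor_glob(template)}]"]
    seg = host_segment(template)
    if seg is not None:
        lines.append(f"host_segment = {seg}")
    else:
        rx = host_regex(template)
        if rx is None:
            raise ValueError("template has no $HOST macro; Splunk cannot "
                             "derive the host from the path")
        lines.append(f"host_regex = {rx}")
    lines += [f"sourcetype = {sourcetype}", f"index = {index}", "disabled = false"]
    return "\n".join(lines)


def extract_host(template, path):
    """What Splunk would assign as host for `path` under the generated stanza."""
    seg = host_segment(template)
    if seg is not None:
        parts = [p for p in path.split("/") if p]
        return parts[seg - 1] if seg <= len(parts) else None
    rx = host_regex(template)
    m = re.search(rx, path) if rx else None
    return m.group(1) if m else None


if __name__ == "__main__":
    # Template from the post; index and sourcetype names are constructed.
    tpl = "/home/syslog/logs/firewall/$HOST/$YEAR-$MONTH-$DAY-firewall.log"
    print(inputs_stanza(tpl, index="firewall", sourcetype="fgt_log"))
    sample = "/home/syslog/logs/firewall/fw-edge-01/2024-01-31-firewall.log"
    print("host for sample path:", extract_host(tpl, sample))
```

Keeping the host in its own directory segment, as the post's destination rule does, is the robust choice: host_segment is unambiguous, whereas a host_regex over a file name such as "$HOST-$YEAR-$MONTH-$DAY.log" cannot tell where the host ends once hostnames themselves contain the separator character. Re-running this helper whenever the syslog-ng destination template changes catches the classic failure where logs keep flowing but every event is stamped with the wrong host.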