You might want to use Fluentd to filter logs at the edge. Here's a full configuration that might work for you (it assumes that you are listening to syslog over UDP at port 5140. # collecting syslog <source> @type syslog port 5140 tag system </source> # adding hostname <filter system.**> @type record_transform <record> hostname "#{Socket.gethostname}" </record> # filtering based on the given condition </filter> <filter system.**> @type grep <regexp> key hostname pattern ^192.168.105. </regexp> <regexp> key message pattern vmhba </regexp> </filter> This is just one example of the type of "smart filtering/routing" Fluentd can bring to the edge. For example, you can configure Fluentd so that Splunk only sees error/warn messages (to save on the bandwidth) like this: <source> @type syslog port 5140 tag splunk </source> <match splunk..{error,warn}> @type splunk # other config parameters </match> <match splunk.*> @type s3 # archive the rest in Amazon S3, say, for cheaper storage </match> Again, if you are looking to use Fluentd in a production environment, check out Fluentd Enterprise by Treasure Data ... View more