I have:
- two existing OpenBSD centralized syslog loghosts (one is syslog-ng, one is syslogd)
- a new dedicated server for running Splunk
I would like to leave the central loghosts in place and move the data to my new Splunk server for analysis.

From what I have read, it seems like my options are:
1. use syslog-ng on both loghosts and write/forward to a syslog-ng server on the Splunk server
2. use a Splunk forwarder on the loghosts to send data to the Splunk server
3. set up an rsync/cron process from the loghosts to the Splunk server
4. set up a FIFO on the loghost filesystems that writes locally and forwards to the Splunk server
5. write logs to shared storage that both the loghosts and the Splunk server have access to
I started on option #1 but stopped when I couldn't get the syslog-ng port to compile with "--enable-spoof-source" under OpenBSD 4.9.
Any recommendations or other options I should be considering?
Thanks,
-Tom
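Added example for option #1, not taken from the post above: a minimal syslog-ng configuration for one loghost that keeps writing its local files and also forwards a copy of every message to the Splunk server's syslog listener. The hostname splunk.example.com, the port numbers and the log directory are assumptions, and the comments spell out what spoof_source actually requires.

```conf
# syslog-ng.conf on the OpenBSD loghost (added example; names and paths are assumed)

# Keep receiving from the client hosts exactly as today.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Keep the existing local copy so the loghost stays the system of record.
destination d_local {
    file("/var/log/central/$HOST/$YEAR$MONTH$DAY.log" create_dirs(yes));
};

# Forward a copy to the Splunk server's UDP syslog input.
# spoof_source(yes) rewrites the UDP source address to the original sender's
# IP so Splunk sees the real host. It needs libnet, a syslog-ng built with
# --enable-spoof-source, and root privileges, and it only exists for udp()
# destinations. If the port will not build with it, delete the option: the
# datagram then arrives from the loghost's IP, but the hostname in the
# syslog header is still intact and Splunk can take the host from there.
destination d_splunk {
    udp("splunk.example.com" port(514) spoof_source(yes));
};

# One log path, two destinations: local file first, then the forward.
log { source(s_net); destination(d_local); destination(d_splunk); };
```

On the Splunk side the matching listener is a `[udp://514]` stanza in inputs.conf with `sourcetype = syslog`; with spoof_source in place `connection_host = ip` gives the original host, and without it Splunk's default syslog sourcetype handling extracts the host from the message header instead. Two caveats worth weighing before settling on this option: UDP gives no delivery guarantee, so a loghost that is also the only archive should keep the local file destination (as above) rather than forward only, and the spoofed packets must be allowed by any pf rules or anti-spoofing filters between the loghost and the Splunk server, since they carry a source address that is not the loghost's own.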