syslog-ng

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6

Syslog-ng ("next generation") goes beyond standard syslog. It can receive and forward events over both TCP and UDP, and its configuration is built from four types of rules: source, filter, destination and log.


As an example, this rule configures a source that reads remote syslog events on port 514 UDP:


source src_udp { udp(ip(0.0.0.0) port(514)); };

Then, add a filter for events that match MSWinEventLog:


filter f_windows { match("MSWinEventLog"); };

Next, add a FIFO destination.


destination winFIFO { pipe("/var/log/splunk/syslog-ng/winFIFO"); };

Finally, this last rule will send all MSWinEventLog events that come in on port 514 to a FIFO from which Splunk can load them at high speed.


log { source(src_udp); filter(f_windows); destination(winFIFO); };

Configure Splunk's syslogFIFO input module to load the events from the FIFO. You can add regular expressions to create metadata values such as severity:: for each event.
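The following is an added example, not code from Splunk or syslog-ng: it emulates the rule chain above in Python, applying the f_windows filter as an unanchored regex and deriving a severity:: metadata value with regular expressions, as the text suggests for the syslogFIFO input. The sample events and their tab-separated Windows field layout are constructed assumptions for this example.

```python
import re

# Constructed sample events, roughly as the src_udp source on UDP 514 would
# deliver them; the tab-separated Windows field layout is an assumption made
# for this example, not a format the page specifies.
SAMPLE_EVENTS = [
    "<13>Jan 12 10:01:02 WIN-DC01 MSWinEventLog\t1\tSecurity\t529\tFailure Audit"
    "\tLogon/Logoff\tLogon Failure: Unknown user name or bad password",
    "<13>Jan 12 10:01:03 WIN-DC01 MSWinEventLog\t4\tSecurity\t528\tSuccess Audit"
    "\tLogon/Logoff\tSuccessful Logon",
    "<30>Jan 12 10:01:04 lnx01 sshd[4242]: Accepted publickey for ops from 10.0.0.5",
    "<11>Jan 12 10:01:05 WIN-APP02 MSWinEventLog\t2\tApplication\t1000\tError"
    "\tNone\tFaulting application foo.exe",
]

# filter f_windows: syslog-ng match() is an unanchored regex over the message.
F_WINDOWS = re.compile(r"MSWinEventLog")
# RFC 3164 PRI header <facility*8 + severity>; the low three bits are severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")
PRI_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Windows event type token (assumed layout), mapped to a severity:: value.
WIN_TYPE_RE = re.compile(r"\t(Success Audit|Failure Audit|Error|Warning|Information)\t")
WIN_TYPE_SEVERITY = {"Failure Audit": "high", "Error": "high", "Warning": "medium",
                     "Success Audit": "low", "Information": "low"}


def passes_filter(event):
    """True when filter f_windows would pass the event on to the log{} rule."""
    return F_WINDOWS.search(event) is not None


def syslog_severity(event):
    """Severity name decoded from the PRI header, or None when it is missing."""
    m = PRI_RE.match(event)
    return PRI_SEVERITY[int(m.group(1)) & 7] if m else None


def windows_severity(event):
    """severity:: value derived from the Windows event type token, or None."""
    m = WIN_TYPE_RE.search(event)
    return WIN_TYPE_SEVERITY[m.group(1)] if m else None


def route(events):
    """Apply the log{} rule: drop non-matching events, tag the rest with metadata."""
    routed = []
    for ev in events:
        if not passes_filter(ev):
            continue  # never reaches destination winFIFO
        severity = windows_severity(ev) or syslog_severity(ev) or "unknown"
        routed.append({"event": ev, "severity": severity,
                       "syslog_severity": syslog_severity(ev)})
    return routed
```

Because match() is unanchored, any event whose text merely mentions MSWinEventLog also reaches the FIFO; anchor the pattern to the field layout you actually receive if that matters for your index.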


Revision: 207. Community content licensed under Creative Commons.