Community:CreateSyslogNGRules
From Splunk Wiki
Create syslog-ng rules to send data to Splunk
The information in this topic works with syslog-ng version 2.x. A Splunk user wrote a blog post some time ago that includes examples of working with syslog-ng version 3.x. Note that the blog post also references Splunk version 3.x, but its syslog-ng 3.x material should be helpful regardless.
The blog post is here: http://piyush.me/2009/06/23/centralized-logging-using-syslog-ng-splunk-indexing-search/
Note: FIFO input has been deprecated in Splunk, so the FIFO-specific information below is out of date. Current best practice is to write to files from syslog-ng and have Splunk monitor those files. Log rotation can then delete the files after a reasonable retention period.
Syslog-ng ("next generation") goes beyond standard syslog. It accepts and sends both TCP and UDP input and has four types of rules available in its configuration file: source, filter, destination, and log.
As an example, this rule configures a source that reads remote syslog events on UDP port 514:
source src_udp { udp(ip(0.0.0.0) port(514)); };
Then, add a filter for events that match MSWinEventLog:
filter f_windows { match("MSWinEventLog"); };
Next, add a FIFO (named pipe) destination:
destination winFIFO { pipe("/var/log/splunk/syslog-ng/winFIFO"); };
Finally, this last rule sends all MSWinEventLog events that arrive on port 514 to a FIFO from which Splunk can load them at high speed:
log { source(src_udp); filter(f_windows); destination(winFIFO); };
Configure Splunk's syslogFIFO input module to load the events from the FIFO. You can add regular expressions to create metadata values, such as severity::, for each event.
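The following is an added example, not part of the original wiki page, that puts all four rule types together in one syslog-ng 2.x-style configuration and follows the current best practice noted above: events are written to per-host daily files for Splunk to monitor instead of to a FIFO. The file paths, the group name, and the second catch-all destination are assumptions.

```syslog-ng
# Added example (not from the original page): complete syslog-ng configuration
# using source, filter, destination and log rules with file destinations.
options {
    keep_hostname(yes);   # keep the hostname carried in the received message
    create_dirs(yes);     # create the per-host directories on first write
    use_dns(no);          # do not block on reverse DNS for every event
};

# Source: remote syslog on UDP and TCP port 514
source src_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max_connections(100));
};

# Filter: Windows events relayed by a syslog agent (same match as above)
filter f_windows { match("MSWinEventLog"); };

# Destinations: one file tree for Windows events, one for everything else.
# $HOST/$YEAR-$MONTH-$DAY yields daily per-host files that log rotation can expire.
# Assumed path and group; perm(0640) keeps the files readable only by the
# owner and the assumed "splunk" group.
destination d_windows {
    file("/var/log/splunk/syslog-ng/windows/$HOST/$YEAR-$MONTH-$DAY.log"
         perm(0640) group("splunk"));
};
destination d_other {
    file("/var/log/splunk/syslog-ng/other/$HOST/$YEAR-$MONTH-$DAY.log"
         perm(0640) group("splunk"));
};

# Log paths: Windows events go to d_windows; flags(final) stops a matched
# event from also falling through to the catch-all path below.
log { source(src_net); filter(f_windows); destination(d_windows); flags(final); };
log { source(src_net); destination(d_other); };
```

Point Splunk at the two directory trees with file monitor inputs; because the files are written by syslog-ng, Splunk needs read access through the assumed group.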