Syslog-NG.conf to Fork to Two Log Aggregators
Hello;

I have syslog clients that I would like to configure to send log-data to a middle-man/intermediary syslog-NG server. Once received on the intermediary, I want to immediately fork that data onto a different log-server, not syslog-NG; satisfying a requirement to feed two systems.

The reason for the fork is that the non-syslog-NG-server is running a proprietary logging system, and it must, at least for now, be capable of seeing *most* of my logs. It, the non-syslog-NG-server, is incapable of retransmitting to my syslog-NG server, nor would I trust it to do so.

My questions to the list are:

1. Has anyone successfully done something similar?
2. Any recommendations/gotchas I should be aware of?
3. Can I also configure syslog-NG to resend Splunk data? Or do I have to run a Splunk Univ Forwarder configured similarly to my intermediary syslog-NG server to achieve that? (Yes, I know, OT question, sorry...)

Thank you in advance,
.vp
Hi, On 09/30/2014 08:34 PM, wiskbroom@hotmail.com wrote:
Hello;
I have syslog clients that I would like to configure to send log-data to a middle-man/intermediary syslog-NG server. Once received on the intermediary, I want to immediately fork that data onto a different log-server, not syslog-NG; satisfying a requirement to feed two systems.
Well, with this design there is a SPoF (single point of failure), the syslog-ng relay. If it fails for some reason you'll lose logs. If the second log system scales for multiple log sources just like syslog-ng, then you should configure the syslog-ng clients to send logs to both systems. Of course with such a design network load could duplicate unless you're using UDP multicast - but that involves another factor, log transport reliability, which isn't the best with UDP, to say the least. So you've got to consider all possible scenarios and then make a choice which is the best for your needs. It is easy to set up either the syslog-ng clients or the syslog-ng server/relay to send logs to multiple destinations.
The reason for the fork is because the non-syslog-NG-server is running a proprietary logging system, and it must, at least for now, be capable of seeing *most* of my logs. It, the non-syslog-NG-server, is incapable of retransmitting to my syslog-NG server, nor would I trust it to do so.
My questions to the list are, 1. Has anyone successfully done something similar?
yes, but see above for the caveats
2. Any recommendations/gotchas I should be aware of?
see above
3. Can I also configure syslog-NG to also resend Splunk data? Or do I have to run a Splunk Univ Forwarder configured similarly to my intermediary syslog-NG server to achieve that? (Yes, I know, OT question, sorry...)
Without understanding how Splunk works internally I can't really help here; my understanding is that it is a log store / search engine, so it doesn't forward data to external systems. If it has a forwarder then it can feed other systems, but in this case Splunk would be the SPoF. hth, Sandor
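The relay set-up discussed in this thread (one syslog-ng intermediary feeding both the central syslog-ng server and the proprietary collector), written out as an added example syslog-ng.conf; it is not configuration posted by either participant. The host names, ports, TLS file paths, the buffer sizes and the choice to withhold the auth/authpriv facilities from the proprietary system are all assumptions made for the example, and the reliable disk-buffer() option assumes syslog-ng OSE 3.8 or newer.

```conf
@version: 3.8

# Relay-side syslog-ng.conf: one source, two destinations (added example).
# Assumed names/addresses, not from the thread:
#   logs-central.example.com   the central syslog-ng server
#   collector.example.com      the proprietary log system
#   /etc/syslog-ng/tls/*       relay key, certificate and client-CA directory

# Accept syslog from the clients over TLS. peer-verify(required-trusted)
# makes the relay reject any client whose certificate is not signed by a
# CA found in ca-dir(), so random hosts cannot inject log lines.
source s_clients {
    network(
        ip("0.0.0.0") port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/relay.key")
            cert-file("/etc/syslog-ng/tls/relay.crt")
            ca-dir("/etc/syslog-ng/tls/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# Destination 1: the central syslog-ng server. The reliable disk-buffer
# keeps messages on local disk while this server is unreachable, so an
# outage of the destination does not lose logs. The relay host itself
# remains the single point of failure Sandor describes.
destination d_central {
    network("logs-central.example.com" port(6514)
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/tls/ca.d")
            peer-verify(required-trusted)
        )
        disk-buffer(
            reliable(yes)
            mem-buf-size(16777216)      # 16 MiB in RAM before spilling to disk
            disk-buf-size(2147483648)   # up to 2 GiB on disk for this destination
        )
    );
};

# Destination 2: the proprietary collector, plain TCP because that is all it
# is assumed to speak. It has its own disk-buffer so its outages do not
# affect d_central.
destination d_proprietary {
    network("collector.example.com" port(514)
        transport("tcp")
        disk-buffer(
            reliable(yes)
            mem-buf-size(16777216)
            disk-buf-size(2147483648)
        )
    );
};

# The proprietary system should see "most" of the logs: here everything
# except the auth/authpriv facilities is forwarded to it. What to withhold
# is a local policy decision; this filter is only an illustration.
filter f_for_proprietary { not facility(auth, authpriv); };

# Two independent log paths from the same source. Without flags(flow-control)
# on a path, a destination whose memory and disk buffers are full drops
# further messages for that destination only; with flow-control the source
# stops reading until every destination has room, so one stuck collector
# would stall both feeds. Leaving flow-control off is the deliberate choice
# here, because the untrusted collector must not be able to hold up the
# central feed.
log { source(s_clients); destination(d_central); };
log { source(s_clients); filter(f_for_proprietary); destination(d_proprietary); };
```

Check the file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` before reloading. The client-side alternative Sandor mentions (every client sending to both systems directly, no relay) is the same pattern: a local source such as `system()` and the same two `log {}` paths, at the cost of every client carrying the TLS material and buffers shown here.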