Syslog Monitoring when REGEX is not enough

I have been tasked with deploying Splunk for an organization that has an extensive syslog (multiple rsyslog and syslog-ng servers) environment. The problem is with their naming convention. Of the hundreds of syslog sources, only 60% follow a naming convention. The remainder may be (random) IPs, or a hostname that does not align with its events. The logs are not stored in logical directories, AND... they are unwilling to make the changes necessary to "clean it up". The REGEXes in inputs.conf are rapidly becoming ugly, and every change requires complete re-validation. What do others do in this situation to manage poor syslog naming conventions, and still get the events into the proper indexes without the extensive use of REGEX in inputs.conf, and without touching the syslog conf?
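One way to take the routing decision out of a growing list of per-source regexes, shown as an added example that is not part of the original question and is not Splunk's own code: parse the syslog header once, then resolve the destination index from a lookup table (exact hostnames and CIDR ranges) with the naming convention as a fallback and a quarantine index for anything unmatched. All hostnames, IP ranges, index names and log lines below are constructed for illustration.

```python
"""Lookup-driven index routing for syslog sources with inconsistent names.

Added example (not code from the original question or from Splunk): the
routing decision is driven by a small lookup table (exact hostnames and IP
ranges), with the naming convention as a fallback and a quarantine index for
everything unmatched.  Every host name, IP range, index name and log line
below is constructed for illustration.
"""
import csv
import io
import ipaddress
import re

# Constructed lookup table in the shape of a Splunk CSV lookup: one row per
# known source.  'key' is either an exact hostname or an IP network in CIDR
# notation; 'index' is the destination index.
ROUTING_CSV = """key,index
fw-edge-01,network
10.20.30.0/24,network
192.168.50.7/32,windows
dbsrv-legacy,database
"""

# Fallback: sources that do follow the naming convention are routed by
# prefix, one small regex per convention rather than one per source.
CONVENTION_RULES = [
    (re.compile(r"^fw-"), "network"),
    (re.compile(r"^web\d+$"), "web"),
    (re.compile(r"^db"), "database"),
]

# Events whose source matches nothing land in a quarantine index rather than
# main, so unrouted hosts are easy to find and add to the lookup.
QUARANTINE_INDEX = "syslog_unrouted"

# One regex for the RFC 3164 header only (PRI, timestamp, host).
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
)


def load_routing_table(csv_text):
    """Split the lookup into an exact-host dict and a list of CIDR rules."""
    hosts, nets = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["key"].strip()
        try:
            nets.append((ipaddress.ip_network(key, strict=False), row["index"]))
        except ValueError:
            hosts[key.lower()] = row["index"]
    # Longest prefix first so a /32 beats the /24 that contains it.
    nets.sort(key=lambda n: n[0].prefixlen, reverse=True)
    return hosts, nets


def route(line, hosts, nets):
    """Return (host, index, reason) for one syslog line."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return (None, QUARANTINE_INDEX, "unparsable header")
    host = m.group("host")
    if host.lower() in hosts:                      # exact name, case-insensitive
        return (host, hosts[host.lower()], "exact host lookup")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:                           # bare IP as the host field
        for net, index in nets:
            if addr in net:
                return (host, index, f"cidr lookup {net}")
    for pattern, index in CONVENTION_RULES:        # naming-convention fallback
        if pattern.search(host):
            return (host, index, f"naming convention {pattern.pattern}")
    return (host, QUARANTINE_INDEX, "no match")


# Constructed sample events, one per routing path.
SAMPLE_LINES = [
    "<13>Mar 10 12:00:01 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9",
    "<34>Mar 10 12:00:02 10.20.30.40 sshd[4242]: Failed password for root",
    "<14>Mar 10 12:00:03 192.168.50.7 MSWinEventLog 4625 logon failure",
    "<14>Mar 10 12:00:04 web07 nginx: GET /login 200",
    "<14>Mar 10 12:00:05 DBSRV-LEGACY oracle: listener restarted",
    "<14>Mar 10 12:00:06 printer-9f3a cups: job complete",
    "garbage without a syslog header",
]


def route_all(lines=SAMPLE_LINES, csv_text=ROUTING_CSV):
    """Route every line; returns a list of (host, index, reason) tuples."""
    hosts, nets = load_routing_table(csv_text)
    return [route(line, hosts, nets) for line in lines]


if __name__ == "__main__":
    for host, index, reason in route_all():
        print(f"{str(host):16} -> {index:16} ({reason})")
```

The table-driven shape is the point: adding a badly named source means adding one CSV row, not another regex that forces re-validation of the whole inputs.conf. The same shape maps onto Splunk's own props.conf/transforms.conf index routing (a transform with `DEST_KEY = _MetaData:Index`), where the regex matches a convention rather than an individual host.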
