adding a source to the existing syslog-ng.conf

[jpcapone]

I am a super newbie when it comes to syslog-ng but I am here asking for help. I think what i need help with is understanding how I can modify the existing syslog-ng.conf -the default one provided by the stack - to have it receive from a truenas installation and also send logs to Splunk. I would appreciate any input, thanks

[lux4rd0]

@jpcapone Welcome to the world of logging!! It sounds like you already have this project set up to receive from Truenas - the issue is how to set up two forwarders? One to Loki and one to Splunk? I've found a few blog posts, but they're particular to how you want to use them. You can have Splunk simply scrape files that SyslogNG writes out to a file system - or use another intermediate. It also looks like Splunk only handles Syslog as a collector with their Enterprise version.

Can you share a bit more about what the end result should look like?

[jpcapone]

@lux4rd0 Thanks for getting back to me! "the issue is how to set up two forwarders? One to Loki and one to Splunk?" Yes and Yes! I can tell that the truenas logs are being ingested by Loki. I assume I would need to add two items to the syslog-ng.conf

1. Something like this as a destination entry

};
destination d_net_splunk {
tcp(“192.168.1.1” throttle(20000) log_disk_fifo_size(4194304));
};

2. update the existing log entry

log {
        source(s_local);
        source(s_network);
        destination(d_loki);
	destination(d_net_splunk);
};

Also, fresh install and I am getting no data for Counts by host. Any help would be appreciated.