HOW TO CREATE A PIPE - FIFO FROM SYSLOG-NG TO SPLUNK

FIFO - First In First Out

mkfifo man page: http://linux.die.net/man/3/mkfifo

mkfifo creates a special file, a named pipe, that is entered into the file system. One end of the pipe must be opened for reading and the other for writing.

Note that I haven't used this method yet, but this is how I would do it:

    su

1. Create the pipe:

    mkfifo /var/log/syslog-ng_splunk

2. Add the pipe to syslog-ng:

    pico /etc/syslog-ng/syslog-ng.conf

Paste in at the bottom:

    # Pipe to splunk
    source remote { udp(); };
    destination splunk { pipe("/var/log/syslog-ng_splunk"); };
    log { source(remote); destination(splunk); };

    # Log host sending to syslog-ng
    destination hosts { file("/var/log/hosts/$HOST/messages" owner(root) group(adm) perm(0640) dir_perm(0750) create_dirs(yes)); };
    log { source(remote); destination(hosts); };

3. Add the pipe to Splunk:

    cat /opt/splunk/etc/system/local/README
    ls -al /opt/splunk/etc/system/README/inputs.*
    -r--r--r-- 1 splunk splunk  5418 2010-07-15 06:10 inputs.conf.example
    -r--r--r-- 1 splunk splunk 20569 2010-07-15 06:10 inputs.conf.spec

    pico /opt/splunk/etc/system/README/inputs.conf.spec

Search for (Ctrl+W): fifo

Has this:

    #*******
    # FIFO:
    #*******
    [fifo://]
    * This directs Splunk to read from a FIFO at the specified path.

Change to:

    #*******
    # FIFO:
    #*******
    [fifo:///var/log/syslog-ng_splunk]
    sourcetype = syslog
    * This directs Splunk to read from a FIFO at the specified path.

(no need to chmod file)

4. Restart splunk and syslog-ng:

    /opt/splunk/bin/splunk restart
    /etc/init.d/syslog-ng restart

Settings for per-host logs: http://mysfitt.net/tutorials/splunk1_fifo.php#configure-syslog

    destination hosts { file("/var/log/hosts/$HOST/messages" owner(root) group(logs) perm(0640) dir_perm(0750) create_dirs(yes)); };
    log { source(remote); destination(hosts); };

Settings for Windows syslog-ng.conf: http://www.splunk.com/wiki/Deploy:CreateSyslogNGRules
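As an added example (not from the original post), the script below rehearses the FIFO hand-off on a scratch path before syslog-ng and Splunk are wired to it: it creates the pipe only if the path is not already a regular file, then plays both ends (a `cat` reader standing in for Splunk's fifo:// input, a `printf` writer standing in for syslog-ng's pipe() destination). The paths and syslog lines are constructed.

```shell
#!/bin/sh
# Create the named pipe if it does not exist yet. Refuse if the path is
# already a regular file: syslog-ng's pipe() would then append to a plain
# file and Splunk's fifo:// input would never receive anything.
make_fifo() {
    path=$1
    if [ -e "$path" ] && [ ! -p "$path" ]; then
        echo "refusing: $path exists and is not a FIFO" >&2
        return 1
    fi
    [ -p "$path" ] || mkfifo -m 0640 "$path"
}

# Drive both ends of the pipe. The reader must attach first: a writer's
# open() on a FIFO blocks until some process holds the read end, which is
# what syslog-ng experiences if Splunk is not running. Prints the number
# of lines the reader received.
run_pipe_demo() {
    fifo=$1
    out=$2
    cat "$fifo" > "$out" &          # stand-in for Splunk reading the FIFO
    reader=$!
    # Constructed syslog-style lines, standing in for syslog-ng's output.
    printf '%s\n' \
        '<13>Jul 15 06:10:01 host1 sshd[2412]: Accepted publickey for ops from 10.0.0.5 port 51022' \
        '<13>Jul 15 06:10:02 host2 sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls' \
        > "$fifo"
    wait "$reader"                  # cat exits once the writer closes its end
    wc -l < "$out" | tr -d ' '
}

# Stand-alone run on a scratch directory (constructed path), then clean up.
scratch=$(mktemp -d)
make_fifo "$scratch/syslog-ng_splunk"
echo "lines delivered through FIFO: $(run_pipe_demo "$scratch/syslog-ng_splunk" "$scratch/received.log")"
rm -rf "$scratch"
```

Nothing is kept on disk by the FIFO itself, so lines written while no reader is attached are not stored for later; the file() destination in the syslog-ng config above is what gives you a durable copy.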