# syslog-ng

Abuse syslog-ng contextual data https://syslog-ng.github.io/admin-guide/140_Enriching_log_messages_with_external_data/000_Adding_metadata_from_external_file/000_Using_filters_as_selector

To route messages to splunk using hec

i.e.

if you 

for i in {0..10};do echo "<165>$(date +'%b %e %T') localhost test: lets go! - message=$i" | nc -u 127.0.0.1 1514;done

Then syslog-ng will look for matching filters in filters.conf, then set .meta.splunk_index and .meta.splunk_sourcetype, which you can then use in the HEC destination

# Y tho ?

write directly to splunk without intermediate files.
no enormous fishbucket.
huge persistent disk buffers.