Forum Discussion
Christian_15126
Nov 14, 2013
Nimbostratus
So this turned out to be a completely managed-solution issue with Splunk and the vendor who was managing it. They were doing some crazy regex filters to segregate traffic between indexes, and the regexes couldn't handle the BIG-IP adding the local/ into the syslog messages and were unable to parse them properly. We were able to manually remove the local/ from the syslog-ng.conf file, but as you guys know, every time you restart the syslog-ng service (or reboot and restart all services), the file gets overwritten and the local/ comes back. In the end it was a moot point, as once we brought Splunk in-house and used a traditional indexing design without funky regexes, the issue went away. Thanks for the help though!
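The parsing failure described in the post, shown as an added example (editor's illustration, not the poster's code or the vendor's Splunk configuration). It assumes BIG-IP writes the local/ prefix immediately before the hostname field of an otherwise standard BSD-syslog line, as the post implies; the sample lines, the program-to-index table and the index names are constructed for the demonstration. A hostname pattern restricted to DNS characters rejects every local/ line, so those events fall through to the catch-all index; allowing the prefix as an optional, separately captured group routes both forms identically.

```python
import re

# Constructed sample lines modelled on the post: the same BIG-IP message with
# and without the "local/" prefix that syslog-ng inserts before the hostname.
SAMPLE_LINES = [
    "Nov 14 09:12:01 bigip1 notice tmm[1234]: 01010028:5: No members available for pool /Common/app_pool",
    "Nov 14 09:12:02 local/bigip1 notice tmm[1234]: 01010028:5: No members available for pool /Common/app_pool",
    "Nov 14 09:12:03 local/bigip1.example.com info sshd[2222]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    "Nov 14 09:12:04 bigip1 warning httpd[3333]: pam_audit: user=admin(admin) authentication failure",
]

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
TAIL = r" (?P<sev>[a-z]+) (?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"

# Strict pattern: the hostname is limited to DNS characters, so a "/" in
# "local/bigip1" makes the whole match fail and the event is never classified.
STRICT = re.compile(TS + r" (?P<host>[\w.-]+)" + TAIL)

# Tolerant pattern: the "local/" prefix is optional and captured on its own,
# so the hostname and program fields are identical for both line forms.
TOLERANT = re.compile(TS + r" (?:(?P<src>local)/)?(?P<host>[\w.-]+)" + TAIL)

# Hypothetical routing table (program name -> destination index); the names
# are made up for the example and are not from the post.
PROGRAM_TO_INDEX = {"tmm": "f5_traffic", "sshd": "f5_auth", "httpd": "f5_auth"}
FALLBACK_INDEX = "main"


def parse(line, pattern):
    """Return the named fields of one syslog line, or None if it does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def route(lines, pattern):
    """Pick an index per line from the program field; unparsed lines go to the fallback."""
    out = []
    for line in lines:
        fields = parse(line, pattern)
        if fields is None:
            out.append(FALLBACK_INDEX)
        else:
            out.append(PROGRAM_TO_INDEX.get(fields["prog"], FALLBACK_INDEX))
    return out


def misrouted(lines, pattern):
    """Count lines that landed in the fallback index instead of a real one."""
    return sum(1 for idx in route(lines, pattern) if idx == FALLBACK_INDEX)


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT), ("tolerant", TOLERANT)):
        print(name, route(SAMPLE_LINES, pattern), "misrouted:", misrouted(SAMPLE_LINES, pattern))
```

Checking how many events land in the fallback index is the quickest way to catch this class of problem after a vendor or device changes its line format: with the strict pattern the two local/ lines are silently demoted, with the tolerant one none are.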