This option allows us to split the network feed by the program or process involved, as defined in the message. This can be useful for segregating events by sshd, ftp, docker, etc. where that is required.

Log Receiver requirement: To receive events over UDP:514 from various devices on the network and split them by ‘Program’.

Using the Log Receiver dashboard, we have created:

  • a Rule called Syslog Server
  • a Source called syslog_UDP
  • a Destination called syslog_UDP_dest
  • a Destination Filename called syslog_UDP.log

We have enabled the ‘Program’ option from the Log File Splitting selector to create separate sub-directories containing events with different program/process values, for example:

/opt/sbox/data/syslog_UDP/sshd/syslog_UDP.log
/opt/sbox/data/syslog_UDP/ftp/syslog_UDP.log
/opt/sbox/data/syslog_UDP/dockerd/syslog_UDP.log
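The following is an added example, not the Log Receiver's own code, showing what the ‘Program’ split does and the one check it needs to be safe: the program name is taken from a message that arrived over the network, so it must be validated before it becomes a directory name. It assumes RFC 3164 style lines (`<PRI>TIMESTAMP HOST TAG[PID]: MSG`), uses the directory layout shown above, and the sample lines are constructed rather than captured from any host.

```python
import os
import re
from collections import defaultdict

# Constructed sample syslog lines (RFC 3164 style); not from any real host.
# The last two show the edge cases: a hostile tag and a message with no tag.
SAMPLE_LINES = [
    "<38>Mar  4 10:15:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "<30>Mar  4 10:15:02 host2 ftp[221]: connection from 10.0.0.9",
    "<30>Mar  4 10:15:03 host3 dockerd[911]: container started",
    "<38>Mar  4 10:15:04 host1 sshd[1235]: Failed password for root from 10.0.0.7 port 50123 ssh2",
    "<13>Mar  4 10:15:05 host4 ../../etc[1]: tag containing path separators",
    "<13>Mar  4 10:15:06 host4 no tag message here",
]

# Layout from the page: <base>/<program>/<destination filename>
BASE_DIR = "/opt/sbox/data/syslog_UDP"
FILENAME = "syslog_UDP.log"

# <PRI>TIMESTAMP HOST TAG[PID]: MSG  (TAG stops at whitespace, ':' or '[')
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s([^\s:\[]+)(?:\[(\d+)\])?:\s(.*)$"
)

# Only these characters may appear in a program name used as a directory.
SAFE_PROGRAM_RE = re.compile(r"^[A-Za-z0-9_.-]{1,48}$")


def parse_program(line):
    """Return the TAG (program) field of a syslog line, or None if unparsable."""
    m = SYSLOG_RE.match(line)
    return m.group(4) if m else None


def safe_program_dir(program):
    """Map a program name to a directory-safe name; unsafe or missing -> 'unknown'."""
    if program is None or program in (".", "..") or not SAFE_PROGRAM_RE.match(program):
        return "unknown"
    return program


def route_line(line, base_dir=BASE_DIR, filename=FILENAME):
    """Compute the destination file for one line, refusing anything outside base_dir."""
    program = safe_program_dir(parse_program(line))
    path = os.path.join(base_dir, program, filename)
    # Belt-and-braces: the resolved path must remain beneath the base directory.
    if not os.path.realpath(path).startswith(os.path.realpath(base_dir) + os.sep):
        raise ValueError("refusing to write outside base directory: %r" % path)
    return path


def split_by_program(lines, base_dir=BASE_DIR, filename=FILENAME):
    """Group lines by destination path, as the Program split would write them."""
    buckets = defaultdict(list)
    for line in lines:
        buckets[route_line(line, base_dir, filename)].append(line)
    return dict(buckets)


if __name__ == "__main__":
    for path, lines in sorted(split_by_program(SAMPLE_LINES).items()):
        print("%s  (%d lines)" % (path, len(lines)))
```

Lines whose tag fails the allow-list, or that carry no tag at all, are routed to an `unknown` sub-directory rather than dropped, so nothing is lost and a sudden growth of that directory is itself worth alerting on.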