Best way to keep up with a lot of new Linux syslog sources?
What features of ESM/Receiver are you using to keep up with a lot of new Linux servers being dropped into an environment? What auto-learning options are available and useful without having so many downsides you don't want to use them?
If the hosts can also send to a syslog server in addition to the receiver, is it better to use syslog relay options and just monitor the syslog server?
I sense there are several ways to do this, but I'm curious what's working for various folks.