Forwarding rsyslog to Splunk Without a Universal Forwarder

The Problem

The Splunk Universal Forwarder requires glibc. If your log source is running Alpine Linux, a minimal container, an embedded device, or an IoT gateway, you’re out of luck — those environments use musl libc, and the two are binary-incompatible. In my home SOC lab I hit this exact wall. The perimeter firewall VM runs Alpine Linux (chosen for its small footprint and scriptability), and it’s running Suricata generating EVE JSON on the lab-facing interface. I needed that data in Splunk, and the UF wasn’t an option. ...

March 7, 2026 · 4 min

Forwarding Syslog to Wazuh with rsyslog

Why rsyslog to Wazuh?

Wazuh normally collects logs through its own agent, but there are situations where syslog forwarding makes more sense:

- The host can’t run the Wazuh agent (embedded systems, appliances, immutable OSes)
- You want visibility fast without deploying an agent
- You’re forwarding from network devices that only speak syslog
- You need a lightweight option for lab or training environments
- To prevent log tampering

rsyslog gives you a quick path to centralized log collection with minimal footprint on the client. ...

March 1, 2026 · 4 min