syslog-ng-program-split-example.conf

# Do some normalization of program names
rewrite rewrite_program {
        subst("CRON", "cron", value("PROGRAM"));
        subst("/usr/sbin/cron", "cron", value("PROGRAM"), flags(ignore-case));
        subst("postfix/anvil", "postfix-anvil", value("PROGRAM"));
        subst("postfix/cleanup", "postfix-cleanup", value("PROGRAM"));
        subst("postfix/pickup", "postfix-pickup", value("PROGRAM"));
        subst("postfix/qmgr", "postfix-qmgr", value("PROGRAM"));
        subst("postfix/scache", "postfix-scache", value("PROGRAM"));
        subst("postfix/smtp", "postfix-smtp", value("PROGRAM"));
        subst("postfix/smtpd", "postfix-smtpd", value("PROGRAM"));
};

# List of programs for which we want to change the source type
filter known_program { 
    program("cron") or
    program("CRON") or
    program("anacron", type(string)) or
    program("authmgr", type(string)) or
    program("cfgm", type(string))
    # [...] if you want the full list let me know
  }

# Accept logs from a unix (xenopsychology in this case)  
source syslog_in_xenopsychology {
    udp(ip("log-xenopsychology.example.com") port(514));
    tcp(ip("log-xenopsychology.example.com") port(601));
};

# For programs in the known program list; write the logs to a file for that program so the sourcetype can be set in the input stanza
log {
    source(syslog_in_xenopsychology);
    filter(known_program);
    rewrite(rewrite_program);
    destination(files_xenopsychology_known);
    flags(final);
};

# catch-all for infrequently seen programs or programs whose logs we haven't sourcetyped yet
log {
    source(syslog_in_xenopsychology);
    destination(files_xenopsychology_unknown);
};