exim4 + splunk yes. syslog is shot over udp and the ordering can be weird and stuff can be lost, because well, that's udp. but, just for fun, let's throw our mail logs over to a splunk server. and to the local system. exim4 only allows for two places to plop logs, so be mindful i'm runng ubuntu 12.02.1 lts. it has rsyslogd (default conf) and exim4. regarding syslog facilities, do recall: main log is mapped to LOG_INFO reject log is mapped to LOG_NOTICE panic log is mapped to LOG_ALERT you'll need to uncomment out those and have them forwarded to @loghost . first thing, edit /etc/exim4/update-exim4.conf to your liking. make sure dc_use_split_config='true' is set. at the very end of: /etc/exim4/conf.d/main/02_exim4-config_options place: .ifndef LOG_FILE_PATH LOG_FILE_PATH = syslog : /var/log/exim4/%slog .endif log_file_path = LOG_FILE_PATH those variable definitions are important. no definitions mean no application. then issue: update-exim4.conf and: /etc/init.d/exim4 restart to see if exim4 for real took that setting, issue: exim4 -bP log_file_path and it should look like: log_file_path = syslog : /var/log/exim4/%slog send some mail and check mainlog and splunk. yeah. awesome.