Best practices on multiple syslog sources

Hi all,

Just asking some expert opinions here, my main objective currently is to ingest syslogs from multiple sources (assuming there are 10 different brands and syslog streams).

I understand that there are ways to add tags and conditions to "differentiate" the sources (if its all coming from the same port). From lab testing, the pipelines and overall configuration seem to be abit more complex to manage as it forms a "single" large file.

On the other hand, if we somehow force these syslog to send on different ports (Brand A = port 514, Brand B = port 515, Brand C = port 516, etc..). This design seem to be easier to manage. However, all of these are based on lab testing, and not real world environment.

In actual production environment, is there a "better" way between those 2 methods that I mentioned above to do this? What are some of the syslog deployment method that you see in your experience?

I find it easiest to send to different ports - as long as it's documented.