Kiwi Syslog is pretty good; Splunk can also be set up to listen on UDP port 514 to take in syslog information.
Syslog setup is pretty simple:
Configuration > Report Settings > Syslog
Check 'Enable syslog messages'
It is normally a good idea to choose a source interface that is on the same subnet as your syslog server.
Check 'Enable' and enter the IP address of your syslog server, the port (514) and the facility (LOCAL0 is fine), then choose the types of items you want to track:
- Event log - event log entries
- Traffic log - traffic log entries
- TCP - syslog over TCP
Setting a source address is good when you are using a syslog server setup that segregates logs by host. For example, we use a FreeBSD syslog server that places logs from each device in a directory, with each host having a log name like host1.log, host2.log, host3.log, etc.
I set 'Source interface' to my Trust interface on the SSG because I want the logs to come from the same source IP that my syslog server is expecting to see them from (i.e. IP 192.168.1.1 is 'host3' so the log will be 'host3.log' on my syslog server).
Syslog is pretty straightforward, so any syslog server will work fine; one that automatically rotates the logs for you after a certain size or at a set interval is nice as well.
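To make the per-host filing concrete, here is a small UDP syslog receiver written for this post as an added example (it is not the FreeBSD configuration above, nor anything shipped with the SSG, Kiwi or Splunk). It decodes the syslog PRI into facility and severity, checks that a message really arrived on the facility the device was configured for (LOCAL0), and picks the log file from the sender's source IP in the same way the host3.log example does. The `HOST_BY_IP` table and the sample datagrams are constructed for the example; binding port 514 needs root or an equivalent privilege.

```python
"""Minimal syslog receiver that files each message by sending host (added example)."""
import os
import socket
from typing import NamedTuple, Optional

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424). LOCAL0, the facility chosen above, is 16.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
LOCAL0 = 16

# Constructed mapping (an assumption for this example) from the source-interface IP of
# each device to the log name it should be filed under, mirroring the host3.log scheme.
HOST_BY_IP = {"192.168.1.1": "host3", "192.168.1.2": "host1", "192.168.1.3": "host2"}


class SyslogRecord(NamedTuple):
    facility: str
    severity: str
    host: Optional[str]
    logfile: str
    facility_ok: bool   # False when the device sent on a facility other than the expected one
    message: str


def parse_pri(raw: str):
    """Split '<PRI>rest' into (facility, severity, rest); ValueError if the PRI is absent or malformed."""
    if not raw.startswith("<"):
        raise ValueError("missing PRI")
    end = raw.find(">", 1, 5)            # PRI is 1-3 digits, so '>' must sit within the first 5 chars
    if end == -1 or not raw[1:end].isdigit():
        raise ValueError("malformed PRI")
    pri = int(raw[1:end])
    if pri > 191:                        # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, raw[end + 1:]


def route_message(source_ip: str, raw: str, expected_facility: int = LOCAL0) -> SyslogRecord:
    """Choose the per-host log file from the sender's IP and flag unexpected facilities.
    Unknown senders still get a file (unknown-<ip>.log) so nothing is silently dropped."""
    fac, sev, rest = parse_pri(raw)
    host = HOST_BY_IP.get(source_ip)
    logfile = f"{host}.log" if host else f"unknown-{source_ip}.log"
    return SyslogRecord(FACILITIES.get(fac, f"unknown({fac})"), SEVERITIES[sev],
                        host, logfile, fac == expected_facility, rest)


def serve(bind_addr: str = "0.0.0.0", port: int = 514, logdir: str = "logs") -> None:
    """Listen for UDP syslog and append each message to its host's file (port 514 needs root)."""
    os.makedirs(logdir, exist_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            try:
                rec = route_message(ip, data.decode("utf-8", errors="replace"))
            except ValueError as exc:
                print(f"dropping datagram from {ip}: {exc}")
                continue
            with open(os.path.join(logdir, rec.logfile), "a") as fh:
                fh.write(f"{rec.facility}.{rec.severity} {rec.message}\n")
            if not rec.facility_ok:
                print(f"{ip}: got facility {rec.facility}, expected {FACILITIES[LOCAL0]}")


if __name__ == "__main__":
    serve()
```

Keying the file name on the source IP rather than on the hostname inside the message is deliberate: the IP comes from the datagram and is what the source-interface setting on the SSG controls, whereas the hostname field is whatever the sender chose to write. The facility check is a cheap sanity test that the device really is sending on LOCAL0 as configured.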