https://community.splunk.com/t5/Getting-Data-In/Forward-specific-Events-to-Nessus-Security-Center/m-p/328237#M60922 <P>Hello</P> <P>We want to forward (and index in Splunk) some Events (Windows Event Logs) to Nessus Security Center Log Correlation Engine.</P> <P>I've tried the following settings on the Indexer:</P> <P><STRONG>"D:\splunk\etc\system\local\props.conf"</STRONG></P> <PRE><CODE>[WinEventLog://Application] TRANSFORMS-routing1=nessus [WinEventLog://Security] TRANSFORMS-routing2=nessus [WinEventLog://System] TRANSFORMS-routing3=nessus </CODE></PRE> <P><STRONG>"D:\splunk\etc\system\local\transforms.conf"</STRONG></P> <PRE><CODE>[nessus] REGEX = . DEST_KEY=_TCP_ROUTING FORMAT=nessusforwarder </CODE></PRE> <P><STRONG>"D:\splunk\etc\system\local\outputs.conf"</STRONG></P> <PRE><CODE>[tcpout] defaultGroup = nothing disabled = 0 [tcpout:nessusforwarder] disabled = 0 server = xx.xx.xx.xx:9445 sendCookedData = false indexAndForward = true </CODE></PRE> <P>Does't work like this, any hints what's wrong in my config?</P> Wed, 01 Mar 2017 10:12:42 GMT nicocin 2017-03-01T10:12:42Z https://community.splunk.com/t5/Getting-Data-In/Forward-specific-Events-to-Nessus-Security-Center/m-p/328237#M60922 <P>Hello</P> <P>We want to forward (and index in Splunk) some Events (Windows Event Logs) to Nessus Security Center Log Correlation Engine.</P> <P>I've tried the following settings on the Indexer:</P> <P><STRONG>"D:\splunk\etc\system\local\props.conf"</STRONG></P> <PRE><CODE>[WinEventLog://Application] TRANSFORMS-routing1=nessus [WinEventLog://Security] TRANSFORMS-routing2=nessus [WinEventLog://System] TRANSFORMS-routing3=nessus </CODE></PRE> <P><STRONG>"D:\splunk\etc\system\local\transforms.conf"</STRONG></P> <PRE><CODE>[nessus] REGEX = . DEST_KEY=_TCP_ROUTING FORMAT=nessusforwarder </CODE></PRE> <P><STRONG>"D:\splunk\etc\system\local\outputs.conf"</STRONG></P> <PRE><CODE>[tcpout] defaultGroup = nothing disabled = 0 [tcpout:nessusforwarder] disabled = 0 server = xx.xx.xx.xx:9445 sendCookedData = false indexAndForward = true </CODE></PRE> <P>Does't work like this, any hints what's wrong in my config?</P> Wed, 01 Mar 2017 10:12:42 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-specific-Events-to-Nessus-Security-Center/m-p/328237#M60922 nicocin 2017-03-01T10:12:42Z https://community.splunk.com/t5/Getting-Data-In/Forward-specific-Events-to-Nessus-Security-Center/m-p/328238#M60923 <P>as you have discovered, this only works on forwarders. Not indexers.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd">http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd</A></P> <P>indexAndForward is a bit misleading. It only works on heavy forwarders and peers in a cluster can't also be heavy forwarders.</P> Wed, 01 Mar 2017 11:50:21 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-specific-Events-to-Nessus-Security-Center/m-p/328238#M60923 jkat54 2017-03-01T11:50:21Z https://community.splunk.com/t5/Getting-Data-In/Forward-specific-Events-to-Nessus-Security-Center/m-p/328239#M60924 <P>thank you jkat54. <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Wed, 01 Mar 2017 12:08:04 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-specific-Events-to-Nessus-Security-Center/m-p/328239#M60924 nicocin 2017-03-01T12:08:04Z