https://community.splunk.com/t5/Getting-Data-In/Route-Windows-events-in-RFC3614-format-to-splunk-and-Syslog/m-p/429328#M75217 <P>hi,</P> <P>we are trying to route windows security event logs from UF's to Splunk indexers and also to a syslog aggregator.</P> <P>we would like to read the event log only once on the UF and are using a HF as interim relay to route data to desired locations.</P> <P>On UF we have the Splunk_TA_Windows application deployed</P> <P>On HF we have a outputs.conf:<BR /> [tcpout]<BR /> connectionTimeout = 45<BR /> defaultGroup = all_indexers<BR /> forwardedindex.0.whitelist = .*</P> <P>[tcpout:all_indexers]<BR /> autoLB = true<BR /> server = IDX1:9997, IDX2:9997</P> <P>[syslog]<BR /> connectionTimeout = 45</P> <P>[syslog:clf_syslog_group]<BR /> server = Syslog1:514</P> <P>Props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog<BR /> SEDCMD = s/[\t\n\r]/ /g<BR /> TRUNCATE = 0</P> <P>Transforms.conf</P> <P>[WinSecEvent-Splunk]<BR /> REGEX = (.)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = all_indexers</P> <P>[WinSecEvent-Syslog]<BR /> REGEX = (.)<BR /> DEST_KEY = _SYSLOG_ROUTING<BR /> FORMAT = clf_syslog_group</P> <P>The above configuration works fine until the part where it routes data to different output groups.</P> <P>However, I would like the splunk indexed logs would still be in the RFC 3614 or splunk parsed format but have events on syslog as normalized using above props.</P> <P>is this a possibility? how do we apply two parsing patterns for one sourcetype? - maybe based on the output group?</P> <P>please advise.</P> <P>Thanks.</P> Wed, 30 Sep 2020 01:37:26 GMT shivarpith 2020-09-30T01:37:26Z https://community.splunk.com/t5/Getting-Data-In/Route-Windows-events-in-RFC3614-format-to-splunk-and-Syslog/m-p/429328#M75217 <P>hi,</P> <P>we are trying to route windows security event logs from UF's to Splunk indexers and also to a syslog aggregator.</P> <P>we would like to read the event log only once on the UF and are using a HF as interim relay to route data to desired locations.</P> <P>On UF we have the Splunk_TA_Windows application deployed</P> <P>On HF we have a outputs.conf:<BR /> [tcpout]<BR /> connectionTimeout = 45<BR /> defaultGroup = all_indexers<BR /> forwardedindex.0.whitelist = .*</P> <P>[tcpout:all_indexers]<BR /> autoLB = true<BR /> server = IDX1:9997, IDX2:9997</P> <P>[syslog]<BR /> connectionTimeout = 45</P> <P>[syslog:clf_syslog_group]<BR /> server = Syslog1:514</P> <P>Props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog<BR /> SEDCMD = s/[\t\n\r]/ /g<BR /> TRUNCATE = 0</P> <P>Transforms.conf</P> <P>[WinSecEvent-Splunk]<BR /> REGEX = (.)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = all_indexers</P> <P>[WinSecEvent-Syslog]<BR /> REGEX = (.)<BR /> DEST_KEY = _SYSLOG_ROUTING<BR /> FORMAT = clf_syslog_group</P> <P>The above configuration works fine until the part where it routes data to different output groups.</P> <P>However, I would like the splunk indexed logs would still be in the RFC 3614 or splunk parsed format but have events on syslog as normalized using above props.</P> <P>is this a possibility? how do we apply two parsing patterns for one sourcetype? - maybe based on the output group?</P> <P>please advise.</P> <P>Thanks.</P> Wed, 30 Sep 2020 01:37:26 GMT https://community.splunk.com/t5/Getting-Data-In/Route-Windows-events-in-RFC3614-format-to-splunk-and-Syslog/m-p/429328#M75217 shivarpith 2020-09-30T01:37:26Z