https://community.splunk.com/t5/Getting-Data-In/Syslog-ng-filter-filter-props-transforms-for-data-routing/m-p/446757#M77726 <P>Thank you Casello,</P> <P>That is the syslog file and not sure what kind of regex i have to build. </P> Mon, 10 Sep 2018 17:28:23 GMT Splunk_citizen 2018-09-10T17:28:23Z https://community.splunk.com/t5/Getting-Data-In/Syslog-ng-filter-filter-props-transforms-for-data-routing/m-p/446755#M77724 <P>Hello Splunkers,</P> <P>Earlier we were using central syslog-ng server to capture all /var/log/messages from hosts now we have installed UF on unix servers and we are going with UF monitoring instead of syslog route<BR /> We dont want capture all events in /var/log/messages, below ones is previous filters in syslog-ng.conf files in host.<BR /> So now my question is how i can write a transform/props to reflects same like below syslog-ng.conf file and deploy locally in forwards i order to capture /var/log/messages to monitor.</P> <PRE><CODE># destinations destination d_sshpam { file("/var/adm/syslog/sshd.log"); }; destination d_sshpamb { file("/var/adm/syslog/sshd.log"); }; #destination d_sapdelete { file("/dev/null"); }; #destination d_sapruntime { file("/dev/null"); }; #destination d_emfbackground { file("/dev/null"); }; destination d_messages { file("/var/adm/syslog/syslog.log"); }; destination d_logserver {syslog("xx.xx.xx.xx" transport(tcp)); }; log { source(s_local); filter(f_sshpam); destination(d_sshpam); flags(final); }; log { source(s_local); filter(f_sshpamb); destination(d_sshpamb); flags(final); }; #log { source(s_local); filter(f_sapdelete); destination(d_sapdelete); flags(final); }; # #log { source(s_local); filter(f_sapruntime); destination(d_sapruntime); flags(final); }; #log { source(s_local); filter(f_emfbackground); destination(d_emfbackground); flags(final); }; log { source(s_local); destination(d_messages); destination(d_logserver); }; </CODE></PRE> Sun, 09 Sep 2018 19:04:02 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-ng-filter-filter-props-transforms-for-data-routing/m-p/446755#M77724 Splunk_citizen 2018-09-09T19:04:02Z https://community.splunk.com/t5/Getting-Data-In/Syslog-ng-filter-filter-props-transforms-for-data-routing/m-p/446756#M77725 <P>Hi Splunk_citizen,<BR /> you can filter data on Indexers or on Heavy Forwarders.<BR /> To filter events you can see at <A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad" target="_blank">http://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad</A><BR /> In easy words, you have to:</P> <UL> <LI>identify regexes of the logs you want to index or to discard,</LI> <LI><P>indert in props.con the following row in the sourcetype of your syslog:</P> <P>[my_sourcetype]<BR /> TRANSFORMS-filter = setnull,setparsing</P></LI> <LI><P>insert in transforms.conf the following rows (beware that the stanza's names are the same of TRANSFORMS command:</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue<BR /> [setparsing]<BR /> REGEX = my_regex<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P></LI> </UL> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 21:10:16 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-ng-filter-filter-props-transforms-for-data-routing/m-p/446756#M77725 gcusello 2020-09-29T21:10:16Z https://community.splunk.com/t5/Getting-Data-In/Syslog-ng-filter-filter-props-transforms-for-data-routing/m-p/446757#M77726 <P>Thank you Casello,</P> <P>That is the syslog file and not sure what kind of regex i have to build. </P> Mon, 10 Sep 2018 17:28:23 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-ng-filter-filter-props-transforms-for-data-routing/m-p/446757#M77726 Splunk_citizen 2018-09-10T17:28:23Z