topic Re: HEC (HTTP Event Collector) host rename using props transforms - ansible tower in Getting Data In

HEC (HTTP Event Collector) host rename using props transforms - ansible tower

merrelr — Tue, 31 Mar 2020 19:33:34 GMT

I've setup HEC on a heavy forwarder to gather logs through HEC for Ansible Tower.

Logs are rolling in, but I can't seem to get props/transforms setup correctly to rename the hostname from IP to text.

props.conf

[host::$ipaddress]  
TRANSFORMS-$hostname_rename = host_rename_$hostname

transforms.conf

[host_rename_$hostname]
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$hostname

I've applied these setting to both the HF and to my Indexer cluster and neither place renames the hostname from IP address to text.

Is there something special with HEC or HF that's preventing these changes from taking place?

darrenfuller — Wed, 01 Apr 2020 13:19:25 GMT

HI Merreir,

Which endpoint are you using to connect to your HEC? /services/collector or /services/collector/event or /services/collector/raw ?

Only data going through /services/collector/event will get affected by props / transforms.

Hope this helps...
./D

merrelr — Wed, 01 Apr 2020 13:26:02 GMT

I'm using the "/services/collector/event" endpoint.

harsmarvania57 — Wed, 01 Apr 2020 13:30:16 GMT

Not /services/collector/event endpoint, if you want to parse data using props/transforms then you need to use /services/collector/raw endpoint.

merrelr — Wed, 01 Apr 2020 13:46:00 GMT

I'll give that a try and see if I can get it to work that way.

merrelr — Wed, 30 Sep 2020 04:48:24 GMT

I had to update the props to use 127.0.0.1 instead of it's actual IP. I'm not sure what changed since yesterday with my testing.

I left the endpoint as /services/collector/event and my props/transforms are working.

props.conf

[host::127.0.0.1]
TRANSFORMS-$hostname_rename = host_rename_$hostname

transforms.conf

[host_rename_$hostname]
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$hostname