https://community.splunk.com/t5/Getting-Data-In/Selective-Filtered-Indexing-and-Forwarding-to-3rd-party-syslog/m-p/476114#M81713 <P>Hi</P> <P>I am thinking of putting the following on the HF</P> <H4>outputs.conf</H4> <P><CODE></CODE></P> <PRE><CODE>[tcpout] defaultGroup = primary_indexers ### this setting will send all the logs to third party syslog server. This setting seems to be working fine. [syslog] defaultGroup = EverythingtoSyslog [syslog:EverythingtoSyslog] #sendCookedData=false server=1.2.3.4:514 type=udp maxEventSize=5096 </CODE></PRE> <H4>props.conf</H4> <PRE><CODE># For wineventlog sourcetype , i tried to put the following plus the transforms below..but it did not drop the event. [wineventlog] TRANSFORMS-set=wineventlog-setnull,wineventlog-setparsing </CODE></PRE> <H3>transforms.conf</H3> <PRE><CODE>### this following setting should drop events with the eventcode 4624 for example in wineventlog from being send to indexer. The rest of the logs should be sent to primary_indexers. This should not conflict with linux_secure or cisco filtering # For wineventlog sourcetype , i tried to put the following plus the props above..but it did not drop the event. [wineventlog-setparsing] REGEX = . DEST_KEY = queue FORMAT = indexQueue [wineventlog-setnull] REGEX=EventCode=(4624) DEST_KEY = queue FORMAT = nullQueue ### the following setting should Only send events with "ssh" keyword for example in linux_secure to the indexer. Other events in linux_secure sourcetype should not be sent to the indexer. This should not conflict with the wineventlog or cisco filtering. not sure what to put here ### This should send all cisco:asa events to the indexer. This should not conflict with the above 2 settings. not sure what to put here </CODE></PRE> <P></P> Wed, 08 Jan 2020 12:04:48 GMT archme 2020-01-08T12:04:48Z https://community.splunk.com/t5/Getting-Data-In/Selective-Filtered-Indexing-and-Forwarding-to-3rd-party-syslog/m-p/476112#M81711 <P>Hello,</P> <P>Our setup is as follows:</P> <P>Windows/Unix UF -&gt; HF -&gt; IDX Clusters</P> <P>Currently we are sending everything to IDX cluster and 1 copy of the logs to a 3rd party syslog server from the HF.</P> <P>What we are trying to achieve is to send everything to the 3rd party syslog server and only send filtered logs to the idx clusters.</P> <P>Given the scenario of the following sourcetype:<BR /> a) wineventlog<BR /> b) linux_secure<BR /> c) cisco:asa</P> <P>I am trying to figure out how we can :<BR /> a) Send everything to the 3rd party syslog<BR /> b) Drop events with the eventcode 4624 for example in wineventlog from being send to indexer. <BR /> c) Only send events with "ssh" keyword for example in linux_secure to the indexer. Other events in linux_secure sourcetype should not be sent to the indexer.<BR /> d) send all cisco:asa events to the indexer.</P> Wed, 30 Sep 2020 03:32:29 GMT https://community.splunk.com/t5/Getting-Data-In/Selective-Filtered-Indexing-and-Forwarding-to-3rd-party-syslog/m-p/476112#M81711 archme 2020-09-30T03:32:29Z https://community.splunk.com/t5/Getting-Data-In/Selective-Filtered-Indexing-and-Forwarding-to-3rd-party-syslog/m-p/476113#M81712 <P>Event filtering is one of the primary reasons to use an HF as an intermediate forwarder. Your license is not impacted until data reaches the IDX. Why not blacklist the undesired traffic there? </P> Tue, 07 Jan 2020 20:51:59 GMT https://community.splunk.com/t5/Getting-Data-In/Selective-Filtered-Indexing-and-Forwarding-to-3rd-party-syslog/m-p/476113#M81712 mydog8it 2020-01-07T20:51:59Z https://community.splunk.com/t5/Getting-Data-In/Selective-Filtered-Indexing-and-Forwarding-to-3rd-party-syslog/m-p/476114#M81713 <P>Hi</P> <P>I am thinking of putting the following on the HF</P> <H4>outputs.conf</H4> <P><CODE></CODE></P> <PRE><CODE>[tcpout] defaultGroup = primary_indexers ### this setting will send all the logs to third party syslog server. This setting seems to be working fine. [syslog] defaultGroup = EverythingtoSyslog [syslog:EverythingtoSyslog] #sendCookedData=false server=1.2.3.4:514 type=udp maxEventSize=5096 </CODE></PRE> <H4>props.conf</H4> <PRE><CODE># For wineventlog sourcetype , i tried to put the following plus the transforms below..but it did not drop the event. [wineventlog] TRANSFORMS-set=wineventlog-setnull,wineventlog-setparsing </CODE></PRE> <H3>transforms.conf</H3> <PRE><CODE>### this following setting should drop events with the eventcode 4624 for example in wineventlog from being send to indexer. The rest of the logs should be sent to primary_indexers. This should not conflict with linux_secure or cisco filtering # For wineventlog sourcetype , i tried to put the following plus the props above..but it did not drop the event. [wineventlog-setparsing] REGEX = . DEST_KEY = queue FORMAT = indexQueue [wineventlog-setnull] REGEX=EventCode=(4624) DEST_KEY = queue FORMAT = nullQueue ### the following setting should Only send events with "ssh" keyword for example in linux_secure to the indexer. Other events in linux_secure sourcetype should not be sent to the indexer. This should not conflict with the wineventlog or cisco filtering. not sure what to put here ### This should send all cisco:asa events to the indexer. This should not conflict with the above 2 settings. not sure what to put here </CODE></PRE> <P></P> Wed, 08 Jan 2020 12:04:48 GMT https://community.splunk.com/t5/Getting-Data-In/Selective-Filtered-Indexing-and-Forwarding-to-3rd-party-syslog/m-p/476114#M81713 archme 2020-01-08T12:04:48Z