topic Re: Change sourcetype for data coming from UF in Getting Data In

Change sourcetype for data coming from UF

lukasmecir — Fri, 18 Dec 2020 17:17:51 GMT

Hello Splunkers,

I need help with change sourcetype in logs.

There is UF installed on Win server. I would like to collect Windows log, so Splunk add-on for Windows is installed on UF. There is no config change in add-on itself, only I made separate app for collectin Application log wit simple input.conf file:

# Windows platform specific input processor.
[WinEventLog://Application]
index = windows_app
disabled = 0
renderXml=false

Log is going from UF to HF. On HF I would like to change sourcetype for part of Win log, namely for Citrix FAS log. So I made app on HF with this content:

props.conf
[WinEventLog]
TRANSFORMS-win_citrix_fas_sourcetype = citrix_fas_sourcetype

transforms.conf
[citrix_fas_sourcetype]
REGEX = SourceName=Citrix\.Authentication\.FederatedAuthenticationService
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::citrix_fas

Splunk add-on for Windows is installed on HF as well.

Problem is log is indexed with sourcetype=WinEventLog, so my app on HF is manifestly ineffective. Of course, my app has Global permissions and is enabled. And REGEX in transforms.conf should be OK. Could you someone help me point out what is wrong? AFAIK it should be working...

Thank in advance for help.

Regards

Lukas

Re: Change sourcetype for data coming from UF

gcusello — Fri, 18 Dec 2020 17:30:34 GMT

Hi @lukasmecir,

the only not correcy thing I see is that in the regex you didn't escaped = but it should be not relevant.

Couls you share a sample of your logs?

Also configurations on HF should seem OK.

A final stupid question: are you sure that those logs pass through the HF?

Ciao.

Giuseppe

Re: Change sourcetype for data coming from UF

scelikok — Sat, 19 Dec 2020 10:45:09 GMT

@lukasmecir, on props.conf you can try with source stanza which has higher precedence.

props.conf [source::WinEventLog:Application] TRANSFORMS-win_citrix_fas_sourcetype = citrix_fas_sourcetype

Re: Change sourcetype for data coming from UF

saravanan90 — Sat, 19 Dec 2020 16:56:44 GMT

It seems the actual sourcetype is not WinEventLog. The original sourcetype is "WinEventLog:Application".

It is being renamed as wineventlog during the search time. Please find below the props.conf for renaming from the TA.

[WinEventLog:Application]
rename = wineventlog

Re: Change sourcetype for data coming from UF

lukasmecir — Mon, 21 Dec 2020 09:07:19 GMT

Hi Giuseppe,

here is log sample:

12/17/2020 03:25:13 PM
LogName=Application
SourceName=Citrix.Authentication.FederatedAuthenticationService
EventCode=105
EventType=4
Type=Information
ComputerName=TV1EPVFD2001.acme.com
TaskCategory=None
OpCode=Info
RecordNumber=5200505
Keywords=Classic
Message=[S105] Server [CSINT\TV1EPVSF1003$] issued identity assertion [upn: tt-60807@ext.com, role Default, Security Context: []]. [correlation: 15ed3202-3d19-4bc2-8060-371dcbaf2dca]

Re: Change sourcetype for data coming from UF

gcusello — Mon, 21 Dec 2020 11:30:13 GMT

Hi @lukasmecir,

viewing the sample you sent the regex seems to be correct (escaping "="):

REGEX = SourceName\=Citrix\.Authentication\.FederatedAuthenticationService

As hinted by @scelikok, it could be a good idea to use Source instead Sourcetype as stanzas header:

[source::WinEventLog:Application]

this is caused by the different classification of Windows events.

Did you checked if all the logs pass through the HF?

If not, put the same props.conf and transforms.conf stanzas also on Indexers.

Ciao.

Giuseppe

Re: Change sourcetype for data coming from UF

lukasmecir — Tue, 22 Dec 2020 15:07:54 GMT

Hi all,

finally I used solution proposed by @scelikok - and it works! Problem solved. I would like to thank you all for your effort and Marry Christmas and Happy New Year to all!