topic Re: Windows Event Forwarding in Getting Data In

Windows Event Forwarding

Rhidian — Wed, 21 Apr 2021 16:26:45 GMT

I have Windows Event Forwarding Configured and have installed a Universal Forwarder to send events to a Heavy Forward which then sends them on to the Indexers. I only have a basic configuration on the UF but I need to override a couple of fields such as computer name and index etc. I have setup the input.conf, props.conf and transforms.conf as detailed here https://community.splunk.com/t5/Getting-Data-In/how-can-we-split-forwarded-windows-event-logs-by-host/m-p/61463 on the HF but the configuration seems to get ignored.

I have also simplified this to just having the following in the input.conf on the HF but it makes no difference as events still go to the main index.

[WinEventLog://ForwardedEvents]
index=winevtlog
disabled = 0

Re: Windows Event Forwarding

richgalloway — Wed, 21 Apr 2021 16:49:15 GMT

The inputs.conf changes should go on the UF because that is where the input takes place.

Re: Windows Event Forwarding

Rhidian — Wed, 21 Apr 2021 18:59:28 GMT

Is there not a way to change the index from the HF?

Re: Windows Event Forwarding

richgalloway — Wed, 21 Apr 2021 20:24:58 GMT

Yes, there is, but it's much easier and less fragile to set the index on the UF. IMO, the intermediate HF should be avoided when possible.

Re: Windows Event Forwarding

Rhidian — Wed, 21 Apr 2021 21:10:26 GMT

Perfect thanks, any idea why the rest of the transform isn't working all my events are shown as coming from the WEC and not their actual devices also the source is ForwardedEvents and I would like that to be the actual log they came from, can this be done from the HF?

Re: Windows Event Forwarding

richgalloway — Thu, 22 Apr 2021 12:57:04 GMT

I can't help with the transform. Try posting a new question with the transform in it.