Hi Team,
Need help parsing AWS Managed Active Directory logs.
The AD team is writing logs to CloudWatch, and we have the Splunk Add-on for AWS, which consumes these logs through a Kinesis stream.
I have a props config to convert the logs to the xmlwineventlog sourcetype, after which the data is parsed, but not all the fields. I want the add-on to parse using the source [xmlwineventlog:security], but that is not happening.
Here is my props config:
[source://*securitylogs]
Transforms-Index=override_st_props,override_source_props
And transforms as below:
[override_st_props]
REGEX = .
FORMAT = sourcetype::xmlwineventlog
DEST_KEY = MetaData:Sourcetype
[override_source_props]
REGEX = .
FORMAT = source::xmlwineventlog:security
DEST_KEY = MetaData:Source
The sourcetype and source are getting changed, but parsing is happening based on sourcetype as per the Windows add-on and not on source.
Hope I made it clear. Please help.