I'm trying to set up Windows Event Log collection via chained Universal Forwarders to my Indexer. I'm not able to set the index in inputs.conf, so I am trying to set it on the indexer, but with no luck. I'm also manipulating the sourcetype and host fields to show the original values, which is working fine.
So far I have:
props.conf

[source::WinEventLog:ForwardedEvents]
TRANSFORMS-Index = Set-Index
TRANSFORMS-Host = Set-Host-ComputerName
TRANSFORMS-LogName = Set-Sourcetype-LogName

transforms.conf

[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX = source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = index::MyIndex**

[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.*)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1

[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.*)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WinEventLog:$1
My struggle is with setting the index at index time.
Okay... next weird thing: the _MetaData:Index key doesn't want an index:: prefix - and I'm guessing the ** is not actually in your conf?
OK, I now have this:
[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX = source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = MyIndex
The logs are still hitting the main index.
You need something that matches - could be what you have now, could just be this:
[Set-Index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = MyIndex
That'd match "raw event has at least one char", ie every event.
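Putting the thread's pieces together, here is a complete props.conf / transforms.conf pair for the indexer that routes the forwarded events to a dedicated index and keeps the original host and log name. This is an added example, not the original poster's or the answerer's conf: it assumes the index name MyIndex and the source name WinEventLog:ForwardedEvents from the thread, and that MyIndex already exists on the indexer (events routed to a nonexistent index are not written to it). The index transform uses the default SOURCE_KEY of _raw with REGEX = ., so it matches every event that reaches the stanza; the host and sourcetype transforms are the ones already shown working above.

```ini
# props.conf (indexer) -- added example, not from the original thread.
# The source stanza limits all three transforms to the forwarded-events source.
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-Index = Set-Index
TRANSFORMS-Host = Set-Host-ComputerName
TRANSFORMS-LogName = Set-Sourcetype-LogName

# transforms.conf (indexer) -- added example, not from the original thread.

# Index override: DEST_KEY is _MetaData:Index and FORMAT is the bare index
# name (no "index::" prefix). REGEX = . runs against _raw (the default
# SOURCE_KEY) and matches any non-empty event, so every event from the
# source above is routed. MyIndex is assumed to exist on the indexer.
[Set-Index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = MyIndex

# Host override: take the ComputerName= value out of the event body so the
# host shows the originating machine, not the collector.
[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.*)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1

# Sourcetype override: rebuild WinEventLog:<LogName> from the LogName= line.
[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.*)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WinEventLog:$1
```

After restarting splunkd on the indexer, check the routing with a search such as index=MyIndex source="WinEventLog:ForwardedEvents" and confirm that nothing new with that source is still landing in index=main. Because these are index-time transforms, they only take effect on events parsed after the change; events already written to main stay there.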