We have the event logs of many Windows servers getting indexed via universal forwarders into a number of different index names. The data inputs for each of these sources were originally configured using the default tcp-raw sourcetype because we also have other OSes and devices forwarding data to the same indexes. Now, I would like all of the Windows machines to have WinEventLog:Security, WinEventLog:Application, and WinEventLog:System sourcetypes applied instead of tcp-raw to take advantage of some of the Windows apps. What would be the best way to go about this?
Did you specifically set the sourcetype to something in inputs.conf on the forwarders, because they will default to the (correct) sourcetype names that you mention in your question. Or did you make some index-time transform to change it into
You probably can't apply the new (correct) names properly, for already indexed data. It's like un-mixing purple paint into blue and red.
For getting the correct sourcetype for new events coming in, you should remove the
sourcetype=tcp-raw setting under each
[WinEventLog:Security] stanza in inputs.conf on all forwarders. The same for
Application, of course.
Or if you're doing a transform, remove that.
Other than that, you could have a look at this piece of doc, but it won't help too much I'm afraid.
Don't know what you mean by 'options are disabled'? Did you mean to say that in props.conf on the indexer you have a stanza like:
In that case, just remove that and the new events coming in should be fine.
No, nothing was set on the forwarders to specify a sourcetype and nothing was defined in transforms.conf. On the indexer in inputs.conf, it's set to sourcetype=tcp-raw for each source and also all of the WinEventLog options are disabled.