I was wondering if it's possible for the below:
Server A - Contains the Event logs... i.e. a domain controller
Server B - Splunk pulls all the Event logs from Server A and filters them, then forwards them to Server C (where Splunk is running in a receive mode)
Server C - Receives the filtered logs from Server B.
Now... for the tricky bit... I would then like to re-filter with a different set of criteria on Server C and then forward anything that matches to a syslog server that our administrators use....
So far I haven't been able to accomplish this... and I'm not sure whether that's because it can't be done as the logs weren't received in a syslog format from Server A, or more likely because I'm stuffing up the config on Server C....
I am trying to use the below....
```ini
# props.conf
TRANSFORMS-wmi = Syslog

# transforms.conf
REGEX = (?msi)^EventCode=(632)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ORION

# outputs.conf
defaultGroup = nullGroup
indexAndForward = 1
disabled = false
server = 220.127.116.11:514
```
If anyone can point me in the right direction it would be appreciated!
So basically you have the logs on Server C, where Splunk is also running, and you want Splunk to forward those logs to another server? I'm not aware of Splunk having the capability to forward to another non-Splunk server. If you're using Linux you could check out syslog-ng or rsyslogd.
Splunk forwarders (LWF and UF) can only forward in Splunk format.
A Splunk indexer can forward events as:
- syslog (udp or tcp)
- tcp raw
- splunk format (to another splunk server)
If you want to set up parsing rules (like filtering) it is only possible on an indexer or a heavy forwarder.
So in your case, the intermediate server can be a heavy forwarder and filter the events before forwarding them.
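The set-up the answer above describes, written out as an added example (not configuration from the original thread): a props.conf / transforms.conf / outputs.conf trio on the heavy forwarder, i.e. Server B in the question, which is where parsing happens. A heavy forwarder sends already-parsed ("cooked") data, and the receiving indexer does not run parsing-time props/transforms on it again, so a syslog-routing transform placed on Server C never fires; it has to sit on the box that parses. The hostnames, the stanza and group names, and the sourcetype `WMI:WinEventLog:Security` (the default the WMI event-log input assigns, worth confirming on your install) are assumptions. The regex is tightened as well: the posted `^EventCode=(632)` has no right-hand anchor, so under the `m` flag it would also match a line such as `EventCode=6320`.

```ini
# Added example, not from the thread. Hostnames, ports and stanza names are
# assumptions. Splunk .conf files only accept comments on their own line.

# --- props.conf (on the heavy forwarder, Server B) ---------------------------
# Assumed sourcetype: what the WMI event-log input assigns to Security logs.
[WMI:WinEventLog:Security]
TRANSFORMS-routing = route_632_to_admin_syslog

# --- transforms.conf ----------------------------------------------------------
[route_632_to_admin_syslog]
# (?m): ^ matches at the start of every line inside the multi-line WMI event.
# \b after 632 stops longer codes (6320, 6321, ...) from matching.
REGEX = (?mi)^EventCode=632\b
DEST_KEY = _SYSLOG_ROUTING
# Must match the [syslog:<name>] stanza in outputs.conf.
FORMAT = admin_syslog

# --- outputs.conf -------------------------------------------------------------
[tcpout]
# All events keep going to Server C in Splunk format.
defaultGroup = serverC
# Optional: also keep a local copy on the heavy forwarder.
indexAndForward = 1

[tcpout:serverC]
server = serverC.example.internal:9997

# Syslog group that matching events are routed to.
[syslog:admin_syslog]
server = syslog.example.internal:514
# Use tcp if the administrators' syslog server listens on TCP instead.
type = udp
```

To verify, generate one event with the target code on the domain controller, then watch the syslog host's UDP/514 (for example with tcpdump) and check `splunkd.log` on the heavy forwarder for syslog output errors. If nothing arrives, confirm the event's sourcetype on Server B matches the props.conf stanza before touching the regex.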