Hi,
I am trying to forward the Windows events from Splunk to a 3rd party syslog system. I checked the docs and also several answers here.
I have a Search head, an Indexer and Universal Forwarder (UF) agents on the source Windows servers. (Splunk version 7.1.3)
The UFs forward all the events to the indexer with no problems. The IX forwards all(?) — or at least most — of the required events to the 3rd party system, but it is also forwarding some other syslog messages (received from VMware vCenter) which it should not do.
What am I doing wrong?
The outputs.conf on the IX:
[syslog]
[syslog:external]
server=192.168.10.134:514
priority=NO_PRI
The transforms.conf on the IX:
[send_to_syslog]
REGEX = .
DEST_KEY=_SYSLOG_ROUTING
FORMAT=external
I am using Windows TA v4.8.4. I tried to find out how to configure it to forward all the System/Application/Security events and nothing else.
So I added the following code in several places in props.conf:
TRANSFORMS-external = send_to_syslog
Regards,
István
Hi @ikulcsar,
Can you please provide the props.conf configuration from the Indexers?
You need to configure props.conf on the Indexer only for those sourcetypes from which you want to send traffic to the 3rd party.
For example, if you want to forward only WinEventLog:Application and WinEventLog:Security to the syslog server, props.conf should look like this:
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog
Hi,
Thx. I found the problem which caused the non-requested syslog forwarding... I forgot to delete some config from the previous test...
The Windows TA v4.8.4 is a little messy, at least for me. I didn't find 3 identical stanzas for the System/App/Security events...
Finally, these are the ones I chose:
[source::WinEventLog:System]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[source::*:Security]
TRANSFORMS-external = send_to_syslog
So far looks good. Thx.
You can use the configuration below in props.conf, which is easier to understand because all 3 stanzas use sourcetypes.
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog
[WinEventLog:System]
TRANSFORMS-external = send_to_syslog
Thx, works.
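As an added example (not code from this thread or from Splunk), here is a small Python audit that parses props.conf and transforms.conf as written in the stanzas above and lists every stanza that routes events to a syslog output via _SYSLOG_ROUTING, flagging [default] and wildcard stanzas, the kind of leftover that would forward unrelated data such as the vCenter syslog. The sample configs inside are constructed, including a hypothetical leftover [default] stanza.

```python
import configparser

# Constructed sample configs (not the thread's files). The [default] stanza is a
# hypothetical leftover from an earlier test: it routes every sourcetype.
TRANSFORMS_CONF = """
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external
"""

PROPS_CONF = """
[default]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog

[source::*:System]
TRANSFORMS-external = send_to_syslog
"""

def parse_conf(text):
    """Parse Splunk .conf text: '=' delimiter only, case-preserving keys."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep DEST_KEY / TRANSFORMS-external as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def syslog_transforms(transforms_text):
    """Names of transforms whose DEST_KEY hands events to a syslog output."""
    return {name for name, kv in parse_conf(transforms_text).items()
            if kv.get("DEST_KEY", "").strip() == "_SYSLOG_ROUTING"}

def audit_routing(props_text, transforms_text):
    """List (stanza, transform, flag) for every stanza routing to syslog.
    flag is 'broad' for [default] or wildcard stanzas, 'ok' otherwise."""
    targets = syslog_transforms(transforms_text)
    findings = []
    for stanza, kv in parse_conf(props_text).items():
        for key, value in kv.items():
            if key.startswith("TRANSFORMS-"):
                for name in (v.strip() for v in value.split(",")):
                    if name in targets:
                        flag = "broad" if stanza == "default" or "*" in stanza else "ok"
                        findings.append((stanza, name, flag))
    return findings
```

Run `audit_routing(open("props.conf").read(), open("transforms.conf").read())` on the indexer's merged config (btool output works too) and review every entry flagged "broad" before pointing the output at the syslog server.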