Hello Splunkers,
I need help with change sourcetype in logs.
There is a UF installed on a Windows server. I would like to collect the Windows log, so the Splunk add-on for Windows is installed on the UF. There is no config change in the add-on itself; I only made a separate app for collecting the Application log with a simple inputs.conf file:
# Windows platform specific input processor.
[WinEventLog://Application]
index = windows_app
disabled = 0
renderXml=false
The log goes from the UF to a HF. On the HF I would like to change the sourcetype for part of the Windows log, namely for the Citrix FAS log. So I made an app on the HF with this content:
props.conf
[WinEventLog]
TRANSFORMS-win_citrix_fas_sourcetype = citrix_fas_sourcetype
transforms.conf
[citrix_fas_sourcetype]
REGEX = SourceName=Citrix\.Authentication\.FederatedAuthenticationService
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::citrix_fas
The Splunk add-on for Windows is installed on the HF as well.
The problem is that the log is indexed with sourcetype=WinEventLog, so my app on the HF is manifestly ineffective. Of course, my app has Global permissions and is enabled. And the REGEX in transforms.conf should be OK. Could someone help me point out what is wrong? AFAIK it should be working...
Thanks in advance for your help.
Regards
Lukas
@lukasmecir, on props.conf you can try with source stanza which has higher precedence.
props.conf
[source::WinEventLog:Application]
TRANSFORMS-win_citrix_fas_sourcetype = citrix_fas_sourcetype
Hi all,
finally I used the solution proposed by @scelikok, and it works! Problem solved. I would like to thank you all for your effort, and Merry Christmas and Happy New Year to all!
It seems the actual sourcetype is not WinEventLog. The original sourcetype is "WinEventLog:Application".
It is being renamed to wineventlog at search time. Please find below the props.conf stanza for the renaming from the TA.
[WinEventLog:Application]
rename = wineventlog
Hi @lukasmecir,
the only incorrect thing I see is that in the regex you didn't escape "=", but it should not be relevant.
Could you share a sample of your logs?
Also, the configurations on the HF seem OK.
A final stupid question: are you sure that those logs pass through the HF?
Ciao.
Giuseppe
Hi Giuseppe,
here is log sample:
12/17/2020 03:25:13 PM
LogName=Application
SourceName=Citrix.Authentication.FederatedAuthenticationService
EventCode=105
EventType=4
Type=Information
ComputerName=TV1EPVFD2001.acme.com
TaskCategory=None
OpCode=Info
RecordNumber=5200505
Keywords=Classic
Message=[S105] Server [CSINT\TV1EPVSF1003$] issued identity assertion [upn: tt-60807@ext.com, role Default, Security Context: []]. [correlation: 15ed3202-3d19-4bc2-8060-371dcbaf2dca]
Hi @lukasmecir,
viewing the sample you sent, the regex seems to be correct (escaping "="):
REGEX = SourceName\=Citrix\.Authentication\.FederatedAuthenticationService
As hinted by @scelikok, it could be a good idea to use source instead of sourcetype as the stanza header:
[source::WinEventLog:Application]
this is caused by the different classification of Windows events.
Did you check whether all the logs pass through the HF?
If not, put the same props.conf and transforms.conf stanzas on the indexers as well.
Ciao.
Giuseppe
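To make the cause discussed in this thread concrete, here is an added example (not code from the thread or from Splunk) that simulates, in a deliberately simplified way, how an index-time props.conf stanza is selected and how a TRANSFORMS-* entry rewrites the sourcetype. It assumes the forwarder stamps WinEventLog://Application events with source and sourcetype both equal to "WinEventLog:Application", that the TA's rename to "wineventlog" is search-time only, and that source:: stanzas are glob patterns; the sample events are constructed to mirror the log sample above.

```python
import fnmatch
import re

# Constructed sample events, shaped like the thread's log sample.
FAS_EVENT = ("12/17/2020 03:25:13 PM\nLogName=Application\n"
             "SourceName=Citrix.Authentication.FederatedAuthenticationService\n"
             "EventCode=105")
OTHER_EVENT = ("12/17/2020 03:26:01 PM\nLogName=Application\n"
               "SourceName=Application Error\nEventCode=1000")

# Metadata as the forwarder stamps it for WinEventLog://Application
# (assumed: source and sourcetype both "WinEventLog:Application";
# the TA's rename to "wineventlog" only happens at search time).
UF_META = {"source": "WinEventLog:Application",
           "sourcetype": "WinEventLog:Application"}

TRANSFORMS = {"citrix_fas_sourcetype": {
    "REGEX": r"SourceName=Citrix\.Authentication\.FederatedAuthenticationService",
    "DEST_KEY": "MetaData:Sourcetype",
    "FORMAT": "sourcetype::citrix_fas"}}

# The props.conf stanza from the question, and the one from the answer.
PROPS_ORIGINAL = {"WinEventLog": {
    "TRANSFORMS-win_citrix_fas_sourcetype": "citrix_fas_sourcetype"}}
PROPS_FIXED = {"source::WinEventLog:Application": {
    "TRANSFORMS-win_citrix_fas_sourcetype": "citrix_fas_sourcetype"}}

def stanza_matches(stanza, meta):
    """Simplified index-time matching: [source::pattern] is a glob over
    the source ('...' treated like '*'); any other stanza name must equal
    the sourcetype the forwarder assigned, exactly (no search-time rename)."""
    if stanza.startswith("source::"):
        pattern = stanza[len("source::"):].replace("...", "*")
        return fnmatch.fnmatchcase(meta["source"], pattern)
    return stanza == meta["sourcetype"]

def index_time_sourcetype(props, raw, meta=UF_META, transforms=TRANSFORMS):
    """Sourcetype the event is indexed with after TRANSFORMS-* run."""
    sourcetype = meta["sourcetype"]
    for stanza, settings in props.items():
        if not stanza_matches(stanza, meta):
            continue
        for key, names in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in names.split(","):
                t = transforms[name.strip()]
                if t["DEST_KEY"] == "MetaData:Sourcetype" and re.search(t["REGEX"], raw):
                    sourcetype = t["FORMAT"].split("::", 1)[1]  # "sourcetype::X" -> "X"
    return sourcetype
```

With PROPS_ORIGINAL the [WinEventLog] stanza never matches the index-time sourcetype, so the FAS event keeps "WinEventLog:Application"; with PROPS_FIXED it is indexed as citrix_fas while other Application events are left alone.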