Ok, so for reasons beyond this discussion we are unable to use the universal forwarder. So, we have decided to bring in our data using Snare. Has anyone had any experience with creating a sourcetype for snare forwarded messages?
There is pretrained sourcetype for this already. Last one in the table. Just make sure to set your sourcetype manually to 'windows_snare_syslog'.
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Listofpretrainedsourcetypes
