I am trying to aggregate our windows and Linux logs from universal forwarders to a heavy forwarder, finally, to our internal Splunk indexer as well as to a third-party syslog server. I was able to split up the routing and ports to enable logs to go where they need to (_TCP_ROUTING and _SYSLOG_ROUTING), but the syslog server receives the windows event logs as multiple events (each key value seems to get its own line).
How can I use props.conf/transforms.conf to parse only the data being forwarded from the windows port on the heavy forwarder to the windows syslog port?
-windows universal forwarder is using [WinEventLog://Security] in inputs.conf and [tcpout://server:]
-heavy forwarder is using
inputs.conf
[splunktcp://]
configure_host = dns
_TCP_ROUTING = WindowsTCP
_SYSLOG_ROUTING = WindowsSyslog
outputs.conf
[syslog]
defaultGroup = WindowsSyslog
[syslog:WindowsSyslog]
server = syslogserver:514
type = tcp
-receiving Linux server is using rsyslog port 514/tcp.
Well, Splunk just sends the raw events over syslog. And yes, if those raw events are multiline (which windows events are), a typical syslog daemon will treat every line as a separate event.
I guess your best bet is to see if your syslog daemon has any options to better handle multiline events, or perhaps look into alternative syslog daemons and see if those have better multiline support.
Unless Splunk actually adds a syslog header in front of every line, but I thought it just sends the raw data only?
Hi,
I also try to forward Windows events to a 3rd party syslog server. In my case I use syslog-ng.
(https://answers.splunk.com/answers/687843/can-you-help-me-forward-windows-events-to-a-3rd-pa.html)
My current config:
props.conf
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog
[WinEventLog:System]
TRANSFORMS-external = send_to_syslog
transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external
outputs.conf
[tcpout]
defaultGroup=nothing
[syslog]
[syslog:external]
server=syslog.server:514
type = tcp
Everything is configured on the indexer. UF in on default config (Windows TA v4.8.4)
At first sight, I received events in a single line, but the syslog header not perfect...
István
Well, Splunk just sends the raw events over syslog. And yes, if those raw events are multiline (which windows events are), a typical syslog daemon will treat every line as a separate event.
I guess your best bet is to see if your syslog daemon has any options to better handle multiline events, or perhaps look into alternative syslog daemons and see if those have better multiline support.
Unless Splunk actually adds a syslog header in front of every line, but I thought it just sends the raw data only?
After a lot of digging I would have to agree that its easier to manipulate the logs on the receiving syslog end than it is trying to format them from the forwarder. I ended up switching to syslog-ng instead of rsyslog.
Cool 🙂
Any lessons you can share on benefits you got from switching to NG?