Converting Windows Event Log to rsyslog format

mgalos
New Member

I am trying to aggregate our Windows and Linux logs from universal forwarders to a heavy forwarder and, finally, to our internal Splunk indexer as well as to a third-party syslog server. I was able to split up the routing and ports to enable logs to go where they need to (_TCP_ROUTING and _SYSLOG_ROUTING), but the syslog server receives the Windows event logs as multiple events (each key-value pair seems to get its own line).

How can I use props.conf/transforms.conf to parse only the data being forwarded from the Windows port on the heavy forwarder to the Windows syslog port?

-Windows universal forwarder is using [WinEventLog://Security] in inputs.conf and [tcpout://server:]

-heavy forwarder is using

inputs.conf
# Receives from the universal forwarders. Both routing keys are set on the
# input itself, so every event arriving here is sent to both output groups.
[splunktcp://]
# (the Splunk setting is spelled connection_host; sets host from reverse DNS)
connection_host = dns
_TCP_ROUTING = WindowsTCP
_SYSLOG_ROUTING = WindowsSyslog

outputs.conf
# Syslog output group referenced by _SYSLOG_ROUTING above.
[syslog]
defaultGroup = WindowsSyslog

[syslog:WindowsSyslog]
server = syslogserver:514
type = tcp

-the receiving Linux server runs rsyslog, listening on 514/tcp.

0 Karma
1 Solution

FrankVl
Ultra Champion

Well, Splunk just sends the raw events over syslog. And yes, if those raw events are multiline (which Windows events are), a typical syslog daemon will treat every line as a separate event.

I guess your best bet is to see if your syslog daemon has any options to better handle multiline events, or perhaps look into alternative syslog daemons and see if those have better multiline support.

Unless Splunk actually adds a syslog header in front of every line? But I thought it just sends the raw data.


0 Karma
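To make the mechanism in the accepted answer concrete, here is an added example (not code from the thread, from Splunk, or from rsyslog). It builds a constructed Windows Security event in the key=value shape a WinEventLog record takes, then pushes it through the two TCP framings defined in RFC 6587: newline framing, which is what a plain TCP syslog listener does and which splits the event at every line, and octet-counted framing, where the record length bounds the message so embedded newlines survive. A third function shows the sender-side alternative of collapsing the event to one line. The host name, SID and timestamp in the sample are made up.

```python
"""Why a multiline Windows event becomes many syslog events, and how the TCP
framing decides it. Added example; the event text below is constructed to
resemble the shape of a Splunk-rendered WinEventLog record, not copied from
any real host."""

import re
from typing import Dict, List

# Constructed sample event (shape only; host, SID and time are invented).
SAMPLE_EVENT = (
    "08/21/2019 10:15:33 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=host01.example.local\n"
    "TaskCategory=Logon\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tHOST01$\n"
)


def split_by_newline(stream: bytes) -> List[bytes]:
    """Non-transparent framing (RFC 6587 section 3.4.2): the receiver ends a
    record at every LF. This is the default for a plain TCP syslog listener,
    so each line of the event above arrives as its own record and the
    boundary between two consecutive events is lost. Empty lines are dropped,
    as most daemons discard empty messages."""
    return [rec for rec in stream.split(b"\n") if rec]


def octet_count_frame(msg: bytes) -> bytes:
    """Octet-counted framing (RFC 6587 section 3.4.1): 'MSG-LEN SP MSG'.
    The decimal length, not a newline, bounds the record, so embedded LFs
    are preserved end to end."""
    return b"%d %s" % (len(msg), msg)


def split_by_octet_count(stream: bytes) -> List[bytes]:
    """Reassemble whole records from a stream of octet-counted frames."""
    records: List[bytes] = []
    pos = 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)            # end of the length field
        length = int(stream[pos:sp])
        start = sp + 1
        if start + length > len(stream):
            raise ValueError("truncated frame")  # never guess at a partial record
        records.append(stream[start:start + length])
        pos = start + length
    return records


def flatten_event(event: str, sep: str = " | ") -> str:
    """Sender-side alternative: collapse the event to a single line before it
    goes on the wire, so newline framing cannot split it. Blank lines and
    leading/trailing whitespace go; the key=value pairs stay parseable."""
    lines = [ln.strip() for ln in re.split(r"\r?\n", event)]
    return sep.join(ln for ln in lines if ln)


def demo() -> Dict[str, int]:
    """Send the same two events through each framing and count the records
    the receiving daemon would see."""
    raw = SAMPLE_EVENT.encode()
    newline_stream = raw + raw                  # newline-framed sender, two events
    octet_stream = octet_count_frame(raw) * 2   # octet-counted sender, two events
    flat_stream = (flatten_event(SAMPLE_EVENT) + "\n").encode() * 2
    return {
        "newline_framed": len(split_by_newline(newline_stream)),
        "octet_counted": len(split_by_octet_count(octet_stream)),
        "flattened": len(split_by_newline(flat_stream)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} record(s) for 2 events sent")
```

Running it shows the failure mode from the thread: two newline-framed events turn into 24 records with no event boundary, while the octet-counted and flattened streams each yield two. rsyslog's imtcp accepts octet-counted frames (its SupportOctetCountedFraming input parameter), but the thread does not establish that the sending side can emit them, which is why the flatten path is the one a sender would need to reproduce on its own side; the flattened line still needs a syslog header in front of it to be treated as a normal syslog message.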

ikulcsar
Communicator

Hi,

I am also trying to forward Windows events to a third-party syslog server. In my case I use syslog-ng.
(https://answers.splunk.com/answers/687843/can-you-help-me-forward-windows-events-to-a-3rd-pa.html)

My current config:
props.conf

# Route each Windows Event Log sourcetype through the transform below.
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog

[WinEventLog:System]
TRANSFORMS-external = send_to_syslog

transforms.conf

# Match every event (REGEX = .) and set its syslog routing key to the
# "external" output group defined in outputs.conf.
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external

outputs.conf

# The default tcpout group points at a group that does not exist, so
# nothing is forwarded on to another Splunk instance.
[tcpout]
defaultGroup = nothing

[syslog]

# Output group referenced by FORMAT = external above.
[syslog:external]
server = syslog.server:514
type = tcp

Everything is configured on the indexer. The UF is on the default config (Windows TA v4.8.4).

At first sight, I receive events in a single line, but the syslog header is not perfect...

István

0 Karma

mgalos
New Member

After a lot of digging I would have to agree that it's easier to manipulate the logs on the receiving syslog end than to try to format them from the forwarder. I ended up switching to syslog-ng instead of rsyslog.

0 Karma

FrankVl
Ultra Champion

Cool 🙂

Any lessons you can share on benefits you got from switching to NG?

0 Karma