Hello
We want to forward (and index in Splunk) some Events (Windows Event Logs) to Nessus Security Center Log Correlation Engine.
I've tried the following settings on the Indexer:
"D:\splunk\etc\system\local\props.conf"
[WinEventLog://Application]
TRANSFORMS-routing1=nessus
[WinEventLog://Security]
TRANSFORMS-routing2=nessus
[WinEventLog://System]
TRANSFORMS-routing3=nessus
"D:\splunk\etc\system\local\transforms.conf"
[nessus]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=nessusforwarder
"D:\splunk\etc\system\local\outputs.conf"
[tcpout]
defaultGroup = nothing
disabled = 0
[tcpout:nessusforwarder]
disabled = 0
server = xx.xx.xx.xx:9445
sendCookedData = false
indexAndForward = true
Doesn't work like this; any hints on what's wrong in my config?
As you have discovered, this only works on forwarders, not indexers.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd
indexAndForward is a bit misleading. It only works on heavy forwarders and peers in a cluster can't also be heavy forwarders.
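The same routing placed where it takes effect, as an added example (these are not the original poster's files or jkat54's): a heavy forwarder in front of the indexers tags the three Windows event logs with a _TCP_ROUTING value that sends them both to the Splunk indexer group and, as raw text, to the LCE listener. The props.conf stanza names assume the default sourcetype the Windows event log input assigns (WinEventLog:Application, WinEventLog:Security, WinEventLog:System); the indexer address idx.example.com:9997, the group names splunk_indexers and lce, and the transform name route_to_lce are placeholders chosen here.

```ini
# --- props.conf on the HEAVY FORWARDER (not on the indexer) ---
# Stanza names are the sourcetype of the Windows event log input (assumed default);
# check yours with: index=* source="WinEventLog:*" | stats count by sourcetype
[WinEventLog:Application]
TRANSFORMS-routing = route_to_lce

[WinEventLog:Security]
TRANSFORMS-routing = route_to_lce

[WinEventLog:System]
TRANSFORMS-routing = route_to_lce

# --- transforms.conf ---
# Match every event of those sourcetypes and set its output group list.
# Naming both groups sends each event to the indexers AND to LCE.
[route_to_lce]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers,lce

# --- outputs.conf ---
[tcpout]
# Everything not rerouted by the transform goes to the indexers only.
defaultGroup = splunk_indexers
# Only honoured here, at the [tcpout] level, and only on a heavy forwarder:
# keep a local copy in addition to forwarding. Leave it false if the
# indexer group above already stores the events (otherwise they are stored twice).
indexAndForward = false

[tcpout:splunk_indexers]
# Placeholder address of the Splunk indexer(s); cooked data, the default.
server = idx.example.com:9997

[tcpout:lce]
# LCE is not a Splunk instance, so it must receive plain newline-delimited text.
server = xx.xx.xx.xx:9445
sendCookedData = false
```

After restarting the heavy forwarder, confirm the merged settings with `splunk btool props list --debug` and `splunk btool outputs list --debug`, then watch splunkd.log for the tcpout connection to port 9445; an indexer with the same three files would load them without error and simply never route anything, which is the symptom in the question.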
thank you jkat54. 😕