HEC (HTTP Event Collector) host rename using props...

merrelr · ‎03-31-2020

I've setup HEC on a heavy forwarder to gather logs through HEC for Ansible Tower.

Logs are rolling in, but I can't seem to get props/transforms setup correctly to rename the hostname from IP to text.

props.conf

[host::$ipaddress]  
TRANSFORMS-$hostname_rename = host_rename_$hostname

transforms.conf

[host_rename_$hostname]
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$hostname

I've applied these setting to both the HF and to my Indexer cluster and neither place renames the hostname from IP address to text.

Is there something special with HEC or HF that's preventing these changes from taking place?

darrenfuller · ‎04-01-2020

HI Merreir,

Which endpoint are you using to connect to your HEC? /services/collector or /services/collector/event or /services/collector/raw ?

Only data going through /services/collector/event will get affected by props / transforms.

Hope this helps...
./D

harsmarvania57 · ‎04-01-2020

Not /services/collector/event endpoint, if you want to parse data using props/transforms then you need to use /services/collector/raw endpoint.

merrelr · ‎04-01-2020

I'll give that a try and see if I can get it to work that way.

merrelr · ‎04-01-2020

I had to update the props to use 127.0.0.1 instead of it's actual IP. I'm not sure what changed since yesterday with my testing.

I left the endpoint as /services/collector/event and my props/transforms are working.

props.conf

[host::127.0.0.1]
TRANSFORMS-$hostname_rename = host_rename_$hostname

transforms.conf

[host_rename_$hostname]
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$hostname

merrelr · ‎04-01-2020

I'm using the "/services/collector/event" endpoint.

HEC (HTTP Event Collector) host rename using props transforms - ansible tower