Hello,

Our Windows servers have the universal forwarder installed and it is working just fine. However, we also have Windows Servers with SQL installed and we are trying to monitor the SQL Audit. We have configured the SQL Audit to send to Windows Event Logs' Application Log and we are now getting both SQL Audit and WinEvent in the same index. However, I want to split it so that SQL logs can be on a separate index than Windows logs.

Currently this is what I have setup on the UF:
inputs.conf

[WinEventLog://Application]
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 33205
index = mssql
renderXml=false
sourcetype = mssql:winevent
source = mssql:audit

[WinEventLog://Application]
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist1 = 33205
index = windows
renderXml=false


[WinEventLog://Security]
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = windows
renderXml=false

[WinEventLog://System]
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows
renderXml=false

###### Windows Update Log ######
[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
index = windows

outputs.conf

[tcpout]
defaultGroup = all_heavy_forwarders

[tcpout:all_heavy_forwarders]
server = <<IP List>>

forceTimebasedAutoLB=true

autoLB = true

I put 2 application stanzas to try and split it at the UF and have different sourcetypes/indexes from that point forward, however, it doesn't seem to work.

If I run a TCP dump, there are zero logs with EventCode 33205 that make it to the heavy forwarders. However, the rest of the logs do make it. Additionally, if I disable the first inputs stanza, then I get 33205 events.