- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to Forward Splunk WMIEventLog:Security to syslog_ng with backend MYSQL
I am new to Splunk and am attempting to forward Splunk WMIEventLog:Security to syslog_ng with a backend MYSQL. This is a requirement for our log archives.
I can setup a forwarder to Forward Splunk data via TCP, but the message Field is blank.
Can anyone assit me with How to Forward Splunk WMIEventLog:Security data to syslog_ng with a backend MYSQL?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following configuration is for a heavy forwarder on the windows box, it will forward your Windows Security event log in syslog format to the syslog_ng server you define in the outputs.conf.
inputs.conf:
[WinEventLog:Security]
disabled = 0
outputs.conf
[syslog:syslog_ng]
server = 12.34.56.78:514
type = udp
props.conf
[host::*]
TRANSFORMS-routing = syslog_ng
transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_ng
I'm assuming you already have the syslog-ng backend configured to push the data into your mysql database, but if not those directions can be found here: http://sqls.net/wiki/howto:syslog-ng_to_mysql
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should it not be "TRANSFORMS-routing = send_to_syslog"?
