Getting Data In

How to Forward Splunk WMIEventLog:Security to syslog_ng with backend MYSQL

smile_4u_2
New Member

I am new to Splunk and am attempting to forward Splunk WMIEventLog:Security to syslog_ng with a backend MYSQL. This is a requirement for our log archives.
I can setup a forwarder to Forward Splunk data via TCP, but the message Field is blank.

Can anyone assit me with How to Forward Splunk WMIEventLog:Security data to syslog_ng with a backend MYSQL?

Tags (3)
0 Karma

solarboyz1
Builder

The following configuration is for a heavy forwarder on the windows box, it will forward your Windows Security event log in syslog format to the syslog_ng server you define in the outputs.conf.

inputs.conf:

        [WinEventLog:Security]
        disabled = 0 

outputs.conf

        [syslog:syslog_ng]
        server  = 12.34.56.78:514
        type = udp

props.conf

        [host::*]
        TRANSFORMS-routing = syslog_ng

transforms.conf

        [send_to_syslog]
        REGEX = .
        DEST_KEY = _SYSLOG_ROUTING
        FORMAT = syslog_ng

I'm assuming you already have the syslog-ng backend configured to push the data into your mysql database, but if not those directions can be found here: http://sqls.net/wiki/howto:syslog-ng_to_mysql

ephemeric
Contributor

Should it not be "TRANSFORMS-routing = send_to_syslog"?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...