Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure props.conf and transforms.conf on Windows heavy forwarder to remove unwanted characters in rsyslog logs?

feliz
New Member
‎11-12-2014 06:59 AM

Hi there,

We have a Windows Heavy Forwarder which gets Windows logs. We want to send these logs to an external Rsyslog Server, using transforms.conf and props.conf:

transforms.conf

[syslog_routing]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = rsyslog

props.conf

`[syslog_test]

TRANSFORMS-routing = syslog_routing`

outputs.conf

`[syslog]
defaultGroup = rsyslog

[syslog:rsyslog]
server = rsyslog_server:514
type=tcp
timestampformat = %b %e %H:%M:%S`

On the rsyslog, we get these kind of entries:

Nov 12 15:46:34 192.168.135.10 #011Source Port:#011#0118089#015#015
Nov 12 15:46:34 192.168.135.10 #011Destination Address:#01110.0.0.1#015#015
Nov 12 15:46:34 192.168.135.10 #011Destination Port:#011#01164756#015#015
Nov 12 15:46:34 192.168.135.10 #011Protocol: #011#0116#015#015

So the question is, how to get rid of all the #11 and #15?

Thanks!

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-12-2014 03:09 PM

If the #11 an d #15 are in your initial raw data, try a sedcmd in the props.

0 Karma
Reply

feliz
New Member
‎11-14-2014 05:27 AM

Hey, thanks for your answer.

We tried to add SEDCMD-fix_space = s/#011/ /g, with no success...
We also tried to send with stanza tcpout, both on Heavy Forwarder and Indexer , as

`[tcpout]
defaultGroup=syslog_routing
indexAndForward=true
sendCookedData=false

[tcpout:raw_tcp_receiver]
server=rsyslog_server:514`

with no luck.

Edit: same result with SEDCMD-fix_space = s/\#011/ /g, in case that the # character was not interpreted.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...