Hi all,

I want to send logs (which are part from our sourcetype [kube_audit]) from my HeavyForwarder to a third-party system (in my case SIEM) in syslog-format, and only those, which are caught with the regex defined. Everything else should be sent normally to my Indexers. There exists a documentation, but for my use-case there is no further description. (https://docs.splunk.com/Documentation/Splunk/9.1.3/Forwarding/Routeandfilterdatad#Filter_and_route_e... , https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd )

I tried to follow the documentation and tried many things. But I end up with my third-party host receiving ALL logs of my sourcetype [kube_audit] instead only a part of it. I checked my regex, as I suspected this would be my point of failure, but there must be some other configurations I am missing, as in a simple setup, the regex works as it is.

My setup for outputs, transforms and props.conf:

props.conf:

[kube_audit]
TRANSFORMS-routing = route_to_sentinel

transforms.conf:

[route_to_sentinel]
REGEX = (?<sentinel>"verb":"create".*"impersonatedUser".*"objectRef":\{"resource":"pods".*"subresource":"exec")
DEST_KEY = _SYSLOG_ROUTING
FORMAT = sentinel_forwarders

outputs.conf:

[tcpout]
defaultGroup = my_indexers
forwardedindex.filter.disable = true
indexAndForward = false
useACK = true
backoffOnFailure = 5
connectionTTL = 3500
writeTimeout = 100
maxConnectionsPerIndexer = 20

[tcpout:my_indexers]
server=<list_of_servers>

[syslog]
defaultGroup = sentinel_forwarders

[syslog:sentinel_forwarders]
server = mythirdpartyhost:514
type = udp

Am I missing something? Any notable things I did miss? Any help is appreciated!

Best regards