I have a universal forwarder running on my Domain Controller which only captures logon/logoff events.
inputs.conf
```
[WinEventLog://Security]
disabled = 0
# collect only events written after the input starts (key needs a value)
current_only = 1
renderXml = 1
# logon (4624) and logoff (4634) only
whitelist = 4624, 4634
```
In my Splunk server I set up forwarding to a 3rd party.
outputs.conf
```
[tcpout]
defaultGroup = nothing
[tcpout:foobar]
server = 10.2.84.209:9997
sendCookedData = false
[tcpout-server://10.2.84.209:9997]
```
props.conf
```
[XmlWinEventLog:Security]
TRANSFORMS-Xml=foo
```
transforms.conf
```
[foo]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=foobar
```
Before creating/editing these conf files I am still seeing lots of non-Windows events being sent to the destination. With these confs in place I am not seeing any events being forwarded.
What's the easiest fix to my conf files so that I only send XMLs to the 3rd party system?
Thanks, Billy
EDIT: What markup does this forum use? Single/triple backticks don't work, nor does <pre></pre>.
As you are running Universal Forwarder it does not process the transforms by default.
You could try enabling the force_local_processing option for a sourcetype, but it's not very well documented and generally not advisable since it increases load on the UF (which is supposed to be as lightweight as possible).
Hello @billy,
1 - Can you please use the configuration provided below, where I've added the sourcetype in inputs.conf:
```
[WinEventLog://Security]
disabled = 0
current_only = 1
renderXml = 1
whitelist = 4624, 4634
sourcetype = XmlWinEventLog:Security
```
2 - You can also configure the files using source instead of sourcetype:
inputs.conf -
```
[WinEventLog://Security]
disabled = 0
current_only = 1
renderXml = 1
whitelist = 4624, 4634
```
props.conf -
```
[source::XmlWinEventLog:Security]
TRANSFORMS-Xml = send_to_3rd_party
```
transforms.conf -
```
[send_to_3rd_party]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = foobar
```
If this reply helps you, Karma would be appreciated.
Thanks,
Surbhi
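To make both answers in this thread concrete (the transforms run on the indexer, not the UF, and the props stanza only fires when the event's sourcetype or source actually matches it), here is a small offline model of that routing path. This is an added example written for this page; it is not Splunk's code and not the posters' configuration. It reuses the stanza names from the thread, constructs its own sample XML events, and assumes, for the purpose of the model, that a `renderXml = 1` input with no explicit `sourcetype` arrives with the default sourcetype `XmlWinEventLog` and source `XmlWinEventLog:Security`; check `| stats count by source sourcetype` on your own indexer before relying on that.

```python
"""Simplified model of UF collection plus indexer-side _TCP_ROUTING.

Added example, not Splunk's implementation.  It models only what this thread
touches: event-ID whitelisting and source/sourcetype tagging on the UF, props
stanza matching (by sourcetype or source::), a TRANSFORMS regex that sets
_TCP_ROUTING, and the tcpout defaultGroup fallback on the indexer.
"""
import re
from fnmatch import fnmatchcase

# Constructed conf text, mirroring the thread's stanzas.
ORIGINAL_INPUTS = """
[WinEventLog://Security]
disabled = 0
current_only = 1
renderXml = 1
whitelist = 4624, 4634
"""
FIXED_INPUTS = ORIGINAL_INPUTS + "sourcetype = XmlWinEventLog:Security\n"
PROPS = "[XmlWinEventLog:Security]\nTRANSFORMS-Xml = foo\n"
TRANSFORMS = "[foo]\nREGEX = .\nDEST_KEY = _TCP_ROUTING\nFORMAT = foobar\n"
PROPS_BY_SOURCE = "[source::XmlWinEventLog:Security]\nTRANSFORMS-Xml = send_to_3rd_party\n"
TRANSFORMS_BY_SOURCE = "[send_to_3rd_party]\nREGEX = .\nDEST_KEY = _TCP_ROUTING\nFORMAT = foobar\n"
OUTPUTS = """
[tcpout]
defaultGroup = nothing
[tcpout:foobar]
server = 10.2.84.209:9997
sendCookedData = false
[tcpout-server://10.2.84.209:9997]
"""
# Constructed minimal XML events: one logon, one failed logon, one logoff.
SAMPLE_EVENTS = [
    "<Event><System><EventID>4624</EventID></System></Event>",
    "<Event><System><EventID>4625</EventID></System></Event>",
    "<Event><System><EventID>4634</EventID></System></Event>",
]
# Assumed defaults when no sourcetype is set (verify on your own deployment).
DEFAULT_SOURCETYPE = {True: "XmlWinEventLog", False: "WinEventLog"}


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; a bare key is kept as None."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None:
            key, sep, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip() if sep else None
    return stanzas


def uf_collect(inputs_text, events):
    """UF side: apply the event-ID whitelist and tag source/sourcetype only."""
    stanza = parse_conf(inputs_text)["WinEventLog://Security"]
    allowed = {c.strip() for c in (stanza.get("whitelist") or "").split(",") if c.strip()}
    xml = stanza.get("renderXml") in ("1", "true")
    source = ("XmlWinEventLog:" if xml else "WinEventLog:") + "Security"
    sourcetype = stanza.get("sourcetype") or DEFAULT_SOURCETYPE[xml]
    collected = []
    for raw in events:
        m = re.search(r"<EventID[^>]*>(\d+)</EventID>", raw)
        if m and (not allowed or m.group(1) in allowed):
            collected.append({"_raw": raw, "source": source,
                              "sourcetype": sourcetype, "EventID": int(m.group(1))})
    return collected


def indexer_route(event, props, transforms, outputs):
    """Indexer side: run matching TRANSFORMS and resolve the tcpout groups."""
    routing = None
    for name, settings in props.items():
        if name.startswith("source::"):
            if not fnmatchcase(event["source"], name[len("source::"):]):
                continue
        elif name.startswith("host::"):
            continue  # host-based stanzas are not modelled here
        elif name != event["sourcetype"]:
            continue
        for key, value in settings.items():
            if key.startswith("TRANSFORMS-"):
                for tname in value.split(","):
                    t = transforms[tname.strip()]
                    if t.get("DEST_KEY") == "_TCP_ROUTING" and re.search(t["REGEX"], event["_raw"]):
                        routing = t["FORMAT"]
    if routing is None:
        routing = outputs.get("tcpout", {}).get("defaultGroup", "")
    # Only groups with a [tcpout:<group>] stanza can receive data; "nothing"
    # (or any undefined group) means the event is indexed but never forwarded.
    return [g.strip() for g in routing.split(",") if f"tcpout:{g.strip()}" in outputs]


def forwarded(inputs_text, props_text, transforms_text, outputs_text, events):
    """Return {tcpout group: [EventIDs]} that would reach each destination."""
    props, transforms, outputs = map(parse_conf, (props_text, transforms_text, outputs_text))
    result = {}
    for ev in uf_collect(inputs_text, events):
        for group in indexer_route(ev, props, transforms, outputs):
            result.setdefault(group, []).append(ev["EventID"])
    return result


if __name__ == "__main__":
    print("original confs:", forwarded(ORIGINAL_INPUTS, PROPS, TRANSFORMS, OUTPUTS, SAMPLE_EVENTS))
    print("with sourcetype:", forwarded(FIXED_INPUTS, PROPS, TRANSFORMS, OUTPUTS, SAMPLE_EVENTS))
    print("by source:::", forwarded(ORIGINAL_INPUTS, PROPS_BY_SOURCE, TRANSFORMS_BY_SOURCE, OUTPUTS, SAMPLE_EVENTS))
```

Run it and the original confs forward nothing: the `[XmlWinEventLog:Security]` props stanza never matches the default sourcetype, so `_TCP_ROUTING` is never set and `defaultGroup = nothing` drops the event from forwarding. Either of Surbhi's variants (explicit `sourcetype`, or a `source::` stanza) routes exactly the whitelisted 4624/4634 events to `foobar`, and the 4625 event is discarded on the UF before it ever reaches the indexer.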