I want to send Windows event log data from several domain controllers to Splunk to be indexed as well as an external syslog collector. I am currently receiving the logs in Splunk with no issues. The problem arises when I attempt to forward the WinEvent data to my syslog server. Once I enable the syslog service, I get flooded with all of my data being forwarded to the external collector. I only want the data from the domain controllers.
-Windows data is being sent via a universal forwarder with no issues.
-The data (only Windows data) needs to be indexed and forwarded over to an external syslog collector.
-Created new outputs.conf, props.conf and transforms.conf to output data to external collector.
-When the syslog service is enabled it is flooded with ALL of the data being sent to Splunk.
-Syslog Server IP: xx.xx.xxx.xx
-Port: TCP 514
-Splunk Version 6.3.3
[syslog] defaultGroup = SymantecMSS [syslog:SymantecMSS] server = xx.xx.xxx.xx:514 type = tcp priority = <13> timestampformat = %b %d %H:%M:%S maxEventSize = 16384
[SymantecMSSStanza] # This is stanza name which is defined in props.conf in point 1. REGEX= . DEST_KEY=_SYSLOG_ROUTING FORMAT=SymantecMSS # This group name has to be same as defined in outputs.conf file
You have not discriminated for your domain controllers in the
transforms.conf. The period character says, "if the event has at least 1 character", then send it. You need to build a RegEx that says "if the event contains a hostname like this or an IP address like that", then send it.
Yes, of course, you have been doing just exactly that! But for this to benefit you, you would have to have the Domain Controllers sending to one sourcetype and everything else to another.