For my Windows servers, I have set them up to send via syslog to LogLogic and also to the Splunk indexer. Currently I am sending the Security, System and Application logs to both LogLogic and Splunk using a heavy forwarder.
The issue is that in some cases I would like to only send the Application and System logs to Splunk, but have all 3 logs continue to LogLogic.
Is there any way to disable some logs from going to the indexers but keep all 3 logs going via syslog?
Here is my inputs.conf:
[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = win
_SYSLOG_ROUTING = log_logic

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win
_SYSLOG_ROUTING = log_logic

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = win
_SYSLOG_ROUTING = log_logic
Looks like the answer to this one is simple.
In inputs.conf, under the sourcetype you don't want to get indexed, just add the following line:
_TCP_ROUTING = blackhole
Assuming blackhole is not used in an output group, it will not get indexed.
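For reference, here is the full pair of files that the answer above implies, as an added example that is not part of the original question or answer. It shows the inputs.conf and outputs.conf together on the heavy forwarder, so it is visible why the trick works: `_SYSLOG_ROUTING` only selects `[syslog:...]` groups and `_TCP_ROUTING` only selects `[tcpout:...]` groups, so pointing the Security input at a `tcpout` group that is never defined leaves it with no TCP destination while its syslog destination is untouched. The group name `splunk_indexers`, the hostnames and the ports are assumptions for the example.

```ini
# inputs.conf on the heavy forwarder (added example, not the original poster's file).
# Application and System go to both LogLogic (syslog) and the Splunk indexers (tcpout).
[WinEventLog:Application]
disabled = 0
index = win
_SYSLOG_ROUTING = log_logic
# no _TCP_ROUTING here, so this input follows defaultGroup from outputs.conf

[WinEventLog:System]
disabled = 0
index = win
_SYSLOG_ROUTING = log_logic

# Security goes to LogLogic only. "blackhole" is deliberately NOT defined as a
# [tcpout:...] group below, so the forwarder has no TCP destination for this
# input and it never reaches the indexers; syslog routing is unaffected.
[WinEventLog:Security]
disabled = 0
evt_resolve_ad_obj = 1
index = win
_SYSLOG_ROUTING = log_logic
_TCP_ROUTING = blackhole

# outputs.conf on the same forwarder. Group name, hostnames and ports are assumptions.
[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

[syslog:log_logic]
server = loglogic.example.com:514
type = udp
```

Two checks are worth doing after restarting the forwarder: search `index=win sourcetype="WinEventLog:Security" earliest=-15m` on the indexers and confirm nothing new arrives, and confirm on the LogLogic side that Security events are still being received. The one caveat is that the trick depends on `blackhole` staying undefined; if someone later adds a `[tcpout:blackhole]` stanza in any outputs.conf on that forwarder, the Security log starts flowing to wherever that group points.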