Inputs.conf _SYSLOG_ROUTING only

ng1p · ‎07-25-2012

For my windows servers I have set them up to send via syslog to Loglogic and also send to the Splunk indexer. Currently I am sending the Security, System and Application logs to both Loglogic and Splunk using a heavyforwarder.

The issue is in some cases I would like to only send the application and system logs to Splunk but have all 3 logs continue to Loglogic.

Anyway to disable some logs from going to the indexers but keep all 3 logs going via syslog?
Here is my inputs.conf:

[WinEventLog:Application]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

index = win

_SYSLOG_ROUTING = log_logic

[WinEventLog:Security]

disabled = 0

start_from = oldest

current_only = 0

evt_resolve_ad_obj = 1

checkpointInterval = 5

index = win

_SYSLOG_ROUTING = log_logic

[WinEventLog:System]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

index = win

_SYSLOG_ROUTING = log_logic

ng1p · ‎07-30-2012

Looks like the answer to this one is simple..

In the inputs.conf under the sourcetype you dont want to get indexed just add the following line:
_TCP_ROUTING = blackhole

Assuming blackhole is not used in an output group it will not get indexed.

Inputs.conf _SYSLOG_ROUTING only

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

Are you a member of the Splunk Community?

Inputs.conf _SYSLOG_ROUTING only

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal