Inputs.conf _SYSLOG_ROUTING only

ng1p · ‎07-25-2012

For my windows servers I have set them up to send via syslog to Loglogic and also send to the Splunk indexer. Currently I am sending the Security, System and Application logs to both Loglogic and Splunk using a heavyforwarder.

The issue is in some cases I would like to only send the application and system logs to Splunk but have all 3 logs continue to Loglogic.

Anyway to disable some logs from going to the indexers but keep all 3 logs going via syslog?
Here is my inputs.conf:

[WinEventLog:Application]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

index = win

_SYSLOG_ROUTING = log_logic

[WinEventLog:Security]

disabled = 0

start_from = oldest

current_only = 0

evt_resolve_ad_obj = 1

checkpointInterval = 5

index = win

_SYSLOG_ROUTING = log_logic

[WinEventLog:System]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

index = win

_SYSLOG_ROUTING = log_logic

ng1p · ‎07-30-2012

Looks like the answer to this one is simple..

In the inputs.conf under the sourcetype you dont want to get indexed just add the following line:
_TCP_ROUTING = blackhole

Assuming blackhole is not used in an output group it will not get indexed.

Inputs.conf _SYSLOG_ROUTING only

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Inputs.conf _SYSLOG_ROUTING only

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience