I am looking to change the sourcetype of events originating from the source = WinEventLog:Microsoft-Windows-Windows Defender/Operational logs that are coming in through the Forwarded Events log on one of our WECs that is collected via a UF.
I want to send them to their own index and have that unique sourcetype so I can use it with the TA-microsoft-windefender.
Is there a way to configure the inputs to use the source to find and then set the sourcetype and index?
Anyway, try something like this:
[your_original_sourcetype]
REGEX = <your_regex>
FORMAT = sourcetype::<your_custom_sourcetype_value>
DEST_KEY = MetaData:Sourcetype
but remember that using the original TA_Windows you already have all the fields correctly defined, instead if you override it, you have to redefine all of them.
Thank you! Will give this a shot.
Is there a way to also send it to a unique index?
If your data has already been indexed there is no way to change the sourcetype. You would need to delete it and reindex. Try this
Thanks for the input... not trying to re-index data, though.
From your windows TA on your UF and in the local folder, find the relevant monitor in
And simply add the
index name you wish to route to there. This works similarly to defining which index a specific file monitor goes to.
Let me know if this works out for you.
I have the index specified for the monitoring stanza already.
I have Windows Security/System/WinDefender/Bitlocker events all going to the Forwarded Events on a WEC.
I was looking for a way to break out my WinDefender and Bitlocker events from that monitoring stanza by sourcetype and also put them in their own index.
The WEC that is collecting these events doesn't have WinDefender or Bitlocker installed, so their respective log locations don't exist.
In that case, since the data is already mixed up, the only way to split the results is to route it to a different index on the indexing layer; nothing can be done on the UF layer to split it out:
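An added example (not from this thread) of the index-time routing described above: props.conf and transforms.conf on the indexer or heavy forwarder, matching on the event's source rather than its text. The stanza name WinEventLog:ForwardedEvents, the target sourcetype windefender_custom and the index name windefender are assumptions to adapt to your environment.

```ini
# props.conf (indexer or heavy forwarder, not the UF)
# Assumed: the forwarded events arrive with sourcetype WinEventLog:ForwardedEvents.
# Check the actual incoming sourcetype and adjust the stanza name.
[WinEventLog:ForwardedEvents]
TRANSFORMS-windefender = windefender_set_sourcetype, windefender_set_index

# transforms.conf
# Both transforms key off MetaData:Source, which carries a "source::" prefix,
# so only the Defender Operational channel is rewritten; other forwarded
# channels (Security, System, ...) keep their original sourcetype and index.
[windefender_set_sourcetype]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Microsoft-Windows-Windows Defender/Operational$
# Placeholder: use the sourcetype that TA-microsoft-windefender expects.
FORMAT = sourcetype::windefender_custom
DEST_KEY = MetaData:Sourcetype

[windefender_set_index]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Microsoft-Windows-Windows Defender/Operational$
# Placeholder index name; it must already exist on the indexers,
# otherwise the events are dropped or land in the last-chance index.
FORMAT = windefender
DEST_KEY = _MetaData:Index
```

Index-time settings of the new sourcetype (line breaking, timestamping) are not re-applied after the rewrite, but search-time extractions keyed on windefender_custom do apply to the rewritten events.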