Need help routing all Windows events to syslog but...

umd06 · ‎09-04-2025

I’m trying to split my Windows events so that:

All events get forwarded to a syslog server.
Only certain Event IDs (ex: 5156) get indexed in Splunk.
Here’s what I’ve done so far:
props.conf
```
[source::XmlWinEventLog...]
TRANSFORMS-win = send_to_syslog
```
transforms.conf
```
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
```
outputs.conf
[syslog:my_syslog_group] server = loghost.example.com:514
That part works — all events are being forwarded to syslog.
But when I try to add a second transform to only index a few events, Splunk still indexes everything:
props.conf

[source::XmlWinEventLog...] TRANSFORMS-win = send_to_syslog, filter_to_splunk
transforms.conf

[filter_to_splunk] REGEX = (5156) DEST_KEY = _TCP_ROUTING FORMAT = my_splunk_group

I also tried nullQueue first, then forwarding, but either:
Everything gets filtered out from both syslog and Splunk, or
Everything still goes to both syslog and Splunk.
In short:
👉 I want all events → syslog
👉 Only some events → Splunk
But I can’t get the routing to separate correctly.

gcusello · ‎09-04-2025

did you tried to crete two inputs?

one for all logs but not EventCode=5156 (blacklisting this EventCode), assigning only _SYSLOG_ROUTING
one only for EventCode=5156 log (whitelisting this EventCode)
, assigning both _SYSLOG_ROUTING and _TCP_ROUTING

Ciao.

Giuseppe

PickleRick · ‎09-04-2025

I assume you're talking about HF.

Try setting the _TCP_ROUTING to a non-existent group for the events you want to drop.

Need help routing all Windows events to syslog but only selected Event IDs to Splunk