Hi - i am in the process of configuring routing 3 sourcetypes from 2 different directories to 3x indexers.

i have an access.log, secure.log and a cisco_ironport_web.log ( i have renamed the sourcetypes)

the access and secure logs are being monitored from the same directory /opt/log/www*
the cisco log is in /opt/log/cisco_1/cisco_ironport_web.log

i have created the props.conf

[source::opt/log/cisco_router1/cisco_ironport_web.log]
TRANSFORMS-sourcetype = ciscoweblog

[web_log]
TRANSFORMS-a = access_log
TRANSFORMS-b = secure_log

TRANSFORMS

[access_log]
SOURCE_KEY = MetaData:Sourcetype
REGEX = "status=*"
DEST_KEY = MetaData:Index
FORMAT = web

[secure_log]
SOURCE_KEY = MetaData:Sourcetype
REGEX = "invalid user"
DEST_KEY = _MetaData:Index
FORMAT = security

[ciscoweblog]
SOURCE_KEY = MetaData:Sourcetype
REGEX =
DEST_KEY = _MetaData:Index
FORMAT = network

from with in the REGEX fields i believe you can specify a string or a phrase which contains within the log.

but i am not entirely sure whether if what i am doing here is correct and whether how you can generate correct Regex's for these sourcetypes...

This is the monitored file for the network log

[monitor:///opt/log/cisco_router1/cisco_ironport_web.log]
disabled = 0
host_segment = 3
sourcetype = ciscoweblog
index = network

i have specified a single stanza to monitor both the access/secure logs.

[monitor:///opt/log/www*/*.log]
disabled = 0
host_segment = 3
sourcetype = web_log
index = web

Can someone assist me to whether if i am in the right direction or completely wrong and how i can correct these conf files?

Thanks