Hi,
We are trying to route Windows security event logs from UFs to Splunk indexers and also to a syslog aggregator.
We would like to read the event log only once on the UF and are using a HF as an interim relay to route data to the desired locations.
On the UF we have the Splunk_TA_Windows application deployed.
On the HF we have outputs.conf:
[tcpout]
connectionTimeout = 45
defaultGroup = all_indexers
forwardedindex.0.whitelist = .*

[tcpout:all_indexers]
autoLB = true
server = IDX1:9997, IDX2:9997

[syslog]
connectionTimeout = 45

[syslog:clf_syslog_group]
server = Syslog1:514

props.conf:

[WinEventLog:Security]
TRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog
# SEDCMD needs a class name after the dash; a bare "SEDCMD =" is ignored
SEDCMD-flatten = s/[\t\n\r]/ /g
TRUNCATE = 0

transforms.conf:

[WinSecEvent-Splunk]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = all_indexers

[WinSecEvent-Syslog]
REGEX = (.)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = clf_syslog_group
The above configuration works fine up to the part where it routes data to the different output groups.
However, I would like the Splunk-indexed logs to still be in the RFC 3614 or Splunk-parsed format, but have the events on syslog normalized using the above props.
Is this a possibility? How do we apply two parsing patterns for one sourcetype? Maybe based on the output group?
Please advise.
Thanks.
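One way to get two differently parsed copies of a single read of the event log, as an added example and not part of the original post: instead of trying to attach two parsing patterns to one sourcetype (props.conf is applied once per event, before output routing, so the SEDCMD above would change the copy going to the indexers too), clone each Security event on the HF with CLONE_SOURCETYPE, give the clone its own sourcetype, and apply the flattening SEDCMD and the syslog routing only to that clone. The original event keeps its parsed form and goes to the indexers; the clone goes to the syslog group. The stanza and sourcetype names below (`WinSecEvent-CloneForSyslog`, `WinEventLog:Security:syslogcopy`, `noforward`) are assumptions chosen for this example; the `defaultGroup = noforward` trick (pointing the clone's TCP routing at a group that does not exist so it is not forwarded to the indexers) is the commonly used pattern but should be verified on your HF version before relying on it.

```ini
# ---- props.conf (on the HF) ----

# Original sourcetype: no SEDCMD here, so the indexed copy keeps the
# Splunk-parsed format. The only transform is the clone.
[WinEventLog:Security]
TRANSFORMS-clone = WinSecEvent-CloneForSyslog
TRUNCATE = 0

# Cloned sourcetype (name is an assumption for this example): flatten
# tabs/newlines and route this copy to syslog only.
[WinEventLog:Security:syslogcopy]
SEDCMD-flatten = s/[\t\n\r]/ /g
TRANSFORMS-routing = WinSecEvent-Syslog,WinSecEvent-NoIndexers
TRUNCATE = 0

# ---- transforms.conf (on the HF) ----

# Make a copy of every Security event and re-sourcetype it so the
# props stanza above applies to the copy only.
[WinSecEvent-CloneForSyslog]
REGEX = .
CLONE_SOURCETYPE = WinEventLog:Security:syslogcopy

# Send the copy to the syslog output group from the original post.
[WinSecEvent-Syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = clf_syslog_group

# Keep the copy away from the indexers by routing its TCP output to a
# group that is never defined in outputs.conf (assumption: "noforward").
[WinSecEvent-NoIndexers]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = noforward

# ---- outputs.conf (on the HF) ----
# Unchanged from the original post: the original event still goes to
# all_indexers via defaultGroup, and clf_syslog_group is the syslog target.
[tcpout]
defaultGroup = all_indexers

[tcpout:all_indexers]
autoLB = true
server = IDX1:9997, IDX2:9997

[syslog:clf_syslog_group]
server = Syslog1:514
```

Two things worth checking after deploying this: confirm with a search on the indexers that `sourcetype=WinEventLog:Security:syslogcopy` never appears there (if it does, the `noforward` routing is not taking effect on your version), and confirm on the syslog aggregator that each Security event arrives on a single line, which shows the SEDCMD is being applied to the clone and not to the original.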