
Route Windows events in RFC3614 format to Splunk and syslog format to a syslog receiver

Hi,

We are trying to route Windows security event logs from UFs to Splunk indexers and also to a syslog aggregator.

We would like to read the event log only once on the UF, and are using an HF as an interim relay to route the data to the desired locations.

On the UF we have the Splunk_TA_windows app deployed.

On the HF we have this outputs.conf:
[tcpout]
connectionTimeout = 45
defaultGroup = all_indexers
forwardedindex.0.whitelist = .*

[tcpout:all_indexers]
autoLB = true
server = IDX1:9997, IDX2:9997

[syslog]
connectionTimeout = 45

[syslog:clfsysloggroup]
server = Syslog1:514

props.conf:
[WinEventLog:Security]
# both routing transforms run, so each event is sent to both output groups
TRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog
# SEDCMD needs a class suffix (SEDCMD-<class>); this one flattens tabs/newlines to spaces
SEDCMD-normalize = s/[\t\n\r]/ /g
TRUNCATE = 0

transforms.conf:

# routing transforms set DEST_KEY to _TCP_ROUTING / _SYSLOG_ROUTING; FORMAT names the outputs.conf group
[WinSecEvent-Splunk]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = all_indexers

[WinSecEvent-Syslog]
REGEX = (.)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = clfsysloggroup

The above configuration works fine until the part where it routes data to different output groups.

However, I would like the Splunk-indexed logs to still be in the RFC 3614 or Splunk-parsed format, but have the events sent to syslog normalized using the above props.

Is this a possibility? How do we apply two parsing patterns for one sourcetype, maybe based on the output group?

Please advise.

Thanks.

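As an added example (not from the original post and not Splunk's own tooling), a small checker that parses the three HF files and cross-checks the routing chain: every TRANSFORMS- entry in props.conf must name an existing transforms.conf stanza, each routing transform must carry a DEST_KEY, and its FORMAT must name an outputs.conf group of the matching type (tcpout for _TCP_ROUTING, syslog for _SYSLOG_ROUTING). The embedded configs are condensed constructed samples using the stanza, host and group names from the post; they deliberately carry two slips that this kind of setup is prone to, a SEDCMD without a class name and a mistyped DEST_KEY, so the checker has something to report.

```python
import configparser

# Constructed samples condensed from the post's HF configs (not the poster's files verbatim).
OUTPUTS = "[tcpout:all_indexers]\nserver = IDX1:9997, IDX2:9997\n[syslog:clfsysloggroup]\nserver = Syslog1:514\n"
PROPS = "[WinEventLog:Security]\nTRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog\nSEDCMD = s/[\\t\\n\\r]/ /g\n"
TRANSFORMS = """[WinSecEvent-Splunk]
REGEX = (.)
DESTKEY = _TCPROUTING
FORMAT = all_indexers
[WinSecEvent-Syslog]
REGEX = (.)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = clfsysloggroup
"""
PROPS_FIXED = PROPS.replace("SEDCMD =", "SEDCMD-normalize =")
TRANSFORMS_FIXED = TRANSFORMS.replace("DESTKEY = _TCPROUTING", "DEST_KEY = _TCP_ROUTING")
# Routing DEST_KEY -> the outputs.conf stanza type that its FORMAT value must name.
ROUTING_KEYS = {"_TCP_ROUTING": "tcpout", "_SYSLOG_ROUTING": "syslog"}

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def check_routing(outputs_conf, props_conf, transforms_conf):
    out, props, trans = (_parse(t) for t in (outputs_conf, props_conf, transforms_conf))
    groups = dict(s.split(":", 1)[::-1] for s in out.sections() if ":" in s)  # group -> type
    problems = []
    for st in props.sections():
        for key, val in props.items(st):
            if key == "SEDCMD":  # Splunk expects SEDCMD-<class>; a bare SEDCMD is not a valid setting
                problems.append(f"[{st}] SEDCMD needs a class name: SEDCMD-<class>")
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in val.split(",")):
                if not trans.has_section(name):
                    problems.append(f"[{st}] {key} references missing transform [{name}]")
                    continue
                t = dict(trans.items(name))
                dest = t.get("DEST_KEY")
                if dest is None:
                    problems.append(f"[{name}] has no DEST_KEY (keys present: {', '.join(t)})")
                elif dest in ROUTING_KEYS:  # other DEST_KEYs are not output routing; skip them
                    for group in (g.strip() for g in t.get("FORMAT", "").split(",")):
                        if groups.get(group) != ROUTING_KEYS[dest]:
                            problems.append(f"[{name}] FORMAT {group!r} is not a [{ROUTING_KEYS[dest]}:...] group")
    return problems
```

Running `check_routing(OUTPUTS, PROPS, TRANSFORMS)` reports the missing DEST_KEY and the bare SEDCMD; with the fixed variants it returns an empty list.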