
Route Windows events in RFC3614 format to Splunk and in syslog format to a syslog receiver.



We are trying to route Windows security event logs from UFs to Splunk indexers and also to a syslog aggregator.

We would like to read the event log only once on the UF and are using a HF as an interim relay to route the data to the desired locations.

On the UF we have the SplunkTAWindows application deployed.

On the HF we have an outputs.conf (the stanza headers were lost in the posted copy and are restored here from the group names the settings refer to):

[tcpout]
connectionTimeout = 45
defaultGroup = all_indexers
forwardedindex.0.whitelist = .*

[tcpout:all_indexers]
autoLB = true
server = IDX1:9997, IDX2:9997
connectionTimeout = 45

[syslog:clfsysloggroup]
server = Syslog1:514

props.conf (the sourcetype stanza name is not in the posted copy; the SEDCMD key needs a class suffix, so it is written as SEDCMD-flatten):

[<Windows Security sourcetype>]
TRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog
# flatten multi-line Windows events onto one line
SEDCMD-flatten = s/[\t\n\r]/ /g

transforms.conf (the DEST_KEY lines are not in the posted copy; a routing transform needs them to pick the output group):

[WinSecEvent-Splunk]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = all_indexers

[WinSecEvent-Syslog]
REGEX = (.)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = clfsysloggroup

The above configuration works fine until the part where it routes data to different output groups.

However, I would like the Splunk-indexed logs to still be in the RFC 3614 or Splunk-parsed format, but have the events sent to syslog normalized using the above props.

Is this possible? How do we apply two parsing patterns to one sourcetype? Maybe based on the output group?

Please advise.

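One way to get two renderings of the same Security events out of a single read on the UF, as an added example that is not part of the question or of the Splunk Windows TA: on the HF, clone each event into a second sourcetype with CLONE_SOURCETYPE, apply the flattening SEDCMD only to the clone, and route the original to the indexers and the clone to the syslog group. It assumes the incoming sourcetype is WinEventLog:Security (the TA's name for the channel), reuses the group names from the question, and relies on the documented CLONE_SOURCETYPE behaviour that the clone is processed by the props.conf stanza of its new sourcetype.

```ini
# transforms.conf on the HF (added example; sourcetype names are assumptions)

# Make a copy of every Security event under a second sourcetype.
# The original event is left untouched and continues down the pipeline.
[WinSecEvent-Clone]
REGEX = .
CLONE_SOURCETYPE = WinEventLog:Security:syslog

# Original events go to the indexers only.
[WinSecEvent-Splunk]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = all_indexers

# Cloned events go to the syslog receiver only.
[WinSecEvent-Syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = clfsysloggroup

# props.conf on the HF

# Incoming sourcetype from the UF: clone, then route to Splunk.
# No SEDCMD here, so the indexed copy keeps the original multi-line layout
# that the Splunk-side parsing and field extractions expect.
[WinEventLog:Security]
TRANSFORMS-clone = WinSecEvent-Clone
TRANSFORMS-routing = WinSecEvent-Splunk

# Cloned sourcetype: flatten to a single line for the syslog receiver,
# then route to the syslog group. Transforms run before SEDCMD is an
# ordering detail of the pipeline; only the clone ever carries this stanza.
[WinEventLog:Security:syslog]
SEDCMD-flatten = s/[\t\n\r]/ /g
TRANSFORMS-routing = WinSecEvent-Syslog
```

Check the result with a single test event: it should appear once on the indexers in its original layout and once on the syslog receiver flattened; if the clone also shows up on the indexers, the defaultGroup setting in [tcpout] is still catching it and needs to be revisited.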