How can I forward "Windows security events" to a third-party syslog server without indexing them in Splunk?
Hi jawahir007,
Take a look at the docs https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Replicate_a_subset... and leave out the routeAll in props.conf. Do this configuration on a heavy weight forwarder or an indexer, restart, and new events will be sent to your third party system.
Hope this helps ...
cheers, MuS
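
A configuration along the lines of the answer above, for a heavy forwarder. This is an added example, not part of the original post and not copied from the Splunk docs. The transform name `routeSubset`, the group name `thirdparty_syslog`, the receiver address, the `source::` stanza and the `defaultGroup` value are assumptions.

```ini
# props.conf (on the heavy forwarder)
# Assumption: events arrive with the default source of the Windows
# Security event log input.
[source::WinEventLog:Security]
# Only the subset transform is listed; there is no routeAll entry.
TRANSFORMS-routing = routeSubset

# transforms.conf
[routeSubset]
# Match every event that reaches this stanza.
REGEX = .
DEST_KEY = _TCP_ROUTING
# Hypothetical group name; must match the tcpout stanza in outputs.conf.
FORMAT = thirdparty_syslog

# outputs.conf
[tcpout]
# Assumption: "nothing" is not a defined group, so events that carry no
# _TCP_ROUTING value have no default destination.
defaultGroup = nothing

[tcpout:thirdparty_syslog]
# Placeholder address of the third-party receiver (TCP listener).
server = 192.0.2.10:514
# Send the raw event text instead of Splunk's cooked format.
sendCookedData = false

[indexAndForward]
# Do not keep a local indexed copy on the forwarder.
index = false
```

With `sendCookedData = false` the receiver gets raw event text over TCP without a syslog header; if the receiver needs syslog framing, Splunk's `_SYSLOG_ROUTING` key with a `[syslog:<group>]` stanza in outputs.conf is the alternative.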