So I'm trying to get to a HEC/syslog type environment. Please don't tell me that sending WinEvents via syslog is dumb. I have a global policy issue at work where all log data must be collected and stored in syslog for 2 years, and that includes my WinEvents. Here's my situation. I have a syslog-ng (3.13) server that receives Snare Windows Events. It then sends on data to a Splunk Heavy Forwarder (currently using the stock syslog "log {};" command). I've installed both the Snare Expanded Syslog TA and the Splunk_Windows TA (6.0) on the HF and the SH. I have also modified the inputs and props for the Windows TA to enable the data I want and do some cleanup (I did read setup for the Windows TA).
However, my data in the SH is still listed with the correct host (in this example a domain controller), the source is the TCP port I'm receiving data on in splunk, and the sourcetype is syslog. Not snare_syslog, not winevent_syslog (or whatever that sourcetype is).
I'm confused and stuck. Even if I migrate to a syslog-http-HEC environment (it's in dev right now) how do I get splunk to properly format the incoming data with extracted fields and the correct sourcetype in this design?
Also, I get no field extraction at all (I couldn't figure out how to go back and edit the original post)
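As an added example (not from the original post, the TA, or Splunk's documentation), here is a minimal set of Heavy Forwarder configuration stanzas that address the symptom described above: a raw TCP input assigns `sourcetype = syslog` and `source = tcp:<port>` to every event, so the Snare and Windows TAs never see the sourcetype their props and search-time extractions are keyed on. The fix is an index-time transform on the HF (the first full Splunk instance the data hits; this will not work if placed only on the search head) that rewrites the sourcetype for lines carrying Snare's `MSWinEventLog` marker. Port `10514` is a placeholder, and `snare_syslog` is the name used in the post; check the Snare TA's own props.conf for the exact sourcetype it defines and use that value instead.

```ini
# inputs.conf on the Heavy Forwarder (port 10514 is a placeholder, not from the post)
# Everything from syslog-ng arrives here with source=tcp:10514 and sourcetype=syslog.
[tcp://10514]
sourcetype = syslog
connection_host = dns

# props.conf on the Heavy Forwarder: run a transform on every event from that input.
# The stanza key matches the literal source value Splunk assigns to TCP inputs.
[source::tcp:10514]
TRANSFORMS-set_snare_sourcetype = snare_to_sourcetype

# transforms.conf on the Heavy Forwarder: Snare-formatted Windows events contain the
# fixed token "MSWinEventLog"; events that match get the TA's sourcetype, everything
# else (plain syslog from other hosts) keeps sourcetype=syslog.
[snare_to_sourcetype]
REGEX = MSWinEventLog
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::snare_syslog
```

Once events are indexed with the sourcetype the TA expects, the TA's search-time field extractions on the search head apply without further changes. If the pipeline later moves to HEC, the same outcome is simpler to achieve at the sender: the HEC event JSON accepts a per-event `sourcetype` field, so syslog-ng can set it explicitly instead of relying on an index-time rewrite.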