Getting Data In

_TCP _ROUTING - windows event – will this work?

pete222
New Member

Hi
I was wondering how you go about extracting and forwarding certain field values to a third party system and whether the below would work.

The goal is to extract a few field values (timestamp, username and IP) from WindowsEventID4624 and forward them to ‘device1’. EventID462 must also be stored on the indexer. The app below would be installed on the indexer.

outputs.conf:
[tcpout:Device1]
server = 1.1.1.1.1:5514
sendCookedData = false

props.conf:
[WinEventLog:Security]
TRANSFORMS-foo = WinEventID4624

transforms.conf:
[WinEventID4624]
REGEX = (?gmsi)(\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s(?:PM|AM)?).*EventCode=\b4624\b.*Account Name:\s*([^\r\n\@]\S+).*?Source\sNetwork\sAddress:\s(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
DEST_KEY = _TCP_ROUTING
FORMAT = Time::$1,AccountName::$2,IP::$3

Thanks!

0 Karma

somesoni2
Revered Legend

I don't think something like that is possible (sending only specific portion/fields to third party system). The transforms.conf you've, the FORMAT should provide the value for the attribute defined by DEST_KEY, and probably won't do anything (may be few warning/errors in internal logs). You would be able to send the whole raw log for a particular event code (based on regex specified in REGEX) to a third party system where you'd specify the _TCP_ROUTING group for that system in your FORMAT setting.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...