Getting Data In

VMWare user access gate way: How do I override source types on a per-event basis?

youngsuh
Contributor

Solved: How to seperate different Sourcetype logs from sin... - Splunk Community

Configure Unified Access Gateway System Settings (vmware.com)

Syslog Formats and Events (vmware.com)

Trying to override syslog and created props.conf & transform.conf.  It is not working.  What I am doing wrong?  initially getting an error:  Undocumented key used in transforms.conf; stanza='vmware:uag:admin' setting='DEST_KEY' key='MetaData:SourceType'  but, found link here that help solve.

but, still not working.  I am not search at HF.  I set the setting the HF.

props.conf

 

 

[syslog::/var/log/%hostname%/syslog]
TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

 

 

transforms.conf

 

 

[vmware:uag:admin]
REGEX = :\d\d\s+\w{5}\w{4}\suag-admin\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = :\d\d\s+\w{5}\w{4}\suag-audit\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = :\d\d\s+\w{5}\w{4}\suag-esmanager\:(.+)\n
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

 

 

 

0 Karma
1 Solution

PickleRick
Ultra Champion

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

View solution in original post

PickleRick
Ultra Champion

Are your props.conf stanzas literally say "syslog-host1", "syslog-host2" and so on?

Are your sourcetypes really named that?

On which component did you put those entries?

youngsuh
Contributor

@PickleRick Or @gcusello 

Are your sourcetypes really named that?  No, It's coming the monitoring has sorucetype=syslog

On which component did you put those entries?

Here is the inputs.conf

 

 

 

[monitor:///var/log/$mask_host1$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host2$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host3$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

 

 

 

Props.conf on the HF

 

[uag:syslog]
category = Custom
TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

 

 

 

Transform.conf on the HF

 

[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

 

 

 

@PickleRick , does that answer your question?  Is my approach wrong?   

0 Karma

PickleRick
Ultra Champion

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...