
VMware Unified Access Gateway: how do I override sourcetypes on a per-event basis?

youngsuh
Contributor

Solved: How to seperate different Sourcetype logs from sin... - Splunk Community

Configure Unified Access Gateway System Settings (vmware.com)

Syslog Formats and Events (vmware.com)

I am trying to override syslog and created props.conf & transforms.conf. It is not working. What am I doing wrong? Initially I was getting an error: "Undocumented key used in transforms.conf; stanza='vmware:uag:admin' setting='DEST_KEY' key='MetaData:SourceType'", but I found a link here that helped solve it.

But it is still not working. I am not searching on the HF; I set the settings on the HF.

props.conf

# A path-based stanza uses the source:: prefix (syslog:: is not a valid stanza type)
[source::/var/log/%hostname%/syslog]
TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager
transforms.conf

# No trailing \n in REGEX: _raw carries no newline once the stream is broken into events,
# so a pattern that requires one never matches
[vmware:uag:admin]
REGEX = :\d\d\s+\w{5}\w{4}\suag-admin\:(.+)
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

# FORMAT must name the audit sourcetype, not admin
[vmware:uag:audit]
REGEX = :\d\d\s+\w{5}\w{4}\suag-audit\:(.+)
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = :\d\d\s+\w{5}\w{4}\suag-esmanager\:(.+)
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype
1 Solution

PickleRick
SplunkTrust

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand, but I'd suggest you double-check the case of your spelling - these settings _are_ case sensitive.


PickleRick
SplunkTrust

Do your props.conf stanzas literally say "syslog-host1", "syslog-host2" and so on?

Are your sourcetypes really named that?

On which component did you put those entries?

youngsuh
Contributor

@PickleRick or @gcusello

Are your sourcetypes really named that? No, it's coming from the monitor input, which has sourcetype=syslog.

On which component did you put those entries?

Here is the inputs.conf

[monitor:///var/log/$mask_host1$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host2$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host3$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog
props.conf on the HF

[uag:syslog]
category = Custom
TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager
transforms.conf on the HF

[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype
@PickleRick, does that answer your question? Is my approach wrong?

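The configs from the question and from the follow-up above, run through an offline check before they are deployed to the HF. This is an added example written for this thread; it is not code from the thread's participants or from Splunk. It parses the follow-up's transforms.conf with Python's configparser (Splunk .conf files are INI-style), applies each REGEX the way a TRANSFORMS-<class> list is applied to _raw, lints DEST_KEY spelling against a small set of known keys (the accepted answer's point that the setting is case sensitive), and tests the question's original admin REGEX, which ends in \n, against sample events. The sample syslog lines, the 9-character host name, the extra [bad:case] stanza and the default sourcetype uag:syslog are constructed for the example; that a later matching transform overwrites an earlier write to the same DEST_KEY, and that _raw carries no trailing newline after line breaking, are stated as assumptions in the comments.

```python
"""Offline check of Splunk props/transforms sourcetype overrides.

Added example for this thread; not code from the thread's posters or from
Splunk.  Splunk .conf files are INI-style, so configparser can read them.
"""
import configparser
import re

# DEST_KEY values this linter accepts.  A subset of what Splunk documents;
# the comparison is exact because the setting is case sensitive.
KNOWN_DEST_KEYS = {
    "MetaData:Sourcetype", "MetaData:Source", "MetaData:Host",
    "_raw", "queue", "_meta",
    "_TCP_ROUTING", "_SYSLOG_ROUTING", "_INDEX_AND_FORWARD_ROUTING",
}

# transforms.conf as posted in the follow-up, plus a constructed [bad:case]
# stanza that repeats the mis-cased key from the error in the question.
TRANSFORMS_CONF = r"""
[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

[bad:case]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:SourceType
"""

# The TRANSFORMS-<class> value from the follow-up's props.conf [uag:syslog] stanza.
TRANSFORMS_ORDER = "vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager"

# The admin REGEX from the question, which requires a trailing newline.
FIRST_ATTEMPT_REGEX = r":\d\d\s+\w{5}\w{4}\suag-admin\:(.+)\n"

# Constructed sample events in "<timestamp> <host> <program>: <msg>" shape.
# The host name is 9 characters so that \w{5}\w{4} can match it.  Assumption:
# _raw carries no trailing newline once Splunk has broken the stream into events.
SAMPLE_EVENTS = [
    "May 14 10:22:31 uaghost01 uag-admin: Admin UI login from 10.0.0.5",
    "May 14 10:22:32 uaghost01 uag-audit: User jdoe authenticated via RADIUS",
    "May 14 10:22:33 uaghost01 uag-esmanager: Edge service HORIZON started",
    "May 14 10:22:34 uaghost01 kernel: unrelated line keeps the input sourcetype",
]


def load_transforms(conf_text):
    """Parse transforms.conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # do not lower-case keys; DEST_KEY must stay DEST_KEY
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_dest_keys(transforms):
    """Return stanza names whose DEST_KEY is not an exact, known key."""
    return [name for name, st in transforms.items()
            if st.get("DEST_KEY") not in KNOWN_DEST_KEYS]


def resolve_sourcetype(event, transforms, order, default="uag:syslog"):
    """Sourcetype one event ends up with after the listed transforms run.

    Each named transform whose REGEX matches (unanchored search over _raw)
    writes its FORMAT value to DEST_KEY.  Assumption: transforms run in the
    listed order and a later match overwrites an earlier one; the patterns
    here are mutually exclusive, so the order does not change the outcome.
    """
    sourcetype = default
    for name in (n.strip() for n in order.split(",")):
        st = transforms[name]
        if st.get("DEST_KEY") != "MetaData:Sourcetype":
            continue  # a mis-cased or different key never touches the sourcetype
        if re.search(st["REGEX"], event):
            sourcetype = st["FORMAT"].split("::", 1)[1]  # FORMAT = sourcetype::<value>
    return sourcetype


def classify(events, transforms, order):
    """Sourcetype assigned to each event, in input order."""
    return [resolve_sourcetype(e, transforms, order) for e in events]


def first_attempt_matches(event):
    """True if the question's original admin REGEX matches the event."""
    return re.search(FIRST_ATTEMPT_REGEX, event) is not None


if __name__ == "__main__":
    transforms = load_transforms(TRANSFORMS_CONF)
    print("stanzas with a bad DEST_KEY:", lint_dest_keys(transforms))
    for event, st in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS, transforms, TRANSFORMS_ORDER)):
        print(f"{st:<22} {event}")
    print("first regex, no newline  :", first_attempt_matches(SAMPLE_EVENTS[0]))
    print("first regex, with newline:", first_attempt_matches(SAMPLE_EVENTS[0] + "\n"))
```

Run as a script it prints [bad:case] as the only stanza with a rejected DEST_KEY, assigns the three vmware:uag:* sourcetypes to the three matching lines and leaves the kernel line on uag:syslog, and shows that the question's original REGEX only matches when a newline is appended to the event, which is why the simplified patterns in the follow-up are the safer choice.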

