Getting Data In

VMWare user access gate way: How do I override source types on a per-event basis?

youngsuh
Contributor

Solved: How to seperate different Sourcetype logs from sin... - Splunk Community

Configure Unified Access Gateway System Settings (vmware.com)

Syslog Formats and Events (vmware.com)

Trying to override syslog and created props.conf & transform.conf.  It is not working.  What I am doing wrong?  initially getting an error:  Undocumented key used in transforms.conf; stanza='vmware:uag:admin' setting='DEST_KEY' key='MetaData:SourceType'  but, found link here that help solve.

but, still not working.  I am not search at HF.  I set the setting the HF.

props.conf

 

 

[syslog::/var/log/%hostname%/syslog]
TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

 

 

transforms.conf

 

 

[vmware:uag:admin]
REGEX = :\d\d\s+\w{5}\w{4}\suag-admin\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = :\d\d\s+\w{5}\w{4}\suag-audit\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = :\d\d\s+\w{5}\w{4}\suag-esmanager\:(.+)\n
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

 

 

 

0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

Are your props.conf stanzas literally say "syslog-host1", "syslog-host2" and so on?

Are your sourcetypes really named that?

On which component did you put those entries?

youngsuh
Contributor

@PickleRick Or @gcusello 

Are your sourcetypes really named that?  No, It's coming the monitoring has sorucetype=syslog

On which component did you put those entries?

Here is the inputs.conf

 

 

 

[monitor:///var/log/$mask_host1$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host2$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host3$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

 

 

 

Props.conf on the HF

 

[uag:syslog]
category = Custom
TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

 

 

 

Transform.conf on the HF

 

[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

 

 

 

@PickleRick , does that answer your question?  Is my approach wrong?   

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...