Solved: Re: VMWare user access gate way: How do I override...

youngsuh · ‎07-27-2022

Trying to override syslog and created props.conf & transform.conf. It is not working. What I am doing wrong? initially getting an error: Undocumented key used in transforms.conf; stanza='vmware:uag:admin' setting='DEST_KEY' key='MetaData:SourceType' but, found link here that help solve.

but, still not working. I am not search at HF. I set the setting the HF.

props.conf

[syslog::/var/log/%hostname%/syslog]
TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

transforms.conf

[vmware:uag:admin]
REGEX = :\d\d\s+\w{5}\w{4}\suag-admin\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = :\d\d\s+\w{5}\w{4}\suag-audit\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = :\d\d\s+\w{5}\w{4}\suag-esmanager\:(.+)\n
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

PickleRick · ‎09-20-2022

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

View solution in original post

PickleRick · ‎07-27-2022

Are your props.conf stanzas literally say "syslog-host1", "syslog-host2" and so on?

Are your sourcetypes really named that?

On which component did you put those entries?

youngsuh · ‎09-19-2022

@PickleRick Or @gcusello

Are your sourcetypes really named that? No, It's coming the monitoring has sorucetype=syslog

On which component did you put those entries?

Here is the inputs.conf

[monitor:///var/log/$mask_host1$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host2$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host3$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

Props.conf on the HF

[uag:syslog]
category = Custom
TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

Transform.conf on the HF

[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

@PickleRick , does that answer your question? Is my approach wrong?

PickleRick · ‎09-20-2022

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

VMWare user access gate way: How do I override source types on a per-event basis?

heavy forwarder

props.conf

sourcetype

transforms.conf

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation