Hello,
I am trying to retrieve all logon/logoff/failed-logon events on my indexer from a Universal Forwarder, filtered by a Heavy Forwarder:
UF v5.0.5 (All Security logs) > HF v5.0.5 (Filtering only 4642/4625/4634 events) > Indexer v6.0 (just index)
UF: Basic install with only Security logs configured to be sent
HF: Listen and forward only
**Props.conf:**
```
[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza
```
**Transforms.conf:**
```
[winEvents_stanza]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=winEvents_group
```
**outputs.conf:**
```
[tcpout]
defaultGroup=defaultGroup
[tcpout:defaultGroup]
[tcpout:winEvents_group]
server = X.X.X.X:xxxx
sendCookedData = 0
```
Indexer: indexes received data
If I don't configure the HF (props/transforms/outputs), the indexer receives all Security logs, but when I try to filter only on "WinEventLog:Security", the indexer does not receive the Security logs.
Is the HF able to understand the sourcetype WinEventLog:Security?
Any idea?
Thanks.
If you have old Win2003 servers, double-check that the sourcetype is not WinEventLog:security (with lower case).
Oh, we can do that! Nice, maybe I will change it for that.
Thanks for your help.
It works.
Otherwise, for WinEventLog only, another option is to create 2 versions of the stanza in props.conf:
```
[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza
[WinEventLog:security]
TRANSFORMS-routing=winEvents_stanza
```
Hi,
Thanks for your reply; finally I've changed my configuration to [host::*], and in my transforms.conf I keep only the needed events.
In fact I have old Win03 servers, but I also have Win08R2 in the same environment and I need to catch both events.
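The final setup described in the reply above (match on `[host::*]` so the sourcetype case no longer matters, keep only the wanted events, then route them to the indexer), written out as an added example that is not the thread's own configuration. The event codes (assumed to be the standard logon 4624, failed logon 4625 and logoff 4634), the indexer address and the stanza names are assumptions; adjust them to your environment.

```ini
# props.conf on the heavy forwarder (added example, not the thread's config)
# [host::*] matches every host, so WinEventLog:Security and WinEventLog:security
# (Win2003 lower-case sourcetype) are both caught.
[host::*]
TRANSFORMS-set = setnull, setparsing
TRANSFORMS-routing = winEvents_stanza

# transforms.conf on the heavy forwarder
# 1. Send every event to the null queue first ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. ... then pull back only the events you want to keep (codes assumed).
# (?m) is needed because EventCode= sits on its own line inside the raw event.
[setparsing]
REGEX = (?m)^EventCode=(4624|4625|4634)
DEST_KEY = queue
FORMAT = indexQueue

# 3. Route what survives the filter to the indexer output group.
[winEvents_stanza]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = winEvents_group

# outputs.conf on the heavy forwarder
[tcpout]
defaultGroup = winEvents_group

# Placeholder indexer address; replace with your indexer host:port.
# sendCookedData is left at its default (true): an indexer's splunktcp
# receiving port expects cooked data, and sendCookedData = false is only
# meant for non-Splunk receivers.
[tcpout:winEvents_group]
server = 192.0.2.10:9997
```

Splunk reads the TRANSFORMS in the order listed, so `setnull` must come before `setparsing`; check the result with a search on the indexer restricted to the kept EventCode values before trusting the filter in production.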