I'm trying to retrieve all login/logoff/failure events on my indexer from the UniversalForwarder, filtered by the Heavy forwarder:
UF v5.0.5 (all Security logs) > HF v5.0.5 (filtering only 4642/4625/4634 events) > Indexer v6.0 (just index)
UF: basic install with only Security logs configured to be sent
HF: listen on and forward only
**Props.conf:**

```
[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza
```

**Transforms.conf:**

```
[winEvents_stanza]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=winEvents_group
```

**outputs.conf:**

```
[tcpout]
defaultGroup=defaultGroup

[tcpout:defaultGroup]

[tcpout:winEvents_group]
server = X.X.X.X:xxxx
sendCookedData = 0
```
Indexer : index received data
If I don't configure the HF (props/transforms/outputs) the indexer receives all Security logs, but when I try to filter only on "WinEventLog:Security", the indexer does not receive the security logs.
Is the HF able to understand the sourcetype WinEventLog:Security?
Any idea?
If you have old Win2003 servers, double check that the sourcetype is not WinEventLog:security (with lower case).
Thanks for your reply. Finally I've changed my configuration to `[host::*]`, and in my transforms.conf I keep only the needed events.
In fact I've got old Win03 but I have Win08R2 in the same environment and I need to catch both events.
Otherwise, for WinEventLog only, another option is to create 2 versions of the stanza in props.conf.
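The following heavy-forwarder configuration is an added example, not the configuration of anyone in this thread, that puts the two suggestions above together: one props.conf stanza per spelling of the sourcetype (so both the Win2003 `WinEventLog:security` and the Win2008R2 `WinEventLog:Security` hosts are covered) and queue-based filtering in transforms.conf that discards every Security event except the logon (4624), failed logon (4625) and logoff (4634) codes. Note that the routing transform in the question (`REGEX=.*` with `DEST_KEY=_TCP_ROUTING`) only chooses an output group and does not drop anything; filtering is done by sending events to `nullQueue` first and then rescuing the wanted ones with a later transform, since the last matching transform sets the queue. The indexer hostname and port, and the `TRANSFORMS-set` and transform stanza names, are placeholders chosen for this example. One check worth making against the original outputs.conf: `sendCookedData = 0` makes the forwarder send raw, uncooked data, which a `splunktcp` receiving port on the indexer will not accept, so the example leaves that setting at its default of true.

```ini
# --- props.conf on the heavy forwarder ---
# Stanza names are matched exactly, so list both spellings of the
# sourcetype reported in the thread (Win2003 vs. Win2008R2 hosts).
[WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing

[WinEventLog:security]
TRANSFORMS-set = setnull, setparsing

# --- transforms.conf on the heavy forwarder ---
# Transforms run in the listed order and the last one that matches wins:
# first send every event to nullQueue, then put the wanted EventCodes
# back on indexQueue so they are forwarded to the indexer.
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
# EventCode=NNNN appears on its own line in the raw WinEventLog text;
# (?m) makes ^ match at each line start.
REGEX = (?m)^EventCode=(4624|4625|4634)\b
DEST_KEY = queue
FORMAT = indexQueue

# --- outputs.conf on the heavy forwarder ---
# Placeholder indexer address. sendCookedData is intentionally left at
# its default (true) because the indexer's splunktcp port expects cooked data.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer.example.internal:9997
```

With this in place the indexer only ever sees the three logon-related event codes, which is usually what a detection pipeline for brute-force and lateral-movement monitoring wants; any other code to keep is simply added to the alternation in `setparsing`. The OP's later `[host::*]` stanza works the same way as the two sourcetype stanzas, at the cost of applying the transforms to every sourcetype from every host, so it is only appropriate when the HF handles nothing but Security events.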