All our Windows servers are sending security event logs to a central syslog server; they are not in Windows event log format, they are converted to syslog (by Corelog).
Our central syslog server receives the converted Windows security event logs and places them in a unique file, /var/log/windows. At this point a Splunk light forwarder sends the data to our Splunk indexer.
The Splunk indexer receives the Windows syslog, where I've defined a new sourcetype (based on the source file /var/log/windows) and filtered for only certain event IDs by defining a new field, windows_error_code.
My question is this: has anyone defined any apps that will read syslog data that is actually created from Windows event logs?
Any suggestions on how I can use the windows/syslog data without too much re-inventing the wheel?
Thanks!
Without seeing the exact format of the syslog entries, it sounds like you are going to be forced into working up a number of regex extractions for your new sourcetype. Is there a reason, such as a license limitation, that you are not just deploying the universal forwarder with the Windows TA to the systems you want logs from?
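To make the "regex extractions for your new sourcetype" concrete, here is an added example (not from the original thread, and not Corelog's or Splunk's own code) that does the same job in Python: a named-group regex pulls the event ID into the `windows_error_code` field the question mentions, and a filter keeps only the IDs of interest. The syslog line layout is constructed for this example; the real entries from the converter will differ, so the regex is the part that has to be adapted once the actual format is known.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines: a plausible shape for a Windows security event after an
# agent has rewritten it as a syslog message. Not real Corelog output.
SAMPLE_LINES = [
    "Mar 10 12:01:02 win-dc01 Security: EventID=4624 Source=Microsoft-Windows-Security-Auditing User=jdoe Logon Type: 2",
    "Mar 10 12:01:05 win-dc01 Security: EventID=4625 Source=Microsoft-Windows-Security-Auditing User=jdoe Logon Type: 3",
    "Mar 10 12:01:09 win-fs02 Security: EventID=4688 Source=Microsoft-Windows-Security-Auditing User=svc_backup New Process Name: C:\\Windows\\System32\\cmd.exe",
    "Mar 10 12:01:11 win-fs02 cron: unrelated line with no event id",
]

# Named groups become field names, exactly as they would in a Splunk search-time
# extraction. The equivalent props.conf stanza (hypothetical sourcetype name) is:
#   [windows_syslog]
#   EXTRACT-winfields = ^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<channel>\w+):\sEventID=(?P<windows_error_code>\d+)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s"   # syslog timestamp, e.g. "Mar 10 12:01:02"
    r"(?P<host>\S+)\s"                  # originating Windows host
    r"(?P<channel>\w+):\s"              # event log channel used as the syslog tag
    r"EventID=(?P<windows_error_code>\d+)"  # the field the question defines
    r"(?:.*?\bUser=(?P<user>\S+))?"     # optional: account name if present
)


def extract_fields(line: str) -> Optional[Dict[str, str]]:
    """Return the extracted fields for one line, or None if it is not a Windows event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop optional groups that did not participate in the match.
    return {k: v for k, v in m.groupdict().items() if v is not None}


def filter_events(lines: Iterable[str], wanted_ids: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only events whose windows_error_code is in wanted_ids (IDs as strings)."""
    wanted = set(wanted_ids)
    kept = []
    for line in lines:
        fields = extract_fields(line)
        if fields and fields["windows_error_code"] in wanted:
            kept.append(fields)
    return kept


if __name__ == "__main__":
    # Failed logons (4625) and process creation (4688) are common IDs to watch.
    for event in filter_events(SAMPLE_LINES, {"4625", "4688"}):
        print(event)
```

Lines that do not match the pattern (the `cron` line above) yield no fields and are silently dropped, which is the same behaviour a Splunk `EXTRACT-` stanza gives when the regex fails to match; if the converter emits more than one layout, expect to add one extraction per layout rather than stretching a single regex.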