I know there are many similar posts to this, and I have read a lot, but I can't seem to get it to work.
I am trying to manually change the sourcetype. I have an LWF and an indexer. I'm trying to change my iptables logs' sourcetype to "iptables". I've tried several different things. I probably have several things wrong; if someone could point me in the right direction or tell me exactly what to do, that would be great. Here is some stuff I have at the moment.
On my LWF:
inputs.conf:
[monitor:///var/log/kern.log]
sourcetype = test
[monitor:///var/log/syslog]
sourcetype = test
On my indexer:
props.conf:
[test]
REPORT-iptables = iptables
- also tried TRANSFORMS
transforms.conf:
[iptables]
DEST_KEY = MetaData:sourcetype
REGEX = \bIN\w*\b.*\bTCP\b
FORMAT = sourcetype::sourcetype
All my iptables logs have either INBOUND TCP or INPUT TCP; I'm trying to use an easy regex, as I haven't used it before.
Here is an example of a log:
Aug 6 10:50:03 VM2 kernel: [ 9468.989438] INBOUND TCP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.232.1 DST=192.168.232.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=UDP SPT=138 DPT=138 LEN=209
If there is something I didn't post that would be helpful, let me know.
There are two issues here:
TRANSFORMS-iptables = iptables as opposed to
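An added example, not from the question or the answer above: it models how an index-time TRANSFORMS rule rewrites the sourcetype and lets you check the REGEX against sample events before touching the indexer. The corrected conf contents embedded in it (TRANSFORMS- instead of REPORT-, and FORMAT = sourcetype::iptables instead of sourcetype::sourcetype) are my assumption about the intended fix based on how those keys behave, not text from the answer; the sshd line is a constructed negative sample. Splunk evaluates REGEX with PCRE while this uses Python's re, which agree for a pattern this simple.

```python
"""Added example: simplified model of a Splunk index-time sourcetype override
(props.conf TRANSFORMS- + transforms.conf DEST_KEY/REGEX/FORMAT), used to
check the poster's regex against sample events. Not Splunk's own code."""
import configparser
import re

# Assumed corrected conf files (TRANSFORMS- rather than REPORT-, and FORMAT
# naming the target sourcetype value instead of the literal word "sourcetype").
PROPS_CONF = """
[test]
TRANSFORMS-iptables = iptables
"""

TRANSFORMS_CONF = r"""
[iptables]
REGEX = \bIN\w*\b.*\bTCP\b
DEST_KEY = MetaData:sourcetype
FORMAT = sourcetype::iptables
"""

# Sample events: the first is the line from the question, the second is a
# constructed non-iptables syslog line that must keep the input's sourcetype.
IPTABLES_LINE = ("Aug 6 10:50:03 VM2 kernel: [ 9468.989438] INBOUND TCP IN=eth0 OUT= "
                 "MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.232.1 "
                 "DST=192.168.232.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=312 "
                 "PROTO=UDP SPT=138 DPT=138 LEN=209")
SSH_LINE = ("Aug 6 10:50:05 VM2 sshd[1234]: Accepted publickey for alice "
            "from 192.168.232.1 port 51234 ssh2")


def load_conf(text):
    """Parse a .conf file into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep DEST_KEY / REGEX / FORMAT as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)


def transform_names(sourcetype, props):
    """Transform names referenced by every TRANSFORMS-<class> key of a stanza."""
    names = []
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("TRANSFORMS-"):
            names.extend(v.strip() for v in value.split(","))
    return names


def apply_sourcetype_transforms(event, sourcetype, props, transforms):
    """A transform whose REGEX matches the raw event and whose DEST_KEY is
    MetaData:sourcetype replaces the sourcetype with the value after
    'sourcetype::' in FORMAT; anything else leaves the event untouched."""
    for name in transform_names(sourcetype, props):
        rule = transforms[name]
        if rule.get("DEST_KEY") != "MetaData:sourcetype":
            continue
        if re.search(rule["REGEX"], event):
            sourcetype = rule["FORMAT"].split("::", 1)[1]
    return sourcetype


def classify(event, input_sourcetype="test"):
    """Sourcetype an event tagged 'test' by inputs.conf ends up with."""
    return apply_sourcetype_transforms(event, input_sourcetype, PROPS, TRANSFORMS)


if __name__ == "__main__":
    for line in (IPTABLES_LINE, SSH_LINE):
        print(classify(line), "<-", line[:60])
```

Because an LWF does not parse events, the props.conf and transforms.conf changes belong on the indexer, as in the question, and index-time transforms only take effect after the indexer is restarted; running a check like this on a handful of real lines from kern.log and syslog first avoids a restart cycle for every regex tweak.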