Getting Data In

forwarding Windows and syslog event logs to rsyslog

pil321
Communicator

Need to send certain Windows security and audit files to a RHEL rsyslog server. This is what I have so far (based on this):

props.conf

[WinEventLog:security]
TRANSFORMS-routing = send_to_syslog

[Perfmon:Network Interface]
TRANSFORMS-routing = send_to_syslog

[syslog]
TRANSFORMS-routing = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs.conf

[syslog:my_syslog_group]
server = 10.0.10.10:514
type = tcp

The logs are getting to the rsyslog server, but the format is not right for the Windows logs:

2014-02-09T16:05:32.437414-05:00 new-host-3.home Value=149.60659940915585
2014-02-09T16:05:32.440373-05:00 new-host-3.home collection="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home object="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home counter="Bytes Sent/sec"#015

I'd like to be able to send the files as raw TCP, but haven't been able to do it. I've changed the DEST_KEY in the transforms.conf to _raw, and changed my outputs.conf to [tcpout], but that doesn't seem to work.

Anyone been able to do something similar to this?

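As an added example (not code from this thread), a small Python reassembler for the lines rsyslog wrote above. It assumes rsyslog's default control-character escaping, which renders the trailing carriage return of each fragment as `#015`, and it treats consecutive `key=value` fragments from the same host as pieces of one multi-line Windows/perfmon event that the syslog output sent line by line.

```python
import re

# Constructed sample: the four lines from the thread as rsyslog stored them.
# rsyslog's default escaping turns the trailing CR (octal 015) into "#015".
SAMPLE = """\
2014-02-09T16:05:32.437414-05:00 new-host-3.home Value=149.60659940915585
2014-02-09T16:05:32.440373-05:00 new-host-3.home collection="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home object="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home counter="Bytes Sent/sec"#015
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$')
ESCAPE_RE = re.compile(r'#([0-7]{3})')          # rsyslog "#ooo" octal escape
KV_RE = re.compile(r'^(?P<key>[A-Za-z_][\w ]*?)="?(?P<val>.*?)"?$')

def unescape(msg):
    """Decode rsyslog's #ooo octal escapes back into the control characters."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), msg)

def parse_line(line):
    """Split one received line into timestamp, host and a key/value fragment."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = unescape(m.group('msg')).rstrip('\r\n')   # drop the CR the forwarder sent
    kv = KV_RE.match(msg)
    if not kv:
        return None
    return {'ts': m.group('ts'), 'host': m.group('host'),
            'key': kv.group('key'), 'val': kv.group('val')}

def reassemble(text):
    """Group consecutive fragments from one host back into a single record.

    A new record starts when the host changes or a key repeats, which is the
    visible signature of the next multi-line event beginning on the wire.
    """
    records, current = [], None
    for line in text.splitlines():
        frag = parse_line(line)
        if frag is None:
            continue                                 # not a key=value fragment
        if (current is None or current['host'] != frag['host']
                or frag['key'] in current['fields']):
            current = {'host': frag['host'], 'first_ts': frag['ts'], 'fields': {}}
            records.append(current)
        current['fields'][frag['key']] = frag['val']
    return records
```

Comparing `len(text.splitlines())` with `len(reassemble(text))` is a quick check of how many syslog messages each original event was split into.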

sony_pimpale
New Member

Hi

Could you please let me know what software has to be installed on Windows to get logs (Tomcat logs) forwarded to rsyslog (Linux)?

Thanks


richgalloway
SplunkTrust

@sony_pimpale, You're adding on to an old question. Please post a new question describing your problem so you'll have a better chance at getting a solution.


grantsales
Engager

I see this is from last year, but did you ever get this working?


grantsales
Engager

I already have the Splunk agent feeding the indexer; the issue I have is that I also need this data somewhere else that isn't Splunk. I thought I could use the existing agent to dual feed, one straight to Splunk and one to my syslog server.

Doesn't seem to be working with windows events however.

Reading up in answers.splunk, I'd have to do some reformatting of the data prior to sending it off, but this would impact what splunk is getting.


Richfez
SplunkTrust

Great, a valid use case. 🙂

Lots of folks don't pay much attention to older answers and it's unlikely you'll get too much activity through this thread. I'd suggest compiling up your precise use case and what behavior you are trying to get, along with what you are actually seeing instead, and create a new post asking about that.

I'll be looking forward to that; I may be able to replicate whatever you are seeing later this week if I have a good writeup of it.


Richfez
SplunkTrust

Is there a reason to have an intermediate step of converting to syslog and back again?

The direct ingestion of Windows events as forwarded by a Universal Forwarder into Splunk works fantastically well and is generally problem free. Unless you have some constraint you can't get lifted or get permission to work around, I'd normally recommend just letting the forwarder forward directly to the indexer.


Richfez
SplunkTrust

grantsales,

Sorry, I moved my comment to here - I got mixed up on dates and who did what when. 😞

The comment was directed toward you - is there a reason you need to use syslog specifically?
