Need to send certain Windows security and audit files to a RHEL rsyslog server. This is what I have so far (based on this):

[WinEventLog:security]
TRANSFORMS-routing = send_to_syslog

[Perfmon:Network Interface]
TRANSFORMS-routing = send_to_syslog

[syslog]
TRANSFORMS-routing = send_to_syslog

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

[syslog:my_syslog_group]
server = 10.0.10.10:514
type = tcp
The logs are getting to the rsyslog server, but the format is not right for the Windows logs:

2014-02-09T16:05:32.437414-05:00 new-host-3.home Value=149.60659940915585
2014-02-09T16:05:32.440373-05:00 new-host-3.home collection="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home object="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home counter="Bytes Sent/sec"#015
I'd like to be able to send the files as raw TCP, but haven't been able to do it. I've changed the DEST_KEY in the transforms.conf to _raw, and changed my outputs.conf to [tcpout], but that doesn't seem to work.
Anyone been able to do something similar to this?
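The records above show what happens on the receiving side: the forwarder's syslog output sends each line of a multi-line Perfmon event as its own syslog message, and rsyslog escapes the stray carriage return as #015 (octal). The following Python is an added example, not code from the thread, that undoes this on the rsyslog host: it decodes rsyslog's #NNN escapes and re-groups records into events. Grouping by identical timestamp and host is an assumption about how the split lines arrive; the sample records are the ones quoted in the question.

```python
import re

# Constructed sample: the rsyslog records quoted in the question, one per line.
SAMPLE = """\
2014-02-09T16:05:32.437414-05:00 new-host-3.home Value=149.60659940915585
2014-02-09T16:05:32.440373-05:00 new-host-3.home collection="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home object="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home counter="Bytes Sent/sec"#015
"""

RECORD_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$')
ESCAPE_RE = re.compile(r'#([0-7]{3})')  # rsyslog control-char escape, e.g. #015 = CR


def unescape_rsyslog(msg):
    """Turn rsyslog's #NNN octal escapes back into the original characters."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), msg)


def reassemble(text):
    """Group consecutive records with the same timestamp and host into one event.

    Assumption: lines of one split event arrive back-to-back with an identical
    timestamp. Returns a list of (timestamp, host, [line, ...]) tuples with the
    leftover CR stripped from each line.
    """
    events = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw)
        if not m:
            continue  # not a "<ts> <host> <msg>" record; skip it
        ts, host = m.group('ts'), m.group('host')
        msg = unescape_rsyslog(m.group('msg')).rstrip('\r')
        if events and events[-1][0] == ts and events[-1][1] == host:
            events[-1][2].append(msg)
        else:
            events.append((ts, host, [msg]))
    return events


def fields(event):
    """Split an event's key=value / key="value" lines into a dict."""
    out = {}
    for line in event[2]:
        key, _, value = line.partition('=')
        out[key.strip()] = value.strip().strip('"')
    return out


if __name__ == '__main__':
    for ev in reassemble(SAMPLE):
        print(ev[0], ev[1], fields(ev))
```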
Could you please let me know what software has to be installed on Windows to get logs (Tomcat logs) forwarded to rsyslog (Linux)?
@sony_pimpale, You're adding on to an old question. Please post a new question describing your problem so you'll have a better chance at getting a solution.
I see this is from last year, but did you ever get this working?
I already have the splunk agent feeding the indexer, the issue I have is I also need this data somewhere else that isn't splunk. I thought I could use the existing agent to dual feed, 1 straight to splunk and 1 to my syslog server.
Doesn't seem to be working with windows events however.
Reading up in answers.splunk, I'd have to do some reformatting of the data prior to sending it off, but this would impact what splunk is getting.
Great, a valid use case. 🙂
Lots of folks don't pay much attention to older answers and it's unlikely you'll get too much activity through this thread. I'd suggest compiling up your precise use case and what behavior you are trying to get, along with what you are actually seeing instead, and create a new post asking about that.
I'll be looking forward to that, I may be able to replicate whatever you are seeing later this week if I had a good writeup of what you are seeing.
Is there a reason to have an intermediate step of converting to syslog and back again?
The direct ingestion of Windows events as forwarded by a Universal Forwarder into Splunk works fantastically well and is generally problem free. Unless you have some constraint you can't get lifted or get permission to work around, I'd normally recommend just letting the forwarder forward directly to the indexer.
Sorry, I moved my comment to here - I got mixed up on dates and who did what when. 😞
The comment was directed toward you - is there a reason you need to use syslog specifically?