
Forwarding Windows and syslog event logs to rsyslog

pil321
Communicator

Need to send certain Windows security and audit files to a RHEL rsyslog server. This is what I have so far (based on this):

props.conf

[WinEventLog:security]
TRANSFORMS-routing = send_to_syslog

[Perfmon:Network Interface]
TRANSFORMS-routing = send_to_syslog

[syslog]
TRANSFORMS-routing = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs.conf

[syslog:my_syslog_group]
server = 10.0.10.10:514
type = tcp

The logs are getting to the rsyslog server, but the format is not right for the Windows logs:

2014-02-09T16:05:32.437414-05:00 new-host-3.home Value=149.60659940915585
2014-02-09T16:05:32.440373-05:00 new-host-3.home collection="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home object="Network Interface"#015
2014-02-09T16:05:32.440373-05:00 new-host-3.home counter="Bytes Sent/sec"#015

I'd like to be able to send the files as raw TCP, but haven't been able to do it. I've changed the DEST_KEY in the transforms.conf to _raw, and changed my outputs.conf to [tcpout], but that doesn't seem to work.

Anyone been able to do something similar to this?
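The raw-TCP variant the question asks about, as a config fragment added here (not pil321's files and not Splunk's own documentation): the routing transform targets _TCP_ROUTING and a tcpout group with sendCookedData = false, so rsyslog receives plain bytes instead of Splunk's cooked stream. The group names, the indexer hostname and the rsyslog port 5140 are assumptions.

```ini
# --- transforms.conf (added example, not the original poster's files) ---
# Same catch-all match as [send_to_syslog], but the destination key is
# _TCP_ROUTING, so the event leaves through tcpout groups instead of the
# syslog output that turned each line of a Windows event into its own message.
# FORMAT takes a comma-separated list of groups, so one event feeds both.
[send_to_raw]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers,raw_syslog_out

# --- props.conf ---
# Point the existing sourcetype stanzas at the new transform.
[WinEventLog:Security]
TRANSFORMS-routing = send_to_raw

[Perfmon:Network Interface]
TRANSFORMS-routing = send_to_raw

# --- outputs.conf ---
# The normal Splunk-to-Splunk group for the indexer (hostname assumed) ...
[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = splunk-indexer.example.com:9997

# ... plus an uncooked group for rsyslog. sendCookedData = false is what
# makes this a plain byte stream a non-Splunk receiver can read; with the
# default (true) rsyslog would get Splunk's binary S2S framing.
[tcpout:raw_syslog_out]
server = 10.0.10.10:5140
sendCookedData = false

# Notes:
# * Raw output sends the event text as-is, so a multi-line Windows event
#   arrives with its CR/LF line endings (the "#015" in the rsyslog output
#   above is rsyslog's escaped CR). rsyslog's imtcp input splits on LF by
#   default, so either accept one message per line or configure
#   multi-line/octet-counted framing on the rsyslog side.
# * TRANSFORMS-based routing runs in the parsing pipeline, so these stanzas
#   belong on a heavy forwarder or the indexer, not a universal forwarder.
# * Like the original syslog output, this carries the Security log in
#   cleartext; restrict port 5140 on rsyslog to the forwarder's address.
# Sanity check on the forwarder after a restart:
#   splunk btool transforms list send_to_raw --debug
#   splunk btool outputs list tcpout:raw_syslog_out --debug
```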


sony_pimpale
New Member

Hi

Could you please let me know what software has to be installed on Windows to get logs (Tomcat logs) forwarded to rsyslog (Linux)?

Thanks


richgalloway
SplunkTrust

@sony_pimpale, You're adding on to an old question. Please post a new question describing your problem so you'll have a better chance at getting a solution.

---
If this reply helps you, Karma would be appreciated.

grantsales
Engager

I see this is from last year, but did you ever get this working?


grantsales
Engager

I already have the Splunk agent feeding the indexer; the issue I have is that I also need this data somewhere else that isn't Splunk. I thought I could use the existing agent to dual feed, one straight to Splunk and one to my syslog server.

Doesn't seem to be working with windows events however.

Reading up in answers.splunk, I'd have to do some reformatting of the data prior to sending it off, but this would impact what splunk is getting.


Richfez
SplunkTrust

Great, a valid use case. 🙂

Lots of folks don't pay much attention to older answers and it's unlikely you'll get too much activity through this thread. I'd suggest compiling up your precise use case and what behavior you are trying to get, along with what you are actually seeing instead, and create a new post asking about that.

I'll be looking forward to that. I may be able to replicate whatever you are seeing later this week if I have a good writeup of it.


Richfez
SplunkTrust

Is there a reason to have an intermediate step of converting to syslog and back again?

The direct ingestion of Windows events as forwarded by a Universal Forwarder into Splunk works fantastically well and is generally problem free. Unless you have some constraint you can't get lifted or get permission to work around, I'd normally recommend just letting the forwarder forward directly to the indexer.


Richfez
SplunkTrust

grantsales,

Sorry, I moved my comment to here - I got mixed up on dates and who did what when. 😞

The comment was directed toward you - is there a reason you need to use syslog specifically?
