winEventLogs and XmlWinEventLogs _TCP_ROUTING

willsy · ‎10-08-2020

hello,

i am trying to send wineventlogs from my machines to my clustered indexer and also send the same event logs but in Xml format to a heavy forwarder for third party.

my inputs.conf looks like this

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false

[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1

my outputs.conf is the following

[tcpout:group1]
indexerDiscovery = idxc1
autoLBVolume = 65536

[indexer_discovery:idxc1]
master_uri = https://serverip:serverport
pass4SymmKey = xxxx
cxn_timeout = 300

[tcpout:heavyforwarder]
defaultGroup = heavy1

[tcpout:heavy1]
server = serverip:serverport

does anyone know why it now does not send to my clustered indexers? know that i did put _TCP_ROUTING = group1 under the non Xml event logs in inputs.conf and still didnt work.

cheers in advance

richgalloway · ‎10-08-2020

There are two stanzas by the same name. Splunk merges the settings from both stanzas into a single one with the second set of setting overwriting the first. The outcome looks like this:

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = true
_TCP_ROUTING = heavy1

That would explain why no data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.

willsy · ‎10-08-2020

So if thats the case, how do i have two different stanzas when that is the information that i am gathering? That stanza is the location of the information, it is the file path to the information that i need.

winEventLogs and XmlWinEventLogs _TCP_ROUTING

heavy forwarder

indexer

inputs.conf

universal forwarder

XML

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration