Getting Data In

winEventLogs and XmlWinEventLogs _TCP_ROUTING

willsy
Path Finder

Hello,

I am trying to send WinEventLogs from my machines to my clustered indexer and also send the same event logs, but in XML format, to a heavy forwarder for a third party.

My inputs.conf looks like this:

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false

[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1

My outputs.conf is the following:

[tcpout:group1]
indexerDiscovery = idxc1
autoLBVolume = 65536

[indexer_discovery:idxc1]
master_uri = https://serverip:serverport
pass4SymmKey = xxxx
cxn_timeout = 300

[tcpout:heavyforwarder]
defaultGroup = heavy1

[tcpout:heavy1]
server = serverip:serverport

Does anyone know why it now does not send to my clustered indexers? Note that I did put _TCP_ROUTING = group1 under the non-XML event logs in inputs.conf and it still didn't work.

Cheers in advance


richgalloway
SplunkTrust

There are two stanzas by the same name. Splunk merges the settings from both stanzas into a single one, with the second set of settings overwriting the first. The outcome looks like this:

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = true
_TCP_ROUTING = heavy1

That would explain why no data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.
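An added illustration of the merge rule described in the reply above (example code written for this page, not posted by anyone in the thread): it applies the same-name-stanza rule to the two [WinEventLog://security] stanzas from the question and reports which keys the second stanza overwrote, which is a useful check to run over an inputs.conf before deploying it. The sample conf text is constructed from the question; parse_conf and lint_conf are assumed helper names.

```python
from collections import OrderedDict

# Constructed sample: the two same-name stanzas from the question.
INPUTS_CONF = """\
[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false

[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1
"""


def parse_conf(text):
    """Merge .conf text the way the reply describes: stanzas with the same
    name collapse into one and a later value for a key replaces the earlier
    one. Returns (merged_stanzas, overwritten) where overwritten lists
    (stanza, key, old_value, new_value) for every value that was replaced."""
    stanzas = OrderedDict()
    overwritten = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, OrderedDict())  # reuse on duplicate
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or malformed line: skip
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in stanzas[current] and stanzas[current][key] != value:
            overwritten.append((current, key, stanzas[current][key], value))
        stanzas[current][key] = value
    return stanzas, overwritten


def lint_conf(text):
    """One warning line per silently replaced value; empty list means clean."""
    _, overwritten = parse_conf(text)
    return [f"[{s}] {k}: '{old}' replaced by '{new}'"
            for s, k, old, new in overwritten]


if __name__ == "__main__":
    merged, _ = parse_conf(INPUTS_CONF)
    for name, keys in merged.items():
        print(f"[{name}]")
        for k, v in keys.items():
            print(f"{k} = {v}")
    for warning in lint_conf(INPUTS_CONF):
        print("WARNING:", warning)
```

Running it prints the single merged stanza shown in the reply plus a warning that renderXml went from false to true, which is the change that stops the non-XML copy from reaching the indexers.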

willsy
Path Finder

So if that's the case, how do I have two different stanzas when that is the information that I am gathering? That stanza is the location of the information; it is the file path to the information that I need.
