Splunk Search

Add original host to windows security event syslog header

agarrison
Path Finder

I want to export windows security events to syslog.
The following works but it shows the events all originate from splunk.
I want to replace the syslog header with the original host or at least tag the original host on the event.

Props.conf
[WinEventLog:Security]
TRANSFORMS-routing = ms_strm_dev

Outputs.conf
[syslog:ms_strm_dev]
server = 10.4.4.200:12468
type=tcp

Transforms.conf
[win_strm]
REGEX = (?msi)Security
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_strm_dev

It looks like I could add something like this to my transforms, but how would I format the transform twice?
DEST_KEY = MetaData:Host
REGEX = (.+)
FORMAT = host::$1

0 Karma

sbbadri
Motivator
0 Karma

agarrison
Path Finder

I want to be about to filter AND route, this shows how to do either, but doesn't look like both to the same data. Unless I can route it to one transform, then back through another once it goes through the first.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...