Hi
I am trying to use Real Time Output App to generate CEF format log from syslog but not getting the clue how I can setup the search and assign the designated source file to this app. Anyone there to help me out on usage of this app.
Thanks in advance.
What are you trying to do exactly?
The app looks for specifically named fields which it will then translate into cef field names, and that is pretty much it.
How we've used it is to output specific events that match a splunk query.
Create a new output select cef and syslog. Choose your destination ip/port/procotol.
Don't use the output assistant just make your own cef fields. There are some default ones that will be translated automatically. You can see a list of these in SplunkRealTimeOutput/bin/real_time_output/cef/ceftool.py
Example : You MUST put the word "search" at the front of your query! If you use cef_field_map you can make other fields map to cef fields that aren't explicitly named in the ceftool.py script.
search index=main sourcetype="WinEventLog:Security" (EventCode=540 OR EventCode=538) NOT User_Name="ANONYMOUS LOGON"
| eval cef_sid=EventCode | eval cef_name=name
| rename User_Name AS affected_user
| rename Source_Network_Address AS src_ip
| eval end_time=_time . "000"
| eval splunk_cn1_label="Logon_Type"
| eval cef_sid= SourceName . ":" . EventCode
| eval cef_field_map="Workstation_Name:shost,Logon_Type:cn1,splunk_cn1_label:cn1_label"