Hi,
We have had this working in the past, but for some reason I am now unable to forward filtered events to one TCP group.
Both output groups receive all events.
To summarize: the UF should send WinEventLog:Security to the tcpout:HF group, and the HF should route the Windows Security logs, based on the EventCode filters, to the indexers and to the syslog archivers.
But I am receiving all event codes at the indexers as well as at syslog.
On the UF:
Inputs:
[WinEventLog://Security]
_TCP_ROUTING=HF
disabled = false
index=idx1
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
[WinEventLog://Application]
disabled = 0
index = idx1
start_from = oldest
current_only = 0
checkpointInterval = 5
Outputs:
[tcpout]
defaultGroup = indexers
forceTimebasedAutoLB=true
useACK = true
autoLBFrequency=15
[tcpout:indexers]
server = idx1:9997, idx2:9997, idx3:9997, idx4:9997, idx5:9997, idx6:9997
[tcpout:HF]
autoLB=true
server = HF1:9997,HF2:9997
HF Outputs:
[tcpout]
defaultGroup = indexers
forceTimebasedAutoLB=true
useACK = true
autoLBFrequency=15
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry|_internal)
[indexAndForward]
index=false
[tcpout:indexers]
server = idx1:9997, idx2:9997, idx3:9997, idx4:9997, idx5:9997, idx6:9997
[syslog] ## syslog outputs for archive##
[syslog:syslogGroup]
disabled=false
server=syslog:514
HF Transforms:
[WinSecEvent-Splunk-SubSet]
REGEX = (?m)^EventCode=(4634|4776) # need to forward selected events to indexers
REGEX = (?m)^(.EventCode=(4634|4776).)
DEST_KEY=_TCP_ROUTING
FORMAT=indexers
[WinSecEvent-Syslog-All]
REGEX = (.) # Archive all event codes on a syslog archive
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
What am I missing? 😕
Thanks in advance!!
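A small routing simulator, added here as an illustration and not part of the original post, that replays the HF transforms above against two constructed Security events. It assumes Splunk-style .conf semantics (a repeated key in a stanza keeps its last value; an event no transform matches is sent to the outputs.conf defaultGroup) and omits the inline `#` notes, which .conf files do not support as comments.

```python
import re

# Constructed copy of the HF transforms.conf stanzas from the post,
# with the inline "#" notes left out (assumption: they were added for the post).
TRANSFORMS_CONF = """
[WinSecEvent-Splunk-SubSet]
REGEX = (?m)^EventCode=(4634|4776)
REGEX = (?m)^(.EventCode=(4634|4776).)
DEST_KEY=_TCP_ROUTING
FORMAT=indexers
[WinSecEvent-Syslog-All]
REGEX = (.)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
"""
DEFAULT_TCP_GROUP = "indexers"  # defaultGroup from the HF outputs.conf above


def parse_conf(text):
    """Minimal .conf parser (assumption: mirrors Splunk's last-key-wins rule)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        else:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()  # later REGEX overrides earlier
    return stanzas


def route(event, transforms, default_tcp):
    """Return the routing keys an event ends up with after all transforms run.

    _TCP_ROUTING starts at the defaultGroup: a transform can only overwrite it
    for events it matches, so unmatched events still reach that group.
    """
    keys = {"_TCP_ROUTING": default_tcp, "_SYSLOG_ROUTING": None}
    for stanza in transforms.values():
        if re.search(stanza["REGEX"], event):
            keys[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return keys


# Constructed sample events: one selected EventCode (4634) and one that is not (4624).
EVENT_4634 = "LogName=Security\nEventCode=4634\nMessage=An account was logged off."
EVENT_4624 = "LogName=Security\nEventCode=4624\nMessage=An account was successfully logged on."
```

Under these assumptions both events come out with `_TCP_ROUTING=indexers` and `_SYSLOG_ROUTING=syslogGroup`, because FORMAT=indexers is already the defaultGroup and so the transform cannot narrow what reaches the indexers.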