I am collecting Windows machine logs through a Universal Forwarder to a Splunk Heavy Forwarder.
UF STANZA - outputs.conf
[tcpout]
defaultGroup=windows_index
[tcpout:windows_index]
sendCookedData=false
server=192.168.1.172:9997
Heavy Forwarder STANZA - outputs.conf
[tcpout:win_log_forw]
disabled=false
sendCookedData=false
server=192.168.1.182:514
Then I forward the logs from the Splunk Heavy Forwarder to a Splunk Indexer and a third-party syslog server.
Challenge: the third-party syslog server is receiving the data parsed, not the raw data.
Goal: I need to receive the data in raw format on the third-party syslog server.
THIRD PARTY SYSLOG RECEIVING LIKE BELOW (NOT RAW)
2019-02-21T05:24:16.257287+00:00 192.168.1.172 /2019 09:24:14 PM#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 LogName=Security#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 SourceName=Microsoft Windows security auditing.#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventCode=4648#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventType=0#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 Type=Information#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 ComputerName=WIN-AEG45MM7137#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 TaskCategory=Logon#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 OpCode=Info#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 RecordNumber=782#015
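The receiver output above has the signature of line framing: a Windows event is a multi-line, CRLF-terminated block, and a line-oriented syslog receiver treats every LF as the end of a message, stamps each fragment with its own timestamp/host header, and renders the leftover CR as `#015` (octal 015 = 0x0D). The script below is an added illustration of that effect and of a receiver-side reassembly; it is not Splunk code and not the poster's configuration. The `RECEIVED` lines are constructed to mirror the shape of the quoted output, and grouping fragments by identical receiver timestamp and host is an assumption of this example, not a guarantee of the receiver's behaviour.

```python
"""Model why a multi-line Windows event arrives as many syslog records, and
stitch the fragments back together on the receiving side (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample of what the third-party receiver wrote to disk: each line of
# the original event arrived as its own record and got its own "<ts> <host>"
# header; "#015" is the escaped carriage return from the event's CRLF endings.
# Two events from the same host, distinguished by the receiver timestamp.
RECEIVED = [
    "2019-02-21T05:24:16.257287+00:00 192.168.1.172 LogName=Security#015",
    "2019-02-21T05:24:16.257287+00:00 192.168.1.172 SourceName=Microsoft Windows security auditing.#015",
    "2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventCode=4648#015",
    "2019-02-21T05:24:16.257287+00:00 192.168.1.172 ComputerName=WIN-AEG45MM7137#015",
    "2019-02-21T05:24:16.301002+00:00 192.168.1.172 LogName=Security#015",
    "2019-02-21T05:24:16.301002+00:00 192.168.1.172 EventCode=4624#015",
    "2019-02-21T05:24:16.301002+00:00 192.168.1.172 ComputerName=WIN-AEG45MM7137#015",
]

HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<body>.*)$")
CR_MARK = "#015"  # how the receiver escapes a literal 0x0D in the message body


def frame_as_line_records(event: str, ts: str, host: str) -> List[str]:
    """Simulate a line-oriented receiver: every LF ends a record, the CR that
    preceded it stays in the body (escaped as #015), and every record gets
    the receiver's own header. This is the transformation seen in the post."""
    records = []
    for seg in event.split("\n"):
        if not seg:
            continue
        records.append(f"{ts} {host} {seg.replace(chr(13), CR_MARK)}")
    return records


def reassemble(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Group consecutive fragments that share the same (timestamp, host) header
    back into one event, dropping the escaped CR. Returns (ts, host, text).
    Heuristic: two events stamped in the same microsecond would be merged."""
    events: List[Tuple[str, str, str]] = []
    key: Optional[Tuple[str, str]] = None
    body: List[str] = []
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a header-stamped record; skip it
        this_key = (m["ts"], m["host"])
        if body and this_key != key:
            events.append((key[0], key[1], "\n".join(body)))
            body = []
        key = this_key
        body.append(m["body"].replace(CR_MARK, ""))
    if body and key is not None:
        events.append((key[0], key[1], "\n".join(body)))
    return events


def field(event_text: str, name: str) -> Optional[str]:
    """Read a 'Name=Value' line from a reassembled Windows event."""
    for line in event_text.split("\n"):
        k, _, v = line.partition("=")
        if k == name:
            return v
    return None


if __name__ == "__main__":
    for ts, host, text in reassemble(RECEIVED):
        print(f"{ts} {host} EventCode={field(text, 'EventCode')} "
              f"lines={len(text.splitlines())}")
```

Running it prints one summary line per reassembled event (two here). The reassembly is a receiver-side workaround for analysis; it does not change what the forwarder sends, and because it keys on the receiver's own timestamp it is only reliable when fragments of one event arrive contiguously with the same stamp.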