Hi
I was wondering how you go about extracting and forwarding certain field values to a third party system and whether the below would work.
The goal is to extract a few field values (timestamp, username and IP) from Windows EventID 4624 and forward them to ‘device1’. EventID 4624 must also be stored on the indexer. The app below would be installed on the indexer.
outputs.conf:
[tcpout:Device1]
server = 1.1.1.1.1:5514
sendCookedData = false
props.conf:
[WinEventLog:Security]
TRANSFORMS-foo = WinEventID4624
transforms.conf:
[WinEventID4624]
REGEX = (?msi)(\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s(?:PM|AM)?).*EventCode=\b4624\b.*Account Name:\s*([^\r\n\@]\S+).*?Source\sNetwork\sAddress:\s(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
DEST_KEY = _TCP_ROUTING
FORMAT = Time::$1,AccountName::$2,IP::$3
Thanks!
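As an added example (not part of the post and not Splunk's own code), the extraction the transforms.conf stanza above describes, run in Python against a constructed 4624 event: the regex is the post's with the `g` flag dropped (neither PCRE nor Python accept `g` as an inline modifier) and the capture groups named. The sample event text and the functions `extract_logon_fields` and `format_for_device` are assumptions made for this example.

```python
import re

# Regex adapted from the transforms.conf stanza in the post: the invalid "g"
# inline flag is removed and the three groups are named. (?msi) keeps the
# multi-line, dot-all and case-insensitive behaviour of the original.
LOGON_4624 = re.compile(
    r"(?msi)(?P<time>\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}\s(?:PM|AM)?)"
    r".*EventCode=\b4624\b"
    r".*Account Name:\s*(?P<account>[^\r\n@]\S+)"
    r".*?Source\sNetwork\sAddress:\s(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# Constructed sample in the layout Splunk's Windows TA produces for a
# Security-log event (one tab between a label and its value).
SAMPLE_4624 = "\n".join([
    "03/15/2024 10:22:31 AM",
    "LogName=Security",
    "EventCode=4624",
    "Message=An account was successfully logged on.",
    "Subject:",
    "\tAccount Name:\t\t-",
    "Logon Type:\t\t\t3",
    "New Logon:",
    "\tAccount Name:\t\tjdoe",
    "\tAccount Domain:\t\tCORP",
    "Network Information:",
    "\tSource Network Address:\t10.0.0.25",
    "\tSource Port:\t\t49832",
])
# Two events the regex should reject: a failed logon, and a console logon
# whose Source Network Address is "-" rather than an IPv4 address.
SAMPLE_4625 = SAMPLE_4624.replace("EventCode=4624", "EventCode=4625")
SAMPLE_LOCAL = SAMPLE_4624.replace("10.0.0.25", "-")


def extract_logon_fields(event_text):
    """Return {'time', 'account', 'ip'} for a matching 4624 event, else None.

    The greedy .* before "Account Name:" lands on the last occurrence that
    still lets the rest match, i.e. the New Logon account, not the Subject."""
    match = LOGON_4624.search(event_text)
    return match.groupdict() if match else None


def format_for_device(fields):
    """Render the fields in the FORMAT layout used in the post."""
    return "Time::{time},AccountName::{account},IP::{ip}".format(**fields)


if __name__ == "__main__":
    for sample in (SAMPLE_4624, SAMPLE_4625, SAMPLE_LOCAL):
        fields = extract_logon_fields(sample)
        print(format_for_device(fields) if fields else "no match, not forwarded")
```

Events the regex does not fully match, such as the 4625 or the console logon with `-` as its address, return None and would never reach the routing step. Note that with `DEST_KEY = _TCP_ROUTING` Splunk expects FORMAT to name the tcpout group (here `Device1`), so the field layout shown here is a separate concern from the routing decision itself.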