the default port is UDP 4739 ... View more

sourcetype should be pan_log. ... View more

On older version of the Windows app we were using a LOOKUP to find the SID of event. This is no longer the case as of 4.1. To resolve this error, edit the default/props.conf file in your windows app to the following: # Applying GUID, SID traslation to the "event_guid, event_sid" fields in WinEventLog sourcetype events # [source::WinEventLog...] # LOOKUP-GUID = guid_lookup guid_lookup AS guid_to_trans OUTPUT dcName AS guid_dcname # LOOKUP-SID = sid_lookup sid_lookup AS sid_to_trans OUTPUT cn AS sid_cn dcName as sid_dcname # Applying GUID, SID traslation to the "guid_raw, sid_raw" fields in WMI WinEventLog sourcetype events. # By looking up the values of those two fields, two new fields are generated, guid_name, sid_name # [source::WMI:WinEventLog...] # LOOKUP-GUID = guid_lookup guid_lookup AS guid_to_trans OUTPUT dcName AS guid_dcname # LOOKUP-SID = sid_lookup sid_lookup AS sid_to_trans OUTPUT cn AS sid_cn dcName as sid_dcname ... View more

since the hostname is extract via a transform stanza itself, you cannot call the routing transform based on host. here are the configuration changes you should make: props.conf: [wmi] TRANSFORMS-FIELDS = wmi-host, wmi-source, wmi-sourcetype, wmi-foo1, wmi-foo2 #notice the wmi-foo1 and wmi-foo2 transforms are called AFTER the wmi-host transform transforms.conf: #make everything from this host go to a different index [wmi-foo1] SOURCE_KEY = MetaData:Host REGEX = <the host you want to route> DEST_KEY = _MetaData:Index FORMAT = foo #now revert the index for the events you DON'T want to in the foo index for the host [wmi-foo2] SOURCE_KEY = _raw REGEX = <some regex here based on raw text event> DEST_KEY = _MetaData:Index FORMAT = <non foo index> ... View more