We have a custom Windows Event Forwarding deployment with specific channels (i.e. not everything goes to ForwardedEvents): FWD/Application, FWD/System, and so on.
We use the Splunk forwarder (7.2.1) to get all of this into Splunk. It reads the sources just fine, with source::WinEventLog:FWD-<name of channel>.
The Windows TA (5.0) is not very fond of this, as it looks for source::WinEventLog:Security or another known, standard channel name.
No matter: we override [source::WinEventLog:FWD-Security], for example, and apply the transforms there (the custom app that does this override goes on the forwarder, the indexers and the search head). This works just fine; all transforms are applied.
Since we like to have the host as the source machine, we add a meta field, wec_host, for troubleshooting purposes.
```ini
# transforms.conf: copy the forwarding host into an indexed field
[set-wef-forwarding-host]
REGEX = (?m)host::(.*)$
SOURCE_KEY = MetaData:Host
FORMAT = wec_host::$1
WRITE_META = true
```
Works like a charm. Then we want to apply another transform that adds the original channel the event was received on to the metadata; it is present in the source:
```ini
# transforms.conf: copy the original WEF channel name from the source into an indexed field
[set-wef-channel]
REGEX = WinEventLog:(.*)
SOURCE_KEY = MetaData:Source
FORMAT = wef_channel::$1
WRITE_META = true
```
After that, we apply the usual transforms from the Windows TA to fix the source and sourcetype:
```ini
# props.conf: transform classes on the overridden source stanza
[source::WinEventLog:FWD-Security]
TRANSFORMS-t1-add_forwarder_for_wef = set-wef-forwarding-host
# t2 is the transform whose regex does not match (see below)
TRANSFORMS-t2-add_channel_for_wef = set-wef-channel
TRANSFORMS-t3-change_xml_host_for_windows_wef = WinEventXmlHostOverride
TRANSFORMS-t4-fix_source_and_sourcetype = ta-windows-fix-xml-source,ta-windows-fix-sourcetype
```
Taking top-to-bottom order and precedence into account, and checking with btool, it appears the transforms should be applied in the right order, but by the time the set-wef-channel transform runs, MetaData:Source no longer contains WinEventLog:FWD-Security and is empty, as the regex doesn't match.
What are we missing?
Thanks in advance.
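Added example, not code from the post or from the Splunk TA: a small Python model of how a WRITE_META transform evaluates REGEX against its SOURCE_KEY and expands FORMAT, replayed over constructed metadata values so the two custom transforms can be checked offline in either order relative to a source rewrite. Everything here is assumed for illustration: the `host::` / `source::` prefixes on the metadata keys, the host name `wec01.example.local`, the rewritten source value `source::XmlWinEventLog:Security` used as a stand-in for whatever the TA's fix-source transform actually emits (not taken from the TA), the anchored regex variant `set-wef-channel-anchored` (my suggestion), and Python's `re` standing in for Splunk's PCRE engine, which agrees for these patterns.

```python
import re

# Constructed metadata for one forwarded event, as the pipeline would see it
# before any transform runs. Assumption: the keys carry "host::" / "source::"
# prefixes, which is why the post's regexes look for them.
SAMPLE_META = {
    "MetaData:Host": "host::wec01.example.local",           # constructed
    "MetaData:Source": "source::WinEventLog:FWD-Security",  # constructed
}

# The post's two custom transforms, plus an anchored variant of the channel
# regex (my suggestion, not from the post) that only accepts FWD- channels.
TRANSFORMS = {
    "set-wef-forwarding-host": {
        "REGEX": r"(?m)host::(.*)$",
        "SOURCE_KEY": "MetaData:Host",
        "FORMAT": "wec_host::$1",
    },
    "set-wef-channel": {
        "REGEX": r"WinEventLog:(.*)",
        "SOURCE_KEY": "MetaData:Source",
        "FORMAT": "wef_channel::$1",
    },
    "set-wef-channel-anchored": {
        "REGEX": r"^source::WinEventLog:(FWD-.+)$",
        "SOURCE_KEY": "MetaData:Source",
        "FORMAT": "wef_channel::$1",
    },
}


def apply_transform(meta, spec):
    """Evaluate one WRITE_META transform: run REGEX over the SOURCE_KEY value
    and expand $1..$n in FORMAT. Returns (field, value), or None when the regex
    does not match, mirroring Splunk writing nothing in that case."""
    m = re.search(spec["REGEX"], meta.get(spec["SOURCE_KEY"], ""))
    if m is None:
        return None
    out = spec["FORMAT"]
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group)
    field, _, value = out.partition("::")
    return field, value


def run_pipeline(meta, steps, rewritten_source=None):
    """Apply `steps` in order. The pseudo-step "rewrite-source" is a hypothetical
    model of a later source-fixing transform (not the TA's real
    ta-windows-fix-xml-source): it sets MetaData:Source to `rewritten_source`.
    Returns the indexed fields written and the final source value."""
    meta = dict(meta)
    written = {}
    for step in steps:
        if step == "rewrite-source":
            meta["MetaData:Source"] = rewritten_source
            continue
        result = apply_transform(meta, TRANSFORMS[step])
        if result is not None:
            written[result[0]] = result[1]
    return written, meta["MetaData:Source"]


if __name__ == "__main__":
    rewritten = "source::XmlWinEventLog:Security"  # constructed stand-in value
    early, _ = run_pipeline(
        SAMPLE_META,
        ["set-wef-forwarding-host", "set-wef-channel", "rewrite-source"],
        rewritten_source=rewritten)
    print("channel transform before the rewrite:", early)
    late, _ = run_pipeline(
        SAMPLE_META,
        ["set-wef-forwarding-host", "rewrite-source", "set-wef-channel"],
        rewritten_source=rewritten)
    print("channel transform after the rewrite: ", late)
```

Two things the replay makes visible. First, both of the post's regexes match the pre-rewrite metadata, so the configured order is what decides the outcome. Second, the unanchored `WinEventLog:(.*)` is permissive: if the source has already been rewritten to something that still contains the substring, it silently captures the wrong channel, and if the rewritten source lacks the substring it writes nothing. The anchored variant fails closed in both cases, which makes an ordering problem show up as a missing field rather than a wrong value.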