I got it working using:
outputs.conf:
[syslog:ms_strm_dev]
server = 10.164.4.200:12468
type = tcp

props.conf:
[syslog]
TRANSFORMS-routing = win_strm, win_index, FilterSecurityEvents, trunkEventDesc1, trunkEventDesc2, UserFilter, LogonFilter

transforms.conf:
[win_index]
# Events whose first line is a Windows timestamp ("03/04/2016 11:01:54 AM") are sent on to be indexed.
REGEX = ^(\d\d)\/(\d\d)\/(\d\d\d\d)\s(\d\d):(\d\d):(\d\d)\s\w\w
DEST_KEY = queue
# With DEST_KEY = queue, FORMAT must be the queue name; any other FORMAT line in this stanza would override it.
FORMAT = indexQueue

[win_strm]
# Events containing EventCode= are also routed to the syslog output group defined in outputs.conf.
REGEX = EventCode=
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_strm_dev
But the data comes across with extra information: the event starts with <13>, or some other two-digit value that the appliance does not seem to be expecting, as well as the host name, which I am going to need them to parse to know where the event originated.
<13> EXCHANGE 03/04/2016 11:01:54 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=EXCHANGE.domain
TaskCategory=Logon
OpCode=Info
RecordNumber=251551525
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: domain\jdoe
Account Name: jdoe
Account Domain: domain
Logon ID: 0x91E86B45
Logon GUID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 10.0.0.250
Source Port: 60790
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
The appliance is apparently looking for the information following this regex:
(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M)
I made the following regex, which works:
(?:<(\d+)>\s(?P\w+) (?P\d{2}\/\d{2}\/\d{4}) (?P\d{2}:\d{2}:\d{2}\ \w+))
But I don't think there is any way to change the regex the appliance uses.
I am using a Juniper JSA appliance; here is the manual. There is a Splunk section, but it is not helpful: their document says to see the Splunk documentation.
https://www.juniper.net/techpubs/en_US/jsa2014.4/information-products/topic-collections/jsa-configuring-dsm.pdf
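An added example, not part of the original post and not code from Juniper or Splunk: it runs the appliance regex quoted above against the first line of the sample event and shows the two ways that line misses it (no syslog timestamp between <PRI> and the host, and a space between the seconds and AM/PM, where the appliance expects hh:mm:ss[AP]M). The reshape() function, its syslog_time argument and the "Mar 04 11:01:54" value are assumptions used only to show what shape the line would have to arrive in; producing that shape would have to be done on the Splunk side (for example a props.conf SEDCMD on the forwarder to strip the space before AM/PM, and the syslog output's timestampformat setting in outputs.conf), which is not demonstrated here.

```python
import re

# The pattern quoted in the post as the one the JSA appliance applies to each event.
APPLIANCE_RE = re.compile(
    r'(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?'
    r'(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M)'
)

# Shape of the first line as it currently arrives from Splunk's syslog output
# (from the sample in the post): "<PRI> host MM/DD/YYYY hh:mm:ss AM".
AS_SENT_RE = re.compile(
    r'^<(?P<pri>\d+)>\s*(?P<host>\S+)\s+'
    r'(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*(?P<ampm>[AP]M)'
)

# Constructed sample: the first line of the 4624 event exactly as the post shows it.
AS_SENT = "<13> EXCHANGE 03/04/2016 11:01:54 AM"


def parse_header(line):
    """Apply the appliance regex the way a collector would (unanchored search).

    Returns the captured header fields, or None when nothing matches. A match
    with host=None means the optional "<PRI>syslog-time host " prefix did not
    match, so the appliance would not learn where the event came from.
    """
    m = APPLIANCE_RE.search(line)
    if m is None:
        return None
    pri, syslog_time, host, event_time = m.groups()
    return {
        "pri": int(pri) if pri is not None else None,
        "syslog_time": syslog_time,
        "host": host,
        "event_time": event_time,
    }


def diagnose(line):
    """List the reasons the first line of a forwarded event misses the appliance regex."""
    problems = []
    # The optional prefix needs "<PRI>" + "Mon DD hh:mm:ss" + " host ".
    if re.match(r'<\d+>\s?\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ ', line) is None:
        problems.append("no syslog timestamp between <PRI> and the host, so the host is never captured")
    # The event timestamp must read hh:mm:ssAM, but the Windows event line carries "hh:mm:ss AM".
    if re.search(r'\d{2}:\d{2}:\d{2} [AP]M', line):
        problems.append("space between the seconds and AM/PM; the appliance expects hh:mm:ss[AP]M")
    return problems


def reshape(line, syslog_time):
    """Rewrite a line from the as-sent shape into the shape the appliance regex accepts.

    syslog_time is the "Mon DD hh:mm:ss" string to insert (an assumed value here; on a
    real forwarder it would be generated at send time). This only illustrates the target
    format; it is not a Splunk setting.
    """
    m = AS_SENT_RE.match(line)
    if m is None:
        raise ValueError("line is not in the '<PRI> host MM/DD/YYYY hh:mm:ss AM' shape")
    rest = line[m.end():]  # anything after AM/PM, e.g. the remainder of a single-line event
    return "<%s>%s %s %s%s%s" % (
        m.group("pri"), syslog_time, m.group("host"),
        m.group("stamp"), m.group("ampm"), rest,
    )


if __name__ == "__main__":
    print("as sent :", AS_SENT)
    print("  parsed:", parse_header(AS_SENT))
    for p in diagnose(AS_SENT):
        print("  -", p)
    fixed = reshape(AS_SENT, "Mar 04 11:01:54")
    print("reshaped:", fixed)
    print("  parsed:", parse_header(fixed))
```

Note that fixing only the AM/PM spacing is not enough: the appliance regex then matches the date group alone and leaves the host capture empty, so both the syslog timestamp and the hostname have to be present in front of the Windows timestamp for the origin of the event to be recorded.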