Besides forwarding the syslog events to a third-party syslog server, I am also forwarding certain syslog events to the indexer. I'm also using tcpout to send Windows event logs to port 9997 of the indexer.
transforms.conf:

[send_to_both]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem, syslog_indexer

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem

outputs.conf:

[syslog]
defaultGroup = syslog_everything

[syslog:syslog_siem]
type = tcp
server = <IP>:<port>

[syslog:syslog_indexer]
type = udp
server = <IP>:<port>

[syslog:syslog_everything]

[tcpout]
defaultGroup = send_to_indexer

[tcpout:send_to_indexer]
server = <IP>:9997

[tcpout-server://<IP>:9997]
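A quick consistency check for routing configs like the one above, added here as an example and not part of the original post or of Splunk itself: it parses the two .conf texts, verifies that every group named in a _SYSLOG_ROUTING FORMAT and in the [syslog] defaultGroup is backed by a [syslog:<group>] stanza, and flags syslog stanzas that have no server. The sample TRANSFORMS and OUTPUTS strings are constructed to mirror the post's stanzas, with the <IP>/<port> placeholders kept.

```python
# Added example, not from the post: check a Splunk syslog routing config for gaps.

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_syslog_routing(transforms_text, outputs_text):
    """Return findings; an empty list means every routing target is backed by a stanza."""
    transforms, outputs = parse_conf(transforms_text), parse_conf(outputs_text)
    groups = {n.split(":", 1)[1]: c for n, c in outputs.items() if n.startswith("syslog:")}
    findings = []
    # Each group listed in a _SYSLOG_ROUTING FORMAT needs a matching [syslog:<group>].
    for name, cfg in transforms.items():
        if cfg.get("DEST_KEY") == "_SYSLOG_ROUTING":
            for g in (x.strip() for x in cfg.get("FORMAT", "").split(",")):
                if g not in groups:
                    findings.append(f"[{name}] routes to '{g}' but outputs.conf has no [syslog:{g}]")
    # The [syslog] defaultGroup must exist as well.
    default = outputs.get("syslog", {}).get("defaultGroup")
    if default and default not in groups:
        findings.append(f"[syslog] defaultGroup '{default}' has no [syslog:{default}] stanza")
    # A syslog output stanza without a server sends nothing, so flag it.
    findings += [f"[syslog:{g}] has no server setting" for g, c in groups.items() if "server" not in c]
    return findings

# Constructed sample mirroring the post's stanzas; <IP>/<port> are placeholders.
TRANSFORMS = """[send_to_both]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_siem, syslog_indexer
"""
OUTPUTS = """[syslog]
defaultGroup = syslog_everything
[syslog:syslog_siem]
type = tcp
server = <IP>:<port>
[syslog:syslog_indexer]
type = udp
server = <IP>:<port>
[syslog:syslog_everything]
"""
```

Running `check_syslog_routing(TRANSFORMS, OUTPUTS)` on the sample reports only that `[syslog:syslog_everything]`, the defaultGroup, has no server.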