Dear all, can you please help me? I tried to solve the question below, but up to this moment it seems I could not find the precise solution.

3 machines in the Splunk system:
Machine 1: Windows server, Search Head and Indexer server
Machine 2: Windows Domain Controller with a heavy forwarder deployed on it (only local Windows log collection)
Machine 3: syslog server

The goal is to send the local logs from the heavy forwarder (Machine 2) to:
- syslog server (all the local logs, Windows Security logs as well, and the line breaks should be changed to ";")
- Search Head server (only the Windows Security logs, without any modification)

I modified the .conf files in C:\Program Files\Splunk\etc\system\ on the heavy forwarder server. Of course I can see the Windows logs on the heavy forwarder, and some logs are sent to the syslog / Search Head server, but not what I want...

outputs.conf
...
[tcpout:indexer_group]
server=<searchheadserveripaddress>:9997

[syslog:syslog_group]
server=<syslogserveripaddress>:514
type=tcp
...

transforms.conf
...
[send_to_syslog]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_group

[send_to_indexer]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=indexer_group
...

props.conf
...
[source::WinEventLog:Security]
TRANSFORMS-routing=send_to_indexer, send_to_syslog
priority=5

[host::*]
TRANSFORMS-routing=send_to_syslog
SEDCMD=s/[\n\r]/;/g
priority=10
...

Thank you.
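The posted configuration cannot produce two different copies of the same event: SEDCMD rewrites the event's _raw once, during parsing, and both the syslog and the tcpout outputs then receive those same rewritten bytes. In addition, both props.conf stanzas set the same setting name (TRANSFORMS-routing), so for a Security event only one of the two lists is applied, not both. The configuration below is an added example, not the original poster's setup and not an official Splunk answer. It uses CLONE_SOURCETYPE in transforms.conf to create a second copy of each Windows event under a new sourcetype and relies on the documented behaviour that the clone is processed under the props.conf stanza of that new sourcetype; the sourcetype name winlog_syslog_copy, the transform names, and the assumption that the locally collected events arrive with sourcetype WinEventLog (older Windows inputs use WinEventLog:Security etc.; check with a search over the heavy forwarder's own data and adjust) are all choices made for this example.

```ini
; outputs.conf  (added example; IPs are placeholders from the question)
[tcpout]
; "nothing" is not a defined group: events without a _TCP_ROUTING value
; therefore reach no indexer. Only events we explicitly route get forwarded.
defaultGroup = nothing

[tcpout:indexer_group]
server = <searchheadserveripaddress>:9997

[syslog:syslog_group]
server = <syslogserveripaddress>:514
type = tcp

; props.conf  (added example)
; Assumption: local Windows event log inputs use sourcetype WinEventLog.
[WinEventLog]
; Clone every event; the clone gets sourcetype winlog_syslog_copy.
TRANSFORMS-clone = clone_for_syslog
; The original is forwarded to the indexer only if its source is Security.
TRANSFORMS-routing = security_to_indexer

; Settings for the clone only: this stanza never matches the originals,
; so the originals reach the indexer untouched.
[winlog_syslog_copy]
; Flatten multi-line Windows events onto one line with ";" separators.
SEDCMD-flatten = s/[\r\n]+/;/g
; Hand the flattened copy to the syslog output group.
TRANSFORMS-routing = send_to_syslog

; transforms.conf  (added example)
[clone_for_syslog]
REGEX = .
CLONE_SOURCETYPE = winlog_syslog_copy

[security_to_indexer]
; Match on the source metadata field rather than on the event text.
SOURCE_KEY = MetaData:Source
REGEX = ^WinEventLog:Security$
DEST_KEY = _TCP_ROUTING
FORMAT = indexer_group

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_group
```

With this layout the non-Security originals set neither _TCP_ROUTING nor _SYSLOG_ROUTING and, with defaultGroup pointing at a non-existent group and no local indexing on the heavy forwarder, are simply dropped; their flattened clones still reach the syslog server. Put these files under a local directory (for example etc/system/local) rather than the default directory, restart the forwarder, and confirm on the indexer that Security events still contain their original line breaks while the syslog server receives single-line copies.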