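Hey guys, I just stumbled over the same issues. Besides remembering the WEC Host name I wanted to have a field with the original (custom) Channel Name. After some playing around I got this config on my indexers and it seems to work fine for me.

# ---------- props.conf (indexers) ----------
# Order matters: WinEventRememberHost is listed first and copies the host the
# forwarder (the WEC) assigned into host_UF; only then does the override
# replace host with the computer named inside the event itself.
[WinEventLog:ForwardedEvents]
TRANSFORMS-change_host_for_windows_wef = WinEventRememberHost, WinEventHostOverride

[XmlWinEventLog:ForwardedEvents]
TRANSFORMS-change_xml_host_for_windows_wef = WinEventRememberHost, WinEventXmlHostOverride

# (?::){0} turns the stanza into a wildcard sourcetype match, so these apply to
# every WinEventLog:* / XmlWinEventLog:* sourcetype, not only ForwardedEvents.
[(?::){0}WinEventLog:*]
TRANSFORMS-1-SaveOrigChannel = WinEventSetOrigChannelName

[(?::){0}XmlWinEventLog:*]
TRANSFORMS-1-XmlSaveOrigChannel = WinEventSetOrigChannelName

# ---------- transforms.conf (indexers) ----------
# Overrides the host metadata with the ComputerName field of a classic
# (text-rendered) event. Windows computer names contain no whitespace, so \S+
# captures exactly the name; the earlier (.*)?\b could also swallow any text
# that followed the name on the same line.
[WinEventHostOverride]
DEST_KEY = MetaData:Host
REGEX = (?m)ComputerName=(\S+)
FORMAT = host::$1

# Same for XML-rendered events. [^<]+ stops at the closing tag; a greedy (.*)
# would run on to the last </Computer> if the event body happened to contain
# another one.
[WinEventXmlHostOverride]
DEST_KEY = MetaData:Host
REGEX = <Computer>([^<]+)</Computer>
FORMAT = host::$1

# Saves the host as set by the forwarder (the WEC) into the indexed field
# host_UF before the override above replaces it. host is now derived from the
# event content rather than from the forwarder's identity, so host_UF is what
# keeps the path an event took into Splunk recoverable.
[WinEventRememberHost]
SOURCE_KEY = MetaData:Host
REGEX = host::(.+)
FORMAT = host_UF::$1
WRITE_META = true

# Stores whatever follows "WinEventLog:" in the source as the indexed field
# original_channel. NOTE(review): if the source of the WEC feed is
# WinEventLog:ForwardedEvents this captures "ForwardedEvents", not the channel
# the event was written to on the originating host - confirm with a sample event.
[WinEventSetOrigChannelName]
REGEX = WinEventLog:(.*)
SOURCE_KEY = MetaData:Source
FORMAT = original_channel::$1
WRITE_META = true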