cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
c240amg
Loves-to-Learn
Member since: ‎04-21-2021
‎04-22-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎2021-21-04
Activity Feed
View All

Re: Sending Wineventlog to logrhythm with differen...

by in Getting Data In
‎04-22-2021 10:00 AM
‎04-22-2021 10:00 AM
Thanks That seems to be working. I still have an issue where the HF is sending (non XML) windows event logs to the thirdparty (logrhythm) server. Any idea how I can convert (on the HF) the output to be XML for windows Event logs? On the HF I've tried in outputs.conf [tcpout] defaultGroup = default-autolb-group indexAndForward = 0 [tcpout:default-autolb-group] server = <server>:514 renderXml=true sendCookedData = false [tcpout-server://<server>:514] renderXml=true   But I can't get it to send over the input from the UF and send it on as XML.... ... View more

Re: Sending Wineventlog to logrhythm with differen...

by in Getting Data In
‎04-22-2021 06:22 AM
‎04-22-2021 06:22 AM
So I've installed and licensed the heavy forwarder, configured it to send to the logrhythm collector. I think I need to change the props.conf or transforms.conf  file to change the data from the ingressed splunk UF, into a format understandable by logrhythm. Should I be placing that in the etc\system\local directory? So when it sends the data onwards, it's in a format logrhythm can understand? ... View more

Re: Sending Wineventlog to logrhythm with differen...

by in Getting Data In
‎04-21-2021 09:54 AM
‎04-21-2021 09:54 AM
Tried and failed 😞 We are sending directly from the UF -> Splunk cloud. I was thinking of configuring all the Windows UFs to send to a heavy forwarder, which can then send to the logrhythm collector - I guess I should be able to parse that data and mangle it so that logrhythm can understand it. We don't want the parent company anywhere near our server estate, so no Logrhythm collector on the servers ;D   ... View more

Sending Wineventlog to logrhythm with different in...

by in Getting Data In
‎04-21-2021 09:09 AM
‎04-21-2021 09:09 AM
Hi all, I have hundreds of UF (universal forwarders) setup and sending wineventlogs to our splunk cloud instance. There is a requirement to also send the wineventlogs to our parent company, but they have logrhythm. I have setup a separate app under apps/logrhythm and it's successfully sending data to both splunk cloud and the logrhythm collector. The log rhythm collector sadly can't parse the data, so tried to change the it to XML via the renderXML directive via the below. C:\Program Files\SplunkUniversalForwarder\etc\apps\logrhythm\default\inputs.conf     [WinEventLog://Application] index = wineventlog renderXml = true disabled = 0 [WinEventLog://Security] index = wineventlog renderXml = true disabled = 0 [WinEventLog://System] index = wineventlog renderXml = true disabled = 0     C:\Program Files\SplunkUniversalForwarder\etc\apps\logrhythm\default\inputs.conf     [tcpout] defaultGroup = logrhythm,splunkcloud [tcpout:logrhythm] server = <Servername>:514 sendCookedData = falsecompressed = false dnsResolutionInterval = 60       Sadly, this also sends XML format windows event logs to our splunk instance in the cloud - this completely mangles it and doesn't match all our other data sent with wineventlog What is the best way to send wineventlog data, as set previously, to splunk cloud and XML wineventlog data to logrhythm??   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-22-2021 02:28 PM