OK, progress... how is your regex? 😉 renderXML won't work on an output stanza. Somehow we need to pipe the feed into a (hopefully native) XML transformation. Or possibly do it the other way around... rendering XML at the UFWs and reconstructing to a "normal" event on the HFW side. I'm not sure which is better or worse TBH. I don't have a Windows box to play with either. Now that I think of it... Your appetite may vary... what about doing native Windows Event Forwarding to the intermediate forwarder you just created... take your feed from there with LogRhythm and leave Splunk out of the equation. Your UFW config would go back to the way it was, sending data straight to Splunk Cloud, and you use the WEF feed to do what needs to be done for the corporate/parent company requirement.
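As an added illustration of the first option above (render XML at the universal forwarder and route those events to the intermediate forwarder), here is a minimal Splunk forwarder configuration; it is not the poster's own config, and the group names, hostnames and port are placeholders assumed for the example.

```ini
# --- inputs.conf on the Windows universal forwarder (added example) ---
# Pull the Security log as raw XML so the intermediate forwarder
# receives the full event body rather than the pre-rendered text.
[WinEventLog://Security]
disabled = 0
renderXml = true
# Send only this input to the intermediate (heavy) forwarder;
# everything else follows the default output group below.
_TCP_ROUTING = intermediate_hfw

# --- outputs.conf on the same universal forwarder (added example) ---
[tcpout]
# Unchanged path: all other inputs keep going straight to Splunk Cloud.
defaultGroup = splunkcloud

[tcpout:splunkcloud]
# Placeholder hostname/port; substitute your Splunk Cloud input endpoint.
server = inputs.PLACEHOLDER.splunkcloud.com:9997

[tcpout:intermediate_hfw]
# Placeholder hostname/port of the intermediate forwarder you created.
server = hfw.PLACEHOLDER.internal:9997
```

The `_TCP_ROUTING` key is set per input stanza, so the XML-rendered Security feed and the rest of the host's data can take different paths from one forwarder.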