We are getting /var/log files monitored from the endpoints and sent to Splunk using syslog-ng on a single TCP port. Now when we see the events in Splunk, it's a combination of all the /var/log/secure, /var/log/messages etc. into a single index and syslog source type.
How can I identify just the /var/log/secure events out of it and send them to another index from the Splunk side? I am trying to make use of props like below but not sure what the regex would be for identifying just /var/log/secure. Any help is appreciated.
####props
[linux_secure]
SOURCE_KEY = _raw
REGEX = ***Need REX for /var/log/secure events****
DEST_KEY = _MetaData:Index
FORMAT = abc_index
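Added example (not from the poster, not Splunk's own code): a small Python check that tries two ways of telling /var/log/secure events apart in a merged syslog-ng stream, so a candidate regex can be validated against sample lines before it goes into a transforms stanza. It assumes either that the syslog PRI header (e.g. `<86>`) survives into `_raw`, in which case the facility (PRI // 8; `authpriv` = 10 is what RHEL-family hosts write to /var/log/secure) is the reliable discriminator, or, failing that, that the program name is one of an assumed list of authentication-related daemons; the log lines, hostnames, addresses and index names are constructed.

```python
import re

# Syslog facility numbers (RFC 3164/5424). "authpriv.*" is what rsyslog and
# syslog-ng write to /var/log/secure on RHEL-family systems; "auth" is the
# older equivalent on other distributions.
FACILITY_AUTH = 4
FACILITY_AUTHPRIV = 10

# Leading PRI header such as "<86>"; facility = PRI // 8, severity = PRI % 8.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# Fallback for streams where syslog-ng stripped the PRI: programs that normally
# log to /var/log/secure. Assumed list; extend it for the distribution in use.
SECURE_PROGRAMS = ("sshd", "sudo", "su", "login", "polkitd",
                   "systemd-logind", "useradd", "passwd")
PROGRAM_RE = re.compile(
    r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s"          # timestamp + host
    r"(?P<prog>" + "|".join(map(re.escape, SECURE_PROGRAMS)) + r")"
    r"(?:\[\d+\])?:"                                            # optional [pid]
)

def syslog_facility(line):
    """Return the facility number from a PRI header, or None if there is none."""
    m = PRI_RE.match(line)
    return int(m.group("pri")) // 8 if m else None

def is_secure_event(line):
    """Facility wins when present; otherwise fall back to the program name."""
    fac = syslog_facility(line)
    if fac is not None:
        return fac in (FACILITY_AUTH, FACILITY_AUTHPRIV)
    return PROGRAM_RE.match(line) is not None

def route_index(line, secure_index="abc_index", default_index="main"):
    """Index an event should land in (index names are assumptions)."""
    return secure_index if is_secure_event(line) else default_index

# Constructed sample lines: two with PRI, three without.
SAMPLE_LINES = [
    "<86>Mar  3 10:15:01 web01 sshd[2451]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "<85>Mar  3 10:15:07 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "<30>Mar  3 10:15:09 web01 systemd[1]: Started nginx.service.",
    "Mar  3 10:16:00 web01 sshd[2460]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2",
    "Mar  3 10:16:02 web01 kernel: [12345.678] eth0: link up",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(route_index(line), "<-", line[:60])
```

Once a regex passes this check it can be used as the REGEX value of a transforms.conf stanza (the stanza in the question uses transforms.conf keys, so it belongs there) with `^<(?:8[0-7]|3[2-9])>` covering the authpriv/auth PRI values when the header is present, and the stanza is then referenced from props.conf under the source type with a `TRANSFORMS-<name> = linux_secure` line.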