Trying to find a solution to my problem:
http://answers.splunk.com/questions/13139/wineventlogsecurity-filtering-does-not-work
I've checked my metrics.log file and I think I've found the problem: all my universal forwarders are connecting and sending cooked data:
03-28-2011 16:53:54.609 -0400 INFO Metrics - group=tcpin_connections, xxx.xxx.xxxx.xxxx:3244:9995, connectionType=cooked, sourcePort=3244, sourceHost=xxx.xxx.xxxx.xxxx, sourceIp=xxx.xxx.xxxx.xxxx, destPort=9995, _tcp_Bps=53.03, _tcp_KBps=0.05, _tcp_avg_thruput=0.01, kb=1.61, _tcp_Kprocessed=13.00, _tcp_eps=0.10, build=96430, version=4.2, os=Windows, arch=Intel, hostname=SERVERNAME, guid=933005E8-DBF9-4567-827A-E1D13E264568, fwdType=uf, ssl=false, lastIndexer=xxx.xxx.xxxx.xxxx:9995, ack=false
Isn't a universal forwarder supposed to send unparsed data?
If my indexer sees cooked data it won't apply any transforms to it. What can I do about this?
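Added example, not from the original post and not Splunk's own tooling: a small Python audit that parses the tcpin_connections lines of metrics.log in the format quoted above and lists which forwarders report connectionType=cooked and which connect with ssl=false, so the symptom can be checked across every forwarder rather than by eye. The sample lines, hostnames, addresses and GUIDs are constructed placeholders.

```python
import re

# Constructed sample lines in the metrics.log layout quoted in the question.
# Addresses, hostnames and GUIDs are placeholders, not real values.
SAMPLE_LOG = """\
03-28-2011 16:53:54.609 -0400 INFO Metrics - group=tcpin_connections, 10.0.0.5:3244:9995, connectionType=cooked, sourcePort=3244, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9995, _tcp_Bps=53.03, kb=1.61, version=4.2, os=Windows, hostname=WINHOST1, guid=PLACEHOLDER-GUID-1, fwdType=uf, ssl=false, lastIndexer=10.0.0.9:9995, ack=false
03-28-2011 16:53:54.610 -0400 INFO Metrics - group=tcpin_connections, 10.0.0.6:4100:9995, connectionType=raw, sourcePort=4100, sourceHost=10.0.0.6, sourceIp=10.0.0.6, destPort=9995, kb=0.40, version=4.2, os=Linux, hostname=SYSLOGRELAY, guid=PLACEHOLDER-GUID-2, fwdType=lwf, ssl=true, lastIndexer=10.0.0.9:9995, ack=true
03-28-2011 16:53:54.611 -0400 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
"""

# key=value pairs are comma separated; values contain no commas or whitespace.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_tcpin_connections(text):
    """Return one dict of key=value fields per tcpin_connections line.

    Lines from other metric groups (thruput, queue, ...) are skipped, and the
    bare host:port:port token after the group name has no '=' so it is ignored.
    """
    rows = []
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        rows.append(dict(KV_RE.findall(line)))
    return rows


def forwarders_where(rows, field, value):
    """Hostnames (deduplicated, in first-seen order) whose field equals value."""
    seen = []
    for row in rows:
        host = row.get("hostname", row.get("sourceHost", "?"))
        if row.get(field) == value and host not in seen:
            seen.append(host)
    return seen


def cooked_forwarders(rows):
    """Forwarders sending cooked (Splunk-to-Splunk) data rather than raw TCP input."""
    return forwarders_where(rows, "connectionType", "cooked")


def unencrypted_forwarders(rows):
    """Forwarders whose forwarder-to-indexer link reports ssl=false."""
    return forwarders_where(rows, "ssl", "false")


if __name__ == "__main__":
    rows = parse_tcpin_connections(SAMPLE_LOG)
    for row in rows:
        print(row["hostname"], row["fwdType"], row["connectionType"], "ssl=" + row["ssl"])
    print("cooked:", cooked_forwarders(rows))
    print("no TLS:", unencrypted_forwarders(rows))
```

Point it at a real $SPLUNK_HOME/var/log/splunk/metrics.log on the indexer by reading the file into `parse_tcpin_connections` instead of SAMPLE_LOG.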