Getting Data In

VMWare user access gate way: How do I override source types on a per-event basis?

youngsuh
Communicator

Solved: How to seperate different Sourcetype logs from sin... - Splunk Community

Configure Unified Access Gateway System Settings (vmware.com)

Syslog Formats and Events (vmware.com)

Trying to override syslog and created props.conf & transform.conf.  It is not working.  What I am doing wrong?  initially getting an error:  Undocumented key used in transforms.conf; stanza='vmware:uag:admin' setting='DEST_KEY' key='MetaData:SourceType'  but, found link here that help solve.

but, still not working.  I am not search at HF.  I set the setting the HF.

props.conf

 

 

[syslog::/var/log/%hostname%/syslog]
TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

 

 

transforms.conf

 

 

[vmware:uag:admin]
REGEX = :\d\d\s+\w{5}\w{4}\suag-admin\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = :\d\d\s+\w{5}\w{4}\suag-audit\:(.+)\n
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = :\d\d\s+\w{5}\w{4}\suag-esmanager\:(.+)\n
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

 

 

 

0 Karma
1 Solution

PickleRick
Ultra Champion

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

View solution in original post

PickleRick
Ultra Champion

Are your props.conf stanzas literally say "syslog-host1", "syslog-host2" and so on?

Are your sourcetypes really named that?

On which component did you put those entries?

youngsuh
Communicator

@PickleRick Or @gcusello 

Are your sourcetypes really named that?  No, It's coming the monitoring has sorucetype=syslog

On which component did you put those entries?

Here is the inputs.conf

 

 

 

[monitor:///var/log/$mask_host1$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host2$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host3$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

 

 

 

Props.conf on the HF

 

[uag:syslog]
category = Custom
TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

 

 

 

Transform.conf on the HF

 

[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

 

 

 

@PickleRick , does that answer your question?  Is my approach wrong?   

0 Karma

PickleRick
Ultra Champion

Apart from the fact that in the pasted configs you use MetaData:Sourcetype and in the log entry you quoted in the initial post there was MetaData:SourceType (this setting is case sensitive!), there doesn't seem to be anything wrong with those props/transforms.

I'm not sure if you're copy-pasting or typing the settings here by hand but I'd suggest you doublecheck the case of your spelling - these settings _are_ case sensitive.

Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...