Hi all,
For some reason, I need to forward "wineventlog" from Splunk Enterprise to syslog-ng.
Since I have 2 source IPs in wineventlog, I want to separate the source IPs by port.
I don't know how to get this to work, even by attempting to force it, as below:
props.conf:

[wineventlog]
TRANSFORMS-routing = routeHostA, routeHostB

transforms.conf:

[routeHostA]
REGEX=(10\.1\.12\.1)
DEST_KEY=_TCP_ROUTING
FORMAT=HostA

[routeHostB]
REGEX=(10\.1\.12\.2)
DEST_KEY=_TCP_ROUTING
FORMAT=HostB

outputs.conf:

[tcpout]
defaultGroup=nothing

[tcpout:routeHostA]
disabled=false
sendCookedData=false
server=10.2.12.1:514

[tcpout:routeHostB]
disabled=false
sendCookedData=false
server=10.2.12.2:515
Two problems:
(1) When I forward [sourcetype=wineventlog] to syslog-ng, I find that all other sourcetypes are lost at the same time; they can't even be searched in Splunk.
(2) When I run the unix command netstat -an | grep tcp, only port 514 shows as ESTABLISHED.
Is there anything I missed? Thanks in advance!
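The following is an added example of the same three files, not the poster's configuration or a confirmed fix: it assumes the FORMAT value must name the [tcpout:...] group exactly, that an unset defaultGroup leaves unrouted events to local indexing, and that [indexAndForward] is what keeps a forwarding Splunk Enterprise instance indexing locally. Hosts and ports are taken from the post.

```ini
# props.conf (added example, not the original post's file)
[wineventlog]
TRANSFORMS-routing = routeHostA, routeHostB

# transforms.conf
# FORMAT selects an outputs.conf group by its stanza name, so the group
# [tcpout:routeHostA] is chosen by FORMAT = routeHostA, not FORMAT = HostA.
# REGEX is matched against _raw (the default SOURCE_KEY), so the source IP
# must appear in the event text for the route to fire.
[routeHostA]
REGEX = (10\.1\.12\.1)
DEST_KEY = _TCP_ROUTING
FORMAT = routeHostA

[routeHostB]
REGEX = (10\.1\.12\.2)
DEST_KEY = _TCP_ROUTING
FORMAT = routeHostB

# outputs.conf
[tcpout]
# No defaultGroup: events that the transforms above do not tag with
# _TCP_ROUTING are not forwarded anywhere (assumption: they then stay
# local instead of being sent to a non-existent group).

[tcpout:routeHostA]
sendCookedData = false
server = 10.2.12.1:514

[tcpout:routeHostB]
sendCookedData = false
server = 10.2.12.2:515

# A Splunk Enterprise instance that forwards through outputs.conf stops
# indexing locally unless local indexing is switched back on here, which
# is the assumed reason the other sourcetypes disappeared from search.
[indexAndForward]
index = true
```

Because sendCookedData = false sends raw event text rather than syslog-framed messages, the syslog-ng listener on each port must accept plain TCP lines for this to be ingested cleanly.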