Hello,
As the question states, I'm looking to send events from a universal forwarder to a heavy forwarder to have filtered. Once filtered, I'd like to change the sourcetype. I have not implemented this yet. This is for me to propose to upper management to agree on. I want to make sure the props/transforms piece is correct. I think the filtering is good, however I just want to make sure the syntax is all good.
I've listed my config and config details:
ON UNIVERSAL FORWARDER
inputs.conf
---------------
[monitor://c:\program files\app1\web.log]
_TCP_ROUTING = filter_heavy_forwarders
index = cmis_index
sourcetype = app1_web_logs
--------------------------------------------------------------
ON UNIVERSAL FORWARDER
outputs.conf
-----------------
[tcpout]
defaultGroup=infosec_indexers
[tcpout:infosec_indexers]
autoLB = true
server = infosec_server1:9997,infosec_server2:9997,infosec_server3:9997…,infosec_server16:9997
[tcpout:cmis_indexers]
autoLB = true
server = cmis_server1:9997
[tcpout:filter_heavy_forwarders]
autoLB = true
server = filter_hvyfwd1:9998,filter_hvyfwd2:9998
--------------------------------------------------------------
ON HEAVY FORWARDER
props.conf
--------------
[app1_web_logs]
TRANSFORMS-routing = app1_web_filter
TRANSFORMS-changest = app1_cmis_web_st
--------------------------------------------------------------
ON HEAVY FORWARDER
transforms.conf
-----------------------
[app1_web_filter]
REGEX = (Events|To|Filter)
DEST_KEY = _TCP_ROUTING
FORMAT = cmis_indexers
[app1_cmis_web_st]
# REGEX is required for an index-time transform; reuse the filter pattern so only the routed events get the new sourcetype
REGEX = (Events|To|Filter)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app1_cmis_web
--------------------------------------------------------------
ON HEAVY FORWARDER
outputs.conf
------------------
[tcpout]
defaultGroup=none
[tcpout:cmis_indexers]
autoLB = true
server = cmis_server1:9997
--------------------------------------------------------------
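Since the configuration above has not been deployed yet, one way to dry-run the two transforms is a small simulation. This is added example code, not Splunk's code or the poster's: it reads a constructed copy of the transforms.conf stanzas, applies them to constructed web.log lines, and shows that the unanchored, case-sensitive pattern (Events|To|Filter) also catches a substring such as "Tomcat" and misses lower-case variants.

```python
import re

# Constructed copy of the heavy forwarder's transforms.conf from the post
# (with the REGEX the sourcetype stanza needs in order to match anything).
TRANSFORMS_CONF = """
[app1_web_filter]
REGEX = (Events|To|Filter)
DEST_KEY = _TCP_ROUTING
FORMAT = cmis_indexers

[app1_cmis_web_st]
REGEX = (Events|To|Filter)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app1_cmis_web
"""

# props.conf [app1_web_logs] TRANSFORMS-<class> bindings. Class order is assumed
# to be ASCII order of the class name; both stanzas use the same REGEX and write
# different keys, so the order does not change the result here.
PROPS_TRANSFORMS = {"routing": "app1_web_filter", "changest": "app1_cmis_web_st"}

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_event(raw, transforms):
    """Return (tcp_routing_group, sourcetype) after the transforms have run.
    A routing group of None means the event falls to defaultGroup=none and is discarded."""
    keys = {"_TCP_ROUTING": None, "MetaData:Sourcetype": "sourcetype::app1_web_logs"}
    for cls in sorted(PROPS_TRANSFORMS):
        stanza = transforms[PROPS_TRANSFORMS[cls]]
        # Splunk's REGEX is unanchored and case-sensitive by default, like re.search here.
        if re.search(stanza["REGEX"], raw):
            keys[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return keys["_TCP_ROUTING"], keys["MetaData:Sourcetype"].split("::", 1)[1]

# Constructed sample web.log lines; the third one hits "To" inside "Tomcat".
SAMPLE_EVENTS = [
    "2016-05-10 10:00:01 Events To Filter: user login ok",
    "2016-05-10 10:00:02 GET /index.html 200",
    "2016-05-10 10:00:03 Tomcat connector started on 8080",
    "2016-05-10 10:00:04 events to filter in lower case",
]

def simulate(events=SAMPLE_EVENTS):
    """Run every event through the transforms; returns [(raw, routing_group, sourcetype)]."""
    transforms = parse_conf(TRANSFORMS_CONF)
    return [(e, *route_event(e, transforms)) for e in events]

if __name__ == "__main__":
    for raw, group, st in simulate():
        print(f"{group or 'DROPPED':14} {st:16} {raw}")
```

The "Tomcat" line is routed to cmis_indexers only because "To" is an unanchored substring match; if that is not intended, the pattern needs anchoring or word boundaries before the proposal goes out.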