I am being asked to forward events from a Heavy Forwarder to a remote ArcSight server as raw events. Our HFs receive events from UFs un-indexed, and they pass through the HFs un-indexed. Is what I am trying to do possible? Below is the config from one of our HFs, with my basic forwarding config (will refine once I make it work).
-----------------------------------------
OUTPUTS.CONF
-----------------------------------------
[tcpout:site-hub]
server = *********
sslPassword = password
sslCertPath = ********
sslRootCAPath = ********
[tcpout]
defaultGroup = site-hub
indexAndForward = false
useACK=true
maxQueueSize=128MB
useClientSSLCompression = true
sslVersions = tls1.1, tls1.2
heartbeatFrequency=167
autoLBFrequency = 10
[syslog:windows_events_alert]
server = :5166
type = tcp
-----------------------------------------
PROPS.CONF
-----------------------------------------
[default]
TRUNCATE = 100000
[source::WinEventLog:Security]
TRANSFORMS-windows_security_events = send_to_arcsight
----------------------------------------
TRANSFORMS.CONF
-----------------------------------------
[send_to_arcsight]
REGEX = EventCode=4725
DEST_KEY = _SYSLOG_ROUTING
FORMAT = windows_events_alert
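As an added illustration (not code from the original post or from Splunk), a small Python check that applies a transforms.conf-style REGEX to constructed sample WinEventLog events the way a `_SYSLOG_ROUTING` stanza selects them, so you can see which events would be routed to the `windows_events_alert` syslog group. The simulator and the sample events are assumptions; Splunk takes the REGEX value literally, so a quoted pattern never matches, and an unanchored pattern also matches longer codes that merely start with 4725.

```python
import re

SYSLOG_GROUP = "windows_events_alert"

# Constructed sample raw events, abbreviated to the WinEventLog field layout.
# The third event uses an invented code 47250 purely to show substring matching.
SAMPLE_EVENTS = [
    "03/14/2024 10:01:12 AM\nLogName=Security\nEventCode=4725\nEventType=0\n"
    "Message=A user account was disabled.",
    "03/14/2024 10:02:45 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "Message=An account was successfully logged on.",
    "03/14/2024 10:03:01 AM\nLogName=Security\nEventCode=47250\nEventType=0\n"
    "Message=Constructed event with a longer code.",
]


def route_event(raw, regex, fmt, dest_key="_SYSLOG_ROUTING"):
    """Mimic one transforms.conf stanza (assumed model of Splunk's behaviour):
    if REGEX matches anywhere in the raw event, DEST_KEY is set to FORMAT,
    i.e. the event is routed to that syslog output group; otherwise nothing."""
    return {dest_key: fmt} if re.search(regex, raw) else {}


def route_all(events, regex, fmt=SYSLOG_GROUP):
    """Return, per event, the syslog group it would be routed to (or None)."""
    return [route_event(e, regex, fmt).get("_SYSLOG_ROUTING") for e in events]


def compare_patterns(events=SAMPLE_EVENTS):
    """Show the three candidate REGEX values side by side."""
    return {
        'quoted:   "EventCode=4725"': route_all(events, '"EventCode=4725"'),
        "bare:     EventCode=4725": route_all(events, "EventCode=4725"),
        r"bounded:  EventCode=4725\b": route_all(events, r"EventCode=4725\b"),
    }


if __name__ == "__main__":
    for label, result in compare_patterns().items():
        print(f"{label:32} -> {result}")
```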