This topic appears throughout "Answers", and I have tried variations of all of the great examples, but cannot make this work. My HFs sit between the clustered indexers and the remote UFs. At the HFs, I need to send a copy of certain Windows Security Events to a remote syslog receiver. The requirement is that the events be received as a single line (not the Windows multi-line format), and the transport must be TCP.
My configuration does this. The problem is that it also changes the Windows format being sent to the indexers to the same single line (no carriage returns). What changes do I need to make in my configuration so that the indexers continue to receive ALL Windows events in the original format, and the syslog receiver receives the filtered events in "single line" format?
-----------------------------------------
OUTPUTS.CONF
-----------------------------------------
[tcpout:indexers]
server = *********

[tcpout]
defaultGroup = indexers
indexAndForward = false
useACK = true

[syslog:syslog]
server = :5166
type = tcp
-----------------------------------------
PROPS.CONF
-----------------------------------------
[default]
TRANSFORMS-routing = Everything

[host::B*]
TRANSFORMS-routing = send_to_syslog
SEDCMD-rmlines = s/[\n\r\t]/ /g
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256
----------------------------------------
TRANSFORMS.CONF
-----------------------------------------
[Everything]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexers

[send_to_syslog]
REGEX = (?msi)^EventCode=(4740|4769|1102|4768|4725)\\D
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog
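One way to make the two outputs differ, given here as an added example that is not part of the question above or of any answer on this page: a SEDCMD in props.conf rewrites _raw for every consumer of the event, so instead of flattening the original, clone the wanted events into a second sourcetype with CLONE_SOURCETYPE and apply the flattening and the syslog routing only to the clone; the originals then reach the indexers untouched. The sourcetype name `wineventlog_syslog_copy`, the stanza names, the host placeholders and the index `syslog_copies` are assumed names. That the clone re-enters the typing pipeline under its new sourcetype, so that the props.conf stanza for that sourcetype (including its SEDCMD) applies to it, and that events routed to nullQueue never reach the syslog output processor, is how I understand the Splunk pipeline and should be verified on a test heavy forwarder before this goes into production.

```ini
# outputs.conf  (added example; host addresses are placeholders)
[tcpout]
defaultGroup = indexers
indexAndForward = false
useACK = true

[tcpout:indexers]
server = <indexer1>:9997, <indexer2>:9997

[syslog:syslog]
server = <syslog-receiver>:5166
type = tcp

# props.conf
[host::B*]
# Originals keep the Windows multi-line format and go only to the indexers.
# There is deliberately no SEDCMD here, so nothing sent to the indexers is altered.
TRANSFORMS-routing = route_to_indexers, clone_for_syslog
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
MAX_EVENTS = 256

# Only the clone carries this (assumed) sourcetype, so these settings touch
# only the copy: flatten it to one line, then route it to the syslog output.
[wineventlog_syslog_copy]
SEDCMD-rmlines = s/[\n\r\t]/ /g
TRANSFORMS-routing = route_clone_to_syslog, park_clone_in_index

# transforms.conf
[route_to_indexers]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexers

# Clone only the wanted EventCodes; the original event is left as it was.
# (?m) lets ^ match at the start of any line inside the multi-line event, and
# the trailing \D stops 4740 from also matching 47401.
[clone_for_syslog]
REGEX = (?msi)^EventCode=(4740|4769|1102|4768|4725)\D
CLONE_SOURCETYPE = wineventlog_syslog_copy

[route_clone_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog

# Syslog output is a copy, not a diversion: the clone is still forwarded to
# the indexers through defaultGroup. Park it in its own index (assumed to
# exist) with a short retention rather than sending it to nullQueue, which
# as I understand the pipeline would discard it before the syslog output
# processor ever sees it.
[park_clone_in_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = syslog_copies
```

The order of the two stanzas under `[host::B*]` matters only in that both must run on the original: `route_to_indexers` sets the tcpout group and `clone_for_syslog` spawns the copy. Check the result from both ends: the indexers should show the five EventCodes once under the original sourcetype with their line breaks intact (plus the flattened copy under `wineventlog_syslog_copy` in `syslog_copies`), and the syslog receiver should see one TCP message per matching event with no embedded CR/LF.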