I have a requirement to send certain Windows events to BOTH the indexers AND a remote syslog using TCP.
- The indexers should receive the events in standard Windows multiline format
- The remote syslog should receive the events in single line format
I have a configuration that works, forwarding all events in one or the other format (Windows multiline, or syslog single line) but not both. How can I write props.conf so the same event is sent to the indexers in one format, and to the syslog in another? If I remove the SEDCMD, everything is received in both locations in Windows format. If I include it, everything is single line. How can I have both depending on destination, not source?
PROPS.CONF

[default]
# Applies to every source/sourcetype that no more specific stanza matches.
TRANSFORMS-routing=Everything

[source::WinEventLog:*]
# Same attribute name as in [default]: for these sources this value replaces
# the [default] value rather than being added to it, so only send_to_syslog runs here.
TRANSFORMS-routing=send_to_syslog
# Rewrites _raw in the parsing pipeline (newline, CR and tab become a space);
# the rewritten event is what every output, indexer or syslog, then receives.
SEDCMD-rmlines=s/[\n\r\t]/ /g
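For reference, the full set of files that the posted snippet implies, written out as an added example (this is not the original poster's configuration; the transform names, output group names, hostnames and ports are assumed). It routes the same event to an indexer group and a TCP syslog group and shows where the SEDCMD sits relative to the routing, which is why both destinations see the flattened text:

```ini
# props.conf  (example; on the heavy forwarder or indexer that parses the events)
[source::WinEventLog:*]
# Two differently named TRANSFORMS- attributes, so both transforms run for
# these sources instead of one replacing the other.
TRANSFORMS-route_idx = route_to_indexers
TRANSFORMS-route_syslog = route_to_syslog
# SEDCMD runs in the same parsing pipeline as the routing transforms and
# rewrites _raw itself; there is one _raw per event, so the indexers and the
# syslog group both receive the single-line version.
SEDCMD-rmlines = s/[\n\r\t]/ /g

# transforms.conf  (example)
[route_to_indexers]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexers

[route_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote_syslog

# outputs.conf  (example; hostnames and ports are assumed)
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.local:9997, idx2.example.local:9997

[syslog:remote_syslog]
server = syslog.example.local:514
type = tcp
```

These settings need the parsing pipeline, so they belong on a heavy forwarder or an indexer, not on a universal forwarder. Note that nothing in props.conf selects a destination before SEDCMD is applied: the routing transforms only set the `_TCP_ROUTING` and `_SYSLOG_ROUTING` keys on the already-parsed event, and the outputs read that single event.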