All,
My Windows Event Log items are coming in as sourcetype=WinEventLog and not sourcetype=WinEventLog:Security, as is set in my inputs.conf:
# inputs.conf
[WinEventLog://Security]
source = WinEventLog:Security
sourcetype=WinEventLog:Security
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false
On my intermediate servers I have a props.conf file:
[source::WinEventLog:Security]
sourcetype=WinEventLog:Security
TRANSFORMS-winsourceeventlogsecurity = st_wineventlog_security,route_stubhinfo_to_es
[WinEventLog:Security]
TRANSFORMS-wineventlogsecurity = route_stubhinfo_to_es
# props.conf
[route_stubhinfo_to_es]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=lvssplunkes
My indexers do not have any props.conf settings.
My search heads do not have search time sourcetype renaming enabled.
Any idea where I might be messing up? How can I troubleshoot this further?
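An added lint script (not Splunk tooling and not from the post) that parses .conf fragments like the ones above and flags two things that commonly make a props.conf override silently do nothing: a TRANSFORMS- entry naming a transform that no transforms.conf stanza defines, and a REGEX/DEST_KEY/FORMAT stanza sitting in props.conf, where those keys define no transform. The sample text is constructed from the question's stanzas, with the REGEX/DEST_KEY/FORMAT block left in props.conf as it was labelled there.

```python
# Lint Splunk .conf fragments for two mistakes that make a props.conf override silently fail.
import re

TRANSFORMS_KEYS = {"REGEX", "DEST_KEY", "FORMAT"}  # keys that belong in transforms.conf

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint(props, transforms):
    findings = []
    for stanza, keys in props.items():
        # REGEX/DEST_KEY/FORMAT are transforms.conf keys; inside props.conf they
        # define no transform, so nothing is routed or rewritten by them.
        if set(keys) & TRANSFORMS_KEYS:
            findings.append(f"[{stanza}] is a transforms.conf stanza but sits in props.conf")
        for key, value in keys.items():
            if key.startswith("TRANSFORMS-"):
                for name in (n.strip() for n in value.split(",")):
                    if name not in transforms:  # referenced but never defined
                        findings.append(f"[{stanza}] {key} names undefined transform '{name}'")
    return findings

# Constructed sample mirroring the question: props.conf and a minimal transforms.conf.
PROPS = """[source::WinEventLog:Security]
sourcetype=WinEventLog:Security
TRANSFORMS-winsourceeventlogsecurity = st_wineventlog_security,route_stubhinfo_to_es
[route_stubhinfo_to_es]
DEST_KEY=_TCP_ROUTING
FORMAT=lvssplunkes
"""
TRANSFORMS = """[route_stubhinfo_to_es]
DEST_KEY=_TCP_ROUTING
"""

if __name__ == "__main__":
    for finding in lint(parse_conf(PROPS), parse_conf(TRANSFORMS)):
        print(finding)
```

Keep in mind that props.conf TRANSFORMS- entries run during parsing, so they take effect on a heavy forwarder or indexer but not on a universal forwarder.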