I get events from a universal forwarder. If "alertd[123456]: ABC:" be in the event, i would like to index it. All other events can be ignored.
Do you have a solution?
2019-01-23T14:22:45+01:00 host kernel: [123456.789101] ll header: yf:ff:ff:ef:ff:ff:00:00:00:00:88:05:01:00
2019-01-23T14:22:49+01:00 host alertd[456789]: get_db_c(): ......
2019-01-23T14:22:50+01:00 host alertd[123456]: CEF:0|abcdef|host|....
2019-01-23T14:22:59+01:00 host alertd[456789]: abc_send(): ......
I have tried the following configuration on the Indexer, but it didn't work:
props.conf
[source::C:\Users\test\testsource.log]
TRANSFORMS-set = setnull,setparsing
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (alertd\[\d{1,6}\]\:\s\w{3}\:)
DEST_KEY = queue
FORMAT = indexQueue
Thanks for your solutions.
↧