Greetings!
Sorry, I am a newbie and this might be a simple question, but I couldn't find any answer that works for me.
I'm trying to forward a set of logs to a 3rd party SIEM server using these settings:
::::::::::::::
outputs.conf
::::::::::::::
[tcpout]
forwardedindex.4.blacklist = (_internal|_audit|_telemetry|_introspection)
[tcpout:tcp_qradar_172_x_x_x_514]
disabled = false
sendCookedData = false
server = 172.x.x.x:514
::::::::::::::
props.conf
::::::::::::::
[google:gcp:pubsub:message]
TRANSFORMS-routing = send_to_qradar_tcp_172_x_x_x_514
::::::::::::::
transforms.conf
::::::::::::::
[send_to_qradar_tcp_172_x_x_x_514]
DEST_KEY = _TCP_ROUTING
FORMAT = tcp_qradar_172_x_x_x_514
REGEX = .
However, Splunk forwarded all the logs to the SIEM server, ignoring the filter in props.conf, which is "sourcetype=google:gcp:pubsub:message".
Thanks in advance!
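The three files above form one routing chain: a props.conf stanza names a transform, the transform sets _TCP_ROUTING to a group name, and that name has to match a [tcpout:<group>] stanza in outputs.conf. The script below is an added example, not part of the post and not Splunk code; it embeds constructed copies of the posted stanzas, parses them as INI text and walks the chain, reporting the resulting sourcetype-to-group routes, any broken links (missing transform, wrong DEST_KEY, FORMAT naming a group that does not exist or is disabled), and whether [tcpout] sets a global defaultGroup, which Splunk documents as the target for every event that no transform reroutes. One thing it cannot check from the files alone is the instance type: TRANSFORMS-* routing runs in the parsing pipeline, which a heavy forwarder or indexer has and a universal forwarder does not.

```python
import configparser
from typing import Dict, List

# Constructed copies of the stanzas from the post above (embedded, not read from disk).
OUTPUTS_CONF = """
[tcpout]
forwardedindex.4.blacklist = (_internal|_audit|_telemetry|_introspection)

[tcpout:tcp_qradar_172_x_x_x_514]
disabled = false
sendCookedData = false
server = 172.x.x.x:514
"""

PROPS_CONF = """
[google:gcp:pubsub:message]
TRANSFORMS-routing = send_to_qradar_tcp_172_x_x_x_514
"""

TRANSFORMS_CONF = """
[send_to_qradar_tcp_172_x_x_x_514]
DEST_KEY = _TCP_ROUTING
FORMAT = tcp_qradar_172_x_x_x_514
REGEX = .
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text, preserving key case (DEST_KEY, not dest_key)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def check_routing(outputs_text: str, props_text: str, transforms_text: str) -> Dict[str, object]:
    """Follow props -> transforms -> outputs and report routes, problems and informational notes."""
    outputs = load_conf(outputs_text)
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)

    # Every [tcpout:<name>] stanza is a candidate forwarding group.
    groups = {s[len("tcpout:"):]: outputs[s] for s in outputs.sections() if s.startswith("tcpout:")}
    routes: Dict[str, str] = {}
    problems: List[str] = []
    notes: List[str] = []

    for name, grp in groups.items():
        if not grp.get("server"):
            problems.append(f"[tcpout:{name}] has no server= setting")

    # A global defaultGroup receives every event that no transform reroutes via _TCP_ROUTING.
    default_group = outputs["tcpout"].get("defaultGroup") if outputs.has_section("tcpout") else None
    if default_group:
        notes.append(f"[tcpout] defaultGroup={default_group}: events not rerouted by a transform go there")
    else:
        notes.append("[tcpout] sets no defaultGroup")

    for stanza in props.sections():
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in [t.strip() for t in value.split(",") if t.strip()]:
                if not transforms.has_section(tname):
                    problems.append(f"[{stanza}] {key} references missing transforms stanza [{tname}]")
                    continue
                t = transforms[tname]
                if t.get("DEST_KEY") != "_TCP_ROUTING":
                    problems.append(f"[{tname}] DEST_KEY is {t.get('DEST_KEY')!r}, not _TCP_ROUTING")
                    continue
                target = t.get("FORMAT", "")
                if target not in groups:
                    problems.append(f"[{tname}] FORMAT={target!r} matches no [tcpout:<group>] stanza")
                    continue
                if groups[target].get("disabled", "false").lower() in ("true", "1"):
                    problems.append(f"[tcpout:{target}] is disabled, so the route from [{stanza}] is dead")
                if groups[target].get("sendCookedData", "true").lower() == "false":
                    notes.append(f"[tcpout:{target}] sends raw (uncooked) lines, no Splunk metadata")
                routes[stanza] = target

    return {"routes": routes, "problems": problems, "notes": notes}


if __name__ == "__main__":
    report = check_routing(OUTPUTS_CONF, PROPS_CONF, TRANSFORMS_CONF)
    for section in ("routes", "problems", "notes"):
        print(section, "=", report[section])
```

Run it as-is to see the chain from the post resolve cleanly; then change one identifier (for example misspell the FORMAT value) and rerun to see the break reported, which is the quickest way to rule out a typo before looking at forwarder type or defaultGroup behaviour.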