Hello,
Our setup is as follows:
Windows/Unix UF -> HF -> IDX Clusters
Currently we are sending everything to IDX cluster and 1 copy of the logs to a 3rd party syslog server from the HF.
What we are trying to achieve is to send everything to the 3rd party syslog server and only send filtered logs to the idx clusters.
Given the scenario of the following sourcetype:
a) wineventlog
b) linux_secure
c) cisco:asa
I am trying to figure out how we can:
a) Send everything to the 3rd party syslog
b) Drop events with the eventcode 4624, for example, in wineventlog from being sent to the indexer.
c) Drop events with the "ssh" keyword, for example, in linux_secure from being sent to the indexer.
d) Send all cisco:asa events to the indexer.
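One way to lay this out on the HF, as an added example and not part of the original post: let the outputs.conf default groups send every parsed event to both the indexer cluster and the syslog server, then use transforms that override only `_TCP_ROUTING` for the events that must not reach the indexers, leaving the syslog copy untouched. Assumptions: the hostnames are placeholders, the props.conf stanza names must match the sourcetypes exactly as the HF sees them, and the routing of the filtered events to a tcpout group that is not defined (so the HF discards them from the tcpout path) is a behaviour to confirm on a test HF before relying on it.

```ini
# --- outputs.conf (heavy forwarder) ---
# Everything goes to the indexer cluster unless a transform overrides _TCP_ROUTING.
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx1.example.internal:9997, idx2.example.internal:9997   # placeholder hosts

# Everything also goes to the 3rd-party syslog server; nothing below touches _SYSLOG_ROUTING.
[syslog]
defaultGroup = third_party_syslog

[syslog:third_party_syslog]
server = syslog.example.internal:514   # placeholder host
type = tcp

# --- props.conf (heavy forwarder) ---
# Stanza names must match the real sourcetype names exactly.
[wineventlog]
TRANSFORMS-route = drop_eventcode_4624_from_idx

[linux_secure]
TRANSFORMS-route = drop_ssh_from_idx

# cisco:asa needs no stanza: the defaults above already send it to both outputs.

# --- transforms.conf (heavy forwarder) ---
# Matching events get their indexer route replaced by a tcpout group that is
# deliberately not defined in outputs.conf (assumption: the HF then drops them
# from the indexer path only). The syslog copy is unaffected.
[drop_eventcode_4624_from_idx]
REGEX = (?m)^EventCode=4624\b
DEST_KEY = _TCP_ROUTING
FORMAT = discard_undefined_group

[drop_ssh_from_idx]
REGEX = \bssh\b
DEST_KEY = _TCP_ROUTING
FORMAT = discard_undefined_group
```

These transforms only take effect where the HF actually parses the data, which holds for the UF -> HF path shown above; if another HF has already cooked the events, the filtering has to live on that first HF instead.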