Trying to find a solution to my problem:
http://answers.splunk.com/questions/13139/wineventlogsecurity-filtering-does-not-work
I've checked my metrics.log file and I think I've found the problem: all my universal forwarders are connecting and sending cooked data:
03-28-2011 16:53:54.609 -0400 INFO Metrics - group=tcpin_connections, xxx.xxx.xxxx.xxxx:3244:9995, connectionType=cooked, sourcePort=3244, sourceHost=xxx.xxx.xxxx.xxxx, sourceIp=xxx.xxx.xxxx.xxxx, destPort=9995, _tcp_Bps=53.03, _tcp_KBps=0.05, _tcp_avg_thruput=0.01, kb=1.61, _tcp_Kprocessed=13.00, _tcp_eps=0.10, build=96430, version=4.2, os=Windows, arch=Intel, hostname=SERVERNAME, guid=933005E8-DBF9-4567-827A-E1D13E264568, fwdType=uf, ssl=false, lastIndexer=xxx.xxx.xxxx.xxxx:9995, ack=false
Isn't a universal forwarder supposed to send unparsed data? If my indexer sees cooked data it won't apply any transforms to it. What can I do about this?
The universal forwarder does send unparsed data. In this context, "cooked" merely means that blocks of data have been tagged with default fields, such as source, sourcetype and host. Both parsed and unparsed data are considered "cooked":
http://www.splunk.com/base/Documentation/latest/Deploy/Aboutforwardingandreceivingdata#Types_of_data
"Raw" data is totally unprocessed -- no tagging at all.
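Since "cooked" only says that a Splunk-to-Splunk connection carried tagged blocks, the `connectionType` field in a `tcpin_connections` metrics line cannot tell you whether the data was already parsed; what it can tell you is which inbound connections are Splunk-to-Splunk versus raw TCP, which forwarder type sent them, and whether the link was encrypted (`ssl=false` in the question's line). The following is an added example, not code from the question, the answer or Splunk: a small parser for such metrics.log lines that groups connections by forwarder type and connection type and lists the hosts sending over unencrypted links. The sample lines are constructed in the shape of the entry quoted above; the hostnames, addresses and GUIDs are made up.

```python
import re
from collections import Counter

# Constructed sample metrics.log lines (addresses, hostnames and GUIDs are made up;
# the third line imitates a raw TCP input, so it carries no fwdType/hostname).
SAMPLE_METRICS_LOG = """\
03-28-2011 16:53:54.609 -0400 INFO Metrics - group=tcpin_connections, 10.0.0.11:3244:9995, connectionType=cooked, sourcePort=3244, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9995, _tcp_Bps=53.03, _tcp_KBps=0.05, _tcp_avg_thruput=0.01, kb=1.61, _tcp_Kprocessed=13.00, _tcp_eps=0.10, build=96430, version=4.2, os=Windows, arch=Intel, hostname=WINHOST01, guid=00000000-0000-0000-0000-000000000001, fwdType=uf, ssl=false, lastIndexer=10.0.0.1:9995, ack=false
03-28-2011 16:53:54.611 -0400 INFO Metrics - group=tcpin_connections, 10.0.0.12:3301:9995, connectionType=cooked, sourcePort=3301, sourceHost=10.0.0.12, sourceIp=10.0.0.12, destPort=9995, _tcp_Bps=12.00, _tcp_KBps=0.01, _tcp_avg_thruput=0.01, kb=0.40, _tcp_Kprocessed=2.00, _tcp_eps=0.02, build=96430, version=4.2, os=Linux, arch=x86_64, hostname=LNXHOST02, guid=00000000-0000-0000-0000-000000000002, fwdType=uf, ssl=true, lastIndexer=10.0.0.1:9995, ack=false
03-28-2011 16:53:54.612 -0400 INFO Metrics - group=tcpin_connections, 10.0.0.13:4100:9995, connectionType=raw, sourcePort=4100, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9995, _tcp_Bps=5.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, kb=0.10, _tcp_Kprocessed=1.00, _tcp_eps=0.01, ssl=false, ack=false
03-28-2011 16:53:55.001 -0400 INFO Metrics - group=per_index_thruput, series="main", kbps=1.2, eps=3.0, kb=36.0, ev=90
"""

# key=value pairs; values are either a quoted string or a run of non-comma,
# non-space characters (the bare "ip:port:port" token has no '=' and is skipped).
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_tcpin_connections(text):
    """Return one dict of fields per group=tcpin_connections line in the log text."""
    rows = []
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue  # other metric groups (per_index_thruput, ...) are ignored
        rows.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return rows


def summarize(rows):
    """Group connections by (fwdType, connectionType) and list unencrypted senders.

    fwdType is None for connections that are not from a Splunk forwarder
    (e.g. a raw TCP input), since that field is absent from the line.
    """
    by_kind = Counter((r.get("fwdType"), r.get("connectionType")) for r in rows)
    unencrypted = sorted(
        r.get("hostname") or r.get("sourceHost", "?")
        for r in rows
        if r.get("ssl") == "false"
    )
    return by_kind, unencrypted


def forwarder_report(text):
    """Convenience wrapper: parse the log text and return the summary."""
    return summarize(parse_tcpin_connections(text))


if __name__ == "__main__":
    by_kind, unencrypted = forwarder_report(SAMPLE_METRICS_LOG)
    for (fwd_type, conn_type), n in sorted(by_kind.items(), key=str):
        print(f"fwdType={fwd_type!s:5} connectionType={conn_type:6} connections={n}")
    print("sending without SSL:", ", ".join(unencrypted))
```

Run it against a real `$SPLUNK_HOME/var/log/splunk/metrics.log` by reading the file into `forwarder_report`; a universal forwarder will show up as `fwdType=uf` with `connectionType=cooked`, which, per the answer above, is the expected and normal combination.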
Thank you, wasn't aware of that fact.