Why are Windows event logs getting joined when setting the source to WinEventLog:xxxxxxx?

Dean_Box
Engager

Hello,

All our Windows Application, Security and System logs are being forwarded to a central syslog-ng server (1 line per event).

On the syslog server we have the Splunk Heavy Forwarder installed, and I have been forwarding the logs on to the Splunk indexer.

I'm trying to use the Windows TA Add-on and it requires the sourcetype to be WinEventLog and the source to be one of WinEventLog:Application, WinEventLog:Security or WinEventLog:System.

So in inputs.conf on the heavy forwarder I added the lines to each input:

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sec_log]
sourcetype = WinEventLog
source = WinEventLog:Security
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_app_log]
sourcetype = WinEventLog
source = WinEventLog:Application
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sys_log]
sourcetype = WinEventLog
source = WinEventLog:System
_TCP_ROUTING = SIEMIndexer

Now when I search in the search head I am seeing that 2, 3 or 4 log entries are being grouped as 1 big entry. I played around with the source/sourcetype fields and found that the problem is only there when the source starts with WinEventLog.

I found the [source::WinEventLog...] stanza in props.conf and tried commenting it out partially or completely, and it did not make any difference. This was in /etc/system/local/props.conf on both the indexer and the heavy forwarder.

Is there any way to get Windows event logs in syslog format into Splunk in a way that the Windows TA Add-on will recognize? They will eventually be feeding into Security Essentials.


Thank you,

Dean

opoplawski
Explorer

I think I'm seeing essentially the same thing, though from a different route: I'm getting JSON data from NXLog and sending it to a TCP input. It works fine until I set "source=WinEventLog:System", at which point I get multiple lines of JSON text as a single event.

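Both posts above describe the same symptom: as soon as source begins with WinEventLog, Splunk applies the line-breaking rules bundled for the WinEventLog sourcetype, and those rules are written for the multi-line text that the native Windows event log input produces, not for one-event-per-line syslog or JSON. Commenting a stanza out in etc/system/local does not remove it, because Splunk layers local over default and a setting that is absent from local simply falls through to the default copy; the breaking behaviour has to be overridden explicitly. The fragment below is an added illustration for this thread, not configuration posted by either participant or shipped by Splunk. It assumes the three source values from the inputs.conf above, and the priority value is an arbitrary choice whose only purpose is to outrank any other source stanza that also matches.

```ini
# Added example (not from the thread): $SPLUNK_HOME/etc/system/local/props.conf
# on the heavy forwarder, which is the first parsing instance in this chain.
# Source names are taken from the inputs.conf posted above; the priority
# value is an assumption chosen to beat any other matching source stanza.

[source::WinEventLog:Security]
# syslog-ng emits one event per line: never merge lines, and break on
# every newline instead of using the WinEventLog sourcetype's rules.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# When several source stanzas match (for example the wildcard
# [source::WinEventLog...] stanza in default props.conf), the higher
# priority wins, so this override is applied unambiguously.
priority = 100

[source::WinEventLog:Application]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
priority = 100

[source::WinEventLog:System]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
priority = 100
```

Line breaking happens once, on the first instance that runs a parsing pipeline; here that is the heavy forwarder, so the override belongs on the forwarder (in etc/system/local or an app), and a copy on the indexer changes nothing for data that arrives already parsed. The same stanzas cover the NXLog-over-TCP case in the second post, because the setting keys on the source value rather than on the input type. After restarting the forwarder, a search such as `sourcetype=WinEventLog | stats count by source, linecount` should show linecount 1 for every source; any other value means merging is still taking place. Correct breaking only gets the events in one per line: whether the TA's field extractions then match depends on how closely the syslog-ng payload mirrors the native event text, which the thread does not show.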