Example:
I'd like to run a search on windows logs, do some data transformation and then pipe the output to a syslog listener not on the local host.
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=2 | Send to syslog IP 10.0.0.12:514
The Splunk App for CEF demonstrates one way of doing this.
Thanks, but I am looking for an alternative to this app.
My current tools are limited to "Searching and Reporting" App and any python scripts I can put on the server.
This maybe sounds strange in the first place; but how about using the route and filter method in props.conf like written in the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad#Replicate_a_subset_... Use as regex something like this REGEX = .+EventCode=4624.+Logon_Type=2 and set it on the sourcetype [WinEventLog:Security]
props.conf
REGEX = .+EventCode=4624.+Logon_Type=2
[WinEventLog:Security]
I didn't even know you could do that, it's possible that it could work, my fields are using the Windows app for splunk so I'm not sure if I'd be able to use that regex. Thanks for the tip.
