I'm trying to route syslog messages that contain the term "nc3ldaprealm" to an index other than main. I'm using the setup below, but I'm seeing odd behavior.
If I use (.*) for the regex, I get a second copy of the original msg in my "nc3sec" index.
If I use the regex below, I'm not seeing any message in my "nc3sec" index... although the regex parses the msg correctly when I test with an external tool. I would like the msg that matches the regex to appear in the "nc3sec" index, but not main. Any ideas? Thanks.
Msgs are being sent directly from syslog to udp:514. There's no forwarder involved, so the confs are set up on the indexer.
props.conf:
[syslog]
TRANSFORMS-vpn_user_log = VPNUSERLOG

transforms.conf:
[VPNUSERLOG]
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^(.*nc3ldaprealm.*)
DEST_KEY = _MetaData:Index
FORMAT = nc3sec
WRITE_META = true
Here's an example of the msg:
Apr 26 18:02:05 206.15.126.232 Juniper: id=firewall time="2011-04-26 18:05:03" pri=6 fw=206.15.126.232 vpn=sb117ncvp02 user=testuser13 realm="nc3ldaprealm" roles="" proto=auth src=205.203.130.22 dst= dstname= type=vpn op= arg="" result= sent= rcvd= agent="" duration= msg="AUT23457: Login failed using auth server nc3ldap (LDAP Server). Reason: Failed"
I think I answered my own question. The problem was with the SOURCE_KEY = MetaData:Sourcetype. I think the regex was being applied against the sourcetype instead of the msg, as when I removed it (defaults to _raw) my routing worked correctly.
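An added illustration of why the SOURCE_KEY setting mattered (this is a model written for this page, not Splunk's own code or anything from the post): the transform's REGEX is evaluated against whatever field SOURCE_KEY names, so pointed at the sourcetype it only ever sees the string "syslog" and never the realm value in _raw. The event dictionaries and the `apply_index_transform` function are constructed here to mimic that behaviour.

```python
import re

# Constructed sample event, trimmed from the message in the post.
# The only fields that matter for the routing decision are _raw,
# the sourcetype metadata and the current index assignment.
SAMPLE_EVENT = {
    "_raw": (
        'Apr 26 18:02:05 206.15.126.232 Juniper: id=firewall '
        'time="2011-04-26 18:05:03" pri=6 fw=206.15.126.232 vpn=sb117ncvp02 '
        'user=testuser13 realm="nc3ldaprealm" proto=auth '
        'msg="AUT23457: Login failed using auth server nc3ldap (LDAP Server). '
        'Reason: Failed"'
    ),
    "MetaData:Sourcetype": "syslog",
    "_MetaData:Index": "main",
}

# Constructed event from a different realm; it should stay in main.
OTHER_EVENT = {
    "_raw": 'Apr 26 18:03:11 206.15.126.232 Juniper: id=firewall realm="corpldap" '
            'msg="AUT24414: Login succeeded"',
    "MetaData:Sourcetype": "syslog",
    "_MetaData:Index": "main",
}


def apply_index_transform(event, regex, source_key="_raw", dest_index="nc3sec"):
    """Model of an index-routing transform (DEST_KEY = _MetaData:Index).

    REGEX is run against the field named by SOURCE_KEY (default _raw, as in
    Splunk). On a match the index is rewritten to FORMAT, otherwise the
    event keeps its current index. Returns the resulting index name.
    """
    subject = event.get(source_key, "")
    if re.search(regex, subject):
        return dest_index
    return event["_MetaData:Index"]


def compare_source_keys(event):
    """Same REGEX as the post, evaluated with each SOURCE_KEY choice."""
    regex = r"^(.*nc3ldaprealm.*)"
    return {
        # SOURCE_KEY = MetaData:Sourcetype: the subject is just "syslog",
        # which never contains the realm, so nothing is routed.
        "sourcetype_key": apply_index_transform(event, regex, "MetaData:Sourcetype"),
        # SOURCE_KEY omitted (_raw): the realm is in the subject, routing works.
        "raw_key": apply_index_transform(event, regex, "_raw"),
        # (.*) matches any subject, including the bare sourcetype string,
        # which is why the catch-all regex fired even with the wrong key.
        "catch_all_on_sourcetype": apply_index_transform(event, r"(.*)", "MetaData:Sourcetype"),
    }
```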