I want to export Windows Security events to syslog.
The following works, but it shows the events all originate from Splunk.
I want to replace the syslog header with the original host or at least tag the original host on the event.
props.conf
[WinEventLog:Security]
# must name the transforms.conf stanza, which is [win_strm] below
TRANSFORMS-routing = win_strm
outputs.conf
[syslog:ms_strm_dev]
server = 10.4.4.200:12468
type = tcp
transforms.conf
[win_strm]
REGEX = (?msi)Security
DEST_KEY = _SYSLOG_ROUTING
# FORMAT names the outputs.conf syslog group, not another transform
FORMAT = ms_strm_dev
It looks like I could add something like this to my transforms, but how would I format the transform twice?
DEST_KEY = MetaData:Host
REGEX = (.+)
FORMAT = host::$1
I want to be able to filter AND route. This shows how to do either, but it doesn't look like both can be applied to the same data, unless I can route it to one transform, then back through another once it goes through the first.
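One way to apply both transforms to the same events, as an added example rather than anything from the post above: Splunk runs every stanza listed in a TRANSFORMS-&lt;class&gt; line, in order, so the routing transform and a host-rewriting transform can share one class. The stanza name win_orig_host is made up here, and the host regex assumes the classic multi-line WinEventLog text format, where the originating machine appears on a "ComputerName=" line (reading _raw with `(.+)`, as in the question, would instead set host to the entire event).

```ini
# props.conf -- both transforms run, in this order, on every WinEventLog:Security event
[WinEventLog:Security]
TRANSFORMS-routing = win_strm, win_orig_host

# transforms.conf
# 1) route the event to the syslog output group defined in outputs.conf
[win_strm]
REGEX = (?msi)Security
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_strm_dev

# 2) overwrite the event's host metadata with the original Windows machine name
#    (assumption: the raw event carries a line such as "ComputerName=WS01.corp.example")
[win_orig_host]
SOURCE_KEY = _raw
REGEX = (?m)^ComputerName=(\S+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

# outputs.conf -- unchanged from the question
[syslog:ms_strm_dev]
server = 10.4.4.200:12468
type = tcp
```

These index-time transforms only take effect on the instance that parses the data (a heavy forwarder or indexer), not on a universal forwarder; whether the rewritten host then appears in the syslog header depends on the syslog output using the event's host field, which is an assumption worth checking on the receiving side.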