I have windows event logs coming into a heavy forwarder, which I don’t need to index. All I need to do is select a couple of windows event ids, reparse them and send them to a 3rd party as single line events. I’ve read a lot of articles about forwarding and similar types of posts, but I cannot seem to get this to work. Any help would be greatly appreciated!
This is what I have so far:
inputs.conf
[tcp://9997]
sourcetype = for3rdparty
queueSize = 50KB
persistentQueueSize = 200MB
queue = parsingQueue
outputs.conf
[tcpout:3rdparty]
server = 1.1.1.1:1111
sendCookedData = false
props.conf
[for3rdparty]
SEDCMD-rmlines = s/[\n\t\r]/ /g
TRANSFORMS-1capture = capture_for_3rdparty
TRANSFORMS-2reparse = reparse_for_3rdparty
TRANSFORMS-3route = route_to_3rdparty
transforms.conf
[capture_for_3rdparty]
# \b stops EventCode=1111 or 2223 from matching as 111 / 222
REGEX = (?ms)^EventCode=(111|222|333)\b(.*)
DEST_KEY = _raw
[reparse_for_3rdparty]
REGEX = <regex>
FORMAT = $1::$2
DEST_KEY = _raw
[route_to_3rdparty]
# "." matches every event, so every event is routed, not only the captured IDs
REGEX = .
DEST_KEY = _TCP_ROUTING
# must be the tcpout group name from outputs.conf ([tcpout:3rdparty])
FORMAT = 3rdparty
Is there any reason for not using _TCP_ROUTING
in inputs.conf? I mean, does the implementation below work?
inputs.conf:
[tcp://9997]
sourcetype = for3rdparty
whitelist = 111, 222, 333
_TCP_ROUTING = for3rdparty
persistentQueueSize=200MB
Props.conf:
[for3rdparty]
SEDCMD-rmlines = s/[\n\t\r]/ /g
Outputs.conf:
[tcpout:for3rdparty]
server = 1.1.1.1:1111
sendCookedData = false
Hi
Apologies for the slow response. I did as you suggested, used _TCP_ROUTING in inputs.conf and everything works as it should. Thanks!