- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can you help me forward Windows events to a 3rd pa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to forward the Windows events from Splunk to a 3rd party syslog system. I checked the docs and also several answers here.
I have a Search head, an Indexer and Universal Forwarder (UF) agents on the source Windows servers. (Splunk version 7.1.3)
The UFs forward all the events to the indexer with no problems. The IX forwards all(?) — or at least most —of the required events to the 3rd party system, but also is forwarding some other syslog messages (received from VMware vcenter) which it should not do.
What am I doing wrong?
The outputs.conf on the IX:
[syslog]
[syslog:external]
server=192.168.10.134:514
priority=NO_PRI
The transforms.conf on the IX:
[send_to_syslog]
REGEX = .
DEST_KEY=_SYSLOG_ROUTING
FORMAT=external
I am using Windows TA v4.8.4. I tried to found how to configure to forward all the system/application/security events and nothing else.
So I added the the following code to several place in props.conf:
TRANSFORMS-external = send_to_syslog
Regards,
István
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ikulcsar,
Can you please provide props.conf configuration from Indexers?
You need to configure props.conf on Indexer for only those sourcetype from which you want to send traffic to 3rd party.
For example if you want to forward only WinEventLog:Application and WinEventLog:Security to syslog server in that case props.conf should be like this.
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ikulcsar,
Can you please provide props.conf configuration from Indexers?
You need to configure props.conf on Indexer for only those sourcetype from which you want to send traffic to 3rd party.
For example if you want to forward only WinEventLog:Application and WinEventLog:Security to syslog server in that case props.conf should be like this.
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thx. I found the problem which caused the non-requested syslog forwarding... I forget to delete some config from the prev. test...
The Windows TA v4.8.4 a little messy, at least for me. I didn't find 3 identical stanzas for the System/App/Security events...
Finally, these are I choose:
[source::WinEventLog:System]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[source::*:Security]
TRANSFORMS-external = send_to_syslog
So far looks good. Thx.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use below configuration in props.conf which is easy to understand because all 3 stanza uses sourcetypes.
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog
[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog
[WinEventLog:System]
TRANSFORMS-external = send_to_syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx, works.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
