I can send a subset of Windows data to a syslog server by sourcetype and then use transforms to REGEX out the host.
None of this works, though, if Splunk puts a timestamp/server header on each syslog message.
I have tried syslogSourceType = sourcetype::WinEventLog:Security, but this doesn't work.
Am I missing anything?
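Added example, not from the original post: a constructed outputs.conf syslog stanza for the forwarding instance and a props.conf/transforms.conf pair for the receiving instance, showing the sourcetype filter and host extraction the post describes. The stanza name, server address, sourcetype and regex are assumptions; the timestampformat line is included only because it is the outputs.conf setting that governs the prepended timestamp, and should be checked against the outputs.conf spec for the Splunk version in use.

```ini
# --- outputs.conf on the forwarding Splunk instance (constructed example) ---
# Only events whose sourcetype is WinEventLog:Security are sent to this syslog target.
[syslog:win_security_to_siem]
server = siem.example.com:514        ; assumed destination
type = udp
syslogSourceType = sourcetype::WinEventLog:Security
; Assumed: controls the timestamp Splunk prepends to each forwarded syslog line.
; Verify the exact setting name/behaviour in the outputs.conf spec for your version.
timestampformat = %b %e %H:%M:%S

# --- props.conf on the receiving Splunk instance (constructed example) ---
# Apply the host-rewrite transform to the Windows security sourcetype at index time.
[WinEventLog:Security]
TRANSFORMS-sethost = win_host_from_computername

# --- transforms.conf on the receiving Splunk instance (constructed example) ---
# Pull the host from the ComputerName= field inside the event body rather than
# anchoring on the start of the line, so a prepended syslog timestamp/server
# header does not break the match.
[win_host_from_computername]
REGEX = ComputerName=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Index-time transforms only take effect on data arriving after the restart, so check a fresh event with `| stats count by host` rather than re-examining already indexed data.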