I have set up a transform to ideally set the hostname and sourcetype for syslog traffic; however, I'm encountering problems.
I have the following in the transforms.conf:
[firepass_sourcetyper]
REGEX = (?:192.168.249.106)
DEST_KEY = MetaData:sourcetype
FORMAT = sourcetype::firepass_log

[firepass_hostnamer]
REGEX = (?:192.168.249.106)
DEST_KEY = MetaData:host
FORMAT = host::rm.markerstudy.com
And I have the following in my props.conf file:
[source::udp:514]
TRANSFORMS-firepasssoucetype = firepass_sourcetyper
TRANSFORMS-firepasshostname = firepass_hostnamer
I'm not sure if it's possible to do multiple transforms for a single source as I am trying; however, for the purpose of testing this I have commented out the second transforms statement.
Can anybody help as to why this isn't working?
Thanks,
Neil