I am trying to configure a heavy forwarder to route all data to SyslogNG while routing some data to the null queue.
I need my data flow as below:
For Data Archive: HF -> all data -> SyslogNG
For Daily Search: HF -> NullQueue -> Indexer
My issue is, when logs go to the nullQueue, they do not go to SyslogNG at all. Is there any way to send to syslog while not indexing?
Also, I can not use these in inputs.conf:
SYSLOG_ROUTING = primarySyslogs
_TCP_ROUTING = somethingThatDoesntExistInOutputsConf
The reason is I use the Check Point LEA app to get data, and this app does not need a regular inputs.conf configuration.
Here is what I configured in props.conf, transforms.conf:
props.conf
[opsec]
TRANSFORMS-route = RouteToNG, RouteToNullQueue

transforms.conf
[RouteToNG]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogNG

[RouteToNullQueue]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue

outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://indexer:9997]

[tcpout:default-autolb-group]
disabled = false
server = indexer:9997

[syslog:syslogNG]
server = x.x.x.x:514
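The question notes that `_TCP_ROUTING = somethingThatDoesntExistInOutputsConf` cannot be placed in inputs.conf for this input. The same key can also be set per event from transforms.conf, since `_TCP_ROUTING` is a valid `DEST_KEY` there alongside `_SYSLOG_ROUTING` and `queue`. The configuration below is an added illustration of that layout, not the poster's configuration and not a confirmed fix for the Check Point LEA input: the stanza name `RouteAcceptsAwayFromIndexers` and the group name `noIndexers` are hypothetical, and `syslogNG`, `opsec`, `action=accept` and `x.x.x.x:514` are taken from the question. The idea is to keep every event out of `nullQueue` (so it still reaches the syslog output) and instead steer the `action=accept` events to a TCP output group that has no stanza in outputs.conf, so nothing is forwarded to the indexer for them. Whether a forwarder honours this for a given modular input should be verified in a test environment before relying on it.

```ini
# props.conf (added example; sourcetype name taken from the question)
[opsec]
# Transforms run in list order. The two stanzas write different keys
# (_SYSLOG_ROUTING and _TCP_ROUTING), so both apply to the same event.
TRANSFORMS-route = RouteToNG, RouteAcceptsAwayFromIndexers

# transforms.conf (added example)
[RouteToNG]
# Every event is routed to the syslog output group named syslogNG.
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogNG

[RouteAcceptsAwayFromIndexers]
# Hypothetical stanza: instead of queue = nullQueue (which drops the event
# before any output sees it), point matching events at a TCP output group
# that is deliberately not defined in outputs.conf, so they are forwarded
# to syslog but not to the indexer. Non-matching events keep defaultGroup.
REGEX = action=accept
DEST_KEY = _TCP_ROUTING
FORMAT = noIndexers

# outputs.conf (added example; there is intentionally no [tcpout:noIndexers])
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = indexer:9997

[syslog:syslogNG]
server = x.x.x.x:514
```

A quick way to check the result is to search the indexer for the sourcetype and confirm that `action=accept` events are absent while the other events are present, then confirm on the SyslogNG side that both kinds of event still arrive.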