Hi there,
I'm struggling with the following:
On a heavy forwarder I get two types of data: Windows events and firewall logs, and I need to forward the data to an archive, as well as to the indexer tier. But I also need to get rid of the line breaks of the Windows events before I send them to the archive (which is syslog-ng, btw).
So when I clone the data with defaultGroups like this in the outputs.conf:
[tcpout]
defaultGroup = indexers, syslog-ng-tls
indexAndForward = false
The data gets forwarded to both destinations, but I have no chance to remove the linebreaks since tcpout:syslog-ng-tls has no options for altering the data.
But when I do it via props.conf and transforms.conf like this:
props.conf:
[host::*]
SEDCMD-rmlines=s/[\n\r\t]/ /g
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256
TRANSFORMS-syslog = syslog_routing
transforms.conf:
[syslog_routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = syslog-ng-tls
outputs.conf:
[tcpout]
defaultGroup = indexers
indexAndForward = false
[tcpout:indexers]
server = *.*.*.*:9997,*.*.*.*:9997
sslVersions = tls1.2
[tcpout:syslog-ng-tls]
server = *.*.*.*:1516
sendCookedData = false
useSSL = true
sslVerifyServerCert = false
Then the default group is being ignored and the events are being sent only to the syslog server.
The latter way works on an indexer, but apparently not on a heavy forwarder.
So I wonder: is there a way to send the data unaltered to the indexers and transformed to the archive on a heavy forwarder?
Thanks for your help!