We are forwarding IIS logs from UFs to a heavy forwarder, and the heavy forwarder is supposed to send them on to a 3rd party. I've confirmed using packet captures that the UFs are getting the logs to the heavy forwarder, but for some reason the HF isn't sending them on. It is, however, sending other data sources I've configured, like WinEventLogs and DHCP logs. Does anyone know what might be causing those specific logs to stall at the HF? I'm really stumped by this one. There is one caveat, further below, where we can get it to work, but it's not optimal.

Here's basically how we have it configured:

UFs clone all data by using two tcpout groups: (1) send to indexers and (2) send to the HF.

The HF does this:
- [indexAndForwarder] is set to "false"
- Supposed to send only WinEventLog, DHCP logs, and IIS logs, filtering out everything else

## props.conf ##

[source::WinEventLog:*]   - this works
TRANSFORMS-routing = 3rdpartyOut

[DhcpSrvLog]   - this works
TRANSFORMS-routing = 3rdpartyOut

[ms:iis:auto]   - does not work; also tried using the source instead of the sourcetype
TRANSFORMS-routing = 3rdpartyOut

## transforms.conf ##

[3rdpartyOut]
REGEX = .
SOURCE_KEY = MetaData:Host
DEST_KEY = _SYSLOG_ROUTING
FORMAT = 3rdparty

## outputs.conf ##

# Defaults - routes everything to "nothing" by default
[syslog]
defaultGroup = nothing

[syslog:3rdparty]
sendCookedData = false
server = x.x.x.x:xxxx

Couple of random notes:
- We are using a separate transforms.conf and props.conf to manually tag all IIS logs with "IISWebLog" (thanks to someone on this forum for help with that).
- If we use the inputs.conf in the TA we built for the UFs (the one that tells those UFs to clone their data to the heavy forwarder) to start monitoring IIS logs, in other words without changing anything on the HF, it actually works: the logs get ingested into Splunk and sent all the way to the 3rd party, but for some reason they don't get the "IISWebLog" tag. This also gets pushed out to way more servers than we actually want to monitor IIS for, so this wouldn't be ideal anyway. But it's interesting that it somehow gets the logs all the way to the end.

Thank you for any help!
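Added example, not part of the original post: a small Python model of how the props.conf / transforms.conf / outputs.conf fragments above resolve the `_SYSLOG_ROUTING` key for an event. The conf content is copied from the post; the event records are constructed sample data, and `make_event`, `matching_stanzas`, `apply_transform` and `syslog_route` are names chosen for this example. It is deliberately simplified (glob matching via `fnmatch`, stanza types evaluated in the order source, host, sourcetype, first `_SYSLOG_ROUTING` hit wins); Splunk's real precedence rules are richer. What it does show is the one thing worth checking first: a stanza keyed on a sourcetype only fires for events that actually carry that sourcetype when the HF parses them, so an IIS event arriving under any other sourcetype falls through to the `nothing` group.

```python
"""Model of Splunk props/transforms routing resolution (added example,
not the poster's code). Simplified semantics, see lead-in."""
import fnmatch
import re

# --- constructed copies of the conf fragments from the post -----------------
PROPS = {
    "source::WinEventLog:*": {"TRANSFORMS-routing": "3rdpartyOut"},
    "DhcpSrvLog":            {"TRANSFORMS-routing": "3rdpartyOut"},
    "ms:iis:auto":           {"TRANSFORMS-routing": "3rdpartyOut"},
}
TRANSFORMS = {
    "3rdpartyOut": {
        "REGEX": ".",
        "SOURCE_KEY": "MetaData:Host",
        "DEST_KEY": "_SYSLOG_ROUTING",
        "FORMAT": "3rdparty",
    },
}
SYSLOG_DEFAULT_GROUP = "nothing"   # [syslog] defaultGroup = nothing


def make_event(host, source, sourcetype, raw):
    """Constructed event; keys mirror the metadata names transforms can use."""
    return {"host": host, "source": source, "sourcetype": sourcetype,
            "_raw": raw, "MetaData:Host": host}


def matching_stanzas(event):
    """Return the props.conf stanzas that apply to this event.

    Stanza keys are 'source::<glob>', 'host::<glob>' or a bare sourcetype.
    Simplification: globs via fnmatch; source stanzas are considered before
    host stanzas, and those before sourcetype stanzas."""
    hits = []
    for key, attrs in PROPS.items():
        if key.startswith("source::"):
            if fnmatch.fnmatchcase(event["source"], key[len("source::"):]):
                hits.append((0, key, attrs))
        elif key.startswith("host::"):
            if fnmatch.fnmatchcase(event["host"], key[len("host::"):]):
                hits.append((1, key, attrs))
        elif key == event["sourcetype"]:
            hits.append((2, key, attrs))
    return [(k, a) for _, k, a in sorted(hits, key=lambda h: h[0])]


def apply_transform(event, name):
    """Apply one transforms.conf stanza. Returns (DEST_KEY, FORMAT) when
    REGEX matches the SOURCE_KEY field, else None."""
    t = TRANSFORMS[name]
    subject = event.get(t.get("SOURCE_KEY", "_raw"), "")
    if re.search(t["REGEX"], subject) is None:
        return None
    return t["DEST_KEY"], t["FORMAT"]


def syslog_route(event):
    """Resolve the syslog output group the HF would send this event to."""
    for _, attrs in matching_stanzas(event):
        for attr, transform_list in attrs.items():
            if not attr.startswith("TRANSFORMS-"):
                continue
            for name in transform_list.split(","):
                hit = apply_transform(event, name.strip())
                if hit and hit[0] == "_SYSLOG_ROUTING":
                    return hit[1]
    return SYSLOG_DEFAULT_GROUP


if __name__ == "__main__":
    # Constructed sample events; sourcetype/source values are assumptions.
    samples = [
        make_event("dc01", "WinEventLog:Security", "WinEventLog:Security",
                   "EventCode=4624"),
        make_event("dhcp01", r"C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log",
                   "DhcpSrvLog", "10,03/04/24,00:00:01,Started"),
        make_event("web01", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240304.log",
                   "ms:iis:auto", "2024-03-04 00:00:01 GET / 200"),
        make_event("web01", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240304.log",
                   "IISWebLog", "2024-03-04 00:00:01 GET / 200"),
    ]
    for ev in samples:
        print(f"{ev['sourcetype']:22s} -> {syslog_route(ev)}")
```

To compare the model against the real box, `splunk btool props list ms:iis:auto --debug` on the HF shows which props.conf file each attribute of that stanza is actually taken from, and the sourcetype and source the IIS events carry on arrival at the HF are what the stanza key has to match.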