Yes, this question has been asked a hundred times. I have looked at all of the examples, but my grasp of the different conf files and their interactions is lacking.
First:
I have a Windows device.
It has the Universal forwarder installed. (Version 6.3)
My destination device is a syslog server (TIBCO Loglogic, accepts standard syslog)
My config files are as follows (this is the entire config, not snippets):
**inputs.conf**

```ini
[default]
host = $decideOnStartup
connection_host = "ip"

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 1

[WinEventLog://Security]
index = winevt
disabled = 0
current_only = 0
```

**transforms.conf**

```ini
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
```

**props.conf**

```ini
[host::10*]
TRANSFORMS-mine = send_to_syslog

[source:*]
SEDCMD-rmlines=s/[\n\r\t]/ /g
```

**outputs.conf**

```ini
[tcpout:group1]
server=172.17.1.12:514
sendCookedData = false

[syslog:my_syslog_group]
server = 172.17.1.12:514
type = tcp
timestampformat = %b %e %H:%M:%S
```
The problems I am having:
1. I was hoping for something much simpler. Just something in the outputs.conf: Winevent in, syslog out.
2. I get a lot of junk information (it looks like splunk application info) with "INFO" or "WARN" that has nothing to do with Windows events.
3. Most importantly: My Windows logs are broken into newlines! A single winevent takes 15 or so lines. My transforms.conf seems to do nothing, nor any of the other examples I have seen.
So yes, I am getting Windows logs as syslog, but the data is not usable to the end user due to the newlines.
Any help would be greatly appreciated!
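As an added example (not part of the original post), a small lint pass over a constructed copy of the props.conf and outputs.conf shown above. It checks two things a reviewer of this config would look at first: a props.conf stanza header written with a single colon (`[source:*]`) instead of the `[source::...]` form Splunk expects, so that stanza never matches anything; and a raw `tcpout` group (`sendCookedData = false`) aimed at the same host:port as the syslog group, which is a plausible source of the unfiltered Splunk "INFO"/"WARN" lines, since everything the forwarder ships, its own internal logs included, would go there too. The stanza names and finding texts are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed copies of the stanzas from the post (sample input, not the live files).
PROPS_CONF = r"""
[host::10*]
TRANSFORMS-mine = send_to_syslog
[source:*]
SEDCMD-rmlines=s/[\n\r\t]/ /g
"""
OUTPUTS_CONF = r"""
[tcpout:group1]
server=172.17.1.12:514
sendCookedData = false
[syslog:my_syslog_group]
server = 172.17.1.12:514
type = tcp
"""

def parse_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse Splunk .conf text into an ordered list of (stanza name, settings)."""
    stanzas: List[Tuple[str, Dict[str, str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas

def lint_props(text: str) -> List[str]:
    """Flag host/source/sourcetype stanza headers that use a single colon."""
    findings = []
    for name, _ in parse_conf(text):
        m = re.match(r"^(host|source|sourcetype):(?!:)", name)
        if m:
            findings.append(f"[{name}] uses a single colon; Splunk expects [{m.group(1)}::...]")
    return findings

def lint_outputs(text: str) -> List[str]:
    """Flag a raw tcpout group that targets the same server as a syslog output group."""
    stanzas = parse_conf(text)
    syslog_targets = {s["server"] for n, s in stanzas if n.startswith("syslog:") and "server" in s}
    findings = []
    for name, s in stanzas:
        raw = s.get("sendCookedData", "true").lower() == "false"
        if name.startswith("tcpout:") and raw and s.get("server") in syslog_targets:
            findings.append(f"[{name}] sends raw, unfiltered data to {s['server']}, the same target as a syslog group")
    return findings
```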