Hello,
I'm trying to send Windows events using a Universal Forwarder to a 3rd party system.
I configured outputs.conf as shown below:
```
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer1:9997,indexer2:9997, etc
autoLB = true
compressed = true

[tcpout:exernal]
server=10.10.10.10:514
sendCookedData=false
```
The forwarder has an inputs.conf which looks for WinEvent:Security. The events are reaching the Splunk indexers successfully... but not the 3rd party server. The 3rd party server is only receiving Splunk internal events, which tells me that the outputs.conf stanza is correct and I have connectivity between the 2 machines.
Is there anything specific I need to configure in order to forward the Windows events to the 3rd party server as well? I only need to send the raw events, no other parsing/transformation is needed. Any suggestion would be highly appreciated.
Thanks!