I'm having some issues with a heavy forwarder that I can't explain, and I was hoping someone could help me.
First question:
I have 1 heavy forwarder and 3 separate indexers. How can I define on the heavy forwarder which data stream needs to go where? Now I'm just receiving errors that a certain index does not exist on an indexer (which is correct). If I can just ignore the error, it's also fine, but I was hoping there is a cleaner way of doing it.
Second question:
On the heavy forwarder I have defined the following.
In props.conf:
[WinEventLog:Security]
TRANSFORMS-security = dropadlog, adlog
In transforms.conf:
[adlog]
REGEX = (?msi)^EventCode=(4625|4768|4769|4771|4773|4776|4740)
DEST_KEY = queue
FORMAT = indexQueue
[dropadlog]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
So what I want to do here is only allow the EventCodes that are defined and drop the rest. What is weird is that it passes on 4768 and 4769. All other EventCodes get dropped (or at least, they do not reach the index).
Any ideas?
I know I can whitelist this on the universal forwarder already, but I would like to do it on the heavy forwarder instead if possible.
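The props/transforms pair above relies on ordering: every transform named in TRANSFORMS-security runs in sequence, each match overwrites the queue key, and the last match wins, so "dropadlog" has to come before "adlog". The following added Python script (not Splunk code and not from the original post) emulates that evaluation against constructed Windows Security events laid out as key=value lines, so you can check which EventCodes a given regex and ordering would keep before touching the forwarder. Splunk uses PCRE and Python uses re; for these patterns the behaviour is the same, and the event text, transform list and the reversed-order comparison are all assumptions built for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in the multi-line key=value layout a Windows
# Security event has when it reaches the parsing pipeline. Only the lines
# the regexes care about are included; values are invented for the demo.
SAMPLE_EVENTS: Dict[str, str] = {
    "4768": "03/01/2024 10:00:01 AM\nLogName=Security\nEventCode=4768\n"
            "Message=A Kerberos authentication ticket (TGT) was requested.",
    "4769": "03/01/2024 10:00:02 AM\nLogName=Security\nEventCode=4769\n"
            "Message=A Kerberos service ticket was requested.",
    "4625": "03/01/2024 10:00:03 AM\nLogName=Security\nEventCode=4625\n"
            "Message=An account failed to log on.",
    "4740": "03/01/2024 10:00:04 AM\nLogName=Security\nEventCode=4740\n"
            "Message=A user account was locked out.",
    # Not in the allow list: should end up in nullQueue.
    "4624": "03/01/2024 10:00:05 AM\nLogName=Security\nEventCode=4624\n"
            "Message=An account was successfully logged on.",
    "4672": "03/01/2024 10:00:06 AM\nLogName=Security\nEventCode=4672\n"
            "Message=Special privileges assigned to new logon.",
}

# (stanza name, REGEX, FORMAT); every entry has DEST_KEY = queue.
Transform = Tuple[str, str, str]

# Same two stanzas as the posted transforms.conf, in TRANSFORMS-security order.
POSTED_TRANSFORMS: List[Transform] = [
    ("dropadlog", r".", "nullQueue"),
    ("adlog", r"(?msi)^EventCode=(4625|4768|4769|4771|4773|4776|4740)", "indexQueue"),
]


def route_event(event: str, transforms: List[Transform] = POSTED_TRANSFORMS,
                default_queue: str = "indexQueue") -> str:
    """Return the queue an event lands in after applying the transforms in order.

    Each transform whose REGEX matches overwrites the queue key, so the last
    matching transform decides. Splunk's REGEX is an unanchored search, hence
    re.search rather than re.match.
    """
    queue = default_queue
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def route_all(events: Dict[str, str],
              transforms: List[Transform] = POSTED_TRANSFORMS) -> Dict[str, str]:
    """Map each sample EventCode to the queue it would be routed to."""
    return {code: route_event(text, transforms) for code, text in events.items()}


def kept_codes(events: Dict[str, str],
               transforms: List[Transform] = POSTED_TRANSFORMS) -> List[str]:
    """EventCodes that reach indexQueue, sorted for stable comparison."""
    return sorted(code for code, q in route_all(events, transforms).items()
                  if q == "indexQueue")


if __name__ == "__main__":
    print("posted order  :", route_all(SAMPLE_EVENTS))
    # Reversing the list shows why ordering matters: "dropadlog" would then
    # run last and send every event, allowed or not, to nullQueue.
    print("reversed order:", route_all(SAMPLE_EVENTS, list(reversed(POSTED_TRANSFORMS))))
```

With the posted ordering the script keeps 4625, 4740, 4768 and 4769 and drops 4624 and 4672, which is what the configuration is meant to do; if the same regex drops events on the real forwarder, the difference lies in the raw event text (for instance EventCode= not at the start of a line), not in the stanza logic, and feeding a copy of a real raw event into SAMPLE_EVENTS is a quick way to confirm that.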