I'm trying to forward a subset of log messages (/var/log/secure and Windows security events) from a heavy forwarder to a syslog-ng server which is listening over TLS.
I've got this working for `syslog` sources with a combination of a `[tcpout]` and a transform which sets `_TCP_ROUTING` to my `tcpout`:
(outputs.conf)

```ini
[tcpout:remote-syslog]
server = host:6514
sslCertPath = $SPLUNK_HOME/etc/auth/...
...
```

(props.conf)

```ini
[source::/var/log/secure...]
TRANSFORMS-routing=remote_syslog_routing

[XmlWinEventLog:Security]
TRANSFORMS-routing=remote_syslog_routing
```

(transforms.conf)

```ini
[remote_syslog_routing]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=remote-syslog
CLONE_SOURCETYPE=remote_syslog_logs
```
However the log messages from `XmlWinEventLog:Security` come through as raw XML with no syslog header, which the remote end has difficulty parsing. I'd like to ensure that these non-syslog events are prefixed with a syslog header before sending them to the remote server.
I understand that if I was using a `[syslog]` output, I would use the `timestampformat` property to get Splunk to automatically prefix these messages with a timestamp and hostname. However the syslog output does not appear to support any form of TLS/SSL connections, so I'm forced to use a TCP output.
I have got the hostname prefixed by applying the following transform:
```ini
[hostnamePrefix]
SOURCE_KEY=MetaData:Host
REGEX=^(.*)$
DEST_KEY=_raw
FORMAT=$1 $0
```
But there do not appear to be built-in keys or fields containing enough information to construct the rest of the syslog header (the date and time in a format like `Sep 28 23:38:13`). The `_time` key is the number of seconds since the Unix epoch and seems ideal, except I can't seem to get a `strftime` working in a transform - it seems to only work in `EVAL-*` statements, which are only applied at search time and not index time.
How do I get a syslog (or syslog-like) header appearing in the forwarded log messages to the TCP output before the XML security events? Or alternatively, is there a way to get a syslog output connected over TLS?
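For reference, this added example (not part of the question, and not a Splunk feature) shows what the target line looks like: an RFC 3164 header built from the epoch `_time` value and the host, with the XML Security event as the message body. It assumes the syslog-ng receiver accepts a BSD-style header, that timestamps are rendered in UTC, and that the XML is collapsed onto one line because the TCP output in the question is newline-delimited; the facility/severity choice and the `splunk` tag are assumptions.

```python
"""Construct an RFC 3164 (BSD syslog) line for a Splunk event so a raw XML
Windows Security event reaches syslog-ng looking like an ordinary syslog
record. Example code; it does not run inside Splunk's transform pipeline."""
from datetime import datetime, timezone

# RFC 3164 facility and severity codes used to compute the PRI field.
FACILITY = {"auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"info": 6, "notice": 5, "warning": 4}

# Constructed sample event; a real XmlWinEventLog:Security event is larger.
SAMPLE_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4624</EventID></System>
</Event>"""


def bsd_timestamp(epoch: float) -> str:
    """Render epoch seconds as 'Mmm dd hh:mm:ss' per RFC 3164.

    The day is space-padded to two characters ('Sep  8'); strftime's %d
    zero-pads, so the field is formatted by hand. UTC is assumed here.
    """
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return f"{dt.strftime('%b')} {dt.day:2d} {dt.strftime('%H:%M:%S')}"


def syslog_line(epoch: float, host: str, raw: str,
                facility: str = "authpriv", severity: str = "notice",
                tag: str = "splunk") -> str:
    """Prefix the raw event with '<PRI>TIMESTAMP HOST TAG: ' (assumed values).

    Multi-line XML is collapsed to a single line so a newline-delimited TCP
    receiver does not split one event into several partial records.
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    payload = " ".join(raw.split())
    return f"<{pri}>{bsd_timestamp(epoch)} {host} {tag}: {payload}"


def octet_count_frame(line: str) -> bytes:
    """RFC 6587 octet-counting frame ('LEN SP MSG'), an alternative to
    newline delimiting when the message body may itself contain newlines."""
    body = line.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


if __name__ == "__main__":
    # 1380411493 is 2013-09-28 23:38:13 UTC, the timestamp from the question.
    print(syslog_line(1380411493, "dc01", SAMPLE_XML))
```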