We are trying to filter and modify events and have both the original and the modified event. The original event would go to the indexers, and the modified event needs to go to the syslog server.
When we used UF -> HF -> Indexer & Syslog, we were unable to retain the original event. Hence, we have introduced another HF for further filtering and event modification. However, the second HF is not processing events.
Is this the correct approach? Please help.
UF -> HF -> Filter for security events and send them to 2 destinations
1. HF -> Filter and modify data -> Send to syslog
2. Indexer
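As an added illustration (not configuration from the poster's environment), the following shows how a single HF can keep the original security event for the indexers while sending a modified copy to syslog, using `CLONE_SOURCETYPE` in transforms.conf to clone the event and applying the masking and `_SYSLOG_ROUTING` only to the clone. The sourcetype `security_events`, the clone name `security_syslog_copy`, the masking regex, the host names and the output group names are assumptions chosen for the example.

```ini
# --- props.conf on the heavy forwarder (constructed example) ---
# Original events: clone them first, then route the original to the indexers.
[security_events]
TRANSFORMS-clone = clone_security_for_syslog
TRANSFORMS-route = route_to_indexers

# The clone arrives under its own sourcetype, so only it is modified
# and only it is routed to the syslog output group.
[security_syslog_copy]
TRANSFORMS-modify = mask_account_id
TRANSFORMS-route = route_to_syslog

# --- transforms.conf on the heavy forwarder ---
[clone_security_for_syslog]
REGEX = .
CLONE_SOURCETYPE = security_syslog_copy

[route_to_indexers]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexers

# Assumed masking rule: keep only the last 4 digits of an 8-digit account id.
[mask_account_id]
REGEX = (.*)account=\d{4}(\d{4})(.*)
FORMAT = $1account=XXXX$2$3
DEST_KEY = _raw

[route_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = soc_syslog

# --- outputs.conf on the heavy forwarder ---
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997

[syslog:soc_syslog]
server = syslog.example.internal:514
type = tcp
# Assumption to verify on the Splunk version in use: whether defaultGroup
# also delivers the clone to the indexers in addition to the syslog group.
```

With this layout the unmodified event reaches the indexers and the masked clone reaches the syslog server from one HF, so the second HF in the chain is not needed for the split.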