Hello everyone!
I'm trying to use props/transforms to set a sourcetype and change the hostname of my devices. Currently they are coming in as sourcetype=syslog.
My event looks like this:
```
Apr 3 22:37:36 10.77.265.178 1 1491277141.711671730 NAME_LOC_FW1 events Site-to-site VPN: notification INVALID-ID-INFORMATION received in informational exchange.
```
I want to extract "NAME_LOC_FW1", change the sourcetype to meraki, and change the host to "NAME_LOC_FW1".
I have the following props:
```
[syslog]
TRANFORMS-changesourcetypes = NAME_LOC_FW1

[syslog]
TRANSFORMS-changehost = NAME_LOC_FW1_HOST
```
And the following transforms:
```
[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (?)(NAME_LOC_FW1)
FORMAT = host::$1
```
This isn't working... Can anyone tell me what I'm doing wrong?
Also, this is implemented on a Heavy Forwarder.
Thanks a lot!
JG
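One way the two files could be written to do what the question asks, added here as an example and not text from the question or from any answer; it assumes every Meraki event places the device name right after the fractional epoch timestamp, as the sample event above does, and the stanza names are chosen for this example.

```ini
# props.conf on the heavy forwarder that parses the syslog feed.
# A single [syslog] stanza lists both transforms; attribute names are
# case-sensitive, so the key must read TRANSFORMS-..., not TRANFORMS-...
[syslog]
TRANSFORMS-meraki = meraki_set_sourcetype, meraki_set_host

# transforms.conf
# Both stanzas key on the same part of the sample event:
#   "... 1491277141.711671730 NAME_LOC_FW1 events ..."
# The capture group takes the first token after the epoch timestamp
# (assumption: that token is always the device name).
# REGEX is upper case, and "(?)" from the original post is not a valid
# regular expression, so it is replaced by a plain capture group.
[meraki_set_sourcetype]
REGEX = \d{10}\.\d+\s+(\S+)\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[meraki_set_host]
REGEX = \d{10}\.\d+\s+(\S+)\s
DEST_KEY = MetaData:Host
FORMAT = host::$1
```

These are index-time settings, so the heavy forwarder needs a restart after the edit, and only events received after that point get the new sourcetype and host; anything already indexed keeps sourcetype=syslog.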