Hi Folks - testing the product out and trying to figure out this scenario.
Windows Server w/ Universal Forwarder --> Heavy Forwarder --> Specific Index on Indexer
Most of the above works and I have filtering based on specific events and account names are working too, the next step is getting traffic to a specific **index** on my indexer.
How do I do this? Referenced articles are not working.
On the indexer, I've created a new index `'winevents'`
On props.conf
[source::*:Security]
TRANSFORMS-set = setnull,seclog
On my transforms.conf I've got:
[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue
From what I understand 'format' should equal the new index name? `FORMAT = winevents`
That's not working.
↧