I have Windows event logs coming into a heavy forwarder, which I don’t need to index. All I need to do is select a couple of Windows event IDs, reparse them and send them to a 3rd party as single-line events. I’ve read a lot of articles about forwarding and similar types of posts, but I cannot seem to get this to work. Any help would be greatly appreciated!
This is what I have so far:
inputs.conf

[tcp://9997]
sourcetype = for3rdparty
queueSize = 50KB
persistentQueueSize = 200MB
queue = parsingQueue

outputs.conf

[tcpout:3rdparty]
server = 1.1.1.1:1111
# raw output: the 3rd party gets plain text, not the Splunk-to-Splunk protocol
sendCookedData = false

props.conf

[for3rdparty]
# collapse the multi-line Windows event into one line
SEDCMD-rmlines = s/[\n\t\r]/ /g
TRANSFORMS-1capture = capture_for_3rdparty
TRANSFORMS-2reparse = reparse_for_3rdparty
TRANSFORMS-3route = route_to_3rdparty

transforms.conf

[capture_for_3rdparty]
REGEX = (?ms)^EventCode=(111|222|333)(.*)
# an explicit FORMAT keeps the whole matched event in _raw
FORMAT = $0
DEST_KEY = _raw

[reparse_for_3rdparty]
REGEX =
FORMAT = $1::$2
DEST_KEY = _raw

[route_to_3rdparty]
REGEX = .
DEST_KEY = _TCP_ROUTING
# must name the tcpout group ([tcpout:3rdparty]), not the sourcetype
FORMAT = 3rdparty
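A corrected configuration for the same goal, written here as an added example (it is not from the original post). It assumes the events arrive on port 9997 as cooked data from universal forwarders and carry their original sourcetype (WinEventLog:Security is assumed; the port, the 1.1.1.1:1111 destination, the group name 3rdparty and the EventCodes 111/222/333 are taken from the post). Instead of per-event _TCP_ROUTING it drops everything except the selected EventCodes via nullQueue, flattens the survivors with SEDCMD, and lets the single raw tcpout group carry them:

```ini
# --- inputs.conf (heavy forwarder) ---
# Universal forwarders send cooked data, so the receiver is a splunktcp input,
# not a raw tcp input. The sourcetype is set by the sending forwarder
# (assumed here: WinEventLog:Security) and cannot be overridden on this stanza.
[splunktcp://9997]

# --- props.conf ---
# Index-time rules are keyed by the sourcetype the events actually carry.
[WinEventLog:Security]
# Order matters: every event is first sent to nullQueue, then the selected
# EventCodes are put back on indexQueue (the last matching transform wins).
TRANSFORMS-filter = drop_everything, keep_selected_eventcodes
# Collapse the multi-line Windows event into a single line for the raw output.
SEDCMD-flatten = s/[\r\n\t]+/ /g

# --- transforms.conf ---
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_selected_eventcodes]
# Whitespace delimiters rather than line anchors, so the match does not depend
# on whether the flattening SEDCMD has run yet; the trailing (?:\s|$) keeps
# EventCode=1111 from matching EventCode=111.
REGEX = (?:^|\s)EventCode=(?:111|222|333)(?:\s|$)
DEST_KEY = queue
FORMAT = indexQueue

# --- outputs.conf ---
[tcpout]
defaultGroup = 3rdparty
# Nothing is written to local indexes on the heavy forwarder.
indexAndForward = false

[tcpout:3rdparty]
server = 1.1.1.1:1111
# Plain text on the wire (no Splunk-to-Splunk protocol): one flattened _raw per event.
sendCookedData = false
```

Check the effective settings with `splunk btool props list WinEventLog:Security --debug` and `splunk btool transforms list`, restart the forwarder, and watch the destination port (for example `nc -l 1111` on a test host) for single-line events. Two things commonly break this pattern: the props stanza not matching the sourcetype the events really carry, and the data having already been parsed by an upstream heavy forwarder or indexer, in which case index-time TRANSFORMS and SEDCMD are not applied again on this host.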