Hello,
I am working on a PoC env. I have a Universal Forwarder monitoring a directory for new data, tagging with a sourcetype and sending to a Heavy Forwarder.
When I try to send data from a UF to a HF with sourcetype `iis2` it works; however, if I try with sourcetype `iis` it doesn't work.
I use `syslogSourceType` and `dest_key` `syslog_routing`; I presume the whole setup is incompatible with sourcetype `iis` and should be handled differently. I'm simply interested in forwarding this data to a local service (port 44444) for a test. The data I'm feeding for my test is actual IIS log data that I add little by little to simulate a real IIS log.
Can you guide me on how to configure this properly to forward/transform `iis` as if it were syslog to a local socket?
Here is my working setup:
CentOS 6.7
Package versions:
Splunk Universal Forwarder 6.3.1 (build f3e41e4b37b2)
Splunk 6.2.5 (build 272645)
**Universal Forwarder** 10.24.0.210
*/opt/splunkforwarder/etc/system/local/inputs.conf*
```ini
[monitor:///var/log/test]
sourcetype = iis2
crcSalt = version1
disabled = 0
```
*/opt/splunkforwarder/etc/system/local/outputs.conf*
```ini
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.24.0.206:9997
```
**Heavy Forwarder** 10.24.0.206
*/opt/splunk/etc/system/local/props.conf*
```ini
[iis2]
TRANSFORMS-nyc = TRANSFORMS-act
```
*/opt/splunk/etc/system/local/transforms.conf*
```ini
[TRANSFORMS-act]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ACTFormat
```
*/opt/splunk/etc/system/local/outputs.conf*
```ini
[syslog:ACTFormat]
disabled = false
server = 127.0.0.1:44444
type = tcp
priority = NO_PRI
syslogSourceType = sourcetype::iis2
maxEventSize = 1000
```
Thanks in advance.
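The routing chain in the post spans three files (props.conf stanza, the transform it names, and the `[syslog:...]` output stanza that `FORMAT` points at, filtered by `syslogSourceType`), so any rename of the sourcetype has to be made consistently in all three. The following added check is not part of the question or of Splunk itself; it is a small, hypothetical consistency checker over constructed copies of the stanzas shown above (trimmed to the keys it inspects) that reports where the chain no longer agrees on the sourcetype name.

```python
import re
# Constructed conf text mirroring the stanzas in the question (not read from disk).
PROPS = """[iis2]
TRANSFORMS-nyc = TRANSFORMS-act
"""
TRANSFORMS = """[TRANSFORMS-act]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ACTFormat
"""
OUTPUTS = """[syslog:ACTFormat]
server = 127.0.0.1:44444
syslogSourceType = sourcetype::iis2
"""

def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_syslog_routing(props, transforms, outputs):
    """Return problems in the sourcetype -> transform -> [syslog:...] chain."""
    problems = []
    tr_conf, out_conf = parse_conf(transforms), parse_conf(outputs)
    for st, keys in parse_conf(props).items():
        for key, tname in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue  # only TRANSFORMS-* settings name a transform
            tr = tr_conf.get(tname)
            if tr is None:
                problems.append(f"[{st}] references missing transform [{tname}]")
                continue
            if tr.get("DEST_KEY") != "_SYSLOG_ROUTING":
                problems.append(f"[{tname}] DEST_KEY is not _SYSLOG_ROUTING")
            out = out_conf.get(f"syslog:{tr.get('FORMAT')}")
            if out is None:
                problems.append(f"[{tname}] FORMAT has no [syslog:{tr.get('FORMAT')}] stanza")
                continue
            # syslogSourceType filters the syslog output; absent means all sourcetypes.
            want = f"sourcetype::{st}"
            if out.get("syslogSourceType", want) != want:
                problems.append(f"[syslog:{tr['FORMAT']}] syslogSourceType should be {want}")
    return problems
```

Running it against the stanzas as posted returns no problems; renaming only the props stanza to `[iis]` makes it flag the stale `syslogSourceType = sourcetype::iis2`.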