Hello guys,
Today I was able to send some syslogs to another non-Splunk instance; however, when I tried to send one sourcetype, I failed hard.
These are my outputs.conf, props.conf and transforms.conf, and I really have no idea why it isn't working. Maybe it's something really simple, but I can't figure out what it is.

outputs.conf
[syslog]
defaultGroup = syslogGroup
[syslog:syslogGroup]
server = dest ip:5146

props.conf
[sourcetype::WinEventLog:Security]
TRANSFORMS-mcafee = send_to_syslog

transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup

Any kind of help would be appreciated.