Hello,
I'm trying to retrieve all logon/logoff/failed-logon events on my indexer from a UniversalForwarder, filtered by a Heavy Forwarder:
UF v5.0.5 (all Security logs) > HF v5.0.5 (filtering only 4642/4625/4634 events) > Indexer v6.0 (just index)
UF: basic install with only Security logs configured to be sent
HF: listen on and forward only
**props.conf**

```ini
# Heavy Forwarder: apply the routing transform to the Security sourcetype
[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza
```

**transforms.conf**

```ini
# Match every event and set its TCP routing target to winEvents_group
[winEvents_stanza]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=winEvents_group
```

**outputs.conf**

```ini
[tcpout]
defaultGroup=defaultGroup

# default group: no server defined
[tcpout:defaultGroup]

# routed group: sendCookedData = 0 sends the raw stream, not cooked Splunk data
[tcpout:winEvents_group]
server = X.X.X.X:xxxx
sendCookedData = 0
```
Indexer: index received data
If I don't configure the HF (props/transforms/outputs), the indexer receives all Security logs, but when I try to filter only on "WinEventLog:Security", the indexer does not receive the security logs.
Is the HF able to understand the sourcetype WinEventLog:Security?
Any Idea ?
Thanks.
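For comparison, below is an added example of a Heavy Forwarder configuration that keeps only selected Security EventCodes and forwards the rest of nothing; it is not the poster's configuration and not official Splunk-provided code. It uses the documented nullQueue/indexQueue pattern (the last matching transform wins) instead of `_TCP_ROUTING`, and it leaves `sendCookedData` at its default of true because a `splunktcp` listener on the indexer expects cooked data. The stanza names `setnull`, `keep_logon_events` and `indexers` are illustrative, the event IDs 4624/4625/4634 (successful logon, failed logon, logoff) are an assumption, and `X.X.X.X:xxxx` is the placeholder from the question.

```ini
# --- props.conf on the Heavy Forwarder ---
# The UF tags the Security channel as this sourcetype; the HF parses the
# stream, so index-time transforms configured here take effect.
[WinEventLog:Security]
TRANSFORMS-filter = setnull, keep_logon_events

# --- transforms.conf on the Heavy Forwarder ---
# Transforms run in the listed order and the last match wins:
# 1) discard everything by sending it to the nullQueue ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2) ... then put only the wanted EventCodes back on the indexQueue.
#    Windows event text carries "EventCode=NNNN" on its own line, hence the
#    multiline anchor. The IDs are an assumption; adjust to what you need.
[keep_logon_events]
REGEX = (?m)^EventCode=(4624|4625|4634)\b
DEST_KEY = queue
FORMAT = indexQueue

# --- outputs.conf on the Heavy Forwarder ---
# One target group only needs defaultGroup; no _TCP_ROUTING transform is
# required. sendCookedData is left at its default (true) so the indexer's
# splunktcp receiver can parse what arrives. "indexers" is an illustrative name.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = X.X.X.X:xxxx
```

After placing these in `$SPLUNK_HOME/etc/system/local/` on the HF, restart splunkd there and confirm with a search on the indexer that only the listed EventCodes arrive; if nothing arrives at all, check that the indexer port is a `splunktcp` receiver and not a raw `tcp` input.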