Skip to content

app-parser enabling according to destination #2710

New issue
New issue
Open
Feature
Open
app-parser enabling according to destination#2710
Feature
Assignees
ikheifets-splunk
Labels
Applicationcore dependency in sc4s
@HassanEwida

Description

@HassanEwida
HassanEwida
opened on Feb 18, 2025

Hi all,

In my workspace, I have a Windows machine sending Windows event logs to an SC4S machine, which parses those logs and reformats them into a custom format before sending them to the Splunk indexer/AIO machine. This setup is working perfectly.

However, I now have a new requirement: I need to send the same logs to a different destination. This new machine has syslog-ng installed, and the requirement is to send the logs in their raw format (without parsing them) while still sending the parsed data to splunk machine.

I would really appreciate any help with this matter. :)

Here is the app-parser that I wrote:

# /opt/sc4s/local/config/app_parsers/syslog/app-syslog-winevents.conf

block parser app-syslog-winevents() {
    channel {
        parser {
            regexp-parser(
                prefix(".windows.")
                patterns('MSWinEventLog\s+(?<priority>\d+)\s+(?<logname>\S+)\s+(?<eventid>\d+)\s+(?<raw_timestamp>\w+\s+\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+(?<eventcode>\d+)\s+(?<sourcename>(?:[^\s]+(?:\s+[^\s]+)*?))\s+(?<accountname>\S+)\s+(?<severity>\S+)\s+(?<computername>\S+)\s+(?<category>\d+)\s+(?<message>.+)')
            );

            date-parser(
                format("%a %b %d %H:%M:%S %Y")
                template("${.windows.raw_timestamp}")
            );
        };

        rewrite {
            # Format timestamp
            set("`$(format-date \"${.windows.raw_timestamp}\" \"%m/%d/%Y %I:%M:%S %p\")`" value(".windows.formatted_time"));

            # Construct message with only extracted fields and default values for required fields
            set("${.windows.formatted_time}
LogName=${.windows.logname}
EventCode=${.windows.eventcode}
EventType=0
ComputerName=${.windows.computername}
SourceName=${.windows.sourcename}
Type=${.windows.severity}
RecordNumber=${.windows.eventid}
Keywords=-
TaskCategory=0
OpCode=-
Message=${.windows.message}" value("MESSAGE"));

            # Set Splunk metadata
            set("windows-logs" value(".splunk.index"));
            set("WinEventLog" value(".splunk.sourcetype"));
            set("WinEventLog:${.windows.logname}" value(".splunk.source"));
            set("Microsoft" value(".splunk.vendor"));
            set("Windows" value(".splunk.product"));
        };
    };
};

application syslog-winevents[sc4s-network-source] {
    filter {
        message('MSWinEventLog');
    };

    parser {
        app-syslog-winevents();
    };
};

Metadata

Metadata

Assignees

Labels

Applicationcore dependency in sc4s

Type

Feature

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions