splunk-connect-for-syslog

Splunk_cooked does not work with certain data

mshensg opened this issue 2 years ago · 11 comments

  1. It appears some multiline events cannot be processed properly; only the first line is taken in.
  2. Some data is not properly processed: one line is processed in the normal approach while the other is processed using splunk_cooked. [screenshot]
  3. As Splunk_cooked has lower priority than other parsers, the event (especially if the content is generated from a non-standard data source) might not be able to reach the parser. I suggest renaming the file to 1_splunk_cooked so as to ensure it is the first parser.

mshensg · Mar 10 '22 14:03

I tested multiline with Windows events. Can you confirm the problem on a non-Splunk source?

ryanfaircloth · Mar 10 '22 14:03

Can you share the Splunk-side configuration with me? I am not using a mock-up Python script; I am testing in a real Splunk environment. By the way, when I tried on the instance with the Python script, it works great. I can see _introspection got truncated, multiline events got truncated, and stash-collected events may be processed wrongly. (I am actually thinking of giving all program-based parsers a p prefix and all regex-based parsers an r prefix, so as to ensure all program-based parsers are executed before the regex-based ones.)

mshensg · Mar 10 '22 23:03

Yes, this is here. I need to get this into a doc page: https://gist.github.com/rfaircloth-splunk/fe0f051fbedfefd13c5f56dfeb0a8b3b

ryanfaircloth · Mar 11 '22 14:03

Thanks, I will do some more testing. I tried using the test script to ingest; it works fine. But when using Splunk to send, there are various issues. Let me do some more tests and let you know. Do you have the code for UDP as well, as this kind of traffic needs to be in UDP? We will directly use S2S if TCP is present. The syslog output will be tricky, and this might be the issue I am facing.

mshensg · Mar 11 '22 17:03

I performed some tests (using tcpout; I did not test UDP syslog out yet). I found that Windows events (in traditional mode), _internal logs, and _introspection logs arrive successfully, although I did not count whether anything is missing. However, the other logs, including the data I send to certain indexes using the collect command, did not arrive; instead, there are a lot of error messages reported by sc4s.

[screenshot of sc4s error messages]

mshensg · Mar 12 '22 01:03

UDP would limit the event to about 1200 bytes; it's just unusable. Only TCP can really be used.

ryanfaircloth · Mar 14 '22 21:03

Also, I could use a pcap of an event that produces the invalid frame header.

ryanfaircloth · Mar 14 '22 21:03
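Two symptoms reported above, a multiline event arriving with only its first line and sc4s logging "invalid frame header", are both what you see when the sender and the TCP syslog listener disagree on framing. The following is an added example, not code from this thread or from splunk-connect-for-syslog; it assumes the listener expects RFC 6587 octet-counted frames ("<length> <message>") and that the sender emits newline-delimited messages instead. The event text, function names and the `frame_error` helper are constructed for illustration.

```python
"""Added example: octet-counted vs newline-delimited syslog framing over TCP.

Not code from the issue thread or from splunk-connect-for-syslog. It assumes
the receiver expects RFC 6587 octet counting ("<len> <msg>") on its TCP
listener, which is one explanation for "invalid frame header" and for a
multiline event being cut at its first newline.
"""
import re
from typing import List, Optional

# Constructed multiline RFC 5424-style event (not a real captured message).
MULTILINE_EVENT = (
    "<134>1 2022-03-10T14:03:00Z splunk-hf splunkd - - - "
    "EventCode=4624\nLogonType=3\nAccountName=svc_backup\n"
)

# Octet-count header: decimal byte length followed by a single space.
_FRAME_HEADER = re.compile(rb"(\d{1,10}) ")


def frame_octet_counted(msg: str) -> bytes:
    """RFC 6587 octet counting: byte length, a space, then the message.
    Embedded newlines are safe because the receiver reads exactly `len` bytes."""
    data = msg.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def frame_newline_delimited(msg: str) -> bytes:
    """RFC 6587 non-transparent framing: the message is terminated by LF."""
    return msg.encode("utf-8") + b"\n"


def parse_octet_counted(stream: bytes) -> List[str]:
    """Split a TCP byte stream into messages using octet-counted headers.
    Raises ValueError when the bytes at a frame boundary are not "<digits> "."""
    messages = []
    pos = 0
    while pos < len(stream):
        match = _FRAME_HEADER.match(stream, pos)  # anchored at pos
        if match is None:
            raise ValueError(
                f"invalid frame header at offset {pos}: {stream[pos:pos + 16]!r}"
            )
        length = int(match.group(1))
        start = match.end()
        body = stream[start:start + length]
        if len(body) != length:
            raise ValueError(f"truncated frame at offset {pos}: want {length} bytes")
        messages.append(body.decode("utf-8"))
        pos = start + length
    return messages


def parse_newline_delimited(stream: bytes) -> List[str]:
    """Split on LF. A multiline event becomes one event per line, so only the
    first line keeps the syslog header; the rest arrive as headerless fragments."""
    return [line.decode("utf-8") for line in stream.split(b"\n") if line]


def frame_error(stream: bytes) -> Optional[str]:
    """Return the octet-count parser's error message for a stream, or None."""
    try:
        parse_octet_counted(stream)
    except ValueError as err:
        return str(err)
    return None


def classify_stream(stream: bytes) -> str:
    """Guess the framing of a captured TCP payload (e.g. from a pcap)."""
    if frame_error(stream) is None:
        return "octet-counted"
    return "newline-delimited" if stream.endswith(b"\n") else "unknown"


if __name__ == "__main__":
    whole = parse_octet_counted(frame_octet_counted(MULTILINE_EVENT))
    print("octet-counted frames:", len(whole), "event(s)")
    parts = parse_newline_delimited(frame_newline_delimited(MULTILINE_EVENT))
    print("newline-delimited:", len(parts), "fragment(s); first:", parts[0][:48])
    print("octet-count parser on newline-delimited input:",
          frame_error(frame_newline_delimited(MULTILINE_EVENT)))
```

Run stand-alone, the script shows the same multiline event surviving intact under octet counting, being split into three fragments under newline delimiting, and the newline-delimited bytes being rejected at offset 0 with "invalid frame header" because they start with `<134>` rather than a byte count. When looking at a pcap of the failing traffic, the first bytes of each TCP payload tell you which framing the sender actually used.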

As far as we tested, UDP limits are 65KB of data, which means Windows Perfmon MultiKV will need to change to singleKV and the nix add-on ps.sh will need to be updated to avoid exceeding the limit. This approach is used mainly where the connection does not have TCP (like a data diode), so only UDP can be used. I will try disabling HTTPS and then do a pcap to see if I can find any clues. Will post updates.

mshensg · Mar 15 '22 07:03

Is the Splunk host Linux or Windows?

ryanfaircloth · Mar 15 '22 16:03

AWS Linux 2 and CentOS 7. No Splunk Enterprise on Windows; only the UF for Windows to collect Event Logs and forward via 9997.

mshensg · Mar 16 '22 05:03

Any more updates here?

rjha-splunk · Jul 11 '22 10:07

As there is no update on the issue, we are closing it.

rjha-splunk · Aug 29 '22 12:08