
Unable to parse Juniper firewall logs ingested via SC4S server

Open gshah123 opened this issue 2 years ago • 1 comments

IHAC facing an issue while parsing Juniper firewall logs ingested via the SC4S server.

Splunk TA juniper: 1.5.5-rfb1b492
Splunk Cloud Version: 9.0.2208.1

Customer Description: "We have integrated Juniper Firewall logs by using syslog port 514 TCP with Structured Syslog format. We used Splunk Connect for Syslog to get the logs and configured the metadata files as suggested in the Splunk SC4S docs: https://splunk.github.io/splunk-connect-for-syslog/1821/sources/vendor/Juniper/junos/ But we are not able to parse the logs properly in Splunk Cloud. Line break is not working properly, which causes multiple events to become part of a single event in Splunk."

sourcetype=juniper:junos:firewall

gshah123 avatar Sep 28 '22 03:09 gshah123
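The thread does not establish why events merge, and the maintainers ask for on-the-wire data before guessing. One common cause of exactly this symptom on TCP syslog is a framing mismatch: RFC 6587 allows a sender to frame each message either by a trailing newline ("non-transparent framing") or by an octet-count prefix, and a receiver that splits only on newlines will glue a whole octet-counted burst into one event. The example below is added here and is not code from the issue, from SC4S, or from the Juniper TA; the two structured-syslog messages are constructed placeholders, not captured data. It frames the same two messages both ways and shows how reading one framing with the other splitter reproduces the "multiple events in one event" result, plus a splitter that detects the framing per message.

```python
import re
from typing import List

# Constructed sample RFC 5424 messages in the shape a Juniper SRX emits.
# Addresses, hostname and timestamps are placeholders, not real data.
MSG1 = ('<14>1 2022-09-28T03:09:00Z srx-fw RT_FLOW - RT_FLOW_SESSION_CREATE '
        '[junos@2636.1.1.1.2.129 source-address="10.0.0.1" '
        'destination-address="10.0.0.2"] session created')
MSG2 = ('<14>1 2022-09-28T03:09:01Z srx-fw RT_FLOW - RT_FLOW_SESSION_CLOSE '
        '[junos@2636.1.1.1.2.129 source-address="10.0.0.1" '
        'destination-address="10.0.0.2"] session closed')


def frame_newline(msgs: List[str]) -> bytes:
    """RFC 6587 non-transparent framing: each message ends with LF."""
    return b"".join(m.encode() + b"\n" for m in msgs)


def frame_octet_count(msgs: List[str]) -> bytes:
    """RFC 6587 octet counting: '<byte length> ' precedes each message."""
    out = b""
    for m in msgs:
        body = m.encode()
        out += str(len(body)).encode() + b" " + body
    return out


def split_newline(stream: bytes) -> List[str]:
    """A receiver that only understands newline framing."""
    return [line.decode() for line in stream.split(b"\n") if line]


def split_octet_count(stream: bytes) -> List[str]:
    """A receiver that only understands octet-count framing."""
    events = []
    pos = 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)          # end of the length prefix
        length = int(stream[pos:sp])
        start = sp + 1
        events.append(stream[start:start + length].decode())
        pos = start + length
    return events


def split_auto(stream: bytes) -> List[str]:
    """Detect the framing of each message: a leading '<digits> ' means
    octet counting, otherwise read up to the next LF."""
    events = []
    pos = 0
    while pos < len(stream):
        m = re.match(rb"(\d+) ", stream[pos:])
        if m:
            length = int(m.group(1))
            start = pos + m.end()
            events.append(stream[start:start + length].decode())
            pos = start + length
        else:
            end = stream.find(b"\n", pos)
            if end == -1:
                end = len(stream)
            chunk = stream[pos:end]
            if chunk:
                events.append(chunk.decode())
            pos = end + 1
    return events


def demo() -> int:
    """Number of events a newline-only receiver sees in an octet-counted
    burst of two messages: 1, i.e. the merged-event symptom."""
    merged = split_newline(frame_octet_count([MSG1, MSG2]))
    return len(merged)


if __name__ == "__main__":
    print("newline-only receiver saw", demo(), "event(s) for 2 messages")
    print("framing-aware receiver saw",
          len(split_auto(frame_octet_count([MSG1, MSG2]))), "event(s)")
```

The practical check this suggests is to capture the TCP stream at the SC4S host and look at the first bytes of each message: a decimal length followed by a space means the sender is octet-counting, and the receiver's line-breaking must be configured to match rather than relying on newlines.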

We need pcap/raw data on the wire to reproduce the scenario; we haven't noticed this issue in any of our tests.

rjha-splunk avatar Sep 28 '22 05:09 rjha-splunk

@gshah123, We did not hear anything from you about this issue. Closing this issue for now. Feel free to reach out in case of any further queries.

Thank you.

bparmar-splunk avatar Dec 02 '22 08:12 bparmar-splunk