https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/567348#M100784 <P>We have configured zScaler logs to send logs to a syslog server, where rsyslog intercepts the feed and writes it to a file. HF is deployed to forward logs from file to Indexers. The setup works fine. However, rsyslog upon receiving the logs does some funny things such as&nbsp;</P><P>&nbsp;</P><P>2021-09-1704:12:27 reason=Allowed event_id=7008750744672403548 pr<BR />2021-09-17T14:12:52.976915+10:00 10.24.12.5 otocol=HTTP_PROXY action=Allowed transactionsize=130 responsesize=65&nbsp;requestsize=65 urlcategory=Corporate Marketing serverip=52.13.15.12 clienttranstime=0 requestmethod=CONNECTrefererURL="None" useragent=Unknown product=NSS location=</P><P>As you can see the feed is broken in to two lines (log length is not causing the break)</P><P>Is there an rsyslog config I can use to remediate this issue</P><P>The zScaler format we have used is below</P><P>%d{yy}-%02d{mth}-%02d{dd}%02d{hh}:%02d{mm}:%02d{ss}\treason=%s{reason}\tevent_id=%d{recordid}\tprotocol=%s{proto}\taction=%s{action}\ttransactionsize=%d{totalsize}\tresponsesize=%d{respsize}\trequestsize=%d{reqsize}\turlcategory=%s{urlcat}\tserverip=%s{sip}\tclienttranstime=%d{ctime}\trequestmethod=%s{reqmethod}\trefererURL="%s{ereferer}"\tuseragent=%s{ua}\tproduct=NSS\tlocation=%s{location}\tClientIP=%s{cip}\tstatus=%s{respcode}\tuser=%s{login}\turl="%s{eurl}"\tvendor=Zscaler\thostname=%s{ehost}\tclientpublicIP=%s{cintip}\tthreatcategory=%s{malwarecat}\tthreatname=%s{threatname}\tfiletype=%s{filetype}\tappname=%s{appname}\tpagerisk=%d{riskscore}\tdepartment=%s{dept}\turlsupercategory=%s{urlsupercat}\tappclass=%s{appclass}\tdlpengine=%s{dlpeng}\turlclass=%s{urlclass}\tthreatclass=%s{malwareclass}\tdlpdictionaries=%s{dlpdict}\tfileclass=%s{fileclass}\tbwthrottle=%s{bwthrottle}\tservertranstime=%d{stime}\tmd5=%s{bamd5}\tcontenttype=%s{contenttype}\ttrafficredirectmethod=%s{trafficredirectmethod}\trulelabel=%s{rulelabel}\truletype=%s{ruletype}\tmobappname=%s{mobappname}\tmobappcat=%s{mobappcat}\tmobdevtype=%s{mobdevtype}\tbwclassname=%s{bwclassname}\tbwrulename=%s{bwrulename}\tthrottlereqsize=%d{throttlereqsize}\tthrottlerespsize=%d{throttlerespsize}\tdeviceappversion=%s{deviceappversion}\tdevicemodel=%s{devicemodel}\tdevicemodel=%s{devicemodel}\tdevicename=%s{devicename}\tdevicename=%s{devicename}\tdeviceostype=%s{deviceostype}\tdeviceostype=%s{deviceostype}\tdeviceosversion=%s{deviceosversion}\tdeviceplatform=%s{deviceplatform}\tclientsslcipher=%s{clientsslcipher}\tclientsslsessreuse=%s{clientsslsessreuse}\tclienttlsversion=%s{clienttlsversion}\tserversslsessreuse=%s{serversslsessreuse}\tservertranstime=%d{stime}\tsrvcertchainvalpass=%s{srvcertchainvalpass}\tsrvcertvalidationtype=%s{srvcertvalidationtype}\tsrvcertvalidityperiod=%s{srvcertvalidityperiod}\tsrvocspresult=%s{srvocspresult}\tsrvsslcipher=%s{srvsslcipher}\tsrvtlsversion=%s{srvtlsversion}\tsrvwildcardcert=%s{srvwildcardcert}\tserversslsessreuse="%s{serversslsessreuse}"\tdlpidentifier="%d{dlpidentifier}"\tdlpmd5="%s{dlpmd5}"\tepochtime="%d{epochtime}"\tfilename="%s{filename}"\tfilesubtype="%s{filesubtype}"\tmodule="%s{module}"\tproductversion="%s{productversion}"\treqdatasize="%d{reqdatasize}"\treqhdrsize="%d{reqhdrsize}"\trespdatasize="%d{respdatasize}"\tresphdrsize="%d{resphdrsize}"\trespsize="%d{respsize}"\trespversion="%s{respversion}"\ttz="%s{tz}"\n</P><P>&nbsp;</P><P>Thanks</P> Fri, 17 Sep 2021 04:51:35 GMT asridhara 2021-09-17T04:51:35Z https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/567348#M100784 <P>We have configured zScaler logs to send logs to a syslog server, where rsyslog intercepts the feed and writes it to a file. HF is deployed to forward logs from file to Indexers. The setup works fine. However, rsyslog upon receiving the logs does some funny things such as&nbsp;</P><P>&nbsp;</P><P>2021-09-1704:12:27 reason=Allowed event_id=7008750744672403548 pr<BR />2021-09-17T14:12:52.976915+10:00 10.24.12.5 otocol=HTTP_PROXY action=Allowed transactionsize=130 responsesize=65&nbsp;requestsize=65 urlcategory=Corporate Marketing serverip=52.13.15.12 clienttranstime=0 requestmethod=CONNECTrefererURL="None" useragent=Unknown product=NSS location=</P><P>As you can see the feed is broken in to two lines (log length is not causing the break)</P><P>Is there an rsyslog config I can use to remediate this issue</P><P>The zScaler format we have used is below</P><P>%d{yy}-%02d{mth}-%02d{dd}%02d{hh}:%02d{mm}:%02d{ss}\treason=%s{reason}\tevent_id=%d{recordid}\tprotocol=%s{proto}\taction=%s{action}\ttransactionsize=%d{totalsize}\tresponsesize=%d{respsize}\trequestsize=%d{reqsize}\turlcategory=%s{urlcat}\tserverip=%s{sip}\tclienttranstime=%d{ctime}\trequestmethod=%s{reqmethod}\trefererURL="%s{ereferer}"\tuseragent=%s{ua}\tproduct=NSS\tlocation=%s{location}\tClientIP=%s{cip}\tstatus=%s{respcode}\tuser=%s{login}\turl="%s{eurl}"\tvendor=Zscaler\thostname=%s{ehost}\tclientpublicIP=%s{cintip}\tthreatcategory=%s{malwarecat}\tthreatname=%s{threatname}\tfiletype=%s{filetype}\tappname=%s{appname}\tpagerisk=%d{riskscore}\tdepartment=%s{dept}\turlsupercategory=%s{urlsupercat}\tappclass=%s{appclass}\tdlpengine=%s{dlpeng}\turlclass=%s{urlclass}\tthreatclass=%s{malwareclass}\tdlpdictionaries=%s{dlpdict}\tfileclass=%s{fileclass}\tbwthrottle=%s{bwthrottle}\tservertranstime=%d{stime}\tmd5=%s{bamd5}\tcontenttype=%s{contenttype}\ttrafficredirectmethod=%s{trafficredirectmethod}\trulelabel=%s{rulelabel}\truletype=%s{ruletype}\tmobappname=%s{mobappname}\tmobappcat=%s{mobappcat}\tmobdevtype=%s{mobdevtype}\tbwclassname=%s{bwclassname}\tbwrulename=%s{bwrulename}\tthrottlereqsize=%d{throttlereqsize}\tthrottlerespsize=%d{throttlerespsize}\tdeviceappversion=%s{deviceappversion}\tdevicemodel=%s{devicemodel}\tdevicemodel=%s{devicemodel}\tdevicename=%s{devicename}\tdevicename=%s{devicename}\tdeviceostype=%s{deviceostype}\tdeviceostype=%s{deviceostype}\tdeviceosversion=%s{deviceosversion}\tdeviceplatform=%s{deviceplatform}\tclientsslcipher=%s{clientsslcipher}\tclientsslsessreuse=%s{clientsslsessreuse}\tclienttlsversion=%s{clienttlsversion}\tserversslsessreuse=%s{serversslsessreuse}\tservertranstime=%d{stime}\tsrvcertchainvalpass=%s{srvcertchainvalpass}\tsrvcertvalidationtype=%s{srvcertvalidationtype}\tsrvcertvalidityperiod=%s{srvcertvalidityperiod}\tsrvocspresult=%s{srvocspresult}\tsrvsslcipher=%s{srvsslcipher}\tsrvtlsversion=%s{srvtlsversion}\tsrvwildcardcert=%s{srvwildcardcert}\tserversslsessreuse="%s{serversslsessreuse}"\tdlpidentifier="%d{dlpidentifier}"\tdlpmd5="%s{dlpmd5}"\tepochtime="%d{epochtime}"\tfilename="%s{filename}"\tfilesubtype="%s{filesubtype}"\tmodule="%s{module}"\tproductversion="%s{productversion}"\treqdatasize="%d{reqdatasize}"\treqhdrsize="%d{reqhdrsize}"\trespdatasize="%d{respdatasize}"\tresphdrsize="%d{resphdrsize}"\trespsize="%d{respsize}"\trespversion="%s{respversion}"\ttz="%s{tz}"\n</P><P>&nbsp;</P><P>Thanks</P> Fri, 17 Sep 2021 04:51:35 GMT https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/567348#M100784 asridhara 2021-09-17T04:51:35Z https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/594555#M103913 <P>Hello,&nbsp;</P><P>I was curious if you received any feedback on the issue or if you found a solution? Thank you.</P> Wed, 20 Apr 2022 23:37:13 GMT https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/594555#M103913 da 2022-04-20T23:37:13Z https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/594559#M103914 <P>Hi,</P><P>Unfortunately we still have not found a solution or a workaround for these logs</P><P>&nbsp;</P> Thu, 21 Apr 2022 00:24:23 GMT https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/594559#M103914 asridhara 2022-04-21T00:24:23Z https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/594576#M103915 <P>Firstly, we don't know what syslog daemon you use and what is its confiiguration.</P><P>Secondly, I'd start with dumping the incoming traffic to see how the zscaler sends those logs.</P> Thu, 21 Apr 2022 04:51:29 GMT https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/594576#M103915 PickleRick 2022-04-21T04:51:29Z https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/628672#M107889 <P>Did you get a response? We are having the same issue</P> Fri, 27 Jan 2023 19:33:32 GMT https://community.splunk.com/t5/Getting-Data-In/zScaler-logs-via-Syslog-causing-problems-with-line-breaks-at/m-p/628672#M107889 joshuasolman 2023-01-27T19:33:32Z