topic Event logs from Snare not organized like Windows Universal Forwarder does? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Event-logs-from-Snare-not-organized-like-Windows-Universal/m-p/80971#M16698 <P>I have been using the Snare agent to send my Windows Event logs to syslog-ng then off to Splunk with the Linux Universal forwarder. Everything is working great but the event logs that show up in Splunk are not organized how the regular Windows Universal forwarder sends them. With the setup I have now the entire event log is all squished together, with the Windows universal forwarder it puts everything on its own line in a very organized and easy to read fashion. I also noticed that the universal forwarder gets rid of the paragraph long informational junk that is with certain event logs.</P> <P>Is there anyway to fix this? I assume this is more of a Snare issue but other people must have had this problem before.</P> Fri, 05 Oct 2012 05:50:42 GMT johns3 2012-10-05T05:50:42Z Event logs from Snare not organized like Windows Universal Forwarder does? https://community.splunk.com/t5/Getting-Data-In/Event-logs-from-Snare-not-organized-like-Windows-Universal/m-p/80971#M16698 <P>I have been using the Snare agent to send my Windows Event logs to syslog-ng then off to Splunk with the Linux Universal forwarder. Everything is working great but the event logs that show up in Splunk are not organized how the regular Windows Universal forwarder sends them. With the setup I have now the entire event log is all squished together, with the Windows universal forwarder it puts everything on its own line in a very organized and easy to read fashion. I also noticed that the universal forwarder gets rid of the paragraph long informational junk that is with certain event logs.</P> <P>Is there anyway to fix this? I assume this is more of a Snare issue but other people must have had this problem before.</P> Fri, 05 Oct 2012 05:50:42 GMT https://community.splunk.com/t5/Getting-Data-In/Event-logs-from-Snare-not-organized-like-Windows-Universal/m-p/80971#M16698 johns3 2012-10-05T05:50:42Z Re: Event logs from Snare not organized like Windows Universal Forwarder does? https://community.splunk.com/t5/Getting-Data-In/Event-logs-from-Snare-not-organized-like-Windows-Universal/m-p/80972#M16699 <P>No, this is how Snare formats its logs. It cannot use newlines in its messages because that would violate the syslog standard. I've found no way of reliably finding points in these messages where you can exchange certain whitespace characters for newlines.</P> Fri, 05 Oct 2012 06:50:53 GMT https://community.splunk.com/t5/Getting-Data-In/Event-logs-from-Snare-not-organized-like-Windows-Universal/m-p/80972#M16699 Ayn 2012-10-05T06:50:53Z