PingOne/PingIdentity log subscription ingestion - logs unreadable

kschiemo — Tue, 29 Sep 2020 20:47:29 GMT

I am sending logs from PingOne to my heavy forwarder. The logs are being streamed to the forwarder via TCP. The logs are configured to be in the 'SPLUNK_AUDIT' format. The logs showing up in splunk are not readable.

Here is the relevant documentation from Ping Identity regarding this format:

Format (Required) -- The subscription format to use. This can be one of the following:

AUDIT - The PingOne audit event format (JSON).
SPLUNK_AUDIT - The PingOne audit event format wrapped with the fields needed for processing by Splunk (JSON).

Here are my inputs.conf and props.conf configurations.

-- inputs.conf --
[tcp://:10000]
index = main
sourcetype = pingid

-- props.conf --
[pingid]
SHOULD_LINEMERGE=false
TIME_PREFIX="timestamp":
TIME_FORMAT=%s
KV_MODE = false
INDEXED_EXTRACTIONS = json

Does anyone have any ideas on how I can adjust my ingestion settings so that these logs are readable? Or is this indicative of a problem with how I've set up the logs to be sent from PingOne (it is a pretty straightforward process so I am doubtful of this personally). I am expecting to see pretty generic JSON data coming through. I have played around with the JSON parsing options in splunk (KV_MODE = json), but I don't believe that this is a JSON parsing issue. I have also experimented with specifying differing CHARSETs in my props.conf, thinking that perhaps the logs are coming in a non-UTF8 format, but also to no avail.

Re: PingOne/PingIdentity log subscription ingestion - logs unreadable

kschiemo — Wed, 22 Aug 2018 19:40:20 GMT

Turns out my load balancer was re-encrypting the logs before pushing them to my forwarders. Disabling the encryption resolved the issue.

topic Re: PingOne/PingIdentity log subscription ingestion - logs unreadable in Getting Data In

PingOne/PingIdentity log subscription ingestion - logs unreadable

Re: PingOne/PingIdentity log subscription ingestion - logs unreadable