https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448179#M95425 <P>How are you sending data to AlienVault?</P> Mon, 18 Mar 2019 17:41:43 GMT nickhills 2019-03-18T17:41:43Z https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448176#M95422 <P><STRONG>These are the logs coming from splunk to my alienvault SIEM Sensor but my SIEM is unable to read those logs. I have checked all the confs like props.conf, transform.conf, input.conf, output.conf but I couldn't understand the issue. The main issue is in each key value pair in logs, value is being #015#012 this kind of weird. All events are from Windows. At first I thought there may be data Anonymizing but there is not **TRANSFORMS-annonymize</STRONG> entry in props.conf. Please help, Thanks in advanced.** </P> <PRE><CODE>Mar 17 23:00:03 172.16.8.145 TEC-R90M6PGD Type=NetworkAdapter#015#012Name="Microsoft Wi-Fi Direct Virtual Adapter #2"#015#012Manufacturer="Microsoft"#015#012ProductName="Microsoft Wi-Fi Direct Virtual Adapter"#015#012Status=""#015#012MACAddress="36:F3:9A:3D:28:1D"Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=1 G:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015 Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=2 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015 Mar 17 23:00:02 172.16.8.145 TECSRVEXMBX02 20190317230049.314638#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=3 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015 </CODE></PRE> Mon, 18 Mar 2019 13:28:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448176#M95422 ginstinct 2019-03-18T13:28:11Z https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448177#M95423 <P>This looks like a slightly odd encoding/escaping of octal <CODE>\015 \012</CODE> which is the same as <CODE>\r\n</CODE> ( and <CODE>\0</CODE> which is <CODE>null</CODE>)<BR /> I would rewrite both <CODE>#0#015#012</CODE> and <CODE>#015#012</CODE> as a literal space as you ingest the data.</P> <P>Edit: I read this question as if it was AlienVault -&gt; Splunk instead of the other way round, but hopefully the explanation still stands.</P> Mon, 18 Mar 2019 16:44:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448177#M95423 nickhills 2019-03-18T16:44:18Z https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448178#M95424 <P>Thank for your explanation @nickhillscpl , but what should be the workaround to this issue.</P> Mon, 18 Mar 2019 17:39:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448178#M95424 ginstinct 2019-03-18T17:39:11Z https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448179#M95425 <P>How are you sending data to AlienVault?</P> Mon, 18 Mar 2019 17:41:43 GMT https://community.splunk.com/t5/Getting-Data-In/Why-the-logs-coming-from-Splunk-to-Alienvault-SIEM-sensor-are/m-p/448179#M95425 nickhills 2019-03-18T17:41:43Z