When I installed the app and set it up using the guide, I also set it up to use its own index. I set it up to send the data over https. But for some reason now, nothing is showing in my regular index that udp:514 is sent to. I stopped getting entries at the exact time I installed this app. What did it do to hijack udp:514?
:/etc# lsof -i :514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
splunkd 13946 root 37u IPv4 2709215 0t0 TCP *:shell (LISTEN)
splunkd 13946 root 44u IPv4 2709220 0t0 UDP *:syslog
Problem solved. Changed props.conf settings below and it fixed the issue. We tested this change in the FireEye app and it did not seem to break anything, thus we pushed a new version to the app store. Note: we need the linemerge for json and xml over syslog, but it seems to break intelligently thus far.
[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))
-to-
[syslog]
SHOULD_LINEMERGE = true
Thanks to bcdatacomm for bringing this issue to our attention.
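The failure mode behind the fix above comes down to what LINE_BREAKER = ((?!)) does: (?!) is an empty negative lookahead that can never succeed, so the breaker never matches and the syslog stream is never split into events (TRUNCATE=0 removes the only other cut-off). The following Python script is an added example, not code from the thread or from the app; it approximates Splunk's LINE_BREAKER rule (the text matched by capture group 1 is the delimiter and is discarded, the text between delimiters becomes an event) and runs the broken breaker and Splunk's default ([\r\n]+) over a constructed three-line syslog sample. The sample lines and the helper names are invented for illustration.

```python
import re

# Constructed sample of what arrives on udp:514 (three syslog messages, one
# carrying a JSON payload). Not real data.
SAMPLE_STREAM = (
    "<34>Oct  5 10:00:01 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5\n"
    "<13>Oct  5 10:00:02 host2 app: {\"event\": \"login\", \"user\": \"bob\"}\n"
    "<34>Oct  5 10:00:03 host1 sshd[124]: Failed password for root from 10.0.0.9\n"
)

BROKEN_LINE_BREAKER = r"((?!))"     # from the app's original [syslog] stanza
DEFAULT_LINE_BREAKER = r"([\r\n]+)" # Splunk's default LINE_BREAKER


def break_events(stream, line_breaker):
    """Approximate Splunk's LINE_BREAKER behaviour (hypothetical helper).

    Capture group 1 of the regex is the delimiter; it is dropped, and the
    text between consecutive delimiters becomes one event. Data after the
    last delimiter has not been 'broken' yet; Splunk would keep buffering it
    until the breaker matches, so we return it separately as `pending`.
    Returns (events, pending).
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capture group")
    events = []
    pos = 0
    for m in pattern.finditer(stream):
        if m.start(1) == m.end(1):
            # zero-width delimiter: would never consume input, skip it
            continue
        chunk = stream[pos:m.start(1)]
        if chunk:
            events.append(chunk)
        pos = m.end(1)
    pending = stream[pos:]
    return events, pending


def count_events(line_breaker, stream=SAMPLE_STREAM):
    """Number of complete events a given LINE_BREAKER yields for the sample."""
    return len(break_events(stream, line_breaker)[0])


def breaker_is_dead(line_breaker, stream=SAMPLE_STREAM):
    """True if the breaker never matches the sample, i.e. nothing would ever
    be indexed from this stream. A cheap sanity check to run on any custom
    LINE_BREAKER before pushing a props.conf change."""
    return re.search(line_breaker, stream) is None


if __name__ == "__main__":
    for name, rx in (("broken", BROKEN_LINE_BREAKER), ("default", DEFAULT_LINE_BREAKER)):
        events, pending = break_events(SAMPLE_STREAM, rx)
        print(f"{name:8s} LINE_BREAKER={rx!r}: {len(events)} events, "
              f"{len(pending)} bytes still buffered, dead={breaker_is_dead(rx)}")
        for e in events:
            print("   ", e)
```

With the broken stanza every byte stays in `pending` and zero events come out, which matches the symptom in the question (entries stop at the moment the app is installed); with the default breaker all three messages become events and the JSON line survives intact as a single event. Dropping the custom LINE_BREAKER, as the fixed stanza does, restores the default splitting, and SHOULD_LINEMERGE = true then lets Splunk re-join multi-line JSON or XML payloads on top of that.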
Thanks again for the quick help and resolution!
No problem. I will look at props in the meantime and try to shuffle what I believe to be the offenders to a lower stanza. Then I will test the app and see if it breaks anything. Thanks for bringing this to our attention.
Wow, talk about a fast response! Thanks! I'll email you shortly.
It is most likely because the app accepts traffic as syslog and then parses it into different sourcetypes. Some of the regex may be catching some of your other traffic. If you email me directly via the feedback dropdown in the app, we can set up a webex and figure out what is going on. Then we can fix it for you and others.