Dear,
I'm getting CEF-type logs, but Splunk is not parsing them correctly.
I installed the Splunk App for CEF, but it does not work. I also installed the CEF Extraction Add-on for Splunk, but it is not working either.
I tried parsing on the indexer with props.conf and transforms.conf, but it did not work:
props.conf
[host::XXXXX]
EXTRACT-cef-message = CEF
transforms.conf
[CEF]
REGEX = \d\|(?[^\|]+)\|(<[^\|]+)\|(<<vendor_severity>[^\|]+(\\Ssquc\srequestCookies\=(\S+)\,\siPlanetDirectoryPro\,\sJSESSIONID=(\S+)\srequest\\scs\w\s\w\s\w\s\w\s\w\w\w\w\w\w\w\w\s]+)\scs\w+Label\+)\scs\w+\=([\w\s]+)\scs\w+\=([\w\s]+)\s
DEST_KEY = MetaData:Host
Splunk is extracting the following fields:
act, amlbcookie, cat, cn1Label, cn5Label, cs1, cs1Label, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, date_month, date_wday, eventtype, host, index, iPlanetDirectoryPro, JSESSIONID, msg, primefaces_download, punct, reason, request, requestCookies, requestMethod, source, sourcetype, splunk_server, splunk_server_group, src, suser
Can someone help me?
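For reference, this is what a CEF extraction has to get right before any field-rename logic can work: the seven pipe-delimited header fields (where a backslash escapes a literal pipe), the key=value extension (where "\=" is a literal equals sign, not a new key), and the custom-field renaming by cs1Label/cs2Label and friends that the field list above shows. The parser below is an added illustration, not code from the post, the Splunk App for CEF or the CEF Extraction Add-on; the sample event and its vendor/product values are constructed.

```python
import re

# Constructed sample event (not from the original post); keys mirror those the
# question lists, with an escaped '|' in the header and escaped '=' in values.
SAMPLE_CEF = (
    r"CEF:0|Acme\|Corp|WebGateway|2.1|100|Request blocked|7|"
    r"act=block src=10.0.0.5 suser=jdoe requestMethod=GET "
    r"request=https://portal.example/login?x\=1 "
    r"cs1=JSESSIONID\=abc123 cs1Label=requestCookies msg=Policy hit\r\nline two"
)
HEADER = ["cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity"]
# A key starts the line or follows whitespace, so a '\=' inside a value never matches.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

def split_header(line):
    """Return the 7 header fields and the extension text; '\\' escapes '|' and '\\'."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif line[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(line[i]); i += 1
    return fields, line[i:]

def parse_extension(ext):
    """Split 'key=value key=value' into a dict, unescaping \\= \\\\ \\n \\r."""
    kv, matches = {}, list(KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        kv[m.group(1)] = re.sub(r"\\([=\\nr])",
                                lambda e: ESCAPES[e.group(1)], ext[m.end():end])
    # Custom fields are renamed by their *Label keys, e.g. cs1 -> requestCookies.
    for key in [k for k in kv if k.endswith("Label")]:
        base, label = key[:-5], kv.pop(key)
        if base in kv:
            kv[label] = kv.pop(base)
    return kv

def parse_cef(line):
    fields, ext = split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    event = dict(zip(HEADER, fields))
    event["cef_version"] = event["cef_version"][4:]
    event.update(parse_extension(ext))
    return event
```

Feeding a few real events from the source in question through parse_cef and comparing the keys with the field list Splunk produced is a quick way to see which values the regex-based extraction is mangling.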
Hi @wvalente,
Installing the "CEF Extraction Add-on for Splunk" app won't help if you are not using the field extractions it provides. Please see the usage examples in the app's README.
--Igor