All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Splunk Add-on for Cisco Sourcefire: Why is the wrong year extracted from events?

ramsanga
Explorer
โ€Ž02-04-2015 05:38 AM

I am currently investigating issue where "_time" has year extracted from last octet from the syslog source IP. The logs are from sourcefire and sending syslog without year.

the raw syslog from two source DCs

Feb 4 10:52:22 SIGIPSDC01 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:52:21 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

Feb 4 10:50:51 SIGIPSDC02 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:50:51 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

These logs are forwarded by heavy forwarder and actual logs from search head looks like:

time
2/4/14 9:50:51.000 PM Feb 4 21:50:51 10.0.12.14Feb 4 10:50:51 SIGIPSDC02 ipsdetect00: [119:31:1] httpinspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:50:51 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

time
2/4/13 9:52:22.000 PM Feb 4 21:52:22 10.0.12.13 Feb 4 10:52:22 SIGIPSDC01 ipsdetect00: [119:31:1] httpinspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:52:21 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

This issue occurs only if last octet of source syslog device ends with .10 or .11 or .12 or .13 or .14 or .15

0 Karma
Reply

jaivijay_rio
Explorer
โ€Ž11-22-2019 11:16 AM

I have the exact same issue with cisco sourcefire logs where splunk assumes a random year on the timestamp.
There is no year information in the logs.

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
โ€Ž02-21-2015 05:58 PM

We've filed a bug for this and will address.

Reply

jcoates_splunk
Splunk Employee
Splunk Employee
โ€Ž03-01-2015 09:56 AM

following up... this was discovered to be a Splunk configuration issue that we can't address well from within the Add-on, so we've updated the documentation: http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Troubleshooting#Data_truncation_issues

0 Karma
Reply