seeing meta tags with log entries

New Member

Hello:

I am very new to Splunk. I have configured a light forwarder to forward syslogs to a Splunk collector on a specific port, which has its own indexer.

I am not sure if the _internal index is also getting indexed with my custom syslog index?

I am seeing entries such as this; the first entry is clean while subsequent entries are getting padded (below, in reverse chronological order):

# 12/22/10 1:12:49.000 PM

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x13sourcetype::fwd-hb\x00\x00\x00\x00\x10MetaData:Source\x00\x00\x00\x00\xFsource::fwd-hb\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00\x00\x00\x1\xCC\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00LDec 22 13:12:49 localhost user: I am running as root again and again

* host=localhost
* sourcetype=syslog
* source=tcp:5140

# 2 12/22/10 1:12:33.000 PM

\x00\x00\x1\xC2\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00BDec 22 13:12:33 localhost user: I am running as root again

* host=localhost
* sourcetype=syslog
* source=tcp:5140

# 3 12/22/10 1:12:07.000 PM

Dec 22 13:12:07 localhost user: I am running as root

Any thoughts/help would be great.

Thanks Dev


Re: seeing meta tags with log entries

Splunk Employee

Could you provide the forwarder's outputs.conf and the indexer's inputs.conf? It seems that on the indexer the receiving port is misconfigured. Please see that it is configured as

[splunktcp://9997]

Re: seeing meta tags with log entries

Splunk Employee

Yes. I would suspect that the input is configured as just [tcp:NNNN].

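As an added illustration (not code from this thread or from Splunk), the following Python check scans indexed events for the forwarder metadata headers seen in the padded entries above, which is what a forwarder stream looks like when it lands on a plain [tcp://PORT] input rather than a [splunktcp://PORT] input, and recovers the original sourcetype, source and syslog line. The byte layout it decodes (a 4-byte big-endian length counting the string plus its NUL terminator before each string) is inferred from the bytes visible in the post, not taken from Splunk documentation, and the sample events are constructed.

```python
import re
import struct

# Assumed layout, inferred from the bytes visible in the post rather than
# from Splunk documentation: every string is preceded by a 4-byte big-endian
# length that counts the string plus its NUL terminator.
COOKED_MARKERS = (b"MetaData:Sourcetype", b"MetaData:Source", b"_raw\x00")


def looks_cooked(event: bytes) -> bool:
    """True when an indexed event still carries forwarder metadata headers,
    i.e. a forwarder stream was accepted on a plain tcp input."""
    return any(marker in event for marker in COOKED_MARKERS)


def read_string(buf: bytes, pos: int):
    """Return (text, next_pos) for the length-prefixed string at pos."""
    if len(buf) < pos + 4:
        return "", pos
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    text = buf[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("utf-8", "replace")
    return text, pos + 4 + n


def recover(event: bytes) -> dict:
    """Pull sourcetype, source and the real syslog line out of a padded
    event; returns {} for an event that was indexed cleanly."""
    fields = {}
    # A MetaData key's NUL terminator is immediately followed by its value.
    for m in re.finditer(rb"MetaData:(Sourcetype|Source)\x00", event):
        fields[m.group(1).decode()], _ = read_string(event, m.end())
    # The last "_raw" key is the one followed by the actual message.
    last = event.rfind(b"_raw\x00")
    if last != -1:
        fields["raw"], _ = read_string(event, last + len(b"_raw\x00"))
    return fields


def enc(s: bytes) -> bytes:
    """Encode one string the way the padded events appear to be encoded."""
    return struct.pack(">I", len(s) + 1) + s + b"\x00"


# Constructed sample events modelled on the first and third events in the post.
SYSLOG_LINE = b"Dec 22 13:12:49 localhost user: I am running as root again and again"
COOKED_EVENT = (b"_internal" + enc(b"MetaData:Sourcetype") + enc(b"sourcetype::fwd-hb")
                + enc(b"MetaData:Source") + enc(b"source::fwd-hb") + b"\x00\x00\x00\x00"
                + enc(b"_raw") + b"\x00\x00\x01\xcc\x00\x00\x00\x0b" + enc(b"_raw") + enc(SYSLOG_LINE))
CLEAN_EVENT = b"Dec 22 13:12:07 localhost user: I am running as root"

if __name__ == "__main__":
    for ev in (COOKED_EVENT, CLEAN_EVENT):
        print(looks_cooked(ev), recover(ev))
```

A hit on a plain tcp input is also worth treating as a configuration finding: the forwarder's heartbeat and _internal data are being written into the wrong index under the wrong sourcetype until the receiving stanza is changed to [splunktcp://PORT].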