Deployment Architecture

seeing meta tags with log entries

New Member

Hello:

I am very new to splunk - I have configured a lightforwarder to forward syslogs to splunk collector on a specific port which has its own indexer.

I am not sure if _internal index is also getting indexed with my custom syslog index ?

I am seeing entires such as this, first entry is clean while subsequent entires are getting padded (below reverse chronological order):

# 12/22/10 1:12:49.000 PM

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x13sourcetype::fwd-hb\x00\x00\x00\x00\x10MetaData:Source\x00\x00\x00\x00\xFsource::fwd-hb\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00\x00\x00\x1\xCC\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00LDec 22 13:12:49 localhost user: I am running as root again and again

* host=localhost   Options|  
* sourcetype=syslog   Options|  
* source=tcp:5140   Options

# 2 12/22/10 1:12:33.000 PM

\x00\x00\x1\xC2\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00BDec 22 13:12:33 localhost user: I am running as root again

* host=localhost   Options|  
* sourcetype=syslog   Options|  
* source=tcp:5140   Options

# 3 12/22/10 1:12:07.000 PM

Dec 22 13:12:07 localhost user: I am running as root

Any thoughts/help would be great.

Thanks Dev

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Could you provide forwarder's outputs.conf and indexer's inputs.conf. Seems like on indexer, the receiving port is misconfigured. Please see that it is configured as

[splunktcp://9997]

Splunk Employee
Splunk Employee

yes. I would suspect that the input is configured as just [tcp:NNNN].

0 Karma