Getting Data In

CEF log messages are not coming on one line. Messages are run together.

mlulmer
Explorer

I'm sending CEF messages to a Splunk forwarder listening on TCP:9999. The lines are not being individually identified when they make it to Splunk Search. I would like to do the parsing work here at the forwarder. I tried various iterations and ended up with the following, based on other answers.

inputs.conf

[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false
disabled = 0

The lines are still not breaking to individual lines. Please help.

0 Karma

lguinn2
Legend

If the configuration files are set as lephino says, then change LINE_BREAKER to BREAK_ONLY_BEFORE

BREAK_ONLY_BEFORE=CEF:0

I believe that LINE_BREAKER and BREAK_ONLY_BEFORE are applied prior to the SHOULD_LINEMERGE

You might also try using just SHOULD_LINEMERGE alone, without specifying either LINE_BREAKER or BREAK_ONLY_BEFORE

0 Karma
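As an added example (not code from the thread, and not Splunk's own), here is a Python script that applies Splunk's documented LINE_BREAKER rule to the two events posted later in the thread, concatenated with no newline between them, and then parses each event's CEF header and extension. The rule it simulates is the one from props.conf: the previous event ends where the regex's first capture group starts, the next event begins where that group ends, and the captured text is discarded. The FIXED_BREAKER regex, the props.conf line it is assumed to correspond to, and all function names are the example's own.

```python
"""Simulate Splunk's LINE_BREAKER on run-together CEF, then parse each event.

Added example, not code from the thread or from Splunk. It implements the
props.conf LINE_BREAKER rule as Splunk documents it: the previous event ends
where the regex's first capture group starts, the next event begins where
that group ends, and the captured text is discarded. The input stream is
constructed from the two events posted in the thread, concatenated with no
newline between them.
"""
import re

# Constructed sample: two CEF events with no line terminator between them.
SAMPLE = (
    "CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232"
    "CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|"
    "src=10.0.0.2 dst=2.1.2.3 spt=1233"
)

# Breaker from the original post: the capture group swallows "CEF:0", so
# every event loses its header.
ORIGINAL_BREAKER = r"(CEF:0)"
# Breaker that cuts just before each header without consuming it. The group
# captures only the (possibly absent) line terminator; the lookahead is not
# captured, so "CEF:0|" stays in the event. Assumed to correspond to
#   LINE_BREAKER = ([\r\n]*)(?=CEF:0\|)
# in props.conf.
FIXED_BREAKER = r"([\r\n]*)(?=CEF:0\|)"

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def line_break(stream: str, breaker: str) -> list[str]:
    """Cut `stream` into events using Splunk's first-capture-group rule."""
    events: list[str] = []
    start = 0
    for m in re.finditer(breaker, stream):
        if m.start(1) > start:            # drop zero-length events
            events.append(stream[start:m.start(1)])
        start = m.end(1)                  # captured text is discarded
    if start < len(stream):
        events.append(stream[start:])
    return events


def unescape(text: str) -> str:
    """Undo CEF backslash escapes (\\|, \\=, \\\\, \\n, \\r)."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text)


def parse_extension(ext: str) -> dict[str, str]:
    """Parse 'key=value key=value' where values may contain spaces."""
    # A key is a run of word characters followed by an unescaped '=' at the
    # start of the extension or after whitespace; everything up to the next
    # key is the value.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    fields: dict[str, str] = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[k.group(1)] = unescape(ext[k.end():end]).strip()
    return fields


def parse_cef(event: str) -> dict:
    """Split one CEF event into its seven header fields plus the extension."""
    parts = re.split(r"(?<!\\)\|", event, maxsplit=7)   # unescaped '|' only
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF event: {event[:40]!r}")
    record = {name: unescape(val) for name, val in zip(HEADER_FIELDS, parts)}
    record["version"] = record["version"][len("CEF:"):]
    record["extension"] = parse_extension(parts[7]) if len(parts) == 8 else {}
    return record


def ingest(stream: str, breaker: str = FIXED_BREAKER) -> list[dict]:
    """Break the stream into events and parse every one of them."""
    return [parse_cef(e) for e in line_break(stream, breaker)]


if __name__ == "__main__":
    print("with the post's breaker:", line_break(SAMPLE, ORIGINAL_BREAKER))
    for rec in ingest(SAMPLE):
        print(rec["name"], rec["severity"], rec["extension"])
```

With the post's (CEF:0) the capture group is the header itself, so every event comes out starting with "|security|..." and parse_cef rejects it; with the terminator-plus-lookahead breaker both events keep their CEF:0| header and parse cleanly, and a stream that does carry newlines between events is handled the same way. The props.conf equivalent is LINE_BREAKER = ([\r\n]*)(?=CEF:0\|) together with SHOULD_LINEMERGE = false under the [ArcsightCEF] stanza on the instance that parses the data; these are props.conf settings and have no effect when placed in inputs.conf, and BREAK_ONLY_BEFORE is only consulted when SHOULD_LINEMERGE is true.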

lguinn2
Legend

Also, did you know that there is a free app on Splunkbase to help with ArcSight-formatted CEF events? It is called

CEF (Common Event Format) Extraction Utilities

Download it and see what it can do for you.

0 Karma

lguinn2
Legend

Doesn't a standard CEF event look like

Aug 19 08:26:10 host CEF:version message

And are all of your CEF messages single line?

0 Karma

bbingham
Builder

Just to clarify, you have the following as your inputs.conf:

[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
disabled = 0

then you have the following in your props.conf?

[ArcsightCEF]
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false

0 Karma

mlulmer
Explorer

CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|src=10.0.0.2 dst=2.1.2.3 spt=1233

0 Karma

Ayn
Legend

Could you please provide an example CEF event?

0 Karma