Getting Data In

CEF log messages are not coming on one line. Messages are run together.

mlulmer
Explorer

I'm sending CEF messages to a Splunk forwarder listening on TCP:9999. The lines are not being individually identified when they make it to Splunk Search. I would like to do the parsing work here at the forwarder. I tried various iterations and ended up with the following based on other answers.

inputs.conf

[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false
disabled = 0

The lines are still not breaking to individual lines. Please help.

0 Karma

lguinn2
Legend

If the configuration files are set as lephino says, then change LINE_BREAKER to BREAK_ONLY_BEFORE:

BREAK_ONLY_BEFORE=CEF:0

I believe that LINE_BREAKER and BREAK_ONLY_BEFORE are applied prior to the SHOULD_LINEMERGE.

You might also try using just SHOULD_LINEMERGE alone, without specifying either LINE_BREAKER or BREAK_ONLY_BEFORE.

0 Karma

lguinn2
Legend

Also, did you know that there is a free app on Splunkbase to help with ArcSight-formatted CEF events? It is called

CEF (Common Event Format) Extraction Utilities

Download it and see what it can do for you.

0 Karma

lguinn2
Legend

Doesn't a standard CEF event look like

Aug 19 08:26:10 host CEF:version message

And are all of your CEF messages single line?

0 Karma

bbingham
Builder

Just to clarify, you have the following as your inputs.conf:

[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
disabled = 0

then you have the following in your props.conf?

[ArcsightCEF]
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false

0 Karma

mlulmer
Explorer

CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|src=10.0.0.2 dst=2.1.2.3 spt=1233

0 Karma
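For the run-together events quoted above, here is an added Python example (not part of this thread and not Splunk's own code) that models one documented rule of Splunk's LINE_BREAKER: the text captured by the regex's first group is the event boundary and is discarded from the stream. With `(CEF:0)` as in the question, every event therefore loses its `CEF:0` prefix; an empty group followed by a lookahead, `()(?=CEF:0\|)`, breaks before each header without consuming it. The script then parses each event's seven pipe-delimited CEF header fields and its `key=value` extension, honouring the `\|` and `\=` escapes, so a consumed prefix shows up as a parse error rather than a silently wrong event. The input is the two events from the post, assembled here as a single constructed TCP stream; `line_break`, `split_header`, `parse_cef` and `break_and_parse` are names chosen for this example, and the emulation covers the group-consumption rule only, not a full Splunk parsing pipeline.

```python
import re

# Constructed input: the two events quoted in the post, as they arrive on one
# TCP connection with no newline between them (assembled here, not captured).
STREAM = (
    "CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232"
    "CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|"
    "src=10.0.0.2 dst=2.1.2.3 spt=1233"
)

CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
# Extension pairs: key=value, values may contain spaces, the next key starts
# after whitespace. Escaped '\=' inside a value does not start a new key.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def line_break(stream, line_breaker):
    """Emulate Splunk's LINE_BREAKER: each match ends the previous event at
    the start of capturing group 1 and starts the next event at the end of
    group 1; whatever group 1 captured is thrown away. An empty event (for
    example from a match at offset 0) is dropped."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, stream):
        events.append(stream[pos:m.start(1)])
        pos = m.end(1)
    events.append(stream[pos:])
    return [e for e in events if e]


def split_header(event):
    """Split a CEF event on its first seven unescaped '|'. A '\\|' inside a
    header field is a literal pipe; other escapes are left untouched for the
    extension parser. Everything after the seventh pipe is the extension."""
    parts, buf, i = [], [], 0
    while i < len(event):
        c = event[i]
        if c == "\\" and i + 1 < len(event):
            nxt = event[i + 1]
            buf.append(nxt if nxt == "|" else c + nxt)
            i += 2
            continue
        if c == "|" and len(parts) < 7:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cef(event):
    """Parse one CEF event into a dict of header fields plus 'extension'.
    Raises ValueError for the symptom seen in the thread: an event whose
    'CEF:0' prefix was eaten by the breaker no longer starts with 'CEF:'."""
    if not event.startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % event[:30])
    parts = split_header(event)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields and an extension")
    rec = dict(zip(CEF_HEADER, parts[:7]))
    rec["version"] = rec["version"][len("CEF:"):]
    # Undo the extension escapes '\=' and '\\' in each value.
    rec["extension"] = {
        k: re.sub(r"\\([=\\])", r"\1", v) for k, v in EXT_RE.findall(parts[7])
    }
    return rec


def break_and_parse(stream, line_breaker):
    """Apply a breaker regex, then parse every event. Returns (parsed, errors)."""
    parsed, errors = [], []
    for ev in line_break(stream, line_breaker):
        try:
            parsed.append(parse_cef(ev))
        except ValueError as exc:
            errors.append(str(exc))
    return parsed, errors


if __name__ == "__main__":
    # The question's breaker: the group consumes 'CEF:0', both events break
    # but neither parses.
    print(break_and_parse(STREAM, r"(CEF:0)"))
    # Empty group plus lookahead: breaks before each header, keeps it intact.
    print(break_and_parse(STREAM, r"()(?=CEF:0\|)"))
```

Run it and compare the two results: the first call returns no parsed events and two "not a CEF event" errors, the second returns both events with their header fields and extension dictionaries. Whether a given breaker regex behaves the same way on a live Splunk instance still depends on the props.conf stanza being applied at the tier that parses the stream, which is what the replies above are asking about.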

Ayn
Legend

Could you please provide an example CEF event?

0 Karma