Getting Data In

CEF log messages are not coming on one line. Messages are run together.

Explorer

I'm sending CEF messages to a Splunk forwarder listening on TCP:9999. The lines are not being individually identified when they make it to Splunk Search. I would like to do the parsing work here at the forwarder. I tried various iterations and ended up with the following based on other answers.

inputs.conf

[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false
disabled = 0

The lines are still not breaking to individual lines. Please help.

0 Karma

Legend

If the configuration files are set as lephino says, then change LINE_BREAKER to BREAK_ONLY_BEFORE

BREAK_ONLY_BEFORE=CEF:0

I believe that LINE_BREAKER and BREAK_ONLY_BEFORE are applied prior to SHOULD_LINEMERGE.

You might also try using just SHOULD_LINEMERGE alone, without specifying either LINE_BREAKER or BREAK_ONLY_BEFORE.

0 Karma

Legend

Also, did you know that there is a free app on Splunkbase to help with ArcSight-formatted CEF events? It is called

CEF (Common Event Format) Extraction Utilities

Download it and see what it can do for you.

0 Karma

Legend

Doesn't a standard CEF event look like

Aug 19 08:26:10 host CEF:version message

And are all of your CEF messages single line?

0 Karma

Builder

Just to clarify, you have the following as your inputs.conf:

[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
disabled = 0

then you have the following in your props.conf?

[ArcsightCEF]
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false

0 Karma

Explorer

CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|src=10.0.0.2 dst=2.1.2.3 spt=1233

0 Karma
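The sample above shows two CEF events arriving as one run-together string with no newline between them, which is exactly the case Splunk's default LINE_BREAKER ([\r\n]+) cannot split. The script below is an added example, not code from the thread or from Splunk: it emulates the documented LINE_BREAKER rule (the first capturing group marks the boundary and its matched text is discarded; this emulation is an assumption that mirrors the props.conf semantics, not Splunk's own code) and runs it over the constructed sample with the regex from the question, (CEF:0), and with a zero-width alternative, ()(?=CEF:0). It then parses the resulting events into CEF header fields so the difference is visible: the capturing-group version strips the CEF:0 prefix from every event, while the lookahead version keeps each event intact. Two practical notes: the breaking settings belong in props.conf under the sourcetype stanza, not in inputs.conf, and they take effect where parsing happens (an indexer or heavy forwarder), not on a universal forwarder.

```python
import re
from typing import Dict, List

# Constructed sample: the two events from the thread, concatenated with no newline
# between them (the second event starts immediately after "spt=1232").
RAW = (
    "CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232"
    "CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|"
    "src=10.0.0.2 dst=2.1.2.3 spt=1233"
)

# The regex from the question and a zero-width alternative. Assumption: both are
# evaluated here under the documented capture-group rule, not by Splunk itself.
LINE_BREAKER_FROM_QUESTION = r"(CEF:0)"
LINE_BREAKER_LOOKAHEAD = r"()(?=CEF:0)"


def splunk_line_break(data: str, line_breaker: str) -> List[str]:
    """Emulate Splunk's LINE_BREAKER semantics: the previous event ends at the
    start of the first capturing group, the next event begins at its end, and
    the group's own text is discarded. Empty events are dropped."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events: List[str] = []
    pos = 0
    for m in pattern.finditer(data):
        events.append(data[pos:m.start(1)])
        pos = m.end(1)
    events.append(data[pos:])
    return [e for e in events if e]


def cef_header(event: str) -> Dict[str, str]:
    """Split one CEF event into its seven pipe-delimited header fields plus the
    extension string. A literal pipe inside a header field is escaped as \\|,
    so the split skips escaped pipes. Raises if the event does not start with
    the CEF:<version> prefix, which is what a bad line break produces."""
    parts = re.split(r"(?<!\\)\|", event, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF event: %r" % event[:40])
    keys = ["version", "device_vendor", "device_product", "device_version",
            "signature_id", "name", "severity", "extension"]
    return dict(zip(keys, parts))


def parse_stream(data: str, line_breaker: str) -> List[Dict[str, str]]:
    """Break the stream with the given LINE_BREAKER and parse every event."""
    return [cef_header(e) for e in splunk_line_break(data, line_breaker)]


if __name__ == "__main__":
    for label, rx in (("question", LINE_BREAKER_FROM_QUESTION),
                      ("lookahead", LINE_BREAKER_LOOKAHEAD)):
        print("LINE_BREAKER = %s  (%s)" % (rx, label))
        for ev in splunk_line_break(RAW, rx):
            print("  event:", ev)
        try:
            for hdr in parse_stream(RAW, rx):
                print("  parsed:", hdr["version"], hdr["name"], hdr["extension"])
        except ValueError as exc:
            print("  parse failed:", exc)
```

Running it prints the two truncated events ("|security|...") for the regex in the question, and the parser rejects them because the CEF:0 prefix is gone; with the lookahead regex both events come back whole and parse cleanly. The same emulation can be pointed at any captured chunk of the TCP stream to check a candidate LINE_BREAKER before putting it into props.conf.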

Legend

Could you please provide an example CEF event?

0 Karma