I'm sending CEF messages to a Splunk forwarder listening on TCP:9999. The lines are not being individually identified when they make it to Splunk Search. I would like to do the parsing work here at the forwarder. I tried various iterations and ended up with the following based on other answers.
# inputs.conf settings
connection_host = none
sourcetype = ArcsightCEF
disabled = 0
# props.conf settings
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false
The lines are still not breaking to individual lines. Please help.
If the configuration files are set as lephino says, then change LINE_BREAKER to BREAK_ONLY_BEFORE.
I believe that LINE_BREAKER and BREAK_ONLY_BEFORE are applied prior to the SHOULD_LINEMERGE.
You might also try using just SHOULD_LINEMERGE alone, without specifying either LINE_BREAKER or BREAK_ONLY_BEFORE.
Also, did you know that there is a free app on Splunkbase to help with ArcSight-formatted CEF events? It is called CEF (Common Event Format) Extraction Utilities.
Download it and see what it can do for you.
Just to clarify, you have the following as your inputs.conf:
[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
disabled = 0
then you have the following in your props.conf?
[ArcsightCEF]
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false
CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=22.214.171.124 spt=1232CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|src=10.0.0.2 dst=126.96.36.199 spt=1233
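As an added example, not from the thread or from Splunk itself, the snippet below re-implements the documented LINE_BREAKER rule (the stream is cut at each regex match and the text inside the first capture group is discarded) and runs it over the concatenated sample above, then parses each resulting CEF event into its header fields and key=value extensions. The `line_break` and `parse_cef` functions are assumptions for illustration only.

```python
import re

# Constructed sample: the thread's two CEF events arriving on one TCP
# connection with no newline between them (values copied from the thread).
RAW = ("CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|"
       "src=10.0.0.1 dst=22.214.171.124 spt=1232"
       "CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|"
       "src=10.0.0.2 dst=126.96.36.199 spt=1233")

CEF_HEADER = ["version", "vendor", "product", "device_version",
              "signature_id", "name", "severity"]


def line_break(stream, line_breaker):
    """Emulate Splunk's LINE_BREAKER: the previous event ends where the first
    capture group starts, the next event begins where it ends, and the
    captured text itself is dropped (emulation, not Splunk's own code)."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, stream):
        if m.start(1) > pos:
            events.append(stream[pos:m.start(1)])
        pos = m.end(1)  # the next event starts after the discarded group
    if pos < len(stream):
        events.append(stream[pos:])
    return events


def parse_cef(event):
    """Split one CEF event into its seven pipe-delimited header fields and a
    dict of space-separated key=value extensions (values may contain spaces)."""
    parts = event.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % event[:40])
    header = dict(zip(CEF_HEADER, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    extension = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return header, extension


if __name__ == "__main__":
    # (CEF:0) consumes the prefix, so every event loses its "CEF:0" header;
    # ()CEF:0 breaks at the same place but keeps it.
    for breaker in (r"(CEF:0)", r"()CEF:0"):
        print(breaker, [e[:12] for e in line_break(RAW, breaker)])
    for ev in line_break(RAW, r"()CEF:0"):
        print(parse_cef(ev))
```

Run stand-alone it shows the practical difference between the two patterns: with `(CEF:0)` the events begin with `|security|...` and no longer parse as CEF, while with `()CEF:0` both events keep their `CEF:0` prefix.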