
How to configure Splunk to not merge Juniper VPN logs in one event?

scottsavaresevi
Path Finder

I am currently sending my Juniper VPN logs to Splunk. Periodically I see multiple log entries from the VPN appear as one entry in Splunk. So, I decided to send the logs to rsyslog on a Linux server to look for differences. My assumption was that the Juniper is not adding a return character at the end of the log entry, but that doesn't appear to be the case.

In Splunk, I see this entry:

189 <134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.190 <134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

However in rsyslog, I see those entries like this:

Aug 27 12:34:09 myjunmag01 Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.
Aug 27 12:34:14 myjunmag01 Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

So it definitely looks like Splunk is doing something to the logs. Questions:

How can I tell Splunk to no longer merge those log entries? What are the "189 <134>" and "190 <134>" bits that get added where the front of the line should be?

My props and transforms files are stock. I haven't made any changes there. All logs come in on TCP and UDP port 514.

Thanks,
Scott

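As an added example (not from the original post), a small Python splitter for the kind of concatenated TCP buffer shown in the question. It assumes the "189 <134>" prefix is syslog octet-count framing (the message's byte length, a space, then the message starting with its <PRI> field); the two sample frames are constructed here in the post's format, with the count computed from the message bytes, and the partially received frame case is handled as a TCP receiver would need to.

```python
import re

# Constructed sample in the page's format: two Juniper Host Checker messages.
MSG1 = (b"<134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] "
        b"MYDOMAIN\\user1(Company laptops)[] - Host Checker policy "
        b"'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\\user1'.")
MSG2 = (b"<134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] "
        b"MYDOMAIN\\user2(Company laptops)[] - Host Checker policy "
        b"'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\\user2'.")

def frame(msg: bytes) -> bytes:
    """Octet-count framing (assumed RFC 6587 style): '<len> <msg>', no newline."""
    return b"%d %s" % (len(msg), msg)

# What one TCP read looks like when two frames arrive back to back.
SAMPLE_STREAM = frame(MSG1) + frame(MSG2)

_HDR = re.compile(rb"(\d{1,5}) ")  # decimal length prefix followed by one space

def split_octet_counted(buf: bytes):
    """Return (messages, remainder).
    messages  - complete syslog messages, length prefix stripped
    remainder - bytes of an incomplete trailing frame (prepend to the next read),
                or everything from the first byte that is not framed
    """
    msgs, pos = [], 0
    while pos < len(buf):
        m = _HDR.match(buf, pos)          # .match() anchors at pos
        if not m:
            break                         # not octet-counted from here on
        length, start = int(m.group(1)), m.end()
        end = start + length
        if end > len(buf):
            break                         # frame not fully received yet
        msg = buf[start:end]
        if not msg.startswith(b"<"):      # a syslog message begins with <PRI>
            raise ValueError("bad frame at offset %d: no <PRI>" % pos)
        msgs.append(msg)
        pos = end
    return msgs, buf[pos:]

def parse_pri(msg: bytes):
    """Decode the <PRI> field: facility = pri // 8, severity = pri % 8."""
    m = re.match(rb"<(\d{1,3})>", msg)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    return pri >> 3, pri & 7              # <134> -> (16, 6): local0, info

if __name__ == "__main__":
    for msg in split_octet_counted(SAMPLE_STREAM)[0]:
        print(parse_pri(msg), msg.decode())
```

Feeding the rsyslog-style lines from the question (no numeric prefix) returns no messages and the whole buffer as remainder, so a caller can fall back to newline splitting for that input.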

aholzel
Communicator

This is not a Splunk problem but a Juniper SA problem.

This is a bug in the syslog via TCP implementation in the Juniper SA. The problem is that the SA is buffering the logging and is not sending it out one at a time as it happens (live stream). I created a support ticket for this back in November and Juniper confirmed my findings. Juniper has solved this problem in version 8.1R1 (released in December).
