Getting Data In

How to configure Splunk to not merge Juniper VPN logs in one event?

Path Finder

I am currently sending my Juniper VPN logs to Splunk. Periodically I see multiple log entries from the VPN appear as one entry in Splunk. So, I decided to send the logs to rsyslog on a Linux server to look for differences. My assumption was that the Juniper is not adding a return character at the end of the log entry, but that doesn't appear to be the case.

In Splunk, I see this entry:

189 <134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.190 <134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

However in rsyslog, I see those entries like this:

Aug 27 12:34:09 myjunmag01 Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.
Aug 27 12:34:14 myjunmag01 Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

So it definitely looks like Splunk is doing something to the logs. Questions:

How can I tell Splunk to no longer merge those log entries? What are the "189 <134>" and "190 <134>" bits that get added where the front of the line should be?

My props and transforms files are stock. I haven't made any changes there. All logs come in on TCP and UDP port 514.

Thanks,
Scott

0 Karma

Communicator

This is not a Splunk problem but a Juniper SA problem.

This is a bug in the syslog via TCP implementation in the Juniper SA. The problem is that the SA is buffering the logging and is not sending it out one at the time as it happens (live stream). I created a support ticket for this back in November and Juniper confirmed my findings. Juniper has solved this problem in version 8.1R1 (released in December).
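The "189 <134>" and "190 <134>" prefixes in the merged event have the shape of RFC 6587 octet-counting framing for syslog over TCP: a decimal message length, a space, then the message starting with its <PRI>. A receiver that only splits on newlines will glue several such frames into one event when they arrive in the same TCP read, which is what the question shows. The following is an added example, not code from this thread, from Splunk or from Juniper, of how a defender-side collector can de-frame such a stream correctly; the sample messages are constructed to resemble the lines above, and the function names are hypothetical.

```python
"""De-frame a syslog-over-TCP byte stream (added example, not vendor code).

RFC 6587 allows two framings on one TCP stream:
  * octet counting:        "<MSG-LEN> <PRI>..."    (length prefix, no terminator needed)
  * non-transparent:       "<PRI>...\n"            (LF terminated)
A line-oriented receiver handles only the second form; the first form then
shows up as several messages concatenated into one event.
"""
import re

# Octet-counting frame head: "<MSG-LEN> " immediately followed by a "<PRI>".
# The lookahead keeps a plain text line such as "404 not found" from being
# mistaken for a length prefix.
_FRAME_HEAD = re.compile(rb"(\d{1,10}) (?=<\d{1,3}>)")


def split_syslog_stream(buf: bytes):
    """Split buf into complete syslog messages.

    Returns (messages, remainder): messages are the complete messages found,
    framing removed; remainder is any trailing partial frame that should be
    kept and prepended to the next read from the socket.
    """
    msgs = []
    pos, n = 0, len(buf)
    while pos < n:
        # Tolerate stray CR/LF between octet-counted frames.
        if buf[pos:pos + 1] in (b"\n", b"\r"):
            pos += 1
            continue
        m = _FRAME_HEAD.match(buf, pos)
        if m:
            start = m.end()
            end = start + int(m.group(1))
            if end > n:
                break  # frame not yet complete; wait for more data
            msgs.append(buf[start:end].rstrip(b"\r\n"))
            pos = end
            continue
        # Non-transparent framing: message runs up to the next LF.
        nl = buf.find(b"\n", pos)
        if nl == -1:
            break  # no terminator yet; keep as remainder
        msgs.append(buf[pos:nl].rstrip(b"\r"))
        pos = nl + 1
    return msgs, buf[pos:]


def octet_frame(msg: bytes) -> bytes:
    """Wrap msg in RFC 6587 octet-counting framing (used to build the sample)."""
    return b"%d %s" % (len(msg), msg)


# Constructed sample messages modelled on the lines in the question.
MSG1 = (b"<134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] "
        b"MYDOMAIN\\user1(Company laptops)[] - Host Checker policy "
        b"'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\\user1'.")
MSG2 = (b"<134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] "
        b"MYDOMAIN\\user2(Company laptops)[] - Host Checker policy "
        b"'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\\user2'.")

# Two octet-counted frames delivered in one TCP read (the merged-event case).
SAMPLE_STREAM = octet_frame(MSG1) + octet_frame(MSG2)
# The same two messages with newline framing, as rsyslog showed them.
NT_STREAM = MSG1 + b"\n" + MSG2 + b"\n"

if __name__ == "__main__":
    for label, stream in (("octet-counted", SAMPLE_STREAM), ("newline-framed", NT_STREAM)):
        msgs, rest = split_syslog_stream(stream)
        print(f"{label}: {len(msgs)} messages, {len(rest)} bytes left over")
        for m in msgs:
            print("  ", m.decode())
```

The remainder returned for a partial frame is what makes this safe to run over a socket: call it on each read with the leftover bytes prepended, and a frame split across two reads is still reassembled as one message rather than two fragments or a merged event.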
