Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure Splunk to recognize logs sent in syslog CEF format?

danje57
Path Finder
‎03-06-2015 12:10 AM

Hi all,

I've configured a Splunk Universal Forwarder to receive logs that are sent by other syslog in CEF format by our security devices, but when the Indexer receive the data, I saw in the GUI that data are not well parsed...

CEF:0|Apache|apache|||10.10.10.10 www.mysite.com - - [06/Mar/2015:08:55:09 +0100] "GET / HTTP/1.1" 200 5628 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ip-label)"|Unknown| eventId=1069062516 app=http proto=TCP customerURI=/myuri catdt=Web Server art=fsfsdfsdfs rt=dfssdfsfsd dhost=hostname dproc=apache cs1=apache_access_log cs1Label=Module cs2Label=Host OS cs5Label=Mutex cs6Label=Facility cn3Label=ThreadId c6a2Label=Source IPv6 Address c6a3Label=Destination IPv6 Address ahost=hostname agt=10.10.10.11 agentZoneURI=/alluri av=7.0.5.7132.0 atz=Europe/Luxembourg aid=34AG-TzoBABCAAvKFbubdTg\=\= at=syslog dvchost=devhostname dtz=Europe/Luxembourg deviceProcessName=apache_access_log customerName=mycustomer _cefVer=0.1

Splunk recognizes some field that are preceded by the = (equal sign).

However, if data that are after the = sign contains a space, data is not well parsed.

For example:

c6a2Label=Source IPv6 Address

is recognized as 

c6a2Label=Source

IPv6 Address is not recognized for that field.

And this part is totally ignored by Splunk

 CEF:0|Apache|apache|||10.10.10.10 www.mysite.com - - [06/Mar/2015:08:55:09 +0100] "GET / HTTP/1.1" 200 5628 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ip-label)"|Unknown|

How to configure Splunk to recognized that format?

Thanks in advance

Reply
1 Solution
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-06-2015 08:12 PM

If you can't adjust the log entries at the source, you'll have to create field extractions for this sourcetype.

View solution in original post

Reply
Solved! Jump to solution

Fatimabegum12
Engager
‎10-02-2015 12:55 PM

how to install and configure CEF app?

0 Karma
Reply
Solved! Jump to solution

grantsales
Engager
‎04-08-2015 12:53 PM

https://splunkbase.splunk.com/app/487/

Use the TA for CEF. It seems to work pretty well for me, but if you're sending Syslog CEF you may have a syslog header that you need to strip off first.

0 Karma
Reply
Solved! Jump to solution

danje57
Path Finder
‎04-08-2015 10:18 PM

Thx for the answer. But I don't understand where to install and how to configure the TA?

0 Karma
Reply
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-06-2015 08:12 PM

If you can't adjust the log entries at the source, you'll have to create field extractions for this sourcetype.

Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top