Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure Splunk to recognize logs sent in syslog CEF format?

danje57
Path Finder
‎03-06-2015 12:10 AM

Hi all,

I've configured a Splunk Universal Forwarder to receive logs that are sent by other syslog in CEF format by our security devices, but when the Indexer receive the data, I saw in the GUI that data are not well parsed...

CEF:0|Apache|apache|||10.10.10.10 www.mysite.com - - [06/Mar/2015:08:55:09 +0100] "GET / HTTP/1.1" 200 5628 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ip-label)"|Unknown| eventId=1069062516 app=http proto=TCP customerURI=/myuri catdt=Web Server art=fsfsdfsdfs rt=dfssdfsfsd dhost=hostname dproc=apache cs1=apache_access_log cs1Label=Module cs2Label=Host OS cs5Label=Mutex cs6Label=Facility cn3Label=ThreadId c6a2Label=Source IPv6 Address c6a3Label=Destination IPv6 Address ahost=hostname agt=10.10.10.11 agentZoneURI=/alluri av=7.0.5.7132.0 atz=Europe/Luxembourg aid=34AG-TzoBABCAAvKFbubdTg\=\= at=syslog dvchost=devhostname dtz=Europe/Luxembourg deviceProcessName=apache_access_log customerName=mycustomer _cefVer=0.1

Splunk recognizes some field that are preceded by the = (equal sign).

However, if data that are after the = sign contains a space, data is not well parsed.

For example:

c6a2Label=Source IPv6 Address

is recognized as 

c6a2Label=Source

IPv6 Address is not recognized for that field.

And this part is totally ignored by Splunk

 CEF:0|Apache|apache|||10.10.10.10 www.mysite.com - - [06/Mar/2015:08:55:09 +0100] "GET / HTTP/1.1" 200 5628 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ip-label)"|Unknown|

How to configure Splunk to recognized that format?

Thanks in advance

Reply
1 Solution
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-06-2015 08:12 PM

If you can't adjust the log entries at the source, you'll have to create field extractions for this sourcetype.

View solution in original post

Reply
Solved! Jump to solution

Fatimabegum12
Engager
‎10-02-2015 12:55 PM

how to install and configure CEF app?

0 Karma
Reply
Solved! Jump to solution

grantsales
Engager
‎04-08-2015 12:53 PM

https://splunkbase.splunk.com/app/487/

Use the TA for CEF. It seems to work pretty well for me, but if you're sending Syslog CEF you may have a syslog header that you need to strip off first.

0 Karma
Reply
Solved! Jump to solution

danje57
Path Finder
‎04-08-2015 10:18 PM

Thx for the answer. But I don't understand where to install and how to configure the TA?

0 Karma
Reply
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-06-2015 08:12 PM

If you can't adjust the log entries at the source, you'll have to create field extractions for this sourcetype.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...