I have an Ironport log file that looks like the following:
Thu Nov 17 16:11:20 2016 Info: MID 123456789 ICID 123456789 To: Rejected by Receiving Control
Thu Nov 17 16:11:20 2016 Info: MID 123456789 queued for delivery
Thu Nov 17 16:11:20 2016 Info: MID 123456789 Outbreak Filters: verdict negative
Thu Nov 17 16:11:20 2016 Info: Message finished MID 123456789 aborted
Thu Nov 17 16:11:20 2016 Info: Message aborted MID 123456789 Receiving aborted by sender
I have configured the props.conf on the indexer under the /opt/splunk/etc/system/local as the following but I am still getting the "Failed to parse timestamp" errors.
[source::/var/log/proxy/ironport/*/mail.*@*.s]
SHOULD_LINEMERGE = false
TIME_FORMAT = %a %b %_d %H:%M:%S %Y
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
The full error message is
11-17-2016 17:09:58.593 +0000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Nov 17 16:22:07 2016). Context: source::/var/log/proxy/ironport/mail.text.mariner.yyy.corp.com.@20161117T162003.s|host::xxxxxslg01.xxxx.company.com|cisco_esa|376273
Remove the time_format and time_prefix settings. Splunk will read that timestamp correctly. I copied/pasted your log data into a file, uploaded it, and timestamps were extracted auto-magically.
Thank you!
I just realized this is still out there. Sorry I missed that.
Have you seen:
http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance
This might be the easiest thing to do, as Cisco_WSA_squid is a known sourcetype, and should make you life alot easier.
We have already configured the Ironport feeds with a rename of the sourcetype to cisco:esa:legacy and linked it to the CIM model so any change is not possible. I have approached Splunk Support and they have referred me back to Splunk Answers since this is not a break fix. However, this is not working as prescribed so we are looking for some help to resolve this issue
It seemed to be working for awhile but I am seeing the same message again