Getting Data In

Juniper SSG20 logs showing up as multi-line chunks in interface

mikaelwitt
New Member

Possible Duplicate:
Juniper Netscreen TCP Syslog messages not breaking properly

Hi, I have an SSG20 sending syslog over tcp to a windows-based Splunk installation. Strangely enough the log shows up in large "chunks" in the interface, aprox. 100-200 log-lines each. The strange thing is that Splunk seems to recognize the correct number of individual event in the event-count, but does not show the individual log-lines.

I have tried the solution suggested in this post http://answers.splunk.com/questions/603/juniper-netscreen-tcp-syslog-messages-not-breaking-properly , but without success.

Im really new to Splunk and a novice in regexp, etc, so please go easy on me:-).

Best regards /Micke

Update:

This is a default installation on Windows, and the search is the very simple search that is performed when selection a log-source in the main search window. I have tried you suggestion and defined this as the pre-defined syslog format, but without the correct result. I have included a link to a screen-shot of how it turns out.

https://docs.google.com/leaf?id=0B1Lli7Sh6poXY2NjMTNiYmQtMDMxZi00NDg0LTk3YjItZjRkZWRlNmRkZDYz&hl=sv

Best regards /Micke

Tags (1)
0 Karma

gkanapathy
Splunk Employee
Splunk Employee

This is probably this:

http://answers.splunk.com/questions/603/juniper-netscreen-tcp-syslog-messages-not-breaking-properly

I would define a new sourcetype (don't use syslog)and set a line breaker. The one in the above question is fine, but I would probably just change it to:

LINE_BREAKER = (\x00+)
SHOULD_LINEMERGE = false

The other problem you will have is that you do not have the timestamp and hostname extracted. You probably should also set:

TIME_PREFIX = start_time=\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S

It will probably work just fine without setting that, but it will be better if you do. You will probably also have to create a transform to get the host name and set it in Splunk (especially if you are going to have more than one device send to Splunk).

0 Karma

Simeon
Splunk Employee
Splunk Employee

It sounds like the events are not being broken properly, or you are using some sort of transaction based search. You should supply your search query in combination with sample events.

If all the events are syslog style and they are all single lines, you could try applying the "syslog" transforms to this source. You can simply copy the syslog stanza settings from the $SPLUNK_HOME/etc/system/default/props.conf file and place them under a newly created stanza (in the local props.conf) that applies to your SSG20 logs.

A quick fix to test if the settings will work, is to apply the "syslog" sourcetype to this input. Data for your SSG20 logs will show up as sourcetype=syslog, but you will be able to test if the breaking parameters are successful.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Yeah, examples of what the data looks like will help.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

It would also be helpful to know how you configured the Splunk input port, whether there are delimiters between events and what they are, and whether the events arrive at Splunk with date-time stamps already on them.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...