Juniper Netscreen TCP Syslog messages not breaking properly
Hi, I have an SSG20 sending syslog over TCP to a Windows-based Splunk installation. Strangely enough, the log shows up in large "chunks" in the interface, approx. 100-200 log lines each. The strange thing is that Splunk seems to recognize the correct number of individual events in the event count, but does not show the individual log lines.
I have tried the solution suggested in this post http://answers.splunk.com/questions/603/juniper-netscreen-tcp-syslog-messages-not-breaking-properly , but without success.
I'm really new to Splunk and a novice in regexp, etc., so please go easy on me :-).
Best regards /Micke
This is a default installation on Windows, and the search is the very simple search that is performed when selecting a log source in the main search window. I have tried your suggestion and defined this as the pre-defined syslog format, but without the correct result. I have included a link to a screenshot of how it turns out.
Best regards /Micke
This is probably this:
I would define a new sourcetype (don't use syslog) and set a line breaker. The one in the above question is fine, but I would probably just change it to:
LINE_BREAKER = (\x00+)
SHOULD_LINEMERGE = false
The other problem you will have is that you do not have the timestamp and hostname extracted. You probably should also set:
TIME_PREFIX = start_time=\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
It will probably work just fine without setting that, but it will be better if you do. You will probably also have to create a transform to get the host name and set it in Splunk (especially if you are going to have more than one device send to Splunk).
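To show what these three settings do to a raw TCP chunk, here is an added Python example (not from the original answer or from Splunk itself) that splits constructed NetScreen-style records on NUL bytes exactly as LINE_BREAKER = (\x00+) would, pulls the timestamp from behind start_time=" with that TIME_FORMAT, and takes the host from the device_id= field, which is my assumption for what the host transform would key on.

```python
import re
from datetime import datetime

# Constructed sample: three NetScreen-style traffic records as they might
# arrive in a single TCP read, each terminated by a NUL byte (the second one
# by two NULs). The field layout is illustrative, not captured output.
SAMPLE_CHUNK = (
    b'<134>ssg20: NetScreen device_id=ssg20 [Root]system-notification-00257(traffic): '
    b'start_time="2011-02-10 12:00:01" duration=0 policy_id=2 service=http proto=6 '
    b'src=10.0.0.5 dst=192.0.2.10 action=Permit\x00'
    b'<134>ssg20: NetScreen device_id=ssg20 [Root]system-notification-00257(traffic): '
    b'start_time="2011-02-10 12:00:02" duration=3 policy_id=2 service=dns proto=17 '
    b'src=10.0.0.7 dst=192.0.2.53 action=Permit\x00\x00'
    b'<134>ssg20: NetScreen device_id=ssg20 [Root]system-notification-00257(traffic): '
    b'start_time="2011-02-10 12:00:05" duration=0 policy_id=9 service=ssh proto=6 '
    b'src=198.51.100.4 dst=10.0.0.22 action=Deny\x00'
)

# Mirrors LINE_BREAKER = (\x00+): one or more NUL bytes end an event. A
# newline-based breaker never fires on this data, which is why the records
# arrive in Splunk as one big chunk.
LINE_BREAKER = re.compile(rb"\x00+")
# Mirrors TIME_PREFIX = start_time=\" followed by TIME_FORMAT = %Y-%m-%d %H:%M:%S.
TIME_RE = re.compile(r'start_time="(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
# Assumed host transform: read the device name from the device_id= field.
HOST_RE = re.compile(r"device_id=(\S+)")


def break_events(chunk: bytes) -> list:
    """Split a raw TCP chunk into individual events the way LINE_BREAKER would."""
    return [p.decode("utf-8", "replace") for p in LINE_BREAKER.split(chunk) if p]


def parse_event(event: str) -> dict:
    """Extract _time (via TIME_RE/TIME_FORMAT) and host (via HOST_RE) from one event."""
    t = TIME_RE.search(event)
    h = HOST_RE.search(event)
    return {
        "_time": datetime.strptime(t.group(1), TIME_FORMAT) if t else None,
        "host": h.group(1) if h else None,
        "_raw": event,
    }


def parse_chunk(chunk: bytes) -> list:
    """Break a chunk and parse every resulting event."""
    return [parse_event(e) for e in break_events(chunk)]


if __name__ == "__main__":
    for ev in parse_chunk(SAMPLE_CHUNK):
        print(ev["_time"], ev["host"], ev["_raw"][:60])
```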
It sounds like the events are not being broken properly, or you are using some sort of transaction based search. You should supply your search query in combination with sample events.
If all the events are syslog style and they are all single lines, you could try applying the "syslog" transforms to this source. You can simply copy the syslog stanza settings from the $SPLUNK_HOME/etc/system/default/props.conf file and place them under a newly created stanza (in the local props.conf) that applies to your SSG20 logs.
A quick fix to test if the settings will work is to apply the "syslog" sourcetype to this input. Data for your SSG20 logs will show up as sourcetype=syslog, but you will be able to test if the breaking parameters are successful.
It would also be helpful to know how you configured the Splunk input port, whether there are delimiters between events and what they are, and whether the events arrive at Splunk with date-time stamps already on them.