LINE_BREAKER settings works when adding input manually but not through props.conf

att35
Builder

Hi,

I am trying to add Snort data into Splunk by monitoring barnyard2.alert file using Universal Forwarders.

[monitor:///var/log/barnyard2/barnyard2.alert]
sourcetype=snort_unified2
index=snort

As explained here https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-line-breaking-a-single-IDS-Alert-event... , I added the same settings to props.conf (Indexer and SH), but Splunk still ends up breaking each line as a separate event, as shown below:

[screenshot: Snort_1.png]

props.conf

[snort_unified2]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\[\*\*\]
TIME_PREFIX = ^([^\r\n]+[\r\n]+){2}
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %m/%d-%H:%M:%S.%6N
category = Network & Security

But when I try these settings by manually adding the same input, it works just fine.

[screenshot: snort_manual.png]

Any ideas on what could be going wrong with props.conf?

Thanks,

~Abhi
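To separate "the regexes are wrong" from "the props.conf stanza is not being applied", it helps to run the stanza's LINE_BREAKER, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD settings against a sample of the file outside Splunk. The script below is an added example written for this thread, not code from the original post or from Splunk; it reimplements those three settings' semantics in plain Python (first capture group of LINE_BREAKER is discarded, TIME_PREFIX is skipped, only the next MAX_TIMESTAMP_LOOKAHEAD characters are parsed). The sample alerts are constructed in barnyard2's alert_full layout, Splunk's `%6N` is mapped to Python's `%f`, and the year, which the TIME_FORMAT does not contain, is passed in by the caller; all three are assumptions of the example.

```python
import re
from datetime import datetime

# Settings copied from the props.conf stanza quoted in the question.
LINE_BREAKER = r"([\r\n]+)\[\*\*\]"
TIME_PREFIX = r"^([^\r\n]+[\r\n]+){2}"
MAX_TIMESTAMP_LOOKAHEAD = 25
# Splunk's %6N (six-digit fractional seconds) is rendered as Python's %f here;
# the year is absent from TIME_FORMAT, so the caller supplies one (assumption).
TIME_FORMAT_PY = "%m/%d-%H:%M:%S.%f"

# Constructed sample in the alert_full layout barnyard2 writes; not real alerts.
SAMPLE = (
    "[**] [1:1000001:1] CONSTRUCTED TEST RULE one [**]\n"
    "[Classification: Test Category] [Priority: 3] \n"
    "08/03-10:15:22.123456 192.0.2.10:40000 -> 192.0.2.20:80\n"
    "TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF\n"
    "\n"
    "[**] [1:1000002:1] CONSTRUCTED TEST RULE two [**]\n"
    "[Classification: Test Category] [Priority: 2] \n"
    "08/03-10:16:05.000010 192.0.2.30:40001 -> 192.0.2.20:443\n"
    "TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF\n"
)


def break_events(raw, line_breaker=LINE_BREAKER):
    """Split raw text the way LINE_BREAKER does: the text matched by the first
    capture group is discarded and the next event starts right after it."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event, year):
    """Find the timestamp the way TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD do:
    skip the prefix match, then parse only the next LOOKAHEAD characters."""
    m = re.match(TIME_PREFIX, event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    token = window.split(" ", 1)[0]          # "MM/DD-HH:MM:SS.ffffff"
    try:
        return datetime.strptime(f"{year}/{token}", "%Y/" + TIME_FORMAT_PY)
    except ValueError:
        return None


def parse_alerts(raw, year):
    """Return (timestamp, signature line) for each event in the raw file."""
    return [(extract_timestamp(e, year), e.splitlines()[0]) for e in break_events(raw)]


if __name__ == "__main__":
    # Splunk's default LINE_BREAKER ([\r\n]+) gives the one-event-per-line
    # result the question describes; the stanza's breaker gives one per alert.
    print("default breaker:", len(break_events(SAMPLE, r"([\r\n]+)")), "events")
    for ts, sig in parse_alerts(SAMPLE, 2022):
        print(ts, sig)
```

If this script yields one event per alert with a sensible timestamp, the stanza itself is sound and the problem lies in where it is deployed (UF, HF or indexer) or whether it was reloaded, which is what the rest of the thread checks.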


kbehl
Explorer

This is an index-time setting and therefore not required on the universal forwarder.

Here is what you can try:

SHOULD_LINEMERGE= true

Along with one of:
BREAK_ONLY_BEFORE,
BREAK_ONLY_AFTER


samcyber20
Explorer

Hi @att35 ,

Check props.conf on your UF or try using the btool command.

Please let me know if it helps or if you found a solution already.

Thanks

Sam

att35
Builder

Hi @samcyber20,

The app that we pushed to the endpoints to collect these logs does not have any props.conf, only inputs.conf with the one stanza I mentioned above.

Does it need a props.conf as well, with any of the entries that I added on the Indexer side?

Thanks,

~ Abhi

samcyber20
Explorer

Hi @att35,

Use the btool command mentioned by @isoutamo.

It will give you a much better idea.

Thanks

Sam

isoutamo
SplunkTrust
Do you have any HF between the UF and the indexer? If yes, then you must put props.conf on the first HF counting from the UF. If not, please try what the next command says:
splunk btool props list -debug snort_unified2
r. Ismo

richgalloway
SplunkTrust

Did you restart the indexers after changing the props.conf file?

---
If this reply helps you, Karma would be appreciated.

att35
Builder

Hi @richgalloway ,

Yes. Both Indexer and the Search Head were restarted after making the props.conf change.

Thanks,

~ Abhi
