Getting Data In

PingOne/PingIdentity log subscription ingestion - logs unreadable

Engager

I am sending logs from PingOne to my heavy forwarder. The logs are being streamed to the forwarder via TCP. The logs are configured to be in the 'SPLUNK_AUDIT' format. The logs showing up in splunk are not readable.

alt text

Here is the relevant documentation from Ping Identity regarding this format:

Format (Required) -- The subscription format to use. This can be one of the following:

AUDIT - The PingOne audit event format (JSON).
SPLUNK_AUDIT - The PingOne audit event format wrapped with the fields needed for processing by Splunk (JSON).

Here are my inputs.conf and props.conf configurations.

-- inputs.conf --
[tcp://:10000]
index = main
sourcetype = pingid

-- props.conf --
[pingid]
SHOULDLINEMERGE=false
TIME
PREFIX="timestamp":
TIMEFORMAT=%s
KV
MODE = false
INDEXED_EXTRACTIONS = json

Does anyone have any ideas on how I can adjust my ingestion settings so that these logs are readable? Or is this indicative of a problem with how I've set up the logs to be sent from PingOne (it is a pretty straightforward process so I am doubtful of this personally). I am expecting to see pretty generic JSON data coming through. I have played around with the JSON parsing options in splunk (KV_MODE = json), but I don't believe that this is a JSON parsing issue. I have also experimented with specifying differing CHARSETs in my props.conf, thinking that perhaps the logs are coming in a non-UTF8 format, but also to no avail.

0 Karma
1 Solution

Engager

Turns out my load balancer was re-encrypting the logs before pushing them to my forwarders. Disabling the encryption resolved the issue.

View solution in original post

0 Karma

Engager

Turns out my load balancer was re-encrypting the logs before pushing them to my forwarders. Disabling the encryption resolved the issue.

View solution in original post

0 Karma