I am sending logs from PingOne to my heavy forwarder. The logs are being streamed to the forwarder via TCP. The logs are configured to be in the 'SPLUNK_AUDIT' format. The logs showing up in splunk are not readable.
Here is the relevant documentation from Ping Identity regarding this format:
Format (Required) -- The subscription format to use. This can be one of the following:
AUDIT - The PingOne audit event format (JSON).
SPLUNK_AUDIT - The PingOne audit event format wrapped with the fields needed for processing by Splunk (JSON).
Here are my inputs.conf and props.conf configurations.
-- inputs.conf --
[tcp://:10000]
index = main
sourcetype = pingid
-- props.conf --
[pingid]
SHOULD_LINEMERGE=false
TIME_PREFIX="timestamp":
TIME_FORMAT=%s
KV_MODE = false
INDEXED_EXTRACTIONS = json
Does anyone have any ideas on how I can adjust my ingestion settings so that these logs are readable? Or is this indicative of a problem with how I've set up the logs to be sent from PingOne (it is a pretty straightforward process so I am doubtful of this personally). I am expecting to see pretty generic JSON data coming through. I have played around with the JSON parsing options in splunk (KV_MODE = json), but I don't believe that this is a JSON parsing issue. I have also experimented with specifying differing CHARSETs in my props.conf, thinking that perhaps the logs are coming in a non-UTF8 format, but also to no avail.
Turns out my load balancer was re-encrypting the logs before pushing them to my forwarders. Disabling the encryption resolved the issue.
Turns out my load balancer was re-encrypting the logs before pushing them to my forwarders. Disabling the encryption resolved the issue.