Odd behaviour with some UDP syslog input from a Panorama device (Palo Alto management device) and an ArcSight connector using the same UDP input port. Input settings are as follows:
disabled = false
sourcetype = threat_events
index = myindex
TZ = UTC
SHOULD_LINEMERGE = False
Line-merge settings were set to false for the sourcetype as seen above; however, events sometimes merged together. Is this an example of needing to get LINE_BREAKER= correct for the device?
One workaround was to use separate network ports for the different devices, curious to hear the answer though.
LINE_BREAKER by default is
([\r\n]+), that is, any sequence of newlines and carriage returns. In addition, the end of a UDP packet will also end an event. It's not clear to me why you would have merged events in this case. Was there any pattern or commonality to the merged events?
They were getting merged events where an ArcSight event would come through and multiple Panorama events (starting with CEF) would get merged one after another (client info removed):
Mar 4 18:47:25 somehost.com Mar 4 18:48:06 1,2010/03/048:48:06,0004A100609,THREAT,url,46,2010/03/04 18:48:05,10.170.133.122,184.108.40.206,0.0.0.0,0.0.0.0,ProxyAccess-A2,,,web-browsing,xtxs1,Int-FW,Int-FW-Proxy blah....de....blah....informational,0 (<---first event should end here)
CEF:0|Palo Alto|Panorama|||THREAT|Unknown| eventId=1428238 proto=UDP art=1267728483290 rt=1267728481000 shost=somehost.com src=10.97.3.55 sourceZoneURI=/zzz Zones/System Zones/Private Address Space dst=220.127.116.11 blah ....de...blah...dtz=Asia/xyz deviceFacility=IPS (<--- Second event should end here)
CEF:0|Palo Alto|Panorama (<---they continued to get multiple CEF Panorama device events all merged with the above)
It looks to me then that SHOULD_LINEMERGE = false wasn't taking effect. (And therefore the default BREAK_ONLY_BEFORE_DATE = true was in effect.) I always use lower-case false instead of upper-case False. I have no idea if that makes a difference.
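To show why the default line-merge settings produce exactly the symptom in the sample above, here is an added example (not part of the original thread or of Splunk's own code) that models Splunk's two relevant stages: LINE_BREAKER splits the raw text, then BREAK_ONLY_BEFORE_DATE decides which split lines start a new event. The date detection is a simplified stand-in covering only the two timestamp formats seen in the sample, and the input is constructed, not the poster's real data. A CEF record starts with "CEF:0|", not a timestamp, so under the defaults it is appended to the dated syslog event before it; with SHOULD_LINEMERGE = false every line stays its own event.

```python
import re

# Splunk's default LINE_BREAKER, as quoted earlier in the thread: any run of CR/LF.
# The capture group is the text Splunk discards at the event boundary.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Simplified stand-in for the date recognition behind BREAK_ONLY_BEFORE_DATE.
# Real Splunk understands far more formats; this only covers the BSD syslog
# header ("Mar 4 18:47:25") and the "2010/03/04 18:48:05" style from the sample.
DATE_AT_START = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"   # Mar 4 18:47:25
    r"|\d{4}/\d{2}/\d{2}[ T]\d{2}:\d{2}:\d{2})"          # 2010/03/04 18:48:05
)

# Constructed input modelled on the poster's sample: one Palo Alto syslog line
# followed by two CEF records without a syslog timestamp in front of them.
SAMPLE = (
    "Mar 4 18:47:25 somehost.com 1,2010/03/04 18:48:06,0004A100609,THREAT,url,46,"
    "2010/03/04 18:48:05,10.170.133.122,184.108.40.206,0.0.0.0,0.0.0.0,"
    "ProxyAccess-A2,web-browsing,informational,0\n"
    "CEF:0|Palo Alto|Panorama|||THREAT|Unknown| eventId=1428238 proto=UDP "
    "shost=somehost.com src=10.97.3.55 dst=220.127.116.11 deviceFacility=IPS\n"
    "CEF:0|Palo Alto|Panorama|||THREAT|Unknown| eventId=1428239 proto=UDP "
    "shost=somehost.com src=10.97.3.56 dst=220.127.116.11 deviceFacility=IPS\n"
)


def split_lines(raw, line_breaker=DEFAULT_LINE_BREAKER):
    """Apply a LINE_BREAKER with exactly one capture group.

    re.split keeps the captured separators at odd positions; the text between
    them (even positions) is what survives, as in Splunk. Empty pieces are dropped.
    """
    parts = re.split(line_breaker, raw)
    return [p for p in parts[0::2] if p]


def merge_events(lines, should_linemerge=True):
    """Model of Splunk's line-merging stage for the two settings in the thread.

    should_linemerge=False : every line from LINE_BREAKER is its own event.
    should_linemerge=True  : the default BREAK_ONLY_BEFORE_DATE=true behaviour;
                             a line starts a new event only if it begins with a
                             recognised date, otherwise it is glued to the event
                             before it.
    """
    if not should_linemerge:
        return list(lines)
    events = []
    for line in lines:
        if DATE_AT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] = events[-1] + "\n" + line
    return events


def demo():
    """Return (lines after LINE_BREAKER, events with merging, events without)."""
    lines = split_lines(SAMPLE)
    return len(lines), len(merge_events(lines, True)), len(merge_events(lines, False))


if __name__ == "__main__":
    lines = split_lines(SAMPLE)
    print("LINE_BREAKER produced", len(lines), "lines")
    for setting in (True, False):
        events = merge_events(lines, should_linemerge=setting)
        print(f"SHOULD_LINEMERGE={str(setting).lower()}: {len(events)} event(s)")
        for ev in events:
            print("  ---\n  " + ev.replace("\n", "\n  "))
```

Running it shows three lines coming out of LINE_BREAKER, one event when merging is on (the two CEF records are absorbed into the syslog event, exactly as the poster saw) and three when it is off. A CEF record that does carry a leading syslog timestamp would start its own event even under the defaults, which is why only the untimestamped records were affected.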
Use a stanza name:
We don't have any support for that syntax, and it shouldn't be in the docs anywhere (I can see how you might think there would be, of course).
Thus you should have:
[threat_events]
TZ = UTC
SHOULD_LINEMERGE = False