
Why the logs coming from Splunk to Alienvault SIEM sensor, are not readable?

ginstinct
New Member

These are the logs coming from Splunk to my AlienVault SIEM sensor, but my SIEM is unable to read those logs. I have checked all the confs like props.conf, transforms.conf, inputs.conf and outputs.conf, but I couldn't understand the issue. The main issue is that in each key-value pair in the logs, the value is coming through as #015#012, this kind of weird thing. All events are from Windows. At first I thought there may be data anonymizing, but there is no TRANSFORMS-anonymize entry in props.conf. Please help. Thanks in advance.

Mar 17 23:00:03 172.16.8.145  TEC-R90M6PGD Type=NetworkAdapter#015#012Name="Microsoft Wi-Fi Direct Virtual Adapter #2"#015#012Manufacturer="Microsoft"#015#012ProductName="Microsoft Wi-Fi Direct Virtual Adapter"#015#012Status=""#015#012MACAddress="36:F3:9A:3D:28:1D"Mar 17 23:00:02 172.16.8.145  TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=1 G:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015

Mar 17 23:00:02 172.16.8.145  TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=2 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015

Mar 17 23:00:02 172.16.8.145  TECSRVEXMBX02 20190317230049.314638#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=3 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
0 Karma
1 Solution

nickhills
Ultra Champion

This looks like a slightly odd encoding/escaping of octal \015 \012, which is the same as \r\n (and \0, which is null).
I would rewrite both #0#015#012 and #015#012 as a literal space as you ingest the data.

Edit: I read this question as if it was AlienVault -> Splunk instead of the other way round, but hopefully the explanation still stands.

If my comment helps, please give it a thumbs up!


0 Karma
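The rewrite the answer recommends (treating #0#015#012 and #015#012 as a single space) applied to events shaped like the ones in the question, as an added Python example that is not from this thread or from Splunk or AlienVault. It assumes the #ooo sequences are three-digit octal escapes of control characters (the rsyslog style of rendering non-printable bytes), and the sample event is constructed with placeholder host and IP values.

```python
import re

# Constructed sample, modelled on the WMI disk events in the question (IP and host are placeholders).
SAMPLE = ('Mar 17 23:00:02 172.16.8.145  TECSRVTP-DB01 20190317230049.310381'
          '#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=1 G:'
          '#015#012PercentDiskReadTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015')

# Assumption: "#ooo" is a three-digit octal escape of one control character (the way
# rsyslog renders non-printable bytes), so "#015#012" is "\r\n".
OCTAL_ESCAPE = re.compile(r'#([0-7]{3})')
# The two separator variants the accepted answer proposes rewriting as a single space.
RECORD_SEP = re.compile(r'(?:#0)?#015#012')
# Syslog header as posted: "Mon DD hh:mm:ss <source ip>  <hostname> <body>".
HEADER = re.compile(r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) +(\S+) (.*)$')
KEY_VALUE = re.compile(r'^(\w+)=(?:"(.*)"|(.*))$')


def decode_escapes(text):
    """Turn every #ooo escape back into the raw control character it stands for."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def normalize(line):
    """Apply the answer's rewrite: each escaped CR/LF becomes one space; a dangling
    trailing #015 (as at the end of the posted events) is dropped."""
    cleaned = RECORD_SEP.sub(' ', line)
    if cleaned.endswith('#015'):
        cleaned = cleaned[:-4]
    return cleaned.strip()


def parse_event(line):
    """Split one syslog line into header fields plus the key=value pairs that the
    escaped CR/LF sequences separate. Returns None when the header is not syslog-like."""
    m = HEADER.match(line)
    if not m:
        return None
    timestamp, source_ip, hostname, body = m.groups()
    event = {'timestamp': timestamp, 'source_ip': source_ip, 'hostname': hostname}
    for field in RECORD_SEP.split(body):
        if not field or field == '#015':      # empty tail or the trailing lone CR
            continue
        kv = KEY_VALUE.match(field)
        if kv:
            # quoted values keep their inner text; unquoted values may contain spaces ("1 G:")
            event[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
        else:
            event.setdefault('unparsed', []).append(field)  # e.g. the WMI sample timestamp
    return event
```

Running normalize() over a line gives the one-space-separated form the answer describes; parse_event() shows that once the separators are recognised, the key=value pairs are perfectly readable.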


ginstinct
New Member

Thanks for your explanation @nickhillscpl, but what should be the workaround to this issue?

0 Karma

nickhills
Ultra Champion

How are you sending data to AlienVault?

If my comment helps, please give it a thumbs up!
0 Karma