These are the logs coming from Splunk to my AlienVault SIEM sensor, but my SIEM is unable to read those logs. I have checked all the confs like props.conf, transforms.conf, inputs.conf and outputs.conf, but I couldn't understand the issue. The main issue is that in each key-value pair in the logs, the value is being turned into this kind of weird #015#012 thing. All events are from Windows. At first I thought there may be data anonymizing, but there is no TRANSFORMS-annonymize entry in props.conf. Please help, thanks in advance.
Mar 17 23:00:03 172.16.8.145 TEC-R90M6PGD Type=NetworkAdapter#015#012Name="Microsoft Wi-Fi Direct Virtual Adapter #2"#015#012Manufacturer="Microsoft"#015#012ProductName="Microsoft Wi-Fi Direct Virtual Adapter"#015#012Status=""#015#012MACAddress="36:F3:9A:3D:28:1D"
Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=1 G:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=2 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
Mar 17 23:00:02 172.16.8.145 TECSRVEXMBX02 20190317230049.314638#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=3 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
This looks like a slightly odd encoding/escaping of octal \015 \012, which is the same as \r\n (and \0, which is null). I would rewrite both #0#015#012 and #015#012 as a literal space as you ingest the data.
Edit: I read this question as if it was AlienVault -> Splunk instead of the other way round, but hopefully the explanation still stands.
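To make the answer concrete, here is an added Python example (not code from this thread, nor from Splunk or AlienVault) that reverses the #NNN octal escaping, splits the two events that were fused on one line in the question's first paste, extracts the key=value pairs, and also shows the "replace with a literal space" normalization the answer suggests. The sample record is constructed from the question's paste; the 172.16.8.145 address and hostnames are the question's own placeholders.

```python
import re

# Constructed sample modelled on the question's paste: two records fused on
# one line, with CRLF between fields escaped as '#015#012' (octal for \r\n).
SAMPLE = (
    'Mar 17 23:00:03 172.16.8.145 TEC-R90M6PGD Type=NetworkAdapter'
    '#015#012Name="Microsoft Wi-Fi Direct Virtual Adapter #2"'
    '#015#012Manufacturer="Microsoft"#015#012Status=""'
    '#015#012MACAddress="36:F3:9A:3D:28:1D"'
    'Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381'
    '#015#012CurrentDiskQueueLength=0#015#012Name=1 G:'
    '#015#012wmi_type=LocalPhysicalDisk#015#012#015'
)

# '#' followed by exactly three octal digits, e.g. #015 -> '\r', #012 -> '\n'.
OCTAL_ESCAPE = re.compile(r'#([0-7]{3})')
# Syslog header "Mon DD HH:MM:SS <relay-ip> <host>", then the rest of the payload.
HEADER = re.compile(r'^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+)\s*(.*)$', re.S)
# Zero-width split point: wherever a new syslog timestamp starts.
EVENT_START = re.compile(
    r'(?=(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} \d{2}:\d{2}:\d{2} )')
KV = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def split_events(raw: str):
    """Separate records that a relay glued together on one line (Python 3.7+)."""
    return [e for e in EVENT_START.split(raw) if e]


def parse_event(raw: str):
    """Decode one escaped event into (header, {field: value}).
    Tokens that are not key=value (e.g. the WMI timestamp) are skipped and
    surrounding double quotes are removed from values."""
    decoded = OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), raw)
    m = HEADER.match(decoded)
    if not m:
        raise ValueError('not a syslog line: %r' % raw[:40])
    fields = {}
    for part in re.split(r'\r\n|\n|\r', m.group(2)):
        kv = KV.match(part)
        if kv:
            fields[kv.group(1)] = kv.group(2).strip('"')
    return m.group(1), fields


def normalize_for_siem(raw: str) -> str:
    """The answer's approach: collapse '#0#015#012', '#015#012' and a
    dangling '#015' into one space so the SIEM sees a single flat line."""
    return re.sub(r'(?:#0)?#015#012|#015', ' ', raw).strip()
```

Note that the flattened form loses the field boundary for values that themselves contain spaces (such as "Name=1 G:"), whereas the decode-and-split path keeps them intact.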
Thanks for your explanation @nickhillscpl, but what should be the workaround to this issue?
How are you sending data to AlienVault?