Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why the logs coming from Splunk to Alienvault SIEM...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are the logs coming from splunk to my alienvault SIEM Sensor but my SIEM is unable to read those logs. I have checked all the confs like props.conf, transform.conf, input.conf, output.conf but I couldn't understand the issue. The main issue is in each key value pair in logs, value is being #015#012 this kind of weird. All events are from Windows. At first I thought there may be data Anonymizing but there is not **TRANSFORMS-annonymize entry in props.conf. Please help, Thanks in advanced.**
Mar 17 23:00:03 172.16.8.145 TEC-R90M6PGD Type=NetworkAdapter#015#012Name="Microsoft Wi-Fi Direct Virtual Adapter #2"#015#012Manufacturer="Microsoft"#015#012ProductName="Microsoft Wi-Fi Direct Virtual Adapter"#015#012Status=""#015#012MACAddress="36:F3:9A:3D:28:1D"Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=1 G:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=2 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
Mar 17 23:00:02 172.16.8.145 TECSRVEXMBX02 20190317230049.314638#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=3 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This looks like a slightly odd encoding/escaping of octal \015 \012 which is the same as \r\n ( and \0 which is null)
I would rewrite both #0#015#012 and #015#012 as a literal space as you ingest the data.
Edit: I read this question as if it was AlienVault -> Splunk instead of the other way round, but hopefully the explanation still stands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This looks like a slightly odd encoding/escaping of octal \015 \012 which is the same as \r\n ( and \0 which is null)
I would rewrite both #0#015#012 and #015#012 as a literal space as you ingest the data.
Edit: I read this question as if it was AlienVault -> Splunk instead of the other way round, but hopefully the explanation still stands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank for your explanation @nickhillscpl , but what should be the workaround to this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are you sending data to AlienVault?
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
