Getting Data In

eventgen and outputMode = s2s not working

philwild
Explorer

Hi!

I'm having a real issue trying to get eventgen working.

I'm trying to use the outputMode = s2s but it is bombing out with the below.

2021-07-28 15:06:42 eventgen        ERROR    MainProcess 'utf-8' codec can't decode byte 0xb3 in position 3: invalid start byte
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/eventgen_core.py", line 304, in _worker_do_work
    item.run()
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/outputplugin.py", line 39, in run
    self.flush(self.events)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 204, in flush
    m["_time"],
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 173, in send_event
    e = self._encode_event(index, host, source, sourcetype, _raw, _time)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 124, in _encode_event
    encoded_raw = self._encode_key_value("_raw", _raw)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 78, in _encode_key_value
    return "%s%s" % (self._encode_string(key), self._encode_string(value))
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 69, in _encode_string
    "utf-8"
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 3: invalid start byte

My eventgen.conf file looks like this:

[cisco_asa.sample]
mode = replay
count = -1
timeMultiple = 1
sampletype = raw
# outputMode = tcpout
outputMode = s2s
splunkHost = splunk_search
splunkPort = 9997
source = udp:514
host = boundary-fw1
index = main
sourcetype = cisco:asa
# tcpDestinationHost = splunk_uf1
# tcpDestinationPort = 3333
token.0.token = \w{3} \d{2} \d{2}:\d{2}:\d{2}
token.0.replacementType = replaytimestamp
token.0.replacement = %b %d %H:%M:%S

It works fine with tcpout (the commented-out bits above) but not as s2s.

I'm executing eventgen like this:

/usr/bin/python3.7 /usr/bin/splunk_eventgen -v generate /opt/splunk-eventgen/default/eventgen.conf

The reason I'm using s2s is I'd like to generate sample data as if it's coming from many hosts, sources and sourcetypes and I can't do that if I'm using tcpout.

In the above config, splunk_search is a standalone test splunk install. Sending directly to this splunk host via s2s fails.

If I switch back to tcpout, then I'm sending to a Splunk UF with a tcpinput configured, which is then sending to splunk_search via tcp/9997.

eventgen was installed and configured as per http://splunk.github.io/eventgen/SETUP.html#install

Any suggestions?


codebuilder
Influencer

That error means you have a character in eventgen.conf that can't be decoded. That's usually a copy/paste problem from Windows/web to linux.

Running dos2unix against the file will usually fix that. yum install -y dos2unix (if you don't have it).

Example:
[root@:~]$ dos2unix /tmp/eventgen.conf
dos2unix: converting file /tmp/eventgen.conf to Unix format...
[root@:~]$

----
An upvote would be appreciated and Accept Solution if it helps!

philwild
Explorer

Thanks for the suggestion but this hasn't worked.

The error is identical after installing and running the file through dos2unix.

The file was created in vi so I kind of doubted this was the problem.

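The UnicodeDecodeError in the traceback is raised while the s2s plugin decodes the event's _raw value (the key "_raw" is encoded first and is plain ASCII), so "position 3" is an offset into that event, not into eventgen.conf; dos2unix normalizes line endings and leaves any other byte unchanged. The script below is an added example, not code from the thread or from eventgen: it reports every byte in a sample or conf file that is not valid UTF-8, with its line number, and shows a tolerant decode that makes data loss visible instead of failing. The log lines and the file names are constructed; only the byte value 0xb3 comes from the question.

```python
# Added example, not eventgen's own code: locate bytes that are not valid
# UTF-8 in an eventgen input file and show a tolerant decode of one event.
from pathlib import Path
from typing import List, Tuple


def find_invalid_utf8(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (byte_offset, line_number, byte_value) for each byte at which
    UTF-8 decoding fails. Scanning resumes one byte after each failure so a
    single bad byte does not hide later ones."""
    found = []
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")
            break  # everything from pos onward decodes cleanly
        except UnicodeDecodeError as exc:
            bad = pos + exc.start  # exc.start is relative to the slice
            line_no = data.count(b"\n", 0, bad) + 1
            found.append((bad, line_no, data[bad]))
            pos = bad + 1
    return found


def scan_file(path: str) -> List[Tuple[int, int, int]]:
    """Scan a file on disk, e.g. cisco_asa.sample or eventgen.conf
    (hypothetical paths; pass whatever eventgen is reading)."""
    return find_invalid_utf8(Path(path).read_bytes())


def decode_tolerant(raw: bytes) -> Tuple[str, int]:
    """Decode one event the way a lenient encoder could: undecodable bytes
    become U+FFFD instead of raising. Also returns how many bytes were
    replaced, so the alteration can be logged or counted rather than hidden."""
    text = raw.decode("utf-8", errors="replace")
    return text, text.count("\ufffd")


# Constructed sample: two ASA-style lines; the second carries a stray 0xb3
# (a Latin-1 superscript three, for instance) at position 3 of the event.
SAMPLE = (
    b"Jul 28 15:06:42 boundary-fw1 %ASA-6-302013: Built outbound TCP connection\n"
    b"Jul\xb3 28 15:06:43 boundary-fw1 %ASA-6-302014: Teardown TCP connection\n"
)

if __name__ == "__main__":
    for offset, line_no, value in find_invalid_utf8(SAMPLE):
        print(f"offset {offset}, line {line_no}: byte 0x{value:02x} is not valid UTF-8")
```

Run scan_file against each file named in eventgen.conf; a hit in the sample file explains the error even though the conf itself is clean.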