We have onboarded a firewall log from Forcepoint, and it was not parsing properly in Splunk. We tried to find an add-on to ingest the log, but we found none. Is there any way we can solve this issue?
Here is an example of our current FW log:
Feb 17 10:25:09 172.XX.XX0.XX0 "2022-02-17 10:25:51","3350841932","172.XX.XXX.XXX","Packet Filtering","Notification","New connection","Allow","123.XXX.XXX.XX","113.XX.XXX.XXX","DNS (UDP)","17","52129","53","4372.39","123.XXX.XXX.XXX","17X.XXX.XXX.XX","52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,
Please advise.
Adding on to what @SanjayReddy was saying on the props.conf configurations, best practice is to include the minimum configurations below.
I'm assuming your events start off with the date format (Feb 17 10:25:09), so here is an example of the big 6/8 configs, depending on which Splunk host is sending or ingesting the data; put the props on the HF/IDX for parsing. I think you're sending the logs via syslog, since I notice two timestamps, and I'm going to use the timestamp inside the double quotes for the event time.
props.conf
# Placeholder stanza: use the sourcetype you assign to these logs
[<your_forcepoint_sourcetype>]
# Assuming the event time is the first value that starts with double quotes;
# the prefix consumes everything up to and including that opening quote,
# so the timestamp itself is what immediately follows it
TIME_PREFIX = ^[^"]+"
MAX_TIMESTAMP_LOOKAHEAD = 20
# Assuming your hours are in 24-hour notation (%T)
TIME_FORMAT = %F %T
SHOULD_LINEMERGE = false
# Syslog pads single-digit days with a space ("Feb  7"), so allow one or more
# spaces and one or two day digits in the syslog date
LINE_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}
TRUNCATE = 10000
# Use the following attributes to handle better load balancing from UF.
# Please note the EVENT_BREAKER properties are applicable for Splunk Universal
# Forwarder instances only. Valid with forwarders > 6.5.0
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}
Hi @syazwani
I found this add-on on Splunkbase; will this help?
https://splunkbase.splunk.com/app/2966/#/details
https://docs.splunk.com/Documentation/AddOns/latest/WebsenseCG/About
Also, from the log file you mentioned, what are the event boundaries, i.e. where does each event start and end?
If the above add-on won't work, we can parse the data properly using props.conf.
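Before pushing props.conf to a heavy forwarder or indexer, it is worth dry-running the event-breaking, timestamp-extraction and field-splitting logic against a captured sample, which also answers the event-boundary question raised above. The script below is an added example written for this thread, not code from the original posters or from Forcepoint or Splunk. It reimplements the LINE_BREAKER / TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD semantics in Python (group 1 of the breaker is discarded, the rest of the pattern only anchors the next event), widens the syslog date to accept space-padded single-digit days, spells Splunk's `%F %T` as the equivalent strptime format, and then reads the quoted CSV payload. The sample stream uses RFC 5737 documentation addresses and is constructed; the field names in `FIELD_NAMES` are assumptions inferred from the order of values in the posted line, not Forcepoint's official field list.

```python
"""Dry-run the props.conf breaking/timestamp logic against sample Forcepoint syslog."""
import csv
import re
from datetime import datetime

# Same regexes as the props.conf settings, widened so the syslog date also matches
# space-padded single-digit days ("Feb  7"). Group 1 is the text Splunk discards
# between events; the rest of the pattern only anchors where the next event begins.
LINE_BREAKER = re.compile(r"([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}")
# Everything up to and including the first double quote precedes the event time.
TIME_PREFIX = re.compile(r'^[^"]+"')
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # Python spelling of Splunk's "%F %T"
# Syslog header "<Mon> <day> <HH:MM:SS> <host> " that precedes the CSV payload.
SYSLOG_HEADER = re.compile(r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+\S+\s+")
# Assumed names for the leading CSV positions, inferred from the sample layout only.
FIELD_NAMES = ["fw_time", "event_id", "node_address", "facility", "severity",
               "event", "action", "src", "dst", "service", "protocol",
               "src_port", "dst_port"]

# Constructed sample: two syslog-wrapped events using RFC 5737 documentation IPs.
SAMPLE = (
    'Feb 17 10:25:09 192.0.2.10 "2022-02-17 10:25:51","3350841932","192.0.2.10",'
    '"Packet Filtering","Notification","New connection","Allow","198.51.100.7",'
    '"203.0.113.53","DNS (UDP)","17","52129","53","4372.39","198.51.100.7",'
    '"203.0.113.53","52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,'
    '"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,\n'
    'Feb  7 08:00:01 192.0.2.10 "2022-02-07 08:00:33","3350841933","192.0.2.10",'
    '"Packet Filtering","Notification","New connection","Discard","198.51.100.9",'
    '"203.0.113.80","HTTP","6","40001","80",,"198.51.100.9","203.0.113.80",'
    '"40001","80",,,,,,,,,,,,,,,"DC-Node-01",,,,,"2022-02-07 08:00:33","Firewall",'
    '"Connection_Discarded",,,"6899901665942596694",,,,\n'
)


def break_events(raw):
    """Split a raw stream the way LINE_BREAKER does: cut at group 1, drop group 1."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def extract_timestamp(event):
    """Apply TIME_PREFIX, then parse TIME_FORMAT inside the lookahead window."""
    m = TIME_PREFIX.match(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", window)
    return datetime.strptime(ts.group(0), TIME_FORMAT) if ts else None


def parse_fields(event):
    """Strip the syslog header and read the quoted CSV payload into named fields."""
    m = SYSLOG_HEADER.match(event)
    body = event[m.end():] if m else event
    row = next(csv.reader([body]))
    fields = dict(zip(FIELD_NAMES, row))
    fields["raw_fields"] = row  # keep every position, including the unnamed ones
    return fields


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        f = parse_fields(ev)
        print(extract_timestamp(ev), f["action"], f["src"], "->", f["dst"], f["dst_port"])
```

If the breaker regex were left as `\s\d{2}`, the second sample event (day 7, space-padded) would be merged into the first; running this script on a real capture before deployment catches that class of problem, and the positional names can be replaced with the vendor's documented column order once confirmed.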