Splunk Enterprise

How to merge segmented syslog events into one?

MD5
New Member

We are currently facing the issue that we are indexing syslog data from beyond trust.

The product splits it's syslog messages if the event is bigger than 1kb.
(see docu: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/message-segmentation.htm )

Example:


1st Message:
Jun 12 15:09:03 beyondtrust.instance 1 2023-06-12T15:09:03+02:00 btrs BG 22595 - [meta sequenceId="891"] 1427:01:02:site=beyondtrust.instance ;when=1686575343;who=Test User (testuser);who_ip=10.0.0.1;event=api_account_changed;old_bearer_token_long_lived=0;old_client_id=b0mm90956f58a2529gfh414681d877e3a694579b;old_client_secret=***NEW***;old_comments=;old_ecm_group=1;old_enabled=1;old_failed_login_attempts=0;old_failed_login_expiration=1680168524;old_id=3;old_ip_addresses=10.0.0.0/8,10.1.0.0/8;old_name=api-testuser;old_permissions:backup=1;new_permissions:backup=0;old_permissions:command=full_access;old_permissions:configuration=1;old_permissions:configuration_vault_account=1;old_permissions:ecm=0;old_permissions:real_time_state=0;old_permissions:reporting:archive=0;old_permissions:reporting:license=0;old_permissions:reporting:presentation=0;old_permissions:reporting:support=0;old_permissions:reportin


2nd Message:
Jun 12 15:09:03 beyondtrust.instance 1 2023-06-12T15:09:03+02:00 btrs BG 22595 - [meta sequenceId="892"] 1427:02:02:g:syslog=0;old_permissions:reporting:vault=0;old_permissions:scim=0;old_permissions:vault_backup=0


The only thing that indicated that an event was segmened are the "Segment Number" and the "Total Segments" fields in the header along with a field that seems to be some kind of "Message ID" - is there a way to index those two events as one by creating a custom source type? Since every event has its own timestamp this seems not possible?

Maybe there's a way to merge those two events at search-time into one since I need the whole payload to be displayed on a dashboard?

 

 

Thanks for your help! 🙂

 

 

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...