How to handle staggered logs

jadengoho · ‎04-28-2020

Hi ,
Basically their server send logs one line at a time. When it came to Splunk it ingest automatically and not following the line breaker configuration. Out target is to line break the logs before "C:\Users\localserver>systeminfo".
Can Splunk wait for the line breaker to be visible before it linebreak ? Or what is the best way to handle this issue.

Example log:

C:\Users\localserver>systeminfo
    Host Name:                 localserver
    OS Name:                   Microsoft Windows 10 Enterprise
    OS Version:                10.0.18362 N/A Build 18362
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          company
    Registered Organization:   OOO
    Original Install Date:     01/01/2020, 7:10:02 PM
    System Boot Time:          4/28/2020, 12:43:21 PM
    System Model:              HP Samplebook
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
    Windows Directory:         C:\WINDOWS
    System Directory:          C:\WINDOWS\system32
    Boot Device:               \Device\HarddiskVolume1

    C:\Users\localserver>
    Host Name:                 localserver
    OS Name:                   Microsoft Windows 10 Enterprise
    OS Version:                10.0.18362 N/A Build 18362
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          company
    Registered Organization:   OOO
    Original Install Date:     01/01/2020, 7:10:02 PM
    System Boot Time:          4/28/2020, 12:43:21 PM
    System Model:              HP Samplebook
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
    Windows Directory:         C:\WINDOWS
    System Directory:          C:\WINDOWS\system32
    Boot Device:               \Device\HarddiskVolume1

Here's the situation that their server sending the logs, every 1minute it will sent the nextline.

C:\Users\localserver>systeminfo <After 1min it will send the next line>
Host Name:                 localserver <After 1min it will send the next line>
OS Name:                   Microsoft Windows 10 Enterprise <After 1min it will send the next line>
OS Version:                10.0.18362 N/A Build 18362 <After 1min it will send the next line>
OS Manufacturer:           Microsoft Corporation <After 1min it will send the next line>
OS Configuration:          Member Workstation <After 1min it will send the next line>

Props.conf

[sourcetype_name]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = (C\:\\Users)
TRUNCATE = 8000

If i ingest the log as a bulk it will show the "GREEN BOX" in the picture whole and complete.
But in my case it's staggered and ingesting 1line per minute "RED BOX".

to4kawa · ‎04-28-2020

| makeresults 
| eval _raw="C:\Users\localserver>systeminfo
     Host Name:                 localserver
     OS Name:                   Microsoft Windows 10 Enterprise
     OS Version:                10.0.18362 N/A Build 18362
     OS Manufacturer:           Microsoft Corporation
     OS Configuration:          Member Workstation
     OS Build Type:             Multiprocessor Free
     Registered Owner:          company
     Registered Organization:   OOO
     Original Install Date:     01/01/2020, 7:10:02 PM
     System Boot Time:          4/28/2020, 12:43:21 PM
     System Model:              HP Samplebook
     System Type:               x64-based PC
     Processor(s):              1 Processor(s) Installed.
     Windows Directory:         C:\WINDOWS
     System Directory:          C:\WINDOWS\system32
     Boot Device:               \Device\HarddiskVolume1

C:\Users\localserver>
     Host Name:                 localserver
     OS Name:                   Microsoft Windows 10 Enterprise
     OS Version:                10.0.18362 N/A Build 18362
     OS Manufacturer:           Microsoft Corporation
     OS Configuration:          Member Workstation
     OS Build Type:             Multiprocessor Free
     Registered Owner:          company
     Registered Organization:   OOO
     Original Install Date:     01/01/2020, 7:10:02 PM
     System Boot Time:          4/28/2020, 12:43:21 PM
     System Model:              HP Samplebook
     System Type:               x64-based PC
     Processor(s):              1 Processor(s) Installed.
     Windows Directory:         C:\WINDOWS
     System Directory:          C:\WINDOWS\system32
     Boot Device:               \Device\HarddiskVolume1
 "
| rex mode=sed "s/(?ms)[\r\n]+^C:/#C/g"
| makemv delim="#" _raw
| stats count by _raw

props.conf

[sourcetype_name]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+^)C:
TRUNCATE = 0

jadengoho · ‎04-28-2020

Will this work even their server send data 1 line per minute, cause that's my problem?

to4kawa · ‎04-28-2020

The problem was that HF was sending more than one event at a time.
If the event breaks up, there's no problem.

jadengoho · ‎04-28-2020

The problem was that HF was sending more than one event at a time.
- How can i set the HF to not send the logs if it doesn't saw the linebreaker ?

Also the client want to see the logs as a complete not line by line..

to4kawa · ‎04-28-2020

https://answers.splunk.com/answers/458237/setting-up-propsconf-at-the-heavy-forwarders.html
set props.conf on HF

jadengoho · ‎04-28-2020

I do know how to setup the props on heavy forwarder using deployment server.

The question is How can i make HF not send the logs if it doesn't saw the linebreaker?
OR how to make the HF wait until he saw the linebreaker?

jadengoho · ‎04-28-2020

@to4kawa i've tried your code and it shows similar output.
When i ingest the log as whole - it shows complete - please see GREEN BOX
but in my case it send 1line per minute shows line per line - please see RED BOX

PavelP · ‎04-28-2020

can you post your props and inputs?

jadengoho · ‎04-28-2020

i'll update the question to include the current props.conf

PavelP · ‎04-28-2020

are the events coming one in time (say 1 event/minute) or multiple are send at once?

please try:
[sourcetype_name]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)C:
TRUNCATE = 8000

jadengoho · ‎04-28-2020

hi @PavelP - it s 1 line per minute

PavelP · ‎04-30-2020

Hi @jadengoho,

I've just checked it successfully with this configuration:

[sourcetype_name]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)C:
TRUNCATE = 8000

don't forget to debug/refresh or restart Splunk after you changed the configuration.

jadengoho · ‎04-30-2020

@PavelP - yes this works on bulk ingestion even logs 1second apart.
But in my case logs are being ingested 1minute apart.

I resolve the issue by using "inputs.conf" time_before_close

to4kawa · ‎04-28-2020

what a many slashes!

@jadengoho
what's your inputs.conf
I don't understand why commands displays and is logging.

PavelP · ‎04-28-2020

as @to4kawa mentioned, too many backslashes - I've corrected, the simplified LINE_BREAKER with C: will work, I've just tested successfully with your data

jadengoho · ‎04-28-2020

hi @PavelP -the configuration works for "one time ingestion", please see the GREEN BOX in the image.
But when the staggered data came it doesn't follow the linebreaking - please see the RED BOX.

jadengoho · ‎04-28-2020

we don't have inputs. their server is sending logs to our HF .

How to handle staggered logs

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?