Activity Feed
- Posted Re: Syslog ng cut the logs of Fortigate on Getting Data In. 03-07-2023 05:44 AM
- Karma Re: Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations? for mookiie2005. 06-05-2020 12:47 AM
- Karma Why am I getting "Error in HTTP server: shutting down" when starting splunkweb? for letsrumbl. 06-05-2020 12:47 AM
- Karma Re: Need to make advanced query for Cisco Ironport Logs for mcronkrite_splu. 06-05-2020 12:46 AM
- Karma Concurrency group by clause for cmiles416. 06-05-2020 12:46 AM
03-07-2023 05:44 AM
Have you done a tcpdump? Just to make sure the issue is not with the sender. What's interesting is that the logs in the image seem to be missing several line breaks between events. The <189>date=... should be at the beginning of the event, and you have more than one occurrence per line, meaning more than one event on the same line. Also, the number before the <189> (e.g. 605) looks like a line/event count, and I don't think that's expected from this source. Are you receiving this directly from the Fortigate, or do you have anything in between? Something I found that seems to be related but ended up not being a syslog-ng issue: https://lists.balabit.hu/pipermail/syslog-ng/2022-August/026516.html