Hello,
I have a problem with daktrace collector.
Monitor logs Darktrace
[monitor:///srv/syslogdata/darktrace/]
disabled = false
recursive = true
index = darktrace
sourcetype = darktrace:syslog
whitelist = \.log$
host_segment = 4
The data arrives in Splunk However the field of extraction does not work.
the conf props.conf in .../Darktrace/defaults/ in syslog is:
[darktrace]
pulldown_type = true
KV_MODE = json
category = Structured
description = Darktrace JSON syslog format.
SEDCMD-remove_header = s/^[^\{]+//
I have an architecture with utility server, search head, cluster indexers, syslog+UF (darktrace).
I need some help, please.
Thank you in advance.
Hi All,
Was the issue resolved. I ask as I currently have extractions issues but not having any luck with resolving it.
Hello,
How are you sending Darktrace logs to Splunk? When I deployed the connector I have used a TCP port to perform the input. The props.conf in default folder is just like yours. But in the local folder there are some other configs:
local/props.conf:
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false
My inputs.conf:
[tcp://5515]
connection_host = dns
index = darktrace
sourcetype = darktrace