Deployment Architecture

seeing meta tags with log entries

initconf
New Member

Hello:

I am very new to Splunk. I have configured a light forwarder to forward syslogs to a Splunk collector on a specific port, which has its own indexer.

I am not sure if the _internal index is also getting indexed with my custom syslog index?

I am seeing entries such as these; the first entry is clean while subsequent entries are getting padded (below, in reverse chronological order):

# 12/22/10 1:12:49.000 PM

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x13sourcetype::fwd-hb\x00\x00\x00\x00\x10MetaData:Source\x00\x00\x00\x00\xFsource::fwd-hb\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00\x00\x00\x1\xCC\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00LDec 22 13:12:49 localhost user: I am running as root again and again

* host=localhost
* sourcetype=syslog
* source=tcp:5140

# 2 12/22/10 1:12:33.000 PM

\x00\x00\x1\xC2\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00BDec 22 13:12:33 localhost user: I am running as root again

* host=localhost
* sourcetype=syslog
* source=tcp:5140

# 3 12/22/10 1:12:07.000 PM

Dec 22 13:12:07 localhost user: I am running as root

Any thoughts/help would be great.

Thanks Dev


jkerai
Splunk Employee

Could you provide the forwarder's outputs.conf and the indexer's inputs.conf? It seems like the receiving port on the indexer is misconfigured. Please see that it is configured as

[splunktcp://9997]

gkanapathy
Splunk Employee

Yes. I would suspect that the input is configured as just [tcp:NNNN].

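A small check for the mismatch both answers point at, added here as an example that is not from the thread or from Splunk: it reads a forwarder's outputs.conf and an indexer's inputs.conf and reports any target port the indexer has opened as a raw [tcp://] input instead of [splunktcp://]. The configs are constructed samples; the host name is hypothetical, the port 5140 is the one shown in the question's source field.

```python
import configparser
# Constructed samples: the host name is hypothetical, the port is the question's.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary
[tcpout:primary]
server = indexer.example.internal:5140
"""
# Misconfigured receiver: a raw TCP (syslog) input on the forwarder's port, so
# the cooked Splunk-to-Splunk framing is indexed as event text.
INPUTS_CONF_BAD = """
[tcp://5140]
sourcetype = syslog
index = customsyslog
"""
# Corrected receiver: splunktcp decodes the cooked stream and applies the
# sourcetype, source and index that the forwarder sends.
INPUTS_CONF_GOOD = """
[splunktcp://5140]
"""
COOKED_MARKERS = ("MetaData:Sourcetype", "MetaData:Source")

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def forwarder_ports(outputs_conf):
    """Ports named in every [tcpout:<group>] 'server' list of the forwarder."""
    cp = _parse(outputs_conf)
    ports = set()
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            for hostport in cp.get(section, "server").split(","):
                ports.add(int(hostport.strip().rsplit(":", 1)[1]))
    return ports

def raw_tcp_ports(inputs_conf):
    """Ports the indexer opened as raw [tcp://port] or [tcp://host:port] inputs."""
    cp = _parse(inputs_conf)
    return {int(s[len("tcp://"):].rsplit(":", 1)[-1])
            for s in cp.sections() if s.startswith("tcp://")}

def find_mismatches(outputs_conf, inputs_conf):
    """Forwarder target ports that the indexer reads as raw syslog: the bug here."""
    return sorted(forwarder_ports(outputs_conf) & raw_tcp_ports(inputs_conf))

def looks_cooked(event):
    """True if an indexed event still carries Splunk's internal framing field names."""
    return any(marker in event for marker in COOKED_MARKERS)
```

`find_mismatches(OUTPUTS_CONF, INPUTS_CONF_BAD)` returns `[5140]` and the corrected config returns `[]`; `looks_cooked` flags the padded entries from the question while the clean syslog line passes.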