Greetz,
Please can someone tell me if these events every minute are raw universal forwarder heartbeat data?
» 5/28/12
8:10:28.000 PM
\x16\x3\x00\x00D\x1\x00\x00@\x3\x00O\xC3\xC0\x94r\xBB\xB9m\x9C<[\xA9\xFC\xE4\x9C(\xAC\x108\xB5\x85\xEDP$\xF8\xB0\x1Bx/\xBC\x00\x00\x18\x009\x008\x005\x003\x002\x00/\x00\x16\x00\x13\x00\x00\x5\x00\x4\x00\xFF\x2\x1\x00
host=collector Options|
sourcetype=ds:ad Options|
source=tcp:50000 Options
No it's not. This was in actual fact connection data from the deployment client to a raw TCP input and the forwarder has been configured to "sendCookedData = false".
No it's not. This was in actual fact connection data from the deployment client to a raw TCP input and the forwarder has been configured to "sendCookedData = false".
I had the same question. I erased all the configuration apps and inputs.conf from the universal forwarder and found out that this pattern kept going. Still believe is a heartbeat.
That (looks) like a normal tcp receiver that is being fed data from a forwarder in splunktcp
(cooked) format.
This was the problem.
No it's not. This was in actual fact connection data from the deployment client to a raw TCP input and the forwarder has been configured to "sendCookedData = false".