Getting Data In

How to configure Splunk to not merge Juniper VPN logs in one event?

scottsavaresevi
Path Finder

I am currently sending my Juniper VPN logs to Splunk. Periodically I see multiple log entries from the VPN appear as one entry in Splunk. So I decided to send the logs to rsyslog on a Linux server to look for differences. My assumption was that the Juniper is not adding a return character at the end of the log entry, but that doesn't appear to be the case.

In Splunk, I see this entry:

189 <134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.190 <134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

However in rsyslog, I see those entries like this:

Aug 27 12:34:09 myjunmag01 Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\user1(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\user1'.
Aug 27 12:34:14 myjunmag01 Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\user2(Company laptops)[] - Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\user2'.

So it definitely looks like Splunk is doing something to the logs. Questions:

How can I tell Splunk to no longer merge those log entries? What are the "189 <134>" and "190 <134>" bits that get added where the front of the line should be?

My props and transforms files are stock. I haven't made any changes there. All logs come in on TCP and UDP port 514.

Thanks,
Scott

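The "189 <134>" and "190 <134>" prefixes are not added by Splunk. They are RFC 6587 octet-counting framing, one of the two ways syslog is framed over TCP: "189" is the byte length of the message that follows, and "<134>" is the syslog PRI field of that message (facility 16, local0, times 8 plus severity 6, informational). rsyslog's TCP input recognises that framing, which is why it showed two separate lines; a newline-oriented TCP input finds no newline between two frames that arrive in one buffer and stores them as one event, count prefixes included. The block below is an added example, not code from the post, from Splunk or from Juniper: a small deframer that re-splits such a stream under either RFC 6587 framing (octet-counted or newline-terminated) and copes with a frame cut across two TCP reads. The two sample messages are constructed from the sanitized lines in the post, so their computed byte counts do not equal the 189 and 190 shown on the page.

```python
from __future__ import annotations

import re

# RFC 6587 octet counting: "<MSG-LEN> <SYSLOG-MSG>", where MSG-LEN is the byte
# length of SYSLOG-MSG and SYSLOG-MSG itself begins with the "<PRI>" field.
# The lookahead keeps a message that merely starts with digits (non-transparent
# framing) from being mistaken for a length prefix.
OCTET_COUNT_RE = re.compile(rb"^(\d{1,5}) (?=<\d{1,3}>)")
PRI_RE = re.compile(rb"<(\d{1,3})>")


def parse_pri(msg: bytes) -> tuple[int, int, bytes]:
    """Split the <PRI> field off a syslog message: PRI = facility * 8 + severity."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError(f"missing PRI field: {msg[:20]!r}")
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, msg[m.end():]


def deframe(buf: bytes) -> tuple[list[bytes], bytes]:
    """Extract every complete syslog message from a TCP receive buffer.

    Returns (messages, remainder). The remainder is an incomplete trailing frame
    (a length prefix with too few bytes behind it, or a line with no newline yet)
    that the caller must keep and prepend to the next read.
    """
    msgs: list[bytes] = []
    while buf:
        m = OCTET_COUNT_RE.match(buf)
        if m:
            length = int(m.group(1))
            start = m.end()
            if len(buf) - start < length:
                break  # partial octet-counted frame: wait for more bytes
            msgs.append(buf[start:start + length])
            buf = buf[start + length:]
            if buf.startswith(b"\n"):  # some senders add a newline after the frame
                buf = buf[1:]
            continue
        nl = buf.find(b"\n")
        if nl < 0:
            break  # partial newline-terminated frame
        line = buf[:nl].rstrip(b"\r")
        buf = buf[nl + 1:]
        if line:
            msgs.append(line)
    return msgs, buf


def split_stream(chunks: list[bytes]) -> tuple[list[bytes], bytes]:
    """Run successive TCP reads through deframe(), carrying leftovers between reads."""
    pending = b""
    out: list[bytes] = []
    for chunk in chunks:
        pending += chunk
        msgs, pending = deframe(pending)
        out.extend(msgs)
    return out, pending


def octet_frame(msg: bytes) -> bytes:
    """Frame one message the way an octet-counting sender does."""
    return b"%d %s" % (len(msg), msg)


# Constructed sample input modelled on the sanitized lines in the post
# (hostnames, users and addresses are placeholders, not real data).
SAMPLE_MSGS = [
    b"<134>Juniper: 2014-08-27 12:34:09 - myjunmag01 - [127.0.0.1] MYDOMAIN\\user1(Company laptops)[] - "
    b"Host Checker policy 'Company Laptop' passed on host 1.2.3.4  for user 'MYDOMAIN\\user1'.",
    b"<134>Juniper: 2014-08-27 12:34:14 - myjunmag01 - [127.0.0.1] MYDOMAIN\\user2(Company laptops)[] - "
    b"Host Checker policy 'Company Laptop' passed on host 2.3.4.5  for user 'MYDOMAIN\\user2'.",
]
# Two frames buffered by the sender into one write, with no newline between them
# (the shape seen in the merged Splunk event), delivered to us in two TCP reads
# that split the second frame in the middle.
SAMPLE_STREAM = b"".join(octet_frame(m) for m in SAMPLE_MSGS)
SAMPLE_CHUNKS = [SAMPLE_STREAM[:250], SAMPLE_STREAM[250:]]


if __name__ == "__main__":
    msgs, rest = split_stream(SAMPLE_CHUNKS)
    for msg in msgs:
        facility, severity, body = parse_pri(msg)
        print(f"facility={facility} severity={severity} {body.decode()}")
    print(f"leftover bytes: {len(rest)}")
```

Feeding the constructed stream through split_stream() yields the two messages separately, with nothing left over, and parse_pri() reports facility 16 and severity 6 for each. Whether a given input should strip the count or keep it is a receiver-side decision; the boundary the deframer matches, a run of digits and a space immediately before "<PRI>", is the same boundary any line-breaking rule for this traffic has to recognise.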

aholzel
Communicator

This is not a Splunk problem but a Juniper SA problem.

This is a bug in the syslog via TCP implementation in the Juniper SA. The problem is that the SA is buffering the logging and is not sending it out one at a time as it happens (live stream). I created a support ticket for this back in November and Juniper confirmed my findings. Juniper has solved this problem in version 8.1R1 (released in December).
