Ever since I installed this app, nothing else has been showing data on udp:514?

bcdatacomm
Explorer

When I installed the app and set it up using the guide, I also set it up to use its own index. I set it up to send the data over https. But for some reason now, nothing is showing in my regular index that udp:514 is sent to. I stopped getting entries at the exact time I installed this app. What did it do to hijack udp:514?

:/etc# lsof -i :514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
splunkd 13946 root 37u IPv4 2709215 0t0 TCP *:shell (LISTEN)
splunkd 13946 root 44u IPv4 2709220 0t0 UDP *:syslog

0 Karma
1 Solution

TonyLeeVT
Builder

Problem solved. Changed props.conf settings below and it fixed the issue. We tested this change in the FireEye app and it did not seem to break anything, thus we pushed a new version to the app store. Note: we need the linemerge for json and xml over syslog, but it seems to break intelligently thus far.

[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))

-to-

[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = true
LINE_BREAKER = ((?!))

Thanks to bcdatacomm for bringing this issue to our attention.

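The thread's underlying point is that a `[syslog]` stanza shipped inside an app applies to every input of that sourcetype, so one add-on can silently change how all port-514 data is broken into events. The script below is an added illustration, not code from the thread or from the app it discusses: it is a simplified model of the two props.conf stages involved (`LINE_BREAKER`, then the optional line merger with its default break-before-date behaviour), run over a constructed sample stream. With the stanza as originally shipped (`SHOULD_LINEMERGE = false` plus a `LINE_BREAKER` that never matches), the whole stream collapses into a single event; after the fix the line merger splits it back into one event per syslog message while still keeping the multi-line JSON payload together. The date heuristic and the sample lines are assumptions made for the example.

```python
import re

# Constructed sample stream (not real data): four syslog messages as they might
# arrive on udp:514, the last one a JSON payload spread over three lines.
SAMPLE_STREAM = (
    "<34>Jan 12 10:00:01 fw01 kernel: iptables DROP src=10.0.0.5\n"
    "<13>Jan 12 10:00:02 web01 sshd[2211]: Accepted publickey for ops\n"
    "<13>Jan 12 10:00:03 app02 cron[99]: (root) CMD (run-parts)\n"
    "<14>Jan 12 10:00:04 app03 svc: {\n"
    '  "alert": "example"\n'
    "}\n"
)

DEFAULT_LINE_BREAKER = r"([\r\n]+)"  # Splunk's default LINE_BREAKER
NEVER_MATCH_BREAKER = r"((?!))"      # value from the app's [syslog] stanza: matches nothing

# Assumed stand-in for BREAK_ONLY_BEFORE_DATE: a line that begins a new event carries
# a syslog timestamp, optionally preceded by a <PRI> field.
_STARTS_WITH_DATE = re.compile(r"^(<\d+>)?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")


def line_break(stream, line_breaker):
    """Stage 1: split on LINE_BREAKER. The text captured by group 1 is the
    delimiter and is discarded; a pattern that never matches yields one chunk."""
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(stream):
        events.append(stream[start:m.start(1)])
        start = m.end(1)
    events.append(stream[start:])
    return [e for e in events if e.strip()]


def line_merge(events):
    """Stage 2 (SHOULD_LINEMERGE = true): re-split each chunk on newlines and glue a
    line that does not start with a date onto the previous event."""
    merged = []
    for chunk in events:
        for line in chunk.splitlines():
            if not line.strip():
                continue
            if merged and not _STARTS_WITH_DATE.match(line):
                merged[-1] += "\n" + line
            else:
                merged.append(line)
    return merged


def break_events(stream, line_breaker, should_linemerge):
    """Simplified model of the props.conf pipeline: LINE_BREAKER, then the optional merger."""
    events = line_break(stream, line_breaker)
    return line_merge(events) if should_linemerge else events


if __name__ == "__main__":
    for label, breaker, merge in [
        ("app stanza as shipped", NEVER_MATCH_BREAKER, False),
        ("app stanza after the fix", NEVER_MATCH_BREAKER, True),
        ("Splunk default", DEFAULT_LINE_BREAKER, False),
    ]:
        n = len(break_events(SAMPLE_STREAM, breaker, merge))
        print(f"{label:26s} -> {n} event(s)")
```

On a real indexer the way to find out which app is supplying a `[syslog]` setting is `splunk btool props list syslog --debug`, which prints each effective key together with the file it came from; an unexpected app path next to `LINE_BREAKER` or `SHOULD_LINEMERGE` right after an install is the same symptom this thread describes.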

bcdatacomm
Explorer

Thanks again for the quick help and resolution!

0 Karma

TonyLeeVT
Builder

No problem. I will look at props in the meantime and try to shuffle what I believe to be the offenders to a lower stanza. Then I will test the app and see if it breaks anything. Thanks for bringing this to our attention.

0 Karma

bcdatacomm
Explorer

Wow, talk about a fast response! Thanks! I'll email you shortly.

0 Karma

TonyLeeVT
Builder

It is most likely because the app accepts traffic as syslog and then parses it into different sourcetypes. Some of the regex may be catching some of your other traffic. If you email me directly via the feedback dropdown in the app, we can set up a webex and figure out what is going on. Then we can fix it for you and others.