I'm sending CEF messages to a Splunk forwarder listening on TCP:9999. The lines are not being individually being identified when it makes it to the Splunk Search. I would like to do the parsing work here at the forwarder. I tried various iterations and ended up with the following based on other answers.
inputs.conf
[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false
disabled = 0
The lines are still not breaking to individual lines. Please help.
If the configuration files are set as lephino says, then change LINE_BREAKER to BREAK_ONLY_BEFORE
BREAK_ONLY_BEFORE=CEF:0
I believe that LINE_BREAKER and BREAK_ONLY_BEFORE are applied prior to the SHOULD_LINEMERGE
You might also try using just SHOULD_LINEMERGE alone, without specifying either LINE_BREAKER or BREAK_ONLY_BEFORE
Also, did you know that there is a free app on Splunkbase to help with ArcSight-formatted CEF events? It is called
CEF (Common Event Format) Extraction Utilities
Download it and see what it can do for you.
Doesn't a standard CEF event look like
Aug 19 08:26:10 host CEF:version message
And are all of your CEF messages single line?
Just to clarify, you have the following as your inputs.conf:
[tcp://9999]
connection_host = none
sourcetype = ArcsightCEF
disabled = 0
then you have the following in your props.conf?
[ArcsightCEF]
LOOKAHEAD = 3000
LINE_BREAKER = (CEF:0)
SHOULD_LINEMERGE = false
CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232CEF:0|security|threatmanager|1.0|100|Port Scan Detected|10|src=10.0.0.2 dst=2.1.2.3 spt=1233
Could you please provide an example CEF event?