RFC5424 Syslog Add On is collecting HTTP Header information, but not showing the body of the message.

mgranger1
Path Finder

Hey Gang,

First, the basics. We are running a Splunk Enterprise 6.6.4 infrastructure on Red Hat Linux. We are attempting to collect data from a Cloud Foundry Log Drain, as documented here: https://docs.cloudfoundry.org/devguide/services/integrate-splunk.html

We have almost everything working properly; however, for some reason, we are receiving the HTTP header information (about 7 lines of it), but we are not receiving the body of the message. We have confirmed by using TCP packet captures that complete messages are being sent to my Splunk Heavy Forwarder, but when I look in Splunk at the index I've created for this purpose, the bodies of the messages are not being received.

I have several concerns. First, we are running the 1.1 version of the RFC5424_Syslog, and there haven't been any updates to this app since 2014. Second, the "Splunk Compatibility" of this app only goes through version 6.1 (which I'm sure was probably the current version back in 2014 when the last update was made).

Is anyone familiar with this app? Has anyone had an issue with losing the body of the message while using this app? Any help would be appreciated.

Sincerely,
Matthew Granger
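As an added illustration (not code from the post, from the RFC5424 Syslog add-on, or from Cloud Foundry), the script below does on a captured drain request what the poster did by hand with the packet capture: it splits an HTTP POST at the blank line that ends the header block, checks whether the body that follows is as long as the declared Content-Length, and parses the RFC 5424 fields of the syslog message in the body. The request, the message, the host name and the app GUID are all constructed placeholders; the header count, timestamps and message text are not taken from the poster's environment.

```python
"""Diagnose a captured HTTPS log-drain POST: separate HTTP headers from the
syslog body, check body completeness, and parse the RFC 5424 message.

Everything below is a constructed sample for illustration, not a capture
from a real Cloud Foundry drain or from Splunk.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed RFC 5424 line of the kind a Cloud Foundry drain emits:
# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SAMPLE_BODY = (
    "<14>1 2018-05-04T13:25:41.123456+00:00 loggregator 0a1b2c3d-app "
    "[APP/PROC/WEB/0] - - GET /health 200 in 3ms\n"
)

# Constructed HTTP/1.1 POST wrapping that body; host and path are placeholders.
SAMPLE_REQUEST = (
    "POST /services/collector HTTP/1.1\r\n"
    "Host: splunk-hf.example.internal:8088\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "Content-Type: text/plain\r\n"
    f"Content-Length: {len(SAMPLE_BODY.encode('utf-8'))}\r\n"
    "\r\n" + SAMPLE_BODY
)

# The fixed, space-separated header fields of an RFC 5424 message.
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)


def split_http_request(raw: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, body). The header block ends at the first CRLF CRLF."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line found: header block is incomplete")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def body_is_complete(headers: Dict[str, str], body: str) -> bool:
    """True only when the body is exactly as long as Content-Length declares."""
    declared = headers.get("content-length")
    if declared is None:
        return False
    return len(body.encode("utf-8")) == int(declared)


def _find_sd_close(s: str, start: int) -> int:
    """Index of the ']' closing the SD-ELEMENT that opens at s[start];
    a ']' escaped as '\\]' inside a PARAM-VALUE does not count."""
    i = start + 1
    while i < len(s):
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == "]":
            return i
        i += 1
    raise ValueError("unterminated STRUCTURED-DATA element")


def parse_rfc5424(line: str) -> Dict[str, str]:
    """Parse one RFC 5424 message into its named fields."""
    m = RFC5424_HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: " + line[:40])
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["facility"] = str(pri // 8)
    fields["severity"] = str(pri % 8)
    rest = line[m.end():]
    if rest.startswith("-"):            # NILVALUE: no structured data
        fields["sd"] = "-"
        rest = rest[1:]
    else:                               # one or more [...] elements
        end = 0
        while end < len(rest) and rest[end] == "[":
            end = _find_sd_close(rest, end) + 1
        fields["sd"] = rest[:end]
        rest = rest[end:]
    fields["msg"] = rest.lstrip(" ").rstrip("\n")
    return fields


def check_drain_request(raw: str) -> Dict[str, object]:
    """Summarise one captured request: header count, body completeness, event."""
    headers, body = split_http_request(raw)
    event: Optional[Dict[str, str]] = parse_rfc5424(body) if body else None
    return {
        "header_count": len(headers),
        "body_complete": body_is_complete(headers, body),
        "event": event,
    }


if __name__ == "__main__":
    print(check_drain_request(SAMPLE_REQUEST))
```

Feeding the reassembled TCP stream of one request into check_drain_request shows whether the body was on the wire and whether it parses as RFC 5424; if the wire copy is complete but the indexed event contains only the header lines, the loss is on the receiving side rather than in the drain.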
