- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why the logs coming from Splunk to Alienvault SIEM...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are the logs coming from splunk to my alienvault SIEM Sensor but my SIEM is unable to read those logs. I have checked all the confs like props.conf, transform.conf, input.conf, output.conf but I couldn't understand the issue. The main issue is in each key value pair in logs, value is being #015#012 this kind of weird. All events are from Windows. At first I thought there may be data Anonymizing but there is not **TRANSFORMS-annonymize entry in props.conf. Please help, Thanks in advanced.**
Mar 17 23:00:03 172.16.8.145 TEC-R90M6PGD Type=NetworkAdapter#015#012Name="Microsoft Wi-Fi Direct Virtual Adapter #2"#015#012Manufacturer="Microsoft"#015#012ProductName="Microsoft Wi-Fi Direct Virtual Adapter"#015#012Status=""#015#012MACAddress="36:F3:9A:3D:28:1D"Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=1 G:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
Mar 17 23:00:02 172.16.8.145 TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=2 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
Mar 17 23:00:02 172.16.8.145 TECSRVEXMBX02 20190317230049.314638#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=3 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This looks like a slightly odd encoding/escaping of octal \015 \012 which is the same as \r\n ( and \0 which is null)
I would rewrite both #0#015#012 and #015#012 as a literal space as you ingest the data.
Edit: I read this question as if it was AlienVault -> Splunk instead of the other way round, but hopefully the explanation still stands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This looks like a slightly odd encoding/escaping of octal \015 \012 which is the same as \r\n ( and \0 which is null)
I would rewrite both #0#015#012 and #015#012 as a literal space as you ingest the data.
Edit: I read this question as if it was AlienVault -> Splunk instead of the other way round, but hopefully the explanation still stands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank for your explanation @nickhillscpl , but what should be the workaround to this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are you sending data to AlienVault?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
