Getting Data In

Why the logs coming from Splunk to Alienvault SIEM sensor, are not readable?

ginstinct
New Member

These are the logs coming from Splunk to my AlienVault SIEM sensor, but my SIEM is unable to read those logs. I have checked all the confs like props.conf, transform.conf, input.conf and output.conf, but I couldn't understand the issue. The main issue is that in each key-value pair in the logs, the value contains this kind of weird #015#012 sequence. All events are from Windows. At first I thought there might be data anonymizing, but there is no TRANSFORMS-annonymize entry in props.conf. Please help, thanks in advance.

Mar 17 23:00:03 172.16.8.145  TEC-R90M6PGD Type=NetworkAdapter#015#012Name="Microsoft Wi-Fi Direct Virtual Adapter #2"#015#012Manufacturer="Microsoft"#015#012ProductName="Microsoft Wi-Fi Direct Virtual Adapter"#015#012Status=""#015#012MACAddress="36:F3:9A:3D:28:1D"Mar 17 23:00:02 172.16.8.145  TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=1 G:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015

Mar 17 23:00:02 172.16.8.145  TECSRVTP-DB01 20190317230049.310381#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=2 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015

Mar 17 23:00:02 172.16.8.145  TECSRVEXMBX02 20190317230049.314638#015#012CurrentDiskQueueLength=0#015#012DiskBytesPersec=0#015#012Name=3 F:#015#012PercentDiskReadTime=0#015#012PercentDiskTime=0#015#012PercentDiskWriteTime=0#015#012wmi_type=LocalPhysicalDisk#015#012#015
0 Karma
1 Solution

nickhills
Ultra Champion

This looks like a slightly odd encoding/escaping of octal \015 \012, which is the same as \r\n (and \0, which is null).
I would rewrite both #0#015#012 and #015#012 as a literal space as you ingest the data.

Edit: I read this question as if it was AlienVault -> Splunk instead of the other way round, but hopefully the explanation still stands.

If my comment helps, please give it a thumbs up!


0 Karma
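A worked decoder for the escaped format in the question, added here as an example and not code from the thread or from either product: it assumes the #NNN sequences are three-digit octal escapes of control characters (the \015 \012 = \r\n reading given in the answer), maps them back, splits the two records that arrived glued together, reads the CR/LF-separated key=value fields, and also shows the ingest-time "rewrite as a literal space" the answer suggests. The sample input is constructed from the events above.

```python
import re

# Constructed sample from the events in the question: two records glued together on
# one line, with #NNN (three octal digits) for the control characters (015=CR, 012=LF).
SAMPLE = (
    'Mar 17 23:00:03 172.16.8.145  TEC-R90M6PGD Type=NetworkAdapter#015#012'
    'Name="Microsoft Wi-Fi Direct Virtual Adapter #2"#015#012Manufacturer="Microsoft"'
    '#015#012MACAddress="36:F3:9A:3D:28:1D"'
    'Mar 17 23:00:02 172.16.8.145  TECSRVTP-DB01 20190317230049.310381#015#012'
    'CurrentDiskQueueLength=0#015#012Name=1 G:#015#012wmi_type=LocalPhysicalDisk#015#012#015'
)

OCTAL_ESCAPE = re.compile(r'#([0-7]{3})')
MONTHS = 'Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec'
TIMESTAMP = rf'(?:{MONTHS}) +\d{{1,2}} \d\d:\d\d:\d\d'
# A record starts at a syslog timestamp (lookahead keeps it in the record). This is a
# heuristic: the real boundary was lost upstream, so a value holding a timestamp fools it.
RECORD_START = re.compile(rf'(?={TIMESTAMP} )')
HEADER = re.compile(rf'^({TIMESTAMP}) (\S+) +(\S+) ?(.*)$')

def unescape_octal(text: str) -> str:
    """#015 -> CR, #012 -> LF. A '#' without three octal digits ('#2') is kept as is."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)

def split_records(blob: str) -> list:
    """Separate records that were concatenated without a line break."""
    return [r for r in RECORD_START.split(blob) if r]

def parse_record(record: str) -> dict:
    """Header plus key=value fields. The CR/LF runs are the real field separators,
    so split on them before dropping them (values like 'Name=1 G:' contain spaces)."""
    parts = [p for p in re.split(r'[\r\n\x00]+', unescape_octal(record)) if p]
    m = HEADER.match(parts[0])
    if not m:
        raise ValueError(f'unrecognised syslog header: {parts[0]!r}')
    event = {'timestamp': m.group(1), 'source': m.group(2), 'host': m.group(3)}
    for item in ([m.group(4)] if m.group(4) else []) + parts[1:]:
        key, sep, value = item.partition('=')
        if sep:
            event[key] = value.strip('"')
        else:
            event['prefix'] = item  # e.g. the WMI collection timestamp
    return event

def flatten_record(record: str) -> str:
    """The ingest-time rewrite from the answer: each escaped CR/LF (and NUL) run
    becomes one literal space, so the SIEM receives a single-line event."""
    return re.sub(r'[\r\n\x00]+', ' ', unescape_octal(record)).strip()
```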


ginstinct
New Member

Thanks for your explanation @nickhillscpl, but what should be the workaround for this issue?

0 Karma

nickhills
Ultra Champion

How are you sending data to AlienVault?

If my comment helps, please give it a thumbs up!
0 Karma