
seeing meta tags with log entries

initconf
New Member

Hello:

I am very new to Splunk. I have configured a light forwarder to forward syslogs to a Splunk collector on a specific port, which has its own indexer.

I am not sure if the _internal index is also getting indexed with my custom syslog index?

I am seeing entries such as this; the first entry is clean while subsequent entries are getting padded (below, in reverse chronological order):

# 12/22/10 1:12:49.000 PM

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x13sourcetype::fwd-hb\x00\x00\x00\x00\x10MetaData:Source\x00\x00\x00\x00\xFsource::fwd-hb\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00\x00\x00\x1\xCC\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00LDec 22 13:12:49 localhost user: I am running as root again and again

* host=localhost
* sourcetype=syslog
* source=tcp:5140

# 2 12/22/10 1:12:33.000 PM

\x00\x00\x1\xC2\x00\x00\x00\xB\x00\x00\x00\x5_raw\x00\x00\x00\x00BDec 22 13:12:33 localhost user: I am running as root again

* host=localhost
* sourcetype=syslog
* source=tcp:5140

# 3 12/22/10 1:12:07.000 PM

Dec 22 13:12:07 localhost user: I am running as root

Any thoughts/help would be great.

Thanks, Dev

jkerai
Splunk Employee

Could you provide the forwarder's outputs.conf and the indexer's inputs.conf? It seems like on the indexer the receiving port is misconfigured. Please see that it is configured as

[splunktcp://9997]

gkanapathy
Splunk Employee

Yes. I would suspect that the input is configured as just [tcp:NNNN].

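The two conf files the answers ask about, as an added illustration that is not from the original thread: the indexer-side receiving stanza that produces the padded events beside the corrected splunktcp stanza, and the matching forwarder side. The hostname indexer.example.com, the index name syslog, and the use of port 5140 for the raw listener are assumptions (5140 is taken from the source=tcp:5140 field in the question).

```ini
# indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
#
# Misconfigured: a plain TCP input on the port the forwarder sends to.
# A forwarder sends "cooked" Splunk-to-Splunk data by default, so the
# MetaData:Sourcetype / _raw framing is indexed as if it were syslog text,
# and the forwarder's own _internal heartbeat events (sourcetype fwd-hb)
# land in the syslog index alongside the real syslog lines.
# (assumption: 5140 is the raw listener, from source=tcp:5140 in the question)
[tcp://5140]
sourcetype = syslog
index = syslog

# Corrected: receive forwarder traffic on a splunktcp input instead.
# The cooked events then keep the index and sourcetype the forwarder
# assigned them (_internal for heartbeats), and only the syslog lines
# reach the syslog index.
[splunktcp://9997]


# forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf
#
# The target port here must be the splunktcp port on the indexer.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# assumed hostname; replace with the real indexer
server = indexer.example.com:9997

# Alternative not discussed in the thread: keep the [tcp://5140] input and
# uncomment the line below so the forwarder sends raw text instead of cooked
# data. The padding disappears, but index/sourcetype/host metadata set on the
# forwarder is no longer carried to the indexer.
# sendCookedData = false
```

After changing either file, restart the affected Splunk instance and confirm the source field of new syslog events no longer reads tcp:5140 with cooked framing in _raw.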