It was discovered that the beginning of each event is getting cut off. The event time, hostname, future_use1 field, and half of receive time field are missing. Please see examples below. The current non-default field extractions would break for all new (correctly formatted) events. We need to find a way to modify all old events before fixing the rsyslog configs and switching to default extractions.
Cut off event being forwarded to production:
18:27:50,008501000455,TRAFFIC,drop,0,2015/11/24 18:27:50,XXX.XXX.XXX.XXX,XXX.XXX.XXX.XXX,0.0.0.0,0.0.0.0,DenyAll,,,not-applicable,vsys1,inside,inside,ethernet1/23.400,,Splunk,2015/11/24 18:27:50,0,1,137,137,0,0,0x0,udp,deny,96,96,0,1,2015/11/24 18:27:50,0,any,0,17884590490,0x0,SRA,SRA,0,1,0,policy-deny,12,0,0,0,,SC02-FW01-S101,from-policy
Full event being captured by tcpdump:
Nov 24 00:27:28 our.hostname.com 1,2015/11/24 00:27:28,008501000455,SYSTEM,userid,0,2015/11/24 00:27:28,,connect-ldap-sever,XXX.XXX.XXX.XXX,0,0,general,informational,"ldap cfg grp_mapping connected to server XXX.XXX.XXX.XXX636, initiated by: XXX.XXX.XXX.XXX",12423214,0x8000000000000000,0,0,0,0,,SC02-FW01-S101
Any ideas on how best to do this would be greatly appreciated. Thanks!
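The two sample events above differ only by the missing prefix: the truncated TRAFFIC record starts at the time-of-day half of receive_time, while the intact SYSTEM record carries the syslog header, the leading future_use field ("1") and the full receive_time. Because PAN-OS writes generated_time a few fields later in the same record, the lost date half of receive_time can be rebuilt from it, and the remaining fields can be shifted back into their default positions. The script below is an added example (not part of the original post or of Splunk/PAN-OS itself) that detects a truncated record and reconstructs the default CSV layout; it assumes the future_use1 value is "1" as in the captured event, and that the syslog header (hostname, timestamp) is not needed in the payload because Splunk carries the host as metadata. The sample lines are the ones from the post, masked IPs included.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Sample records copied from the post (IPs masked there already).
TRUNCATED = ('18:27:50,008501000455,TRAFFIC,drop,0,2015/11/24 18:27:50,'
             'XXX.XXX.XXX.XXX,XXX.XXX.XXX.XXX,0.0.0.0,0.0.0.0,DenyAll,,,not-applicable,'
             'vsys1,inside,inside,ethernet1/23.400,,Splunk,2015/11/24 18:27:50,0,1,137,137,'
             '0,0,0x0,udp,deny,96,96,0,1,2015/11/24 18:27:50,0,any,0,17884590490,0x0,SRA,SRA,'
             '0,1,0,policy-deny,12,0,0,0,,SC02-FW01-S101,from-policy')
FULL = ('Nov 24 00:27:28 our.hostname.com 1,2015/11/24 00:27:28,008501000455,SYSTEM,userid,0,'
        '2015/11/24 00:27:28,,connect-ldap-sever,XXX.XXX.XXX.XXX,0,0,general,informational,'
        '"ldap cfg grp_mapping connected to server XXX.XXX.XXX.XXX636, initiated by: '
        'XXX.XXX.XXX.XXX",12423214,0x8000000000000000,0,0,0,0,,SC02-FW01-S101')

# "Nov 24 00:27:28 our.hostname.com " style header written by rsyslog.
SYSLOG_HDR = re.compile(r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ')
TIME_ONLY = re.compile(r'^\d{2}:\d{2}:\d{2}$')          # what is left of receive_time
DATE_TIME = re.compile(r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$')
PAN_FMT = '%Y/%m/%d %H:%M:%S'


def split_fields(line):
    """Split one PAN-OS CSV record, honouring quoted fields that contain commas."""
    return next(csv.reader([line]))


def join_fields(fields):
    """Re-serialise a field list, quoting only where the CSV rules require it."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator='').writerow(fields)
    return buf.getvalue()


def strip_syslog_header(line):
    return SYSLOG_HDR.sub('', line, count=1)


def is_truncated(fields):
    """A default-layout record starts with future_use1; a cut-off one starts with HH:MM:SS."""
    return bool(fields) and TIME_ONLY.match(fields[0]) is not None


def repair(line, future_use1='1'):
    """Return (csv_payload, was_repaired) with the payload in the default PAN-OS layout.

    future_use1='1' is an assumption taken from the captured event in the post.
    """
    payload = strip_syslog_header(line)
    fields = split_fields(payload)
    if not is_truncated(fields):
        if len(fields) > 1 and DATE_TIME.match(fields[1]):
            return payload, False          # already in the default layout
        raise ValueError('unrecognised PAN-OS record: %r' % payload[:40])

    # Truncated layout: [HH:MM:SS, serial, type, subtype, future_use, generated_time, ...]
    if len(fields) < 6 or not DATE_TIME.match(fields[5]):
        raise ValueError('cannot locate generated_time in: %r' % payload[:40])
    generated = datetime.strptime(fields[5], PAN_FMT)
    # Rebuild receive_time from its surviving time-of-day plus the generated_time date.
    received = datetime.combine(generated.date(),
                                datetime.strptime(fields[0], '%H:%M:%S').time())
    if received < generated:               # receipt crossed midnight after generation
        received += timedelta(days=1)
    rebuilt = [future_use1, received.strftime(PAN_FMT)] + fields[1:]
    return join_fields(rebuilt), True


def repair_stream(lines, future_use1='1'):
    """Normalise an iterable of raw syslog lines; yields default-layout payloads."""
    for line in lines:
        line = line.rstrip('\r\n')
        if line:
            yield repair(line, future_use1)[0]


if __name__ == '__main__':
    for out in repair_stream([TRUNCATED, FULL]):
        print(out)
```

Already-indexed events cannot be edited in place, so the practical route is to run a normaliser like this over the archived raw syslog files (or the tcpdump captures) and re-index the result once the rsyslog template and the default extractions are in place. The midnight adjustment is a heuristic: it assumes a record is never received before it was generated, which holds for these firewall logs but is worth checking against the original generated_time/receive_time pairs in the tcpdump data before a bulk run.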