I see a lot of Splunk Answers about multiple lined entries being broken up into separate events. I have the opposite problem: multiple events being reported as a single entry.
I have two (identically configured?) Suricata boxes logging with fast.log enabled, using universal forwarders. On one, each alert event gets recorded as a single line (as it should), but the other is combining different alert events (with different timestamps) into a single Splunk event. Apologies if the formatting below doesn't allow this to be presented correctly, but you get the idea... example:
Time: 7/11/16 2:10:36.000 PM
Event:
07/11/2016-14:10:36.353417 [**] [1:12053001:1] test jabberwocky [**] [Classification: (null)] [Priority: 3] {TCP} 10.15.9.202:2285 -> 209.135.140.78:80
07/11/2016-14:10:36.504980 [**] [1:12053001:1] test jabberwocky [**] [Classification: (null)] [Priority: 3] {TCP} 10.15.9.202:2285 -> 209.135.140.78:80
This was working before -- it just started after re-pointing these boxes to a new indexer cluster... (yes, removed pointers to the old instance, and confirmed).
Thoughts?
Thanks,
Mike
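An added example, not part of Mike's post and not a diagnosis of his boxes: parsing-time settings such as LINE_BREAKER and SHOULD_LINEMERGE take effect on the indexers (a universal forwarder only ships the stream), so a props.conf stanza that existed on the old indexers would have to be deployed to the new cluster as well. The script below holds a candidate props.conf stanza for Suricata fast.log (the sourcetype name "suricata:fast" is an assumption), reads it back with configparser, and emulates Splunk's two relevant stages on two constructed fast.log lines modelled on the ones above: LINE_BREAKER splitting at every line that begins with a fast.log timestamp, and the line-merge stage that, when it does not recognise the timestamp on a following line, glues both alerts into one event with two timestamps, which is the symptom described in the post.

```python
"""Emulate Splunk event breaking for Suricata fast.log (added example, not Splunk code)."""
from __future__ import annotations

import configparser
import re
from datetime import datetime
from typing import Callable, Dict, List

# Constructed sample: two fast.log alerts with different timestamps, modelled on
# the pair shown in the post (constructed here, not captured from a real sensor).
SAMPLE_FAST_LOG = (
    "07/11/2016-14:10:36.353417 [**] [1:12053001:1] test jabberwocky [**] "
    "[Classification: (null)] [Priority: 3] {TCP} 10.15.9.202:2285 -> 209.135.140.78:80\n"
    "07/11/2016-14:10:36.504980 [**] [1:12053001:1] test jabberwocky [**] "
    "[Classification: (null)] [Priority: 3] {TCP} 10.15.9.202:2285 -> 209.135.140.78:80\n"
)

# Candidate props.conf stanza (sourcetype name is an assumption). Splunk ends the
# previous event at the start of LINE_BREAKER's capture group 1, discards the
# group's text and starts the next event after it; the group therefore captures
# only the newline(s) and a lookahead demands a fast.log timestamp next.
# SHOULD_LINEMERGE=false disables the merge stage entirely, so event boundaries
# no longer depend on Splunk recognising "MM/DD/YYYY-HH:MM:SS.ffffff" as a date.
PROPS_CONF = r"""
[suricata:fast]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6} )
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %m/%d/%Y-%H:%M:%S.%6N
"""

FAST_TS = re.compile(r"\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6}")


def load_stanza(text: str, sourcetype: str) -> Dict[str, str]:
    """Read one props.conf stanza; it is INI-like with case-sensitive keys and '=' only."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep LINE_BREAKER etc. in their original case
    cp.read_string(text)
    return dict(cp[sourcetype])


def split_events(raw: str, line_breaker: str) -> List[str]:
    """Emulate LINE_BREAKER: cut at group 1, discard its text, drop empty pieces."""
    # re.split also returns the captured newlines; they are dropped by the filter.
    return [p.strip() for p in re.split(line_breaker, raw) if p.strip()]


def line_merge(lines: List[str], starts_event: Callable[[str], bool]) -> List[str]:
    """Emulate SHOULD_LINEMERGE=true: a line that the predicate does not accept as
    the start of a new event is appended to the previous event."""
    events: List[str] = []
    for line in lines:
        if events and not starts_event(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def extract_time(event: str, time_format: str, lookahead: int) -> datetime:
    """Parse the timestamp Splunk would assign with TIME_PREFIX=^: the first
    `lookahead` characters. Splunk's %6N (microseconds) is Python's %f."""
    return datetime.strptime(event[:lookahead], time_format.replace("%6N", "%f"))


def timestamps_in(event: str) -> List[str]:
    """A correctly broken fast.log event carries exactly one timestamp; a merged one, more."""
    return FAST_TS.findall(event)


if __name__ == "__main__":
    stanza = load_stanza(PROPS_CONF, "suricata:fast")
    lookahead = int(stanza["MAX_TIMESTAMP_LOOKAHEAD"])
    for ev in split_events(SAMPLE_FAST_LOG, stanza["LINE_BREAKER"]):
        print(extract_time(ev, stanza["TIME_FORMAT"], lookahead), ev[:42])
    # Failure mode from the post: merge stage never recognises a new event.
    for ev in line_merge(SAMPLE_FAST_LOG.splitlines(), lambda line: False):
        print("merged event with", len(timestamps_in(ev)), "timestamps")
```

To find already-indexed merged events, the same check can be run in Splunk with a multi-value rex: `index=<your index> sourcetype=<your sourcetype> | rex max_match=0 "(?<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})" | where mvcount(ts) > 1`. Data indexed before the stanza is deployed keeps its existing boundaries; only new data is affected.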