splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

How to prevent: "Value names cannot be longer than 255 characters, this value will always expand to the empty string;" #2297

Open ehlo550 opened 7 months ago

ehlo550 commented 7 months ago

Was the issue replicated by support? Yes.

What is the sc4s version? 2.48

Is there a pcap available? Yes.

Is the issue related to the environment of the customer or a software-related issue? It's related to the syslog-ng/sc4s configuration.

Describe the bug
When I send a specific message to sc4s I get sort of an "error", more of an informational message, logged from sc4s:

- - syslog-ng 158 - [meta sequenceId="43428"]Value names cannot be longer than 255 characters, this value will always expand to the empty string; value='.values.XXXXXXXXXXXXX'

The content that was replaced with XXXXXXXX is base64-encoded and ends with a = character in the original message.

How can I get rid of these error messages?

I am sure that some parser is used on this message and, due to the value ending with a =, sc4s is trying to use everything before it as a key and everything after it as a value.

I assume I simply need to add an app parser to stop this behaviour. The message below is just an example, so this is a general question and independent of sourcetype/vendor_product. Splunk Support told me to open an issue here.

To Reproduce
Steps to reproduce the behavior:

  1. Send the example message to sc4s:

     echo "<13>Nov 08 12:59:54 1.1.1.1 f5req_forward_clone[-]: F5-REQ-VERSION:v1:date_time='2023-11-08 13:59:54',clientip='1.2.2.2',host='host.example.com' ,http_host='host.example.com',http_responsecode='200',http_username='makemelongenoughtotriggerAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABASE64CONTENTendingwitha=',http_user-agent='PHP-SOAP-CURL',http_referer='',http_xff='3.3.3.3',http_request_id='',cached='false',virtualname='something',virtualip='4.4.4.4',virtualport='443',http_method='POST',http_path='/bla/blub.asmx',http_query='',http_version='HTTP/1.1',http_response_size='10092',http_response_time='32',nodeip='4.4.4.4',nodeport='443',snatpool='/Common/SNAT_Something_Pool',snatip='6.6.6.6',snatport='34470',pool='/Common/blub.app/blapool8',req_type='response'" | nc -u -w 0 {SC4S_IP} 514

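The mechanism the reporter suspects (a trailing = inside a base64 value being taken as a key/value boundary, so the whole value lands in a key name longer than 255 characters) can be reproduced in a few lines. The following is an added Python illustration, not code from sc4s or from syslog-ng, and it models only the reporter's description: greedy_kv is a hypothetical splitter that cuts each comma-separated chunk at its last =, check_name models the 255-character limit quoted in the logged message, and constrained_kv is a hypothetical hardened form that restricts key names to identifier characters and honours quoted values. The sample message is constructed to have the same shape as the F5 line above (shortened, with a base64-looking username ending in =). How the real syslog-ng kv-parser reaches this state is not established in the thread.

```python
import re

MAX_NAME_LEN = 255  # the limit quoted in the syslog-ng message from the report

# Constructed sample in the shape of the report's F5 message: key='value' pairs
# separated by commas, one of them a base64-looking value that ends in '='.
B64_VALUE = "makemelongenough" + "A" * 260 + "BASE64CONTENTendingwitha="
SAMPLE = (
    "date_time='2023-11-08 13:59:54',clientip='1.2.2.2',"
    f"http_username='{B64_VALUE}',http_method='POST'"
)


def check_name(name, warnings):
    """Model of the limit behind the reported message: a value name longer than
    MAX_NAME_LEN is reported and then always expands to the empty string."""
    if len(name) > MAX_NAME_LEN:
        warnings.append(
            f"Value names cannot be longer than {MAX_NAME_LEN} characters, "
            f"this value will always expand to the empty string; "
            f"value='{name[:32]}...'"
        )
        return False
    return True


def greedy_kv(text, prefix=".values."):
    """Hypothetical splitter behaving as the reporter describes: in each
    comma-separated chunk everything before the last '=' is the key and
    everything after it is the value. A '=' at the end of a base64 value
    therefore pulls the whole value into the key name."""
    pairs, warnings = {}, []
    for chunk in text.split(","):
        key, sep, value = chunk.rpartition("=")
        if not sep:
            continue
        name = prefix + key.strip("'")
        pairs[name] = value.strip("'") if check_name(name, warnings) else ""
    return pairs, warnings


# Hypothetical hardened form: a key is a run of identifier characters directly
# before '=', and a quoted value extends to its closing quote, so the '=' inside
# the base64 value is never treated as a key/value boundary.
KV_RE = re.compile(r"([A-Za-z0-9_.-]+)=(?:'([^']*)'|([^,]*))")


def constrained_kv(text, prefix=".values."):
    pairs, warnings = {}, []
    for m in KV_RE.finditer(text):
        name = prefix + m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        pairs[name] = value if check_name(name, warnings) else ""
    return pairs, warnings


if __name__ == "__main__":
    for parser in (greedy_kv, constrained_kv):
        pairs, warnings = parser(SAMPLE)
        print(parser.__name__, "keys:", [k[:40] for k in pairs])
        for w in warnings:
            print("  ", w)
```

Running it, greedy_kv emits exactly the kind of warning quoted in the report and stores an empty string under an oversized .values.http_username='makemelongenough... name, while constrained_kv keeps http_username as the key and the full base64 string, trailing = included, as its value. Whatever parser is actually involved in sc4s, this is the property to check when writing an app parser for such messages: key names must be bounded by a character class, not by the position of the next =.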
ikheifets-splunk commented 6 months ago

Hello, @ehlo550! Thanks for the issue. I reproduced this bug. It's a very tricky bug and I will let you know about progress.

ehlo550 commented 6 months ago

Hi @ikheifets-splunk, Thank you for confirmation.

Regards, Stefan

xenogloss commented 5 months ago

I have the same issue. For now I use "Ingest Actions" to remove them.

ikheifets-splunk commented 5 months ago

Hello, @ehlo550 @xenogloss!

Sorry for the delay! This error, "Value names cannot be longer than 255 characters, this value will always expand to the empty string;", is related to https://github.com/syslog-ng/syslog-ng. I already had a direct conversation with the syslog-ng author. I'm not sure that we can fix it very fast.

But I think we can probably make a workaround for this case.