
splunk vs unquoted src_mac field in firewall logs

Hi All,

I'm testing out Sophos logging into Splunk, and have just noticed that Splunk is getting a bit confused about the src_mac field.

The logs XG is generating contain the src_mac field unquoted, which would be fine except that an unknown MAC address looks like 00: 0:00: 0:00: 0, with 3 field delimiters (spaces) in it.

Is this a known bug?

James
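The parsing problem described in the post, worked through as an added example (this is not code from the original post, from Sophos or from Splunk): a whitespace-delimited key=value extractor truncates the unquoted `src_mac=00: 0:00: 0:00: 0` value at its first space, while an extractor whose unquoted values run until the next `key=` token keeps the whole address, which can then be zero-padded into a canonical MAC. The log lines below are constructed in the Sophos XG key=value style; only the `src_mac` field comes from the post, the other field names and values are assumptions.

```python
import re

# Constructed sample lines in a Sophos XG-like key=value layout (not real device output).
# Line 2 carries the "unknown MAC" form from the post: " 0" octets with stray spaces.
SAMPLE_LINES = [
    'device="SFW" date=2024-01-15 time=10:21:07 log_type="Firewall" src_ip=10.1.2.3 '
    'src_mac=00:0c:29:ab:cd:ef dst_ip=8.8.8.8 dst_mac= log_component="Firewall Rule"',
    'device="SFW" date=2024-01-15 time=10:21:08 log_type="Firewall" src_ip=10.1.2.4 '
    'src_mac=00: 0:00: 0:00: 0 dst_ip=8.8.4.4 dst_mac=00: 0:00: 0:00: 0 log_component="Firewall Rule"',
]

# Naive extraction: an unquoted value ends at the first whitespace character.
NAIVE_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Tolerant extraction: a quoted value is taken whole; an unquoted value extends
# (lazily) until the lookahead sees whitespace followed by the next key=, or end of line.
TOLERANT_TOKEN = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|\s*$)')

# Six colon-separated octets, each 1-2 hex digits optionally preceded by one space,
# which is exactly the padded "00: 0:00: 0:00: 0" shape as well as a normal MAC.
MAC_PADDED = re.compile(r'^(?: ?[0-9A-Fa-f]{1,2}:){5} ?[0-9A-Fa-f]{1,2}$')


def parse_naive(line):
    """Whitespace-delimited key=value parsing; mis-handles unquoted values containing spaces."""
    return {k: v.strip('"') for k, v in NAIVE_TOKEN.findall(line)}


def normalize_mac(value):
    """Zero-pad space-padded octets into a canonical lower-case 17-char MAC.

    Returns None when the value is empty or not a recognisable six-octet address.
    """
    if not MAC_PADDED.match(value):
        return None
    octets = [octet.strip().zfill(2).lower() for octet in value.split(':')]
    return ':'.join(octets)


def parse_line(line):
    """Tolerant key=value parsing with MAC fields normalised (None when absent/unparseable)."""
    fields = {k: v.strip('"') for k, v in TOLERANT_TOKEN.findall(line)}
    for key in ('src_mac', 'dst_mac'):
        if key in fields:
            fields[key] = normalize_mac(fields[key])
    return fields


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print('naive    src_mac =', repr(parse_naive(line).get('src_mac')))
        print('tolerant src_mac =', repr(parse_line(line).get('src_mac')))
```

The tolerant pattern has one caveat worth knowing before it goes into a search-time field extraction: an unquoted value that itself contains ` word=` will still be cut short, so fields the device quotes (`log_component="Firewall Rule"`) must stay quoted. Normalising the padded form to `00:00:00:00:00:00` also makes "unknown MAC" events easy to filter or count consistently instead of leaving a partial value such as `00:` in the field.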


