syslog-ng cannot send logs to Splunk through the splunk-hec destination: Splunk answers with HTTP 400 and the message "Error in handling indexed fields". This happens when the messages arrive either over the syslog() (RFC 5424) protocol or from the syslog-ng Agent for Windows, that is, when they carry structured data (SDATA) elements that the destination passes on to Splunk as indexed fields.
Workaround: sanitize the SDATA name-value pairs before they are placed in the fields object of the HEC event, so that Splunk accepts them. The template below rebuilds the fields object with format-json and uses --shift-levels to drop the leading components of each name: .SDATA.win@18372.4.<name> (Windows events from the syslog-ng Agent) becomes <name>, .SDATA.meta.<name> becomes <name>, and any other .SDATA.<id>.<name> element loses its .SDATA prefix. Keep the more specific patterns before the catch-all .* pattern, as shown. Note that the catch-all removes only two levels, so an SD-ID with an @enterprise-number other than win@18372.4 keeps that part of its name; if Splunk still rejects such events, add a dedicated pattern for that SD-ID as well.
Insert the following fields() option into the splunk-hec destination:
fields("fields=literal($(format-json --scope none .SDATA.win@18372.4.* --shift-levels 4 .SDATA.meta.* --shift-levels 3 .* --shift-levels 2))")
The full destination could look like this (fill in your index and HEC token; prefer an https:// URL, because the token travels in the Authorization header of every request):

    destination d_splunk_hec {
        splunk_hec(
            index("")
            token("")
            url("http://your-splunk-server:8088/services/collector/event")
            fields("fields=literal($(format-json --scope none .SDATA.win@18372.4.* --shift-levels 4 .SDATA.meta.* --shift-levels 3 .* --shift-levels 2))")
        );
    };