Splunk receiving what appears to be encrypted or garbage data from the ProxySG
Article ID: 172182
Updated On:
Products
Issue/Introduction
Customer is seeing what appears to be either encrypted or garbage data in certain fields within the access log
example entry (note the original IP addresses have been replaced by dummy IP addresses also for legibility the lines have been broken up )
2ND:49:02.115772+01:00 2.2.2.2 3RfVjEiOiAiYiIsIlRlc3QtRmxpZ2h0c2lPU1Byb2RUZXN0X1YyIjogImIiLCJUZXN0LUZzc19OZXdTZWFyY2hDb250cm9sc19WNiI6ICJjIiwiVGVzdC1Gc3Nfc3ByaW5nY2xlYW5fZGF0
ZXBpY2tlcl9WNSI6ICJiIiwiVGVzdC1IRkVfU29jaWFsVmFsaWRhdGlvbl9WMiI6ICJiIiwiVGVzdC1ITlRfQW5kcm9pZF9USURfRXhwb25lbnRpYWxfQmFja29mZl9WNSI6ICJvZmYiLC
JUZXN0LUhmZV9PZmZpY2lhbFBhcnRuZXJfSXQyX1YyIjogImIiLCJUZXN0LUhmZV9QcmljZVBlck5pZ2h0X1YyIjogImIiLCJUZXN0LUhvdGVsX1NvcnRpbmdfSW1wYWN0X0ZhY3
RvcnNfVjkiOiAiYyIsIlRlc3QtSHNjX0NoaWxkcmVuQWdlVmlld19WMTAiOiAiYiIsIlRlc3QtSHNjX01leGljYW5 Ub0FTMl9WNCI6ICJiIiwiVGVzdC1PVFJfSW1hZ2VTaGFyZV9Vc2VEZWVwTGlua0dlbmVyYXRvcl9WOSI6ICJvbiIsIlRlc3QtU1RBUktfaU9TX1VzZVdhbGxldEFzc2V0U2VydmljZUZv
ckxveWFsdHlDYXJkc19WNyI6ICJvbiIsIlRlc3QtVENTX1NlbmRfU2VhcmNoaW5nX0VtYWlsX1Y0IjogImIiLCJUZXN0LVRyZXhfT0NGbGV4U3VnZ2VzdGlvbnNfVjIzIjogImEiLCJUZXN
0LVRyZXhfT0NTZWFyY2hDb250cm9sc19WNDEiOiAiYiIsIlRlc3QtVHJleF9PQ1NlYXJjaENvbnRyb2xzX0RheVZpZXdfVjkiOiAiYiIsIlRlc3QtVXNlU2tpcHB5TG9nZ2luZ19WMyI6ICJhI
iwiVGVzdC1VdGlkVHJhdmVsbGVySWRlbnRpdHlfVjExIjogImIiLCJUZXN0LVZFU19BbmRyb2lkX0NvdW50cnlFdmVyeXdoZXJlRmVlZF9WMTIiOiAib24iLCJUZXN0LVdQVF9SZWFj
dDE2X3VwZ3JhZGVfVjIiOiAiYiIsIlRlc3QtV2ViX21pZ3JhdGlvbl9EaXNjb3ZlcnlTaGVsdmVzT0NfVjQiOiAiYSIsIlRlc3QtYXBwaW5zcF9WRVNfVVNFX0JST1dTRV9QUk9YWV9WNCI6
ICJvbiIsIlRlc3QtY3BhX2hvdGVsX2NhcmRfVjYiOiAiYiIsIlRlc3QtZGJvb2tfY2F0aF90cmFmZmljY29udHJvbF9hbGxfd2ViX1YyIjogImEiLCJUZXN0LWRib29rX2RyYWdfdHJhZmZpY2N
vbnRyb2xfYWxsX3dlYl9WMiI6ICJhIiwiVGVzdC1kYm9va19mbG90X3RyYWZmaWNjb250cm9sX1YxMiI6ICJhIiwiVGVzdC1kYm9va19zaWxrX3RyYWZmaWNjb250cm9sX3dlYl9hZ
GRpdGlvbmFsX1YxIjogImEiLCJUZXN0LWRib29rX3NreXBfdHJhZmZpY2NvbnRyb2xfdWtfd2ViX1Y0IjogImEiLCJUZXN0LWRib29rX3RrcnVfdHJhZmZpY2NvbnRyb2xfcnVfd2ViX1Y
yIjogImEiLCJUZXN0LWRib29rX3Z1ZWxfdHJhZmZpY2NvbnRyb2xfd2ViX1YyIjogImEiLCJUZXN0LWZid19lbmFibGVfc2Fhc3F1YXRjaF9zaGFyZV9saW5rc19WNCI6ICJhIiwiVGVzd
C1mYndfc3VtbWFyeV9jb21wb25lbnRzX1Y0IjogImIiLCJUZXN0LWZwc19sdXNfY2xpZW50X3F1b3RlX3NlcnZpY2Vfc3BsaXRfdHJhZmZpY19WMjI1IjogImIiLCJUZXN0LWZwc19sdX
NfcXNzX2F1dG9tYXRpY19ydWxlc19WMTkiOiAiYSIsIlRlc3QtZnBzX2x1c19zZW5kX3F1b3Rlc190b19zbGlwc3RyZWFtX1YyNSI6ICJub2V4cGVyaW1lbnQiLCJUZXN0LWZwc19tYm
1kX1YxMSI6ICJiIiwiVGVzdC1mcHNfcXVvdGVyZXRyaWV2YWxfYXdzX1YxMTUiOiAiYXdzIiwiVGVzdC1mcHNfcm91dGVfc3VtbWFyeV90cmFmZmljX3NoaWZ0X1Y2IjogImIiLCJUZ
XN0LWZzc19UaG9yX1RyYWZmaWNUZXN0X1YzMCI6ICJiIiwiVGVzdC1nbHVfc3ByaW5nQ2xlYW5Sb2xsb3V0X1YyIjogImEiLCJUZXN0LXJ0c19tYWdwaWVfc29vd19kYXRhX2Nv
bGxlY3Rpb25fVjUiOiAiYnVkZ2V0c2NoZWR1bGVkIiwiVGVzdC1ydHNfd3RhX3JlbGVhc2VfVjE2IjogImIiLCJUZXN0LXJ0c193dGFfc2hhZG93dHJhZmZpY19WMzY3IjogImIiLCJUZX
N0LXNjYWZmb2xkX3dpcmV1cF9kb250X2RlbGV0ZV9WMSI6ICJiIiwiT3JpZ2luIENvZGUgTGVnIDIiOiAiT1BPIiwiRGVzdGluYXRpb24gQ29kZSBMZWcgMiI6ICJNQU4iLCJEYXRlIE
xlZyAyIjogIjIwMTktMDUtMjgiLCJ0b2tlbiI6ICIyNDM0NzQ4OTU0YzMwY2NjNTAxN2ZhYTQ1NmZhM2QzOCJ9fQ%3D%3D&ip=1&_=1530622142440
Certificate Kerberos - "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko" 1.1.1.1 473 19152 - "none" "none" 1fd61d1a7edfd6a0-000000020a02964a-000000005b3b70bd - "{ %22expect_sandbox%22: false }"#015
No errors
Cause
Splunk had been setup to only except 8K of data from the ProxySG, this was sufficient for the majority of fields but needed to be increased to allow for these specific sites
Environment
ProxySG is configured to send access logs to a Splunk server
SGOS 6.5.10.4
Resolution
Increasing the amount of data that Splunk would accept resolved the issue.
Feedback
