Splunk receiving what appears to be encrypted or garbage data from the ProxySG

Article ID: 172182

Products

ProxySG Software - SGOS

Issue/Introduction

The customer is seeing what appears to be either encrypted or garbage data in certain fields within the access log.

Example entry (note: the original IP addresses have been replaced by dummy IP addresses; also, for legibility, the lines have been broken up):


2ND:49:02.115772+01:00 2.2.2.2 [long run of base64-like characters removed] &ip=1&_=1530622142440

Certificate Kerberos - "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko" 1.1.1.1 473 19152 - "none" "none" 1fd61d1a7edfd6a0-000000020a02964a-000000005b3b70bd - "{ %22expect_sandbox%22: false }"#015

No errors

Cause

Splunk had been set up to accept only 8K of data from the ProxySG. This was sufficient for the majority of fields, but the limit needed to be increased to allow for these specific sites.

Environment

ProxySG is configured to send access logs to a Splunk server
SGOS 6.5.10.4

Resolution

Increasing the amount of data that Splunk would accept resolved the issue.
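
One way to find which access-log entries exceed the receiver's limit, and to confirm that their bulk is encoded application data rather than corruption, before choosing a new limit. This is an added example, not part of the original article or of any vendor tooling. The 8192-byte limit is the 8K stated under Cause. The log layout, host names, function names and the 64-character run threshold are assumptions, and the sample lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote

LIMIT = 8 * 1024  # the 8K receive limit named in the article
# Long runs of base64/base64url characters, with optional (URL-encoded) padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{64,}(?:%3D|=){0,2}")

def longest_b64_token(line):
    """Return the longest base64-looking run in the line, or '' if none."""
    return max((m.group(0) for m in B64_RUN.finditer(line)), key=len, default="")

def decodes_as_text(token):
    """True if the token is valid base64 whose payload is printable UTF-8."""
    raw = unquote(token).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # restore padding lost to truncation
    try:
        payload = base64.b64decode(raw, validate=True)
        return payload.decode("utf-8").isprintable()
    except (binascii.Error, UnicodeDecodeError):
        return False

def audit(lines, limit=LIMIT):
    """Report entries larger than the limit and what their bulk consists of."""
    findings = []
    for number, line in enumerate(lines, start=1):
        size = len(line.encode("utf-8"))
        if size <= limit:
            continue
        token = longest_b64_token(line)
        findings.append({
            "line": number,
            "bytes": size,
            "b64_share": round(len(token) / len(line), 2),
            "plain_text_inside": decodes_as_text(token),
        })
    return findings

def sample_lines():
    """Constructed sample: one ordinary entry, one with a long encoded query."""
    flags = '{"flags": {' + ", ".join(f'"Test-Feature_{i}": "b"' for i in range(500)) + "}}"
    blob = base64.b64encode(flags.encode()).decode().replace("=", "%3D")
    prefix = "2018-07-03 12:49:02 2.2.2.2 GET http://app.example.test/"
    suffix = ' 200 "Mozilla/5.0" 1.1.1.1 473 19152'
    return [prefix + "index.html" + suffix,
            prefix + "collect?data=" + blob + "&ip=1" + suffix]

if __name__ == "__main__":
    for finding in audit(sample_lines()):
        print(finding)
```

The largest `bytes` value seen over a representative log sample gives a lower bound for the new limit.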