We have updated our Terms of Service, Code of Conduct, and Addendum.

Empty/broken Windows XML and Classic messages

Options
Daurena Akilbekov
Daurena Akilbekov Posts: 3
edited August 2023 in Stream

Currently I'm ingesting Windows Classic and Windows Sysmon XML using Splunk UF, and apply corresponding packs to convert to JSON and some custom modifications. Until few days everything worked, but now we are receiving empty or broken messages.

I'm running Splunk UFs 9.0.4/Splunk Cloud 9.0.2209.4 and Cribl 4.2.2.

Config on UFs, as recommended in the docs. On Cribl Worker s2s is v4.

[tcpout]
disabled = false
defaultGroup = cribl-worker-1

[tcpout:cribl-worker-1]
sendCookedData = true
server=x.x.x.x:9997

I noticed that Cribl defaults to fallback event breaker. No error/warnings in Cribl logs.

2.jpg


1.jpg


Best Answer

  • Daurena Akilbekov
    Daurena Akilbekov Posts: 3
    Answer ✓
    Options

    Just for someone who have the same issue, changing s2s from v4 to v3 solved the issue.

Answers

  • Johan Woger
    Johan Woger Posts: 16
    Options

    Did this issue start after you upgraded to 4.2.2? Any other changes around the same time that you noticed this issue?

  • Daurena Akilbekov
    Daurena Akilbekov Posts: 3
    Options

    There were some errors regarding s2s, which were solved by upgrading from 4.1.X to 4.2.2, but event braking problems were there before the upgrade.

  • Daurena Akilbekov
    Daurena Akilbekov Posts: 3
    Answer ✓
    Options

    Just for someone who have the same issue, changing s2s from v4 to v3 solved the issue.

This discussion has been closed.

Categories