Hello all. I feel this should be simple, but it's not working for me. I receive lots of different data types on one port. For one particular type, I want to just forward it on, completely untouched, to a different host on a different port as JSON. I am using the TCP JSON output. The issue is, Cribl is setting the metadata and parsing fields, such as _raw. I don't want any parsing, no fields, no metadata, just the raw data. I must be missing something? Thanks in advance for any suggestions.
but the quotes are still there, so now my outgoing starts with "":"
let me give that a try, thanks
It's raw TCP in
from Vectra
So I am using raw TCP source, JSON output
Sorry I meant syslog source
It's JSON via raw TCP, but Vectra doesn't follow the RFC; there are no syslog headers of any kind, just raw JSON over TCP
I think that worked Josh, I could swear I tried that earlier, but I must have had some other rules going
Ahh, interesting. If you are using syslog source, I'd expect to not see host and _time, according to our syslog doc - but if it is breaking those out, I'll notify our docs team. See here for what fields to expect from the syslog source: https://docs.cribl.io/stream/sources-syslog#what-fields-to-expect
Yep - just ran a test - I'll verify internally and let the docs team know. The pipeline I shared above should work for your use case