Dear all, 

This is not really a question, but rather a memento, waiting for an official fix to be rolled out, for those of you who have ever hit your head, as has happened to me over the past few months, with the following problem when sending logs via CF.

Scenario: you have just set up a new log type to send via CF, which you have done several times, no big deal. Only the logs don't make it into the DB, you look for them in the SecOps UI but there is no trace of them. You then decide to give it some time and wait a while.

When you come back some hours later, you find that all your logs are being delayed, arriving 30 min/1 hr late. What on earth happened??

After some investigation you find the Forwarder docker log (“docker logs --since=60m cfps”) full of error messages like:

E0917 07:40:40.287215 489 syslog.go:545] strconv.Atoi: parsing "8205337b-7ff5-4a3e-8e29-1250c8c74701,": invalid syntax.
 
You also notice that the actual original log (within double quotes) is reported as truncated, at different lengths.
 
 
Long story short: all the new source logs give errors in Forwarder and this clogs the output pipeline. After cleaning everything up and restoring the previous settings, I opened a ticket with support and we finally figured out that because the logs start with a digit, Forwarder interprets them as an octet count message, which is not true.
 
Available solutions: send the logs via direct injection, OR change them so that they do not start with a digit.
Hope this can help some unfortunate fellow like me.
 
Cheers,
 
A
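As an added illustration (not code from the post, nor from the Chronicle Forwarder itself), here is a small Python model of the framing heuristic described above: a leading digit is treated as RFC 6587 octet-count framing, which is why a UUID-led event produces the strconv.Atoi error and a small leading integer silently truncates the event. The sample lines are constructed, the forwarder's internal behaviour is assumed from the error message, and the PRI-prefix helper is one way of applying the "do not start with a digit" workaround.

```python
# Constructed sample lines; the UUID one reproduces the token from the post's error message.
UUID_LINE = "8205337b-7ff5-4a3e-8e29-1250c8c74701, 2024-09-17T07:40:40Z user=alice action=login"
PRI_LINE = "<13>Sep 17 07:40:40 host app[123]: normal message"
TRUNC_LINE = "7 failed logins for user alice"
_OC_BODY = "<13>Sep 17 07:40:40 host app[123]: octet-counted message"
OCTET_LINE = f"{len(_OC_BODY)} {_OC_BODY}"  # genuine RFC 6587 framing: "<len><SP><msg>"

def frame_like_forwarder(line: str):
    """Hypothetical model of the heuristic the post describes: a leading digit is
    taken to mean RFC 6587 octet counting, so the token before the first space
    must be an integer byte count. Returns ("newline", msg), ("octet", msg) or
    ("error", reason). Lengths are counted in characters (bytes for ASCII)."""
    if not line or not line[0].isdigit():
        return ("newline", line)        # non-transparent framing, passed through as-is
    token, _, rest = line.partition(" ")
    try:
        count = int(token)
    except ValueError:
        # The same failure the post's docker log shows as strconv.Atoi.
        return ("error", f'strconv.Atoi: parsing "{token}": invalid syntax')
    if count > len(rest):
        return ("error", f"octet count {count} exceeds {len(rest)} available characters")
    return ("octet", rest[:count])      # a small leading integer silently truncates the event

def preflight(lines, octet_framed=False):
    """Return the lines that would clog the pipeline. For a source that does not use
    octet framing (the post's case), any leading digit is a risk, because a parseable
    count truncates the event and an unparseable one raises the Atoi error."""
    if octet_framed:
        return [l for l in lines if frame_like_forwarder(l)[0] == "error"]
    return [l for l in lines if l[:1].isdigit()]

def add_pri_header(line: str, facility: int = 1, severity: int = 6) -> str:
    """The post's second workaround: make the event not start with a digit. Here the
    prefix is a standard syslog PRI (facility*8 + severity; user.info by default)."""
    if line.startswith("<"):
        return line
    return f"<{facility * 8 + severity}>{line}"

if __name__ == "__main__":
    for raw in (UUID_LINE, TRUNC_LINE, PRI_LINE, OCTET_LINE):
        print(frame_like_forwarder(raw))
    print("risky:", preflight([UUID_LINE, PRI_LINE, TRUNC_LINE]))
    print(frame_like_forwarder(add_pri_header(UUID_LINE)))
```

Run `preflight` over a sample of a new source before enabling it in the forwarder; an empty result means no event begins with a digit.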
 

Thank you so much for sharing your experience. I hope others will find this and get some value out of it.


Hi @nathanael_s,

One out-of-context question: is the Mandiant Security Validation tool still active, or is it integrated with another suite and not active as a standalone tool? I wanted to get more of an overview of the tool for proposing it against client requirements.
