Juniper admin, firewall & IDPS logs are not parsed correctly #2643
Comments
pcap attached to Splunk support case # CASE [3621290]
Hi @rjha-splunk @sbylica-splunk, any update on this?
Hi @imsidr, looking into it, I will post an update once we have something more.
@imsidr so we decided to add parsing logs with an RT_SYSTEM tag, with a sourcetype
@imsidr yeah, logs with RT_SYSTEM tag would be assigned to a
@imsidr can you attach an example of RT_FLOW log that is not being parsed properly? I don't see any in the pcap file that was attached.
I asked Ravi from support to set up a call to show this issue, can we connect on this?
I am sure all sorts of logs were captured in both the pcaps, I am not sure how I capture it for a particular log.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Wednesday, December 4, 2024 5:58 PM
To: splunk/splunk-connect-for-syslog ***@***.***>
Cc: Rai, Siddhartha ***@***.***>; Mention ***@***.***>
Subject: Re: [splunk/splunk-connect-for-syslog] Juniper admin , firewall & idps logs are not parsed correctly (Issue #2643)
@imsidr can you attach an example of RT_FLOW log that is not being parsed properly? I don't see any in the pcap file that was attached.
Logs with RT_FLOW tag should be parsed correctly since we have a rule for that.
@imsidr Yeah, we can set up a call. What would be a possible time for it?
@imsidr today probably not, could we arrange for it tomorrow or next week?
Hey @imsidr, so we have two follow-up questions for now:
Hi Szymon,
I have attached the pcap in the Splunk support case.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Wednesday, December 11, 2024 3:01 PM
Hey @imsidr, so we have two follow-up questions for now:
* Can we get a .pcap file with an example of logs with RT_FLOW tag, like the one we saw on a meeting with the customer?
* Were the logs getting parsed earlier? Was there any noticeable trigger point that led to this issue?
@imsidr thanks, could you also ask for a screenshot from the Splunk side? We would like to see the message and the sc4s_tags field.
Hi @imsidr, maybe I missed it but was there any response to this question? Also, a new version of SC4S with the fix for RT_SYSTEM logs was released, can the customer upgrade to this version?
Hi Szymon,
It was being parsed when we were onboarding it using the legacy method. Also we have the Juniper Add-on installed with some additional configs from outside, but it is not related to parsing.
Also, the issue is not related to RT_SYSTEM only; none of the events are parsed.
But I will still go ahead and upgrade it.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Thursday, December 12, 2024 6:58 PM
Hi @imsidr, maybe I missed it but was there any response to this question?
Were the logs getting parsed earlier? Was there any noticeable trigger point that led to this issue?
Also, a new version of SC4S with the fix for RT_SYSTEM logs was released, can the customer upgrade to this version?
https://github.com/splunk/splunk-connect-for-syslog/releases/tag/v3.33.0
Hi @imsidr, so it was being parsed correctly using the legacy method? Do we have a configuration/description of this method? Ok, let's see if updating fixes this issue, keep me updated.
We are using a syslog-ng relay to get the data and forward it to Splunk Cloud; we have a Juniper TA (customized) which is doing all the parsing & extraction stuff. I will attach a copy on the support case.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Friday, December 13, 2024 3:23 PM
Hi @imsidr, so it was being parsed correctly using the legacy method? Do we have a configuration/description of this method? Ok, let's see if updating fixes this issue, keep me updated.
Was the issue replicated by support? no
What is the sc4s version? 3.27.0
Which operating system (including its version) are you using for hosting SC4S? Ubuntu
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? yes
Is the issue related to the environment of the customer or a software-related issue? Software related issue
Is it related to data loss? Please explain. No
Protocol? Hardware specs?
Last chance index/Fallback index? sc4s
Is the issue related to local customization? yes
Do we have all the default indexes created? yes
Describe the bug
Juniper admin, firewall & IDPS logs are not parsed correctly
To Reproduce
Steps to reproduce the behavior: