satiex / splunk_synology_TA

A Synology Technical Add-On for Splunk
GNU General Public License v3.0

Log Samples #1

Open rhart211 opened 2 years ago

rhart211 commented 2 years ago

Sorry for making this an issue, but I had some questions that I'm repeating from Reddit.

  1. How did you generate all of the example logs you have on your github repo?
  2. Does your NAS always have the date printed twice in each log? When I enable log sending using BSD as the format, the date is only printed once at the beginning of the log.
satiex commented 2 years ago

Hi there,

I’m new to GitHub so let me know if you receive this reply.

Please note that I haven’t worked on this project in a few months, I would love to finish it soon when I find the time. There isn’t a complete coverage of log types yet.

  1. The example logs were generated by going into DSM and clicking things and receiving the raw logs in Splunk. I’ve asked Synology for a complete list of logs, but they didn’t know what I was talking about and were not interested in helping. There are definitely a lot more log samples needed before we have a complete list of every log type.
  2. Yeah my logs are always printed twice from memory.

Let me know if you’re interested in helping me finish the project, I need some motivation in getting it done!

Kind regards, Satiex


rhart211 commented 2 years ago

Hey There. I did get an email notification. That's interesting how the time shows up twice in your log samples. Since you pulled them out of Splunk, do you see the same result when you run tcpdump?

For example, when I run 'tcpdump -Avvvnni ens160 host ' on my Splunk server, the logs from my Synology NAS look like the following:

<14>Nov 29 09:04:21 Vincent Connection: User [<user>] from [<client_ip>] via [CIFS(SMB3)] accessed shared folder [Lab].

Except <user> is my user and <client_ip> is my desktop's IP address. The time is only written once per the RFC.

I am interested in helping, I just need to find time.

diogofgm commented 2 years ago

The double timestamp shows up because when collecting logs directly to splunk via TCP/UDP splunk adds the time stamp and host to the event. This is useful in some situations where the original data source does not contain a proper timestamp/host information. You can configure splunk to not append this extra timestamp and host in inputs.conf using the no_appending_timestamp = <boolean> attribute. You can check the details about this attribute in docs here: https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Inputsconf
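
As an added example (not code from the TA or from anyone in this thread), here is a small parser for the Synology BSD-syslog line rhart211 captured with tcpdump that also copes with the double-timestamp form diogofgm describes. The sample events, the user/IP values and the exact shape of Splunk's prepended "timestamp host " prefix are assumptions constructed for the example; the point is that a parser should detect the prefix and still pull the NAS's own timestamp, host and access fields rather than trusting the first timestamp it sees.

```python
import re

# Constructed sample events (not from the original thread), modelled on the
# tcpdump line above. The second one carries the extra "timestamp host "
# prefix that Splunk prepends on a raw TCP/UDP input when
# no_appending_timestamp is left at its default (prefix layout is an assumption).
RAW_EVENT = ("<14>Nov 29 09:04:21 Vincent Connection: User [alice] from [192.0.2.10] "
             "via [CIFS(SMB3)] accessed shared folder [Lab].")
SPLUNK_PREFIXED_EVENT = "Nov 29 09:04:22 192.0.2.50 " + RAW_EVENT

# Optional Splunk-added "timestamp host " prefix, then the BSD syslog header
# (<PRI>, timestamp, hostname), then the Synology message body.
_SYSLOG_RE = re.compile(
    r"^(?:(?P<rx_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<rx_host>\S+) )?"
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# Shared-folder access message as emitted by DSM in the sample above.
_ACCESS_RE = re.compile(
    r"Connection: User \[(?P<user>[^\]]*)\] from \[(?P<client_ip>[^\]]*)\] "
    r"via \[(?P<proto>[^\]]*)\] accessed shared folder \[(?P<share>[^\]]*)\]\.$"
)


def parse_synology_event(line: str) -> dict:
    """Parse one Synology syslog line, with or without Splunk's prepended header."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    out = {
        "facility": pri >> 3,            # <14> -> facility 1 (user)
        "severity": pri & 7,             # <14> -> severity 6 (info)
        "timestamp": m.group("ts"),      # the NAS's own timestamp, not Splunk's
        "host": m.group("host"),
        "double_timestamp": m.group("rx_ts") is not None,
        "message": m.group("msg"),
    }
    a = _ACCESS_RE.match(m.group("msg"))
    if a:
        out.update(a.groupdict())
        out["event_type"] = "shared_folder_access"
    return out
```

If double_timestamp comes back True for most events, the input is the culprit rather than the NAS, and no_appending_timestamp in inputs.conf is the place to fix it.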

satiex commented 2 years ago

Howdy Diogo,

Thanks a lot for the heads up! I’m hoping to spend some time in the next few weeks on the project getting it finished, so hopefully I’ll have some updates soon.

Craig
