splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

New Source: Aruba Wireless Controllers #1765

Closed Jaxjohnny closed 2 years ago

Jaxjohnny commented 2 years ago

Sourcetype comes in as cef and the index as main.

Raw logs from the syslog-ng ingest:

Jul 25 12:53:03 10.254.201.9 CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=dot1x-proc:2 dvcpid=4387 dvchost=7205-SC msg=2[4387]: <522275> <4387> |dot1x-proc:2| User Authentication failed. username\=nicole userip\=0.0.0.0 usermac\=gg:gg:f9:03:dd:c5 authmethod\=802.1x servername\=Radius_Cluster serverip\=10.255.168.30 apname\=TCHQAP03.04 bssid\=00:4e:35:b
Jul 25 12:53:18 10.254.201.9 CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=authmgr dvcpid=3726 dvchost=7205-SC msg=<522274> <3726> |authmgr| Mgmt User Authentication failed. username\=amp-admin userip\=10.255.170.10 servername\=Radius_Cluster serverip\=10.255.168.30
Jul 25 12:53:24 10.254.201.9 CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=dot1x-proc:2 dvcpid=4387 dvchost=7205-SC msg=2[4387]: <520002> <4387> |dot1x-proc:2| Authentication server request Timeout, username\=nicole userip\=0.0.0.0 usermac\=gg:gg:f9:03:dd:c5 servername\= Radius_Cluster server-group\=Private_dot1_svg serverip\= 10.255.168.30 bssid\=gg:gg:35:bb:14:30 apname\=TCHQA
Jul 25 12:53:25 10.254.201.9 CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=authmgr dvcpid=3726 dvchost=7205-SC msg=<522274> <3726> |authmgr| Mgmt User Authentication failed. username\=amp-admin userip\=10.255.170.10 servername\=Radius_Cluster serverip\=10.255.168.30

Similar events from the Splunk _raw:

CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=dot1x-proc:2 dvcpid=4387 dvchost=7205-SC msg=2[4387]: <520002> <4387> |dot1x-proc:2| Authentication server request Timeout, username\=Cassidy. userip\=0.0.0.0 usermac\=gg:gg:4a:bc:30:45 servername\= Radius_Cluster server-group\=Private_dot1_svg serverip\= 255.255.168.30 bssid\=gg:gg:35:b8:e4:10 apname\=TCHQA
CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=authmgr dvcpid=3726 dvchost=7205-SC msg=<522274> <3726> |authmgr| Mgmt User Authentication failed. username\=amp-admin userip\=255.255.170.10 servername\=Radius_Cluster serverip\=255.255.168.30
CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=snmp dvcpid=3873 dvchost=7205-SC msg=<399816> <3873> |snmp| ../unix/../shared/notifyv3.c:304 Host's 255.255.172.20 engine ID not discovered. Traps do not get queued up.
CEF:0|Aruba|A72xx|79813|log|SystemEvent|3|deviceProcessName=dot1x-proc:2 dvcpid=4387 dvchost=7205-SC msg=2[4387]: <520002> <4387> |dot1x-proc:2| Authentication server request Timeout, username\=nicole userip\=0.0.0.0 usermac\=gg:gg:f9:03:dd:c5 servername\= Radius_Cluster server-group\=Private_dot1_svg serverip\= 255.255.168.30 bssid\=gg:gg:35:b9:87:90 apname\=TCHQA

rjha-splunk commented 2 years ago

This is working as expected; only aruba_ap and aruba_syslog are supported as of now. Please use a postfilter to assign the right metadata/index; use the following example to configure it.

# /opt/sc4s/local/config/filters/app-postfilter-silverpeak_splunk.conf
#
# The block name is arbitrary, but it must be the same in the
# "block parser" definition and in the "parser { ... }" call below.
block parser app-dest-rewrite-peplink_syslog-postfilter() {
    channel {
        rewrite {
            # Set the Splunk destination metadata for every event
            # that reaches this postfilter.
            r_set_splunk_dest_default(
                index('silverpeak')
                sourcetype('silverpeak:edgeconnect')
                vendor('silverpeak')
                product('edgeconnect')
                template('t_msg_only')
            );
        };
    };
};

# Register the block as an sc4s-postfilter application, restricted
# to events whose HOST matches the glob (case-insensitive).
application app-dest-rewrite-peplink_syslog-postfilter[sc4s-postfilter] {
    filter {
        host("dfa*ec*" type(glob) flags(ignore-case));
    };
    parser { app-dest-rewrite-peplink_syslog-postfilter(); };
};
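The same postfilter adapted to the Aruba controller events in this issue, as an added example that is neither SC4S code nor either commenter's. The file name, block name, index `netauth`, sourcetype `aruba:controller`, and the vendor/product values are assumptions. The host values are taken from the posted events (source address 10.254.201.9 and `dvchost=7205-SC`); which of the two SC4S records as HOST for these CEF events is also an assumption and should be checked against what is already indexed under `sourcetype=cef`.

```conf
# /opt/sc4s/local/config/filters/app-postfilter-aruba_controller.conf
#
# Added example (not SC4S or the commenters' code): route the Aruba
# controller CEF events out of index=main / sourcetype=cef.
# Index, sourcetype, vendor, product and the host patterns are assumptions.
block parser app-dest-rewrite-aruba_controller-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('netauth')
                sourcetype('aruba:controller')
                vendor('aruba')
                product('controller')
                template('t_msg_only')
            );
        };
    };
};

application app-dest-rewrite-aruba_controller-postfilter[sc4s-postfilter] {
    filter {
        # Match either the controller's dvchost or its source address,
        # depending on which one SC4S carries as HOST for these events.
        host("7205-SC" type(string) flags(ignore-case))
        or host("10.254.201.9" type(string));
    };
    parser { app-dest-rewrite-aruba_controller-postfilter(); };
};
```

After dropping the file into the local filters directory and restarting the SC4S container, confirm the routing with a search such as `index=netauth sourcetype=aruba:controller`; if events still land in main, the HOST value SC4S assigned does not match either pattern and the filter needs to be adjusted to the `host` field of the events already indexed.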