splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

SC4S: Aruba HTTPD events do not parse #2016

Closed Jo-Ng closed 1 year ago

Jo-Ng commented 1 year ago

Notice that the events below do not seem to be processed correctly. Please advise.

PRI=139
MESSAGE=<XX_XX_XX_03 11.11.11.11> httpd[23571]: Could not retrieve the CSRF token from db, called from arci_cgi
host = XX_XX_XX_03   source = sc4s   sourcetype = aruba:syslog

whereas the rest of the events do not show such issues:

2023-03-07T08:37:24+00:00 2023 XX_XX_XX_03 authmgr[3747]: <124006> <3747> <WARN> <XX_XX_XX_03 11.11.11.11>  {22380804} ICMP srcip=11.11.11.11 dstip=11.11.11.11, type=3, code=3, action=deny
host = XX_XX_XX_03   source = aruba:authmgr   sourcetype = aruba:syslog

2023-03-07T08:37:22+00:00 2023 XX_XX_XX_03 aaa[3647]: <125022> <3647> <WARN> <XX_XX_XX_03 11.11.11.11>  Authentication failed for User admin, Logged in from 11.11.11.11 port 20430, Connecting to 11.11.11.11 port 4343 connection type HTTPS
host = XX_XX_XX_03   source = program:aaa   sourcetype = aruba:syslog

2023-03-07T08:47:22+00:00 2023 XX_XX_XX_03 snmp[3887]: <301135> <3887> <WARN> <XX_XX_XX_03 11.11.11.11>  SNMP V3 Message parse error: Not in life time window failure in case of authoritative local engine id.
host = XX_XX_XX_03   source = program:snmp   sourcetype = aruba:syslog

Below is the configuration: RHEL 8.6, Podman 3.0.1

cat /apps/sc4s/local/context/splunk_metadata.csv | grep aruba

aruba_ap,index,sc4s_multi

Below is the parser written earlier by Splunk PS:

cat app-syslog-aruba_ap.conf

block parser app-syslog-aruba_ap() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('netops')
                source('aruba:${PROGRAM}')
                sourcetype('aruba:syslog')
                vendor("aruba")
                product("ap")
            );
        };
    };
};
application app-syslog-aruba_ap[sc4s-syslog-pgm] {
    filter {
        (
            (
                program('authmgr' type(string) flags(prefix))
                or program('stm' type(string) flags(prefix))
                or program('wms' type(string) flags(prefix))
                or program('dot1x-proc' type(string) flags(prefix))
                or program('nanny' type(string) flags(prefix))
            )
            and message('^\<\d+\> \<\d+\> \<[A-Z]+\>')
        )
        or (
            (
                program('sapd' type(string) flags(prefix))
            )
            and message('^\<\d+\> \<[A-Z]+\>')
        )
        # plain substring match on the message body for the httpd events,
        # which carry no program name in the position syslog-ng expects
        or (
            message('httpd' type(string))
        )
        ;
    };

    parser { app-syslog-aruba_ap(); };
};
bparmar-splunk commented 1 year ago

@Jo-Ng, could you please DM us the latest raw messages to validate?

Jo-Ng commented 1 year ago

Below is what was obtained with RAWMSG enabled:

"RAWMSG":"<139>Mar 6 00:10:39 2023 SERVER__04 <SERVER__04 10.10.10.42> httpd[30092]: Could not retrieve the CSRF token from db inside mod_aruba_auth"

Below is the same event from a PCAP:

<139>Mar 9 20:21:38 2023 SERVER__04 <SERVER__04 10.10.10.42> httpd[12007]: Could not retrieve the CSRF token from db inside mod_aruba_auth

Jo-Ng commented 1 year ago

@bparmar-splunk any update?

bparmar-splunk commented 1 year ago

@Jo-Ng, we are working on it. We cannot make use of the resolution you provided in the message above, because other vendors might have the same log format. We will keep you posted about further updates.

Thank you

Jo-Ng commented 1 year ago

@bparmar-splunk

Sure. If there is an option not to use a custom parser for it, that would be great. Since the beginning it could not be recognized, hence Splunk PS created the parser (app-syslog-aruba_ap.conf). Looking forward to it.

Jo-Ng commented 1 year ago

any update on this?

bparmar-splunk commented 1 year ago

@Jo-Ng, can you please give it a try with the parser below?

block parser app-syslog-aruba_ap() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('netops')
                source('aruba:${PROGRAM}')
                sourcetype('aruba:syslog')
                vendor("aruba")
                product("ap")
            );
        };
    };
};
application app-syslog-aruba_ap[sc4s-syslog] {
    filter {
        (
            (
                program('authmgr' type(string) flags(prefix))
                or program('stm' type(string) flags(prefix))
                or program('wms' type(string) flags(prefix))
                or program('dot1x-proc' type(string) flags(prefix))
                or program('nanny' type(string) flags(prefix))
            )
            and message('^\<\d+\> \<\d+\> \<[A-Z]+\>')
        )
        or (
            (
                program('sapd' type(string) flags(prefix))
            )
            and message('^\<\d+\> \<[A-Z]+\>')
        )
        or (
            match('[\d\.]*>\shttpd\[\d+]' value("MESSAGE"))
        )
        ;
    };

    parser { app-syslog-aruba_ap(); };
};

Please share the findings and let us know in case of any queries.

Thank you.
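To see why a program('httpd') clause can never fire on these events while the match() on MESSAGE above does, here is an added Python harness (not part of SC4S or of this issue) that mirrors the revised filter and runs it over message bodies built from the events quoted in this thread; the PROGRAM/MESSAGE split it uses is a simplified stand-in for syslog-ng's and is an assumption, and the "nginx" sample is constructed.

```python
import re

# Patterns copied from the revised parser above; in Python's re, as in PCRE,
# "\<" is simply a literal "<".
PGM_PREFIXES = ("authmgr", "stm", "wms", "dot1x-proc", "nanny")
THREE_FIELD = re.compile(r"^\<\d+\> \<\d+\> \<[A-Z]+\>")
SAPD_TWO_FIELD = re.compile(r"^\<\d+\> \<[A-Z]+\>")
# The added clause runs against MESSAGE, not PROGRAM: when the body starts with
# "<host ip>" no program name is extracted, so program('httpd') never matches.
HTTPD_MATCH = re.compile(r"[\d\.]*>\shttpd\[\d+]")

# Simplified stand-in for syslog-ng's legacy PROGRAM/MESSAGE split (assumption):
# "prog[pid]: rest" yields ("prog", "rest"); anything else yields ("", body).
BODY_RE = re.compile(r"^(?P<prog>[A-Za-z0-9_.\-]+)(?:\[\d+\])?:\s(?P<msg>.*)$", re.S)

def split_body(body):
    m = BODY_RE.match(body)
    return (m.group("prog"), m.group("msg")) if m else ("", body)

def aruba_ap_filter(program, message):
    """True when the event would be routed to app-syslog-aruba_ap."""
    if program.startswith(PGM_PREFIXES) and THREE_FIELD.search(message):
        return True
    if program.startswith("sapd") and SAPD_TWO_FIELD.search(message):
        return True
    return HTTPD_MATCH.search(message) is not None

def old_httpd_clause(message):
    """The plain substring clause from the first parser in this issue, for comparison."""
    return "httpd" in message

# Constructed bodies, i.e. the text after "<PRI>Mar 6 00:10:39 2023 SERVER__04 ",
# built from the events quoted in this issue (the nginx line is made up).
SAMPLES = {
    "authmgr": "authmgr[3747]: <124006> <3747> <WARN> <SERVER__04 10.10.10.42>  {22380804} ICMP srcip=10.10.10.42 dstip=10.10.10.42, type=3, code=3, action=deny",
    "httpd": "<SERVER__04 10.10.10.42> httpd[30092]: Could not retrieve the CSRF token from db inside mod_aruba_auth",
    "aaa": "aaa[3647]: <125022> <3647> <WARN> <SERVER__04 10.10.10.42>  Authentication failed for User admin",
    "unrelated": "nginx[11]: upstream httpd backend unreachable",
}

def route_all(samples=SAMPLES):
    """Map each sample name to (extracted program, routed to aruba_ap?)."""
    out = {}
    for name, body in samples.items():
        prog, msg = split_body(body)
        out[name] = (prog, aruba_ap_filter(prog, msg))
    return out

if __name__ == "__main__":
    for name, (prog, hit) in route_all().items():
        print(f"{name:9s} program={prog or '(none)':8s} aruba_ap={hit}")
```

The "unrelated" sample shows the difference between the two approaches: the old substring clause would claim it, while the anchored match on "> httpd[pid]" leaves it alone.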

Jo-Ng commented 1 year ago

@bparmar-splunk, the events seem to be parsing correctly now. I will have to test in production, as those https events are only available in the production environment, not development. Based on a normal echo, it aligned with the rest of the event flow.

Below is the output of the impacted HTTPD events:

2023-03-28T03:28:16+00:00 2023 xxxxxxxxxx_04 httpd[12007]: Could not retrieve the CSRF token from db, called from arci_cgi   AFTER CHANGE
2023-03-28T03:27:59+00:00 2023 xxxxxxxxxx_04 <xxxxxxxxxx_04 11.11.11.42> httpd[12007]: Could not retrieve the CSRF token from db, called from arci_cgi   AFTER CHANGE
2023-03-28T03:24:43+00:00 2023 xxxxxxxxxx_04 httpd[27412]: <350008> <27440> <xxxxxxxxxx_03 11.11.11.41> |webserver| SSL Library Error: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure SSL alert number 40   AFTER CHANGE

As such, I suggest closing this while I schedule the implementation. If there are any issues, I will open a ticket to follow up.

Thanks.

Looking forward to something similar for the F5 issue: https://github.com/splunk/splunk-connect-for-syslog/issues/2015

bparmar-splunk commented 1 year ago

@Jo-Ng, thank you for your response. We are closing this issue for now, since it has been resolved at your end.

Please reach out in case of any further queries.