splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Domain Named Stripped from Cisco:ios logs #2236

Closed twellinghurst closed 10 months ago

twellinghurst commented 11 months ago

Was the issue replicated by support? No
What is the sc4s version? 3.4.5
Is there a pcap available? Yes
Is the issue related to the environment of the customer or Software related issue? both
Is it related to Data loss, please explain? Protocol? Hardware specs?
The domain name is being stripped off the cisco:ios logs by "splunk-connect-for-syslog\package\etc\conf.d\conflib_splunk\fix_dns.conf"

Last chance index/Fallback index? No
Is the issue related to local customization? No
Do we have all the default indexes created? Yes

Describe the bug
The syslog messages are being forwarded to Splunk, however, SC4S is stripping the domain name off of the device names, causing issues with interfaces that are sending log messages.

For example, the host - "hostname.contoso.com", will have the host= hostname, while the hostname "lo0.hostname.contoso.com.", will have the host = lo0.

To Reproduce
Steps to reproduce the behavior: Send cisco:ios logs to SC4S with a hostname such as lo0.contoso.com

mstopa-splunk commented 10 months ago

@twellinghurst thank you for reporting this. Can you provide an example message to reproduce? I couldn't reproduce this behaviour with our testing data:

[screenshot]

twellinghurst commented 10 months ago

Thanks for the quick response:

Here is a raw message captured using tcpdump on the SC4S server -

09:30:16.191278 IP (tos 0x0, ttl 251, id 22614, offset 0, flags [none], proto UDP (17), length 207) lo0.xxxxxxxxx.xxx.xx.xxx.xxx.51204 > host.xx.xxx.xxx.syslog: SYSLOG, length: 179 Facility local7 (23), Severity notice (5) Msg: 387769: Oct 12 09:31:00.661 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user_account] [Source: 1.1.1.1] [localport: 22] at 09:31:00 EDT Thu Oct 12 2023

And here are the results from this message in Splunk:

[screenshot]

mstopa-splunk commented 10 months ago

@twellinghurst this event worked for me:

echo "<13> Oct 12 09:31:00.661 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user_account] [Source: 1.1.1.1] [localport: 22] at 09:31:00 EDT Thu Oct 12 2023" > /dev/udp/0.0.0.0/514

but I am missing two of your tags and still didn't reproduce the host issue. Do you use local configuration or context files or extra settings in env_file?

mstopa-splunk commented 10 months ago

all right, I understand, you use SC4S_USE_REVERSE_DNS and you'd like SC4S' FixHostResolver to pass the full root domain to be assigned to host. Let me check the reason for the current design
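The collision the reporter describes (two interfaces resolving to "lo0" once everything after the first label is dropped) can be modelled in a few lines. This is an added illustration written for this thread, not SC4S's FixHostResolver code; the PTR table and IP addresses are constructed sample data, and `keep_fqdn` is a hypothetical switch standing in for the behaviour being requested.

```python
"""Model of how a reverse-DNS host resolver that keeps only the first
DNS label collapses distinct interface FQDNs onto one host value, and
how keeping the FQDN avoids that. Illustrative only; not SC4S code."""
from collections import defaultdict

# Constructed reverse-DNS (PTR) answers keyed by syslog source IP.
PTR_TABLE = {
    "192.0.2.10": "lo0.router-a.contoso.com.",
    "192.0.2.11": "lo0.router-b.contoso.com.",
    "192.0.2.12": "router-c.contoso.com",
}


def resolve_host(src_ip, keep_fqdn=False):
    """Return the host value assigned to an event from src_ip.

    keep_fqdn=False mirrors the stripping behaviour reported in this
    issue (first label only); keep_fqdn=True mirrors the requested
    behaviour (whole name, trailing dot removed). With no PTR record
    the source IP itself is used as the host value (assumed fallback).
    """
    name = PTR_TABLE.get(src_ip)
    if name is None:
        return src_ip
    name = name.rstrip(".").lower()
    return name if keep_fqdn else name.split(".", 1)[0]


def host_collisions(src_ips, keep_fqdn=False):
    """Map each resulting host value to the source IPs that share it.

    Any entry with more than one IP means events from different devices
    become indistinguishable by host in the index, which breaks per-device
    correlation and alerting.
    """
    seen = defaultdict(set)
    for ip in src_ips:
        seen[resolve_host(ip, keep_fqdn)].add(ip)
    return {h: sorted(ips) for h, ips in seen.items() if len(ips) > 1}
```

Running `host_collisions(list(PTR_TABLE))` reports the two loopback interfaces merged under "lo0"; with `keep_fqdn=True` the result is empty.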

mstopa-splunk commented 10 months ago

@twellinghurst thank you for reporting this, I will add additional property for fetching full dns

twellinghurst commented 10 months ago

Do you have any ETA on when the additional property will be added? @mstopa-splunk

mstopa-splunk commented 10 months ago

Hello, we've got a bit on our plate at the moment, but this should be ready in up to 3 weeks

twellinghurst commented 10 months ago

@mstopa-splunk - Thank you for resolving this issue!! Do you know when this will be merged into main?

mstopa-splunk commented 10 months ago

@twellinghurst this has now been merged, please use SC4S_REVERSE_DNS_KEEP_FQDN=yes to go from:

[screenshot]

to:

[screenshot]