splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

A new filter for Thales(vormetric) appliances #2289

Closed imsidr closed 8 months ago

imsidr commented 9 months ago

What is the sc4s version ? latest

Is there a pcap available? NA

What the vendor name? Thales

What's the product name? Vormetric

Feature Request description: Want to onboard Thales (Vormetric) appliance logs to Splunk.

Should it support TCP or UDP? - yes

Do you want to have it for local usage or prepare a github PR?

imsidr commented 9 months ago

vormetric_syslog.txt

mstopa-splunk commented 8 months ago

@imsidr I can't find Thales Vormetric documentation regarding syslog. Without the documentation it's hard for me to understand logs from the attached file and write the parser. Do you have documentation regarding syslog message format in Vormetric? If not, can you request it from Thales?

imsidr commented 8 months ago

@mstopa-splunk the message format is RFC5424

mstopa-splunk commented 8 months ago

@imsidr thank you, but I still need to check if this vendor can be distinguished based on the message.

  1. If there are unique, distinguishable parts of each log message, we write message-based parsers: https://splunk.github.io/splunk-connect-for-syslog/main/sources/#standard-syslog-using-message-parsing

  2. In some cases standard syslog is also generic and can not be disambiguated from other sources by message content alone: https://splunk.github.io/splunk-connect-for-syslog/main/sources/#standard-syslog-vendor-product-by-source https://splunk.github.io/splunk-connect-for-syslog/main/sources/#unique-listening-ports

Can you please check with Vormetric if they have their message format documented? Like for example Prisma team: https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-sites-and-devices/use-external-services-for-monitoring/syslog-server-support-in-prisma-sd-wan/syslog-flow-export
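The distinction drawn in the two numbered points above, message-based identification versus identification by source, as an added example that is not SC4S code and not Thales output: a small RFC 5424 header parser plus a classifier that first looks for product-specific markers in the message (app-name or SD-ID) and only falls back to the source IP or listening port when the content is generic syslog. The SD-ID `exampleSDID@32473` (IANA documentation enterprise number), the app-name `example-agent`, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses (RFC 5737) and all sample lines are constructed assumptions, not values from any vendor's documentation.

```python
"""Added example (not SC4S or Thales code): decide whether a syslog sender can be
identified from the message itself or only from where the message arrived.
All markers, addresses and sample lines below are constructed for illustration."""
import re
from typing import Optional

# RFC 5424 frame: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID SP STRUCTURED-DATA [SP MSG]. Simplification: an escaped "\]" inside
# an SD param value is not handled.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)
# Strict RFC 5424 TIMESTAMP: RFC 3339 with "T", optional fraction, "Z" or +-hh:mm.
TIMESTAMP_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})$"
)
SD_ID_RE = re.compile(r"\[([^\s\]=]+)")


def parse_rfc5424(line: str) -> Optional[dict]:
    """Return the header fields of an RFC 5424 frame, or None if it is not one."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    fields["facility"], fields["severity"] = divmod(pri, 8)
    # Flag an "almost RFC 5424" timestamp (e.g. missing timezone) instead of
    # dropping the frame; a real pipeline would rewrite it on the wire.
    ts = fields["timestamp"]
    fields["timestamp_ok"] = ts == "-" or TIMESTAMP_RE.match(ts) is not None
    fields["sd_ids"] = [] if fields["sd"] == "-" else SD_ID_RE.findall(fields["sd"])
    return fields


# Message-based rules: markers that only one product emits. Hypothetical values.
MESSAGE_RULES = [
    ("examplevendor", "example-agent",
     lambda h: h["app"] == "example-agent" or "exampleSDID@32473" in h["sd_ids"]),
]

# Source-based fallback for products whose messages look like generic syslog.
# Key: (source IP, or None for any source; destination port). Hypothetical values.
SOURCE_RULES = {
    ("192.0.2.10", 514): ("examplevendor", "generic-appliance"),
    (None, 5514): ("examplevendor", "generic-appliance"),  # dedicated listening port
}


def identify(line: str, src_ip: str, dst_port: int) -> tuple:
    """Return (vendor, product, method); method is 'message', 'source' or 'none'."""
    header = parse_rfc5424(line)
    if header is not None:
        for vendor, product, matches in MESSAGE_RULES:
            if matches(header):
                return vendor, product, "message"
    for key in ((src_ip, dst_port), (None, dst_port)):
        if key in SOURCE_RULES:
            vendor, product = SOURCE_RULES[key]
            return vendor, product, "source"
    return "unknown", "unknown", "none"


# Constructed sample frames (not real appliance output): (line, source IP, port).
SAMPLES = [
    # identifiable from the SD-ID / app-name alone, wherever it came from
    ('<134>1 2024-01-05T12:00:00.123Z host1 example-agent 1234 AUDIT '
     '[exampleSDID@32473 user="alice" action="login"] login ok', "198.51.100.7", 514),
    # generic content: only the known source IP says which product sent it
    ('<13>1 2024-01-05T12:00:01Z host2 - - - - policy reload', "192.0.2.10", 514),
    # generic content on the dedicated port
    ('<13>1 2024-01-05T12:00:02Z host3 - - - - policy reload', "203.0.113.5", 5514),
    # generic content from an unknown source: cannot be attributed
    ('<13>1 2024-01-05T12:00:03Z host4 - - - - policy reload', "203.0.113.5", 514),
    # timestamp lacks a timezone: still parsed, but flagged as non-compliant
    ('<134>1 2024-01-05T12:00:04 host5 example-agent 1234 AUDIT - rekey done',
     "203.0.113.5", 514),
]


def classify_samples() -> list:
    return [identify(line, ip, port) for line, ip, port in SAMPLES]


if __name__ == "__main__":
    for (line, _, _), result in zip(SAMPLES, classify_samples()):
        print(result, "<-", line[:60])
```

The order of the checks is the point: a marker in the message wins regardless of origin, so one collector port can serve many vendors; a product without any marker can only be attributed by a dedicated source IP or listening port, and traffic from an unknown source stays unattributed rather than being guessed. The `timestamp_ok` flag shows how to tolerate a sender that is almost, but not quite, RFC 5424 compliant without losing the event.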

imsidr commented 8 months ago

Hi @mstopa-splunk, document attached: vormetric_doc.pdf

imsidr commented 8 months ago

Pages 74-84 have all the details regarding logging.

imsidr commented 8 months ago

@mstopa-splunk, do we have any update on this?

mstopa-splunk commented 8 months ago

Hi @imsidr, the PR will be ready in the middle of next week. Unfortunately, Vormetric didn't implement RFC5424 correctly; there are issues with the timestamp format and a missing field. I need to write an almost-syslog parser to correct messages on the wire.

mstopa-splunk commented 8 months ago

@imsidr my bad, the issue was with one particular example from Vormetric documentation, but in general they did everything well.

I have attached the PR that is now waiting for the review.

If you'd like to, please feel free to test it on your end and share feedback: ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2312@sha256:ebee59d2a26b5c158d4ed4e45aa75e791dfe4a7d1446fbf54899d597e4252669

imsidr commented 8 months ago

@mstopa-splunk I can't access ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2312@sha256:ebee59d2a26b5c158d4ed4e45aa75e791dfe4a7d1446fbf54899d597e4252669. Also, I am really new to this; how can I test this without upgrading SC4S? And what version of the SC4S parser for Thales would be available?

mstopa-splunk commented 8 months ago

@imsidr, this should be released tomorrow so you will be able to test a new version and open a new issue in case of further requests.

To test without upgrading, please place this config: https://github.com/splunk/splunk-connect-for-syslog/blob/7cde0ecd790a97d920d9dea96528cd689a499bd1/package/etc/conf.d/conflib/syslog/app-syslog-vormetric.conf in /opt/sc4s/local/config/app_parsers and restart SC4S.

mstopa-splunk commented 8 months ago

Thales Vormetric support has been added in the new release 3.18.0