Closed imsidr closed 8 months ago
@imsidr I can't find Thales Vormetric documentation regarding syslog. Without the documentation it's hard for me to understand logs from the attached file and write the parser. Do you have documentation regarding syslog message format in Vormetric? If not, can you request it from Thales?
@mstopa-splunk the message format is RFC5424
@imsidr thank you, but I still need to check if this vendor can be distinguished based on the message.
If there are unique, distinguishable parts of each log message, we write message-based parsers: https://splunk.github.io/splunk-connect-for-syslog/main/sources/#standard-syslog-using-message-parsing
In some cases standard syslog is also generic and cannot be disambiguated from other sources by message content alone: https://splunk.github.io/splunk-connect-for-syslog/main/sources/#standard-syslog-vendor-product-by-source https://splunk.github.io/splunk-connect-for-syslog/main/sources/#unique-listening-ports
Can you please check with Vormetric if they have their message format documented? Like for example Prisma team: https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-sites-and-devices/use-external-services-for-monitoring/syslog-server-support-in-prisma-sd-wan/syslog-flow-export
Hi @mstopa-splunk, document attached: vormetric_doc.pdf
Pages 74-84 have all the details regarding logging.
@mstopa-splunk do we have any update on this?
Hi @imsidr, the PR will be ready in the middle of next week. Unfortunately, Vormetric didn't implement RFC5424 correctly; there are issues with the timestamp format and a missing field. I need to write an almost-syslog parser to correct messages on the wire.
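As an added example, not code from this thread or from SC4S itself: a small Python RFC 5424 header parser with a classifier that tries the three SC4S strategies mentioned earlier in order (message content, sender host, listening port) and flags a header whose timestamp is not in the restricted RFC 3339 form RFC 5424 requires. The app-name, host and port mappings and the sample messages are constructed assumptions; the thread does not give the Vormetric message format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# RFC 5424 TIMESTAMP: "-" or 2024-05-01T10:15:30(.ffffff)?(Z|+hh:mm); no space, tz required
TS_RE = re.compile(r"^(-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2}))$")

@dataclass
class Parsed:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msg: str
    conformant: bool  # False when the header parses but the timestamp breaks RFC 5424

def parse_rfc5424(line: str) -> Optional[Parsed]:
    """Return the parsed header, or None if the line is not RFC 5424 version 1."""
    m = RFC5424_RE.match(line)
    if not m or m["version"] != "1":
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return Parsed(pri >> 3, pri & 7, m["ts"], m["host"], m["app"], m["msg"] or "",
                  conformant=bool(TS_RE.match(m["ts"])))

# Constructed mappings (assumptions) for the three strategies, tried in order.
MESSAGE_APPS = {"vormetric": "thales_vormetric"}       # 1. unique APP-NAME in the message
SOURCE_HOSTS = {"vormetric-dsm01": "thales_vormetric"}  # 2. known sender host
PORT_MAP = {5514: "thales_vormetric"}                   # 3. dedicated listening port

def classify(line: str, sender: str, port: int) -> str:
    p = parse_rfc5424(line)
    if p and p.app.lower() in MESSAGE_APPS:
        return MESSAGE_APPS[p.app.lower()]
    if sender in SOURCE_HOSTS:
        return SOURCE_HOSTS[sender]
    return PORT_MAP.get(port, "unknown")

# Constructed sample messages, not taken from any vendor documentation.
SAMPLE_OK = '<134>1 2024-05-01T10:15:30.123Z vormetric-dsm01 vormetric 1234 - [meta seq="1"] policy applied'
SAMPLE_BAD_TS = "<13>1 2024-05-01T10:15:30 dsm01 vormetric - - - key rotated"  # missing timezone
SAMPLE_GENERIC = "<13>1 2024-05-01T10:15:30Z web01 sshd 999 - - Accepted publickey for root"
SAMPLE_BSD = "May  1 10:15:30 web01 sshd[999]: Accepted publickey"  # RFC 3164 style, not 5424
```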
@imsidr my bad, the issue was with one particular example from Vormetric documentation, but in general they did everything well.
I have attached the PR that is now waiting for the review.
If you'd like to, please feel free to test it on your end and share feedback: ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2312@sha256:ebee59d2a26b5c158d4ed4e45aa75e791dfe4a7d1446fbf54899d597e4252669
@mstopa-splunk I can't access ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2312@sha256:ebee59d2a26b5c158d4ed4e45aa75e791dfe4a7d1446fbf54899d597e4252669. Also, I am really new to this; how can I test this without upgrading SC4S? And what version of the SC4S parser for Thales would be available?
@imsidr, this should be released tomorrow so you will be able to test a new version and open a new issue in case of further requests.
To test without upgrading, please place this config: https://github.com/splunk/splunk-connect-for-syslog/blob/7cde0ecd790a97d920d9dea96528cd689a499bd1/package/etc/conf.d/conflib/syslog/app-syslog-vormetric.conf in /opt/sc4s/local/config/app_parsers and restart SC4S.
Thales Vormetric support has been added in the new release 3.18.0.
What is the SC4S version? latest
Is there a pcap available? NA
What is the vendor name? Thales
What's the product name? Vormetric
Feature Request description: Want to onboard Thales (Vormetric) appliance logs to Splunk
Should it support TCP or UDP? yes
Do you want to have it for local usage or prepare a GitHub PR?