mstopa-splunk
commented
5 months ago Hi @lakshman237, I've begun working on this issue. I've read both the Splunk add-on source config files and its documentation, as well as the vendor documentation.
What's still unclear to me is the precise format of Squid logs as received by SC4S. I need to verify if it adheres to RFC5424 and how it manages the Squid appliance's hostname.
Please provide us with a PCAP file containing Squid Proxy events collected from the machine running SC4S.
lakshman237
What is the sc4s version ? 3.17
Is there a pcap available? sample files 705686136.023 logformat=splunk_recommended_squid duration=19 src_ip=172.xx.2.1 src_port=62838 dest_ip=15.xx.5x.xx dest_port=443 local_time=[19/Jan/2024:17:42:16 +0000] http_method=POST request_method_from_client=POST request_method_to_server=POST url="https://sig.xxx.com/xxx/ReportManagement.asmx" status=200 vendor_action=TCP_MISS dest_status=HIER_DIRECT http_content_type="text/xml" bytes=2732 bytes_in=993 bytes_out=1739 sni="xx.yy-software.com"
What the vendor name? Squid Proxy
What's the product name? Proxy
Feature Request description: Need to have parser to support this product
Should it support TCP or UDP? UDP
Do you want to have it for local usage or prepare a github PR? both please. Currently, customer uses https://splunkbase.splunk.com/app/2965 to onboard.