splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

A new parser for Dell Avamar logging #2341

Closed RichardHEB closed 5 months ago

RichardHEB commented 7 months ago

What is the sc4s version? pr-2259
Is there a pcap available? Yes
What is the vendor name? Dell
What is the product name? Avamar
Feature Request description: Need a parser created for Avamar logs
Should it support TCP or UDP? UDP
Do you want to have it for local usage or prepare a GitHub PR? local and GitHub PR

ikheifets-splunk commented 7 months ago

Hello, @RichardHEB !

What is the sc4s version ? pr-2259

Please use a release version (for example 3.19.0 or latest); we ask customers to test a dev version only to check that a Pull Request is working before release :)

Is there a pcap available? Yes

Please send me on email: ikheifets@splunk.com

ikheifets-splunk commented 7 months ago

Hello, @RichardHEB ! Haven't got pcap from you!

RichardHEB commented 7 months ago

Hi @ikheifets-splunk, I had asked Andre (Splunk) to send it to you. He's had it since day one. I can email it to your Splunk email; I do not want it posted openly in public here. Am checking with Andre as well.

ikheifets-splunk commented 7 months ago

Thanks @RichardHEB, finally received it; Andre shared it with me.

RichardHEB commented 6 months ago

Hi Ilya, any updates on this one?

ikheifets-splunk commented 6 months ago

Hello, @RichardHEB ! Please upgrade to our dev build to check that our parser is working for you: docker pull ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2393

We parsed your log message (I have hidden sensitive data here, like IPs and emails):

<141> Apr 05 18:19:55 MCS:BS::BACKUP::EDIT: <Code> 22555 <Type> AUDIT <Severity> PROCESS <Category> SECURITY <User> email@my.com <HwSource> amavar <Summary> Changed backup expiration. <path> /clients/Dev-Cert/Windows/test.com <createtime> 2024-02-03 02:32:09 CST <plugin> 3001 <labelnum> 388 <expiration> 2024-02-16 <requestor> <requestor domain="/" host="1.1.1.1" product="test" role="Administrator" user="email@my.com"/>

It will look like this in Splunk:

[Screenshot 2024-04-05 at 18 58 47]

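
The sample event above has a regular shape: a syslog PRI and BSD timestamp, an Avamar event path (`MCS:BS::BACKUP::EDIT`), then repeated `<Key> value` pairs, the last of which (`<requestor>`) carries a self-closing XML element whose attributes identify the acting user, source host and role. The following Python is an added example written for this page, not the SC4S parser from the pull request; `AvamarEvent`, `parse_avamar_event` and `to_splunk_fields` are names chosen here, and the sample line is the redacted one from the comment above (IP and email are placeholders). It shows how the line decomposes into the fields a SIEM would index, including why the embedded XML must not be mistaken for another key.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Syslog facility/severity names by RFC 3164 numbering; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Header: <PRI>, a BSD-style timestamp, then the Avamar program/event path ending in ':'.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<program>\S+?):\s+"
    r"(?P<body>.*)$"
)
# Body: repeated '<Key> value' pairs. A key is a bare word immediately followed by '>',
# so the embedded '<requestor domain=... />' element (space after the name) is kept
# as the value of the preceding '<requestor>' key rather than parsed as a new key.
FIELD_RE = re.compile(r"<(?P<key>\w+)>\s*(?P<value>.*?)(?=\s*<\w+>|$)")


@dataclass
class AvamarEvent:  # hypothetical container type for this example
    facility: str
    severity: str
    timestamp: str
    program: str
    fields: dict = field(default_factory=dict)
    requestor: dict = field(default_factory=dict)


def parse_avamar_event(line: str) -> AvamarEvent:
    """Parse one Avamar syslog line into header, key/value fields and requestor attributes."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an Avamar syslog line: %r" % line[:60])
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    event = AvamarEvent(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("timestamp"),
        program=m.group("program"),
    )
    for f in FIELD_RE.finditer(m.group("body")):
        event.fields[f.group("key")] = f.group("value")
    raw_requestor = event.fields.get("requestor", "")
    if raw_requestor.startswith("<"):
        # The requestor value is a self-closing XML element; its attributes carry
        # the acting user, source host and role, which are what an audit review needs.
        event.requestor = dict(ET.fromstring(raw_requestor).attrib)
    return event


def to_splunk_fields(event: AvamarEvent) -> dict:
    """Flatten an event into a single-level field map of the kind a SIEM would index."""
    flat = {
        "syslog_facility": event.facility,
        "syslog_severity": event.severity,
        "timestamp": event.timestamp,
        "program": event.program,
    }
    for k, v in event.fields.items():
        if k != "requestor":
            flat[k.lower()] = v
    for k, v in event.requestor.items():
        flat["requestor_" + k] = v
    return flat


# Constructed sample: the redacted line from the thread (IP and email are placeholders).
SAMPLE = (
    '<141> Apr 05 18:19:55 MCS:BS::BACKUP::EDIT: <Code> 22555 <Type> AUDIT '
    '<Severity> PROCESS <Category> SECURITY <User> email@my.com <HwSource> amavar '
    '<Summary> Changed backup expiration. <path> /clients/Dev-Cert/Windows/test.com '
    '<createtime> 2024-02-03 02:32:09 CST <plugin> 3001 <labelnum> 388 '
    '<expiration> 2024-02-16 <requestor> <requestor domain="/" host="1.1.1.1" '
    'product="test" role="Administrator" user="email@my.com"/>'
)

if __name__ == "__main__":
    ev = parse_avamar_event(SAMPLE)
    for k, v in sorted(to_splunk_fields(ev).items()):
        print("%-18s %s" % (k, v))
```

Running the block prints the flattened fields for the sample; PRI 141 decodes to facility local1 and severity notice, and the `<Category> SECURITY` / `<Type> AUDIT` pair plus the `requestor_*` attributes are the fields a detection rule on backup-policy changes would key on.
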
ikheifets-splunk commented 5 months ago

Hello, @RichardHEB ! I've got your email that it is working for you, and your question about the release. If we are talking about an official release, 7-10 days, because we have a process of review and release.

If you need it today and don't want to wait, please embed the parser provided on the PR as a local parser.

For that:

  1. Use the latest SC4S version (3.22.3)
  2. Place the parser that I mentioned here: /opt/sc4s/local/config/app-parsers
  3. Check that you are mounting this folder into the docker container: /opt/sc4s/local

RichardHEB commented 5 months ago

Ilya, we tested as instructed above and also ran a load test; everything is working as it should with the latest SC4S version 3.22.3. We put the parser in this folder: /opt/sc4s/local/config/app-parsers, and our docker is mounted to /opt/sc4s/local. Let me know when it is merged with main and in the latest version. Thanks, Richard

ikheifets-splunk commented 5 months ago

@RichardHEB It will be released during 24h

RichardHEB commented 5 months ago

@ikheifets-splunk Hi Ilya, any word? I still don't see it merged to main and we were hoping to deploy to cert then prod today. Thanks!

ikheifets-splunk commented 5 months ago

It has been released https://github.com/splunk/splunk-connect-for-syslog/releases/tag/v3.23.0