splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

SC4S parser support for EPP (by CoSoSys, now part of netwrix) logs #2351

Closed krish-flutter closed 4 months ago

krish-flutter commented 4 months ago

What is the sc4s version? We plan to use the latest stable available version.

Is there a pcap available? We could get our security/network team to collect one for us.

What is the vendor name? EndPointProtector -> https://www.endpointprotector.com/

What's the product name? EPP

Feature Request description:

Should it support TCP or UDP? Support both TCP & UDP

Do you want to have it for local usage or prepare a GitHub PR? As it's time sensitive, happy to start with a local usage option, but would like to get it into a GitHub PR to ensure it's shipped as a standard within the official SC4S product releases.

mstopa-splunk commented 4 months ago

@krish-flutter yes, please work with your team to get a pcap file. You can send it to mstopa@splunk.com or through our support. Also, do you have the vendor's documentation for syslog? If not, we will use pcap samples only.

krish-flutter commented 4 months ago

@mstopa-splunk, tx for getting back. I have sent you a mail with the EPP spec. Please let me know if that is good enough or if you would need anything else.

mstopa-splunk commented 4 months ago

Thank you, I answered the email message.

krish-flutter commented 4 months ago

Hey @mstopa-splunk, my colleague has replied to your email with the EPP dump/sample/raw events.

mstopa-splunk commented 4 months ago
> As it's time sensitive, happy to start with a local usage option, but would like to get it into a GitHub PR to ensure it's shipped as a standard within the official SC4S product releases.

@krish-flutter please use this local parser:

# Local SC4S parser for Netwrix/CoSoSys Endpoint Protector (EPP) syslog.
# The parser block sets the Splunk destination metadata for matching events.
block parser app-syslog-netwrix_epp() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('netops')
                source('netwrix:epp')
                sourcetype('netwrix:epp')
                vendor("netwrix")
                product("epp")
            );
        };
    };
};

# Bind the parser into the program-name based application layer:
# any event whose PROGRAM field starts with "EPP-" is routed here.
application app-syslog-netwrix_epp[sc4s-syslog-pgm] {
    filter {
        program('EPP-' type(string) flags(prefix))
    };

    parser { app-syslog-netwrix_epp(); };
};

You should copy it to /opt/sc4s/local/config/app_parsers/ (or a subdirectory there) as a *.conf file and restart the service. We will work on the official release during this sprint, so feel free to share your feedback or additional requests regarding this.
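To see which events the filter in the parser above actually selects before deploying it, here is a small Python emulation added for this thread (it is not SC4S or syslog-ng code). It extracts the PROGRAM tag from constructed RFC 3164 style sample lines and applies the same test as syslog-ng's program('EPP-' type(string) flags(prefix)): a literal, case-sensitive prefix comparison (syslog-ng only ignores case when flags(ignore-case) is added). Matching events get the metadata that r_set_splunk_dest_default() sets in the parser; everything else falls through to the other SC4S parsers. The sample events, the regex and the function names are constructed for this illustration.

```python
"""Emulate the routing decision of the netwrix_epp parser posted above.

Constructed example for this thread, not SC4S or syslog-ng code. It
re-implements only the two pieces the parser relies on: extracting the
PROGRAM field from an RFC 3164 style header, and the case-sensitive
literal prefix test that program('EPP-' type(string) flags(prefix)) does.
"""
import re
from typing import Optional

# <PRI>MMM DD HH:MM:SS host program[pid]: message
# Constructed regex for the RFC 3164 shape seen in the samples below; real
# syslog-ng header parsing is more permissive than this.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Values copied from r_set_splunk_dest_default() in the posted parser.
EPP_DEST = {
    "index": "netops",
    "source": "netwrix:epp",
    "sourcetype": "netwrix:epp",
    "vendor": "netwrix",
    "product": "epp",
}


def parse_program(line: str) -> Optional[str]:
    """Return the PROGRAM (tag) field of a syslog line, or None if unparseable."""
    m = RFC3164.match(line)
    return m.group("program") if m else None


def program_prefix_filter(program: Optional[str], prefix: str = "EPP-") -> bool:
    """program() with type(string) flags(prefix): literal prefix match,
    case-sensitive because no ignore-case flag is set in the parser."""
    return program is not None and program.startswith(prefix)


def route(line: str) -> Optional[dict]:
    """Return the Splunk destination metadata the parser would set, or
    None when the event would fall through to other SC4S parsers."""
    if program_prefix_filter(parse_program(line)):
        return dict(EPP_DEST)
    return None


# Constructed sample events (not real EPP output).
SAMPLES = [
    "<134>Jan 12 10:00:00 epp-srv EPP-Server[2210]: Device connected user=alice",
    "<134>Jan 12 10:00:01 epp-srv EPP-Client: Policy applied id=12",
    "<134>Jan 12 10:00:02 epp-srv epp-server[2210]: lowercase tag, no match",
    "<134>Jan 12 10:00:03 epp-srv XEPP-Server: different prefix, no match",
    "<38>Jan 12 10:00:04 bastion sshd[991]: Accepted publickey for bob",
]

if __name__ == "__main__":
    for s in SAMPLES:
        dest = route(s)
        print(f"{parse_program(s)!r:20} -> {dest['sourcetype'] if dest else 'not matched'}")
```

Running it shows that only the first two samples are routed to index netops / sourcetype netwrix:epp; the lowercase epp-server tag and the XEPP-Server tag are not matched, which is worth checking against the real program names in the pcap before relying on the prefix.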

mstopa-splunk commented 4 months ago

Released in v3.22.0.