
Splunk Connect for Syslog
Apache License 2.0

Add Aviatrix as a known vendor #2357

Closed wozzies closed 1 month ago

wozzies commented 4 months ago

What is the sc4s version? 3.19.0

Is there a pcap available? no, but sample syslog events available

What is the vendor name? Aviatrix

What's the product name? Aviatrix Gateway, Aviatrix Controller

Feature Request description: Add Aviatrix to the known vendors list

Should it support TCP or UDP? Both

Do you want to have it for local usage or prepare a GitHub PR? Included in the next upgrade

mstopa-splunk commented 4 months ago

Hi @wozzies, please send sample events through Splunk support or to mstopa@splunk.com. Events can be anonymised.

wozzies commented 3 months ago

Hi,

Since we can't get logs into our sc4s server, we haven't been able to get a viable pcap from Aviatrix. I have included a file containing sample events provided by Aviatrix.

On Wed, Feb 28, 2024 at 8:57 AM mstopa-splunk wrote:

> hi @wozzies please send sample events through Splunk support or to mstopa@splunk.com. Events can be anonymised

wozzies commented 3 months ago

Attachment included on this email

On Mon, Mar 11, 2024 at 1:28 PM Whitney Gray wrote:

> Since we can't get logs into our sc4s server, we haven't been able to get a viable pcap from Aviatrix. I have included a file containing sample events provided by Aviatrix.

Aug 17 22:07:39 ip-172-31-46-24 cloudx_cli: AviatrixVPNSession: User=demo, Status=active, Gateway=demo, GatewayIP=52.52.76.149, VPNVirtualIP=192.168.0.6, PublicIP=N/A, Login=2016-08-17 22:07:38, Logout=N/A, Duration=N/A, RXbytes=N/A, TXbytes=N/A

Aug 17 22:26:37 ip-172-31-46-24 cloudx_cli: AviatrixVPNSession: User=demo, Status=disconnected, Gateway=demo, GatewayIP=52.52.76.149, VPNVirtualIP=192.168.0.6, PublicIP=N/A, Login=2016-08-17 22:07:38, Logout=2016-08-17 22:26:37, Duration=0:0:18:59, RXbytes=2.1 MB, TXbytes=9.03 MB

2019-04-10T23:33:47.217018+00:00 ip-10-240-0-44 kernel: [ 4976.320353] AvxRl gw1 D:IN=eth0 OUT=eth0 MAC=02:bd:e5:4f:d0:e2:02:d8:14:81:fc:48:08:00 SRC=10.240.1.60 DST=10.230.1.23 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45312 DF PROTO=ICMP TYPE=8 CODE=0 ID=2833 SEQ=1

2019-04-10T23:34:47.602166+00:00 ip-10-240-0-44 kernel: [ 5036.705845] AvxRl StatfulGW2 A:IN=eth0 OUT=eth0 MAC=02:bd:e5:4f:d0:e2:02:d8:14:81:fc:48:08:00 SRC=10.240.1.60 DST=10.230.1.23 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=48453 DF PROTO=ICMP TYPE=8 CODE=0 ID=2834 SEQ=1

2022-05-25T15:57:43.088860+00:00 ip-10-4-179-71 /usr/local/bin/avx-gw-state-sync[1168]: 2022/05/25 15:57:43 AviatrixGwMicrosegPacket: POLICY=54ea65c4-313e-4b3d-8db3-1ecc4f0981db SRC_MAC=16:06:11:d7:a1:11 DST_MAC=16:54:ec:50:09:17 IP_SZ=84 SRC_IP=10.4.187.253 DST_IP=10.5.144.38 PROTO=ICMP SRC_PORT=0 DST_PORT=0 DATA=0x ACT=PERMIT ENFORCED=true

2020-06-09T17:29:31.372628+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats: timestamp=2020-06-09T17:29:31.371791 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160 interface=eth0 total_rx_rate=10.06Kb total_tx_rate=12.77Kb total_rx_tx_rate=2.85Kb total_rx_cum=207.16MB total_tx_cum=1.2MB total_rx_tx_cum=208.36

2020-06-12T08:30:09.297478+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats: timestamp=2020-06-12T08:30:09.296752 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160 interface=eth0 total_rx_rate=8.84Kb total_tx_rate=8.45Kb total_rx_tx_rate=17.29Kb total_rx_cum=4.63MB total_tx_cum=6.8MB total_rx_tx_cum=11.44MB

2020-06-09T17:29:31.372822+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats: timestamp=2020-06-09T17:29:31.371791 name=test cpu_idle=68 memory_free=414640 memory_available=1222000 memory_total=1871644 disk_total=16197524 disk_free=10982084

2020-06-12T08:22:09.295660+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats: timestamp=2020-06-12T08:22:09.294333 name=test cpu_idle=99 memory_free=919904 memory_available=1264792 memory_total=1871644 disk_total=16197524 disk_free=11409716

2019-12-12T04:33:46.892381+00:00 ip-172-32-0-6 avx-nfq: AviatrixFQDNRule2[CRIT]nfq_ssl_handle_client_hello() L#281 Gateway=spoke1-fqdn S_IP=172.32.1.144 D_IP=52.218.234.41 hostname=aviatrix-download.s3-us-west-2.amazonaws.com state=MATCHED Rule=*.amazonaws.com;1

2019-12-12T04:36:53.173210+00:00 ip-172-32-0-6 avx-nfq: AviatrixFQDNRule1[CRIT]nfq_ssl_handle_client_hello() L#281 Gateway=spoke1-fqdn S_IP=172.32.1.144 D_IP=98.137.246.7 hostname=www.yahoo.com state=NO_MATCH drop_reason=NOT_WHITELISTED

2019-11-30T15:44:52.718808+00:00 ip-172-32-0-226 cloudxd: AviatrixTunnelStatusChange: src_gw=oregon-transit(AWS us-west-2) dst_gw=100.20.53.124(NA NA) old_state=Down new_state=Up

2019-11-19T20:13:44.585942+00:00 ip-172-32-0-226 cloudxd: AviatrixCMD: action=USERCONNECT_UPGRADE_TO_VERSION, argv=['--rtn_file', '/run/shm/rtn957594707', 'userconnect_upgrade_to_version', 'upgrade-status', ''], result=Success, reason=, username=admin

2019-11-19T18:01:59.796230+00:00 ip-172-32-0-226 cloudxd: AviatrixCMD: action=TRANSIT_SPOKE_LIST, argv=['--rtn_file', '/run/shm/rtn2091225061', 'transit_spoke_list', '--spoke_only'], result=Success, reason=, username=admin

2020-03-29T00:09:13.201669+00:00 ip-10-88-1-63 cloudxd: AviatrixGatewayStatusChanged: status=down gwname=EMEA-ENG-VPNGateway
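The sample events above are enough to see what a vendor filter for this source has to do: recognise the event family from the `Aviatrix...` (or, for the kernel lines, `AvxRl`) token, and split the key=value body, which uses different separators and contains values with spaces. The following is an added example written for this page, not sc4s's Aviatrix parser and not Aviatrix code. It knows nothing about the format beyond what the sample lines show (the family tokens, the key=value bodies, the field names); the single-letter flag in the `AvxRl` lines is kept raw because the thread does not document it, and the triage rules at the end are the editor's own assumptions about which of these families an analyst would alert on.

```python
"""Classify the Aviatrix syslog samples from this thread and split their key=value bodies.

Added example for this page, not sc4s code and not Aviatrix code. Everything it
knows about the format comes from the sample events above; the triage rules at
the bottom are the editor's assumptions about what is worth alerting on.
"""
import re
from typing import Dict, List, Optional

# Sample events copied from this thread (Aviatrix-provided samples), one per family.
SAMPLES = [
    "Aug 17 22:07:39 ip-172-31-46-24 cloudx_cli: AviatrixVPNSession: User=demo, Status=active, Gateway=demo, GatewayIP=52.52.76.149, VPNVirtualIP=192.168.0.6, PublicIP=N/A, Login=2016-08-17 22:07:38, Logout=N/A, Duration=N/A, RXbytes=N/A, TXbytes=N/A",
    "2019-04-10T23:33:47.217018+00:00 ip-10-240-0-44 kernel: [ 4976.320353] AvxRl gw1 D:IN=eth0 OUT=eth0 MAC=02:bd:e5:4f:d0:e2:02:d8:14:81:fc:48:08:00 SRC=10.240.1.60 DST=10.230.1.23 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45312 DF PROTO=ICMP TYPE=8 CODE=0 ID=2833 SEQ=1",
    "2022-05-25T15:57:43.088860+00:00 ip-10-4-179-71 /usr/local/bin/avx-gw-state-sync[1168]: 2022/05/25 15:57:43 AviatrixGwMicrosegPacket: POLICY=54ea65c4-313e-4b3d-8db3-1ecc4f0981db SRC_MAC=16:06:11:d7:a1:11 DST_MAC=16:54:ec:50:09:17 IP_SZ=84 SRC_IP=10.4.187.253 DST_IP=10.5.144.38 PROTO=ICMP SRC_PORT=0 DST_PORT=0 DATA=0x ACT=PERMIT ENFORCED=true",
    "2019-12-12T04:36:53.173210+00:00 ip-172-32-0-6 avx-nfq: AviatrixFQDNRule1[CRIT]nfq_ssl_handle_client_hello() L#281 Gateway=spoke1-fqdn S_IP=172.32.1.144 D_IP=98.137.246.7 hostname=www.yahoo.com state=NO_MATCH drop_reason=NOT_WHITELISTED",
    "2019-11-19T20:13:44.585942+00:00 ip-172-32-0-226 cloudxd: AviatrixCMD: action=USERCONNECT_UPGRADE_TO_VERSION, argv=['--rtn_file', '/run/shm/rtn957594707', 'userconnect_upgrade_to_version', 'upgrade-status', ''], result=Success, reason=, username=admin",
    "2019-11-30T15:44:52.718808+00:00 ip-172-32-0-226 cloudxd: AviatrixTunnelStatusChange: src_gw=oregon-transit(AWS us-west-2) dst_gw=100.20.53.124(NA NA) old_state=Down new_state=Up",
    "2020-03-29T00:09:13.201669+00:00 ip-10-88-1-63 cloudxd: AviatrixGatewayStatusChanged: status=down gwname=EMEA-ENG-VPNGateway",
]

# Syslog header as seen in the samples: a BSD "Mon DD HH:MM:SS" stamp or an
# ISO-8601 stamp, then host, program (may be a full path), optional [pid], ": ".
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# "AviatrixVPNSession:", "AviatrixFQDNRule1[CRIT]": family, optional rule number,
# optional bracketed severity.
AVX_CLASS = re.compile(r"\b(?P<cls>Aviatrix[A-Za-z]+)(?P<num>\d*)(?:\[(?P<sev>[A-Z]+)\])?")
# Kernel lines: "AvxRl <gateway> <flag>:IN=...". The flag (D / A in the samples)
# is kept as-is; its meaning is not documented in the thread.
AVX_RL = re.compile(r"\bAvxRl (?P<gw>\S+) (?P<flag>[A-Z]):")
# key=value pairs. A value runs until the next ", key=" / " key=" or end of line,
# so values with spaces ("2.1 MB", "2016-08-17 22:07:38", the argv list) stay
# whole. Bare flags such as DF attach to the preceding value, and a repeated key
# (ID= appears twice in the kernel line) keeps its last value.
KV = re.compile(r"(\w+)=(.*?)(?=,? \w+=|$)")


def parse(line: str) -> Optional[Dict[str, object]]:
    """Return header fields, event family and key=value body, or None if not syslog."""
    m = HEADER.match(line)
    if m is None:
        return None
    msg = m.group("msg")
    fields: Dict[str, str] = {}
    ev: Dict[str, object] = {
        "ts": m.group("ts"), "host": m.group("host"), "prog": m.group("prog"),
        "pid": m.group("pid"), "class": None, "fields": fields,
    }
    c = AVX_CLASS.search(msg)
    r = AVX_RL.search(msg)
    if c:
        ev["class"] = c.group("cls")
        if c.group("num"):
            fields["rule"] = c.group("num")
        if c.group("sev"):
            fields["severity"] = c.group("sev")
    elif r:
        ev["class"] = "AvxRl"
        fields["gateway"] = r.group("gw")
        fields["flag"] = r.group("flag")
    for key, val in KV.findall(msg):
        fields[key] = val.strip()
    return ev


def triage(ev: Dict[str, object]) -> List[str]:
    """Findings for the families an analyst would watch (editor's assumptions)."""
    f: Dict[str, str] = ev["fields"]  # populated by parse()
    cls = ev["class"]
    out: List[str] = []
    if cls == "AviatrixFQDNRule" and f.get("state") == "NO_MATCH":
        out.append(f"egress from {f.get('S_IP')} to {f.get('hostname')} dropped by FQDN filter ({f.get('drop_reason')})")
    if cls == "AviatrixGatewayStatusChanged" and f.get("status") == "down":
        out.append(f"gateway {f.get('gwname')} reported down")
    if cls == "AviatrixTunnelStatusChange" and f.get("new_state") == "Down":
        out.append(f"tunnel {f.get('src_gw')} to {f.get('dst_gw')} went down")
    if cls == "AviatrixGwMicrosegPacket" and f.get("ACT") != "PERMIT":
        out.append(f"microseg policy {f.get('POLICY')} {f.get('ACT')} {f.get('SRC_IP')} to {f.get('DST_IP')}")
    if cls == "AviatrixCMD" and "UPGRADE" in f.get("action", ""):
        out.append(f"admin command {f.get('action')} by {f.get('username')} result={f.get('result')}")
    return out


def run(lines: List[str]) -> List[str]:
    """Parse every line and collect findings; lines that do not parse are reported, not dropped."""
    findings: List[str] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(f"UNPARSED: {line[:60]}")
            continue
        findings.extend(triage(ev))
    return findings


if __name__ == "__main__":
    for s in SAMPLES:
        e = parse(s)
        print(e["prog"], e["class"], e["fields"])
    print(run(SAMPLES))
```

Running it over the seven samples yields three findings (the NO_MATCH FQDN drop, the upgrade command issued as admin, and the gateway going down); the VPN session, kernel, microseg PERMIT and tunnel-up lines parse cleanly but raise nothing. Reporting unparsable lines rather than dropping them is deliberate: for a new source the lines that do not match the header regex are exactly the ones that show where the format assumptions are wrong.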

wozzies commented 2 months ago

It looks like the parser for this has been created. How can I get that update applied to our sc4s instance in order to get the Aviatrix logs in?

mstopa-splunk commented 2 months ago

Hello @wozzies, we will release it on Monday; I will let you know which version to upgrade to.

wozzies commented 2 months ago

Wonderful, thanks!

mstopa-splunk commented 1 month ago

Released in v3.25.0.