splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Parser de Squid Proxy #2359

Closed JosepSirt closed 3 months ago

JosepSirt commented 4 months ago

What is the sc4s version? 3.21.0

Is there a pcap available? Yes

What is the vendor name? Squid

What is the product name? Squid Proxy

Feature Request description: When I configured the events of a SquidProxy to be sent to an SC4S and from there to send them to my Splunk Cloud, I realized that they arrive in sc4s_fallback format.

Should it support TCP or UDP? Support both TCP & UDP

Do you want to have it for local usage or prepare a github PR? github PR

mstopa-splunk commented 4 months ago

Hi @JosepSirt, can you send a pcap file through Splunk support or to mstopa@splunk.com?

JosepSirt commented 4 months ago

@mstopa-splunk sent by mail

mstopa-splunk commented 4 months ago

Hi @JosepSirt, thank you for the email. It does not include raw messages, but you can easily fetch them:

Set the variable SC4S_SOURCE_STORE_RAWMSG=yes in env_file and restart sc4s. This will store the raw message in a syslog-ng macro called RAWMSG, and it will be displayed in Splunk for all fallback messages.

https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/#obtaining-on-the-wire-raw-events

If you temporarily modify your SC4S env_file this way, you will have the additional RAWMSG field for fallback messages. Please send me a few (3-4) examples.

JosepSirt commented 4 months ago

@mstopa-splunk I have to ask the client; I don't know when I will have it.

mstopa-splunk commented 4 months ago

@JosepSirt if the vendor has docs with description and examples we can start with that also while waiting for raw messages. If not, can we close this issue and reopen when the customer provides the events?

JosepSirt commented 3 months ago

Yes, we are going to close the case.

The client is no longer interested in integrating Squid into Splunk.

Thank you very much for the help.