splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Truncated IP Address in host field #2381

Closed ehlo550 closed 2 months ago

ehlo550 commented 3 months ago

What is the sc4s version? 3.22.1

Is the issue related to the environment of the customer or Software related issue? software related

Describe the bug After upgrading to 3.22.1 I saw that the host value got truncated for several hosts. Instead of 10.1.1.1 & 10.1.1.2 it was only 10. Instead of 172.20.20.1 & 172.20.30.1 it was only 172.

I have SC4S_USE_REVERSE_DNS = true and SC4S_REVERSE_DNS_KEEP_FQDN = false and if there is no reverse DNS entry instead of the original IP address only a truncated version is used in the HOST field.

To Reproduce Steps to reproduce the behavior:

  1. SC4S_USE_REVERSE_DNS = true
  2. SC4S_REVERSE_DNS_KEEP_FQDN = false
  3. Ingest logs from a Device where no hostname can be extracted from the message and where no DNS reverse entry is available
  4. See wrong host in splunk
ehlo550 commented 3 months ago

Hi @mstopa-splunk,

I really do not think this is vendor specific: [image]

Regards

ehlo550 commented 3 months ago

I can reproduce this with echo '<189>409882: Mar 28 2024 16:51:54.869 CET: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0000.0000.0000) with reason (Timeout) on Interface Gi1/0/19 AuditSessionID 0A6414AC0000DD9083C9DCF0 Username: anonymous' | nc -u -w0 <sc4s_ip> 514


mstopa-splunk commented 3 months ago

@ehlo550 thank you, reproduced on my end

mstopa-splunk commented 3 months ago

@ehlo550 from which SC4S version did you upgrade?

ikheifets-splunk commented 3 months ago

@mstopa-splunk it seems that from 2.48.2, according to today's message from the Splunk user group

mstopa-splunk commented 3 months ago

okay, it was already broken in 3.4.1: [image]

3.22.1 https://github.com/splunk/splunk-connect-for-syslog/blob/v3.22.1/package/etc/pylib/parser_fix_dns.py
3.4.1 https://github.com/splunk/splunk-connect-for-syslog/blob/v3.4.1/package/etc/pylib/parser_fix_dns.py
2.48.2 https://github.com/splunk/splunk-connect-for-syslog/blob/v2.48.2/package/etc/pylib/parser_fix_dns.py

mstopa-splunk commented 3 months ago

@ikheifets-splunk @ehlo550 I've got this:

2.48.2:

docker exec -it SC4S bash

python3
Python 3.9.13 (main, Nov  9 2022, 13:16:24) 
[GCC 8.5.0 20210514 (Red Hat 8.5.0-15)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> hostname, aliaslist, ipaddrlist = socket.gethostbyaddr("10.202.20.14")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
socket.herror: [Errno 1] Unknown host

3.4.1:

python3
Python 3.11.5 (main, Aug 26 2023, 11:59:23) [GCC 12.2.1 20220924] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> hostname, aliaslist, ipaddrlist = socket.gethostbyaddr("10.202.20.14")
>>> hostname
'10.202.20.14'

newer Python, newer socket which no longer raises the error. We need to explicitly check if resolved hostname == IP. I will have a PR in an hour
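The behaviour change described in the comment above, and the fix it calls for, as an added example (this is not code from the SC4S `parser_fix_dns.py` module, only an illustration of the same logic). It assumes that the short-hostname mode (`SC4S_REVERSE_DNS_KEEP_FQDN = false`) is implemented by cutting the resolved name at the first dot, which is what turns an echoed-back `10.1.1.1` into `10`; the resolver is injectable so the two Python behaviours (raising `socket.herror` vs. returning the IP unchanged) can be exercised offline. It generalises slightly beyond the comment by treating any IPv4 or IPv6 literal as "unresolved" rather than comparing strings for exact equality.

```python
import ipaddress
import socket
from typing import Callable

# A resolver takes an IP string and returns the PTR name, or raises socket.herror.
# This alias is ours (hypothetical), not part of SC4S.
Resolver = Callable[[str], str]


def stdlib_resolver(ip: str) -> str:
    """Real reverse lookup via the standard library (needs network/DNS)."""
    hostname, _aliases, _addrs = socket.gethostbyaddr(ip)
    return hostname


def is_ip_literal(value: str) -> bool:
    """True when the 'hostname' is really just an IPv4/IPv6 address echoed back."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def host_field_buggy(ip: str, keep_fqdn: bool, resolver: Resolver = stdlib_resolver) -> str:
    """Pre-fix logic (assumed): only an exception falls back to the IP.

    On newer Python, gethostbyaddr() can return the IP itself instead of raising,
    so the short-name branch cuts '10.1.1.1' down to '10'.
    """
    try:
        name = resolver(ip)
    except socket.herror:
        return ip
    return name if keep_fqdn else name.split(".", 1)[0]


def host_field_fixed(ip: str, keep_fqdn: bool, resolver: Resolver = stdlib_resolver) -> str:
    """Fixed logic: treat an IP literal (or empty name) as 'no reverse entry'."""
    try:
        name = resolver(ip)
    except (socket.herror, socket.gaierror, OSError):
        return ip
    if not name or is_ip_literal(name):
        # Nothing resolved: keep the full original address, never shorten it.
        return ip
    return name if keep_fqdn else name.split(".", 1)[0]


# Constructed stand-ins for the two resolver behaviours seen on the issue.
def resolver_old_python(ip: str) -> str:
    raise socket.herror(1, "Unknown host")


def resolver_new_python(ip: str) -> str:
    return ip  # no PTR record: the address comes back unchanged


def resolver_with_ptr(ip: str) -> str:
    return "sw1.example.net"  # constructed PTR name


if __name__ == "__main__":
    for label, res in [("old", resolver_old_python), ("new", resolver_new_python)]:
        print(label, "buggy:", host_field_buggy("10.1.1.1", False, res),
              "fixed:", host_field_fixed("10.1.1.1", False, res))
```

With the old resolver both variants yield `10.1.1.1`; with the new one the buggy variant yields `10` and the fixed variant keeps `10.1.1.1`. A real PTR name is shortened to `sw1` or kept as the FQDN depending on the flag in both variants.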

ehlo550 commented 2 months ago

@mstopa-splunk can you perhaps tell me approximately when there will be the next release?

mstopa-splunk commented 2 months ago

@ehlo550 we plan on releasing this in the next batch on 22.04

mstopa-splunk commented 2 months ago

released in v3.22.4