splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

mGuard #2435

Closed mccain007 closed 1 month ago

mccain007 commented 2 months ago

What is the sc4s version? sc4s version=3.22.5
Is there a pcap available? no
What is the vendor name? Phoenix Contact
What is the product name? mGuard
Feature Request description: new filter
Should it support TCP or UDP? both
Do you want to have it for local usage or prepare a github PR? local

ikheifets-splunk commented 1 month ago

Send me pcap file on email ikheifets@splunk.com

ikheifets-splunk commented 1 month ago

@mccain007 without a pcap file (with the log messages that your device produces) we can't implement a parser for you. We need to know the format of the log message.

mccain007 commented 1 month ago

Understood, I was trying to get the pcap from the admin for mGuard but he hasn't replied.


mccain007 commented 1 month ago

Here is what the customer sent me:

Here we go
@.***:~$ sudo tcpdump host XX.XX.XX.229
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:21:58.536095 ARP, Request who-has grp01.XXX.gov tell hqw-ntx-esx01.XXX.gov, length 46
11:22:33.125109 IP mdm.XXX.gov.46215 > grp01.XXX.gov.syslog: SYSLOG user.notice, length: 85
11:22:38.350866 ARP, Request who-has XXXgrp01.XXX.gov tell mdm.XXX.gov, length 28
11:22:38.351017 ARP, Reply XXXgrp01.XXX.gov is-at XXX:30:e7 (oui Unknown), length 46
11:22:55.612299 IP mdm.XXX.gov.46215 > XXXgrp01.XXX.gov.syslog: SYSLOG user.notice, length: 72
11:23:18.767188 IP mdm.XXX.gov.46215 > XXXgrp01.XXX.gov.syslog: SYSLOG user.notice, length: 63
11:23:23.918855 ARP, Request who-has XXXgrp01.XXX.gov tell mdm.XXX.gov, length 28
11:23:23.919074 ARP, Reply XXXgrp01.XXX.gov is-at XXX:30:e7 (oui Unknown), length 46
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

Do you want me to send you what's being captured by SC4S? I can't connect to his server to do a pcap from the SC4S end.


ikheifets-splunk commented 1 month ago

Hello, @mccain007! I need the raw logs that your device produces; please send me a pcap file and I will open your pcap in Wireshark.

Without a raw message we can't implement a parser; we need to know the log format to implement it. I already mentioned this at https://github.com/splunk/splunk-connect-for-syslog/issues/2435#issuecomment-2102831559

The problem with your tcpdump output is that we can't see the raw log content here. Please use the official guide.
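As an added illustration (not part of the thread and not SC4S code): the tcpdump summary above prints one line per packet and never the syslog text itself, so the capture has to be written to a file with `tcpdump -w` and the payload read back out of it. The Python below, standard library only, walks an Ethernet pcap, skips non-IPv4 frames such as the ARP traffic in that capture, and returns the UDP payloads sent to port 514; the pcap bytes and the message text are constructed inline for the example, not real mGuard output.

```python
import struct

# Constructed sample message (not real mGuard output).
SAMPLE_MSG = b"<13>May  9 11:22:33 mdm mguard: example message"

def build_udp_frame(payload, sport=46215, dport=514):
    """Build an Ethernet/IPv4/UDP frame carrying `payload` (checksums zero;
    fine for parsing, not for sending)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    return eth + ip + udp

def build_pcap(frames):
    """Wrap raw frames in a minimal little-endian libpcap file, link-type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def syslog_payloads(pcap_bytes, port=514):
    """Return the UDP payloads addressed to `port` as text: the raw log lines
    a parser author needs, which the one-line tcpdump summary never shows."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian, microsecond-resolution pcap")
    link_type, = struct.unpack("<I", pcap_bytes[20:24])
    if link_type != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    pos, found = 24, []
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":        # ARP and other non-IPv4: skip
            continue
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        if frame[14 + 9] != 17:                 # protocol field: 17 = UDP
            continue
        udp = frame[14 + ihl:]
        _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if dport != port:
            continue
        found.append(udp[8:ulen].decode("utf-8", "replace"))
    return found

if __name__ == "__main__":
    for line in syslog_payloads(build_pcap([build_udp_frame(SAMPLE_MSG)])):
        print(line)
```

On a real capture, replace `build_pcap(...)` with the bytes of the file written by `tcpdump -w`; each returned string is one raw syslog message as the device sent it.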

ikheifets-splunk commented 1 month ago

@mccain007 I am closing this issue because you haven't provided me a pcap file, and I have been waiting for it for a month. When you provide it I will reopen this issue. You know that without examples of your log message it is impossible to create a parser.