splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Veeam parser #2494

Open marakji-splunk opened 2 weeks ago

marakji-splunk commented 2 weeks ago

What is the sc4s version?
3.26.1

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Happy to provide the logs through a support case.

What is the vendor name?
Veeam

What's the product name?
Veeam

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?
veeam_vbr_syslog

Do you have syslog documentation or a manual for that device?
Not much, but I have the app from the vendor, which already parses the data that we need. https://splunkbase.splunk.com/app/7312

Feature Request description:
Veeam is a common solution used by our customers, and often requires integration with Splunk for operational monitoring. An app was already developed on Splunkbase by the vendor. The extractions required can be found in the app. It would be great if we could have the parser available for this.

Do you want to have it for local usage or prepare a github PR?

cwadhwani-splunk commented 2 weeks ago

Hi @marakji-splunk, could you please share the sample logs or the pcap file? This would help us create the parser. Note: you can share the pcap file / sample logs over email (cwadhwani@splunk.com).

marakji-splunk commented 2 weeks ago

Awesome, thank you so much, just sent the sample logs over your email.


cwadhwani-splunk commented 5 days ago

Hi @marakji-splunk, a PR has been raised to add the Veeam parser. Until it is merged and released, here is the build on which you can test the parser:
Build: ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2507

cwadhwani-splunk commented 4 days ago

I have updated the build with the latest changes; please re-download the image if you already have. Note: we have kept the sourcetype as "veeam:vbr:syslog" (since this is the practice that we follow), and the product as "vbr".

You can use the splunk_metadata.csv file to update the sourcetype if you want to; below is an example:
File location: /opt/sc4s/local/context/splunk_metadata.csv
veeam_vbr_syslog,sourcetype,

Alternatively, you can create a new conf file to do the same.
File location: /opt/sc4s/local/config/app_parsers/app-syslog-veeam_vbr.conf

block parser app-syslog-veeam_vbr() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                product('<sample_product_name>')
                sourcetype('<sample_sourcetype>')
            );
        };
    };
};
application app-syslog-veeam_vbr[sc4s-postfilter] {
    filter {
        program('Veeam_MP' type(string) flags(prefix));
    };
    parser { app-syslog-veeam_vbr(); };
};
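The two override mechanisms above both layer on top of the defaults the parser sets with r_set_splunk_dest_default(). The following is an added example (not sc4s project code and not from this issue) that models that layering in Python and validates splunk_metadata.csv lines before they are deployed, so that a line with an empty value column (like the truncated example above) or a misspelled metadata field is caught rather than silently ignored. The default index value, the set of accepted metadata fields, and the sample CSV are assumptions constructed for the example; the defaults "veeam:vbr:syslog" and the key veeam_vbr_syslog come from the comment above.

```python
import csv
import io

# Defaults the parser sets via r_set_splunk_dest_default(). The sourcetype is
# the one stated in the issue; the index value is an ASSUMPTION for illustration.
PARSER_DEFAULTS = {
    "veeam_vbr_syslog": {"sourcetype": "veeam:vbr:syslog", "index": "osnix"},
}

# Metadata fields this validator accepts in the second CSV column. This set is
# an ASSUMPTION; consult the sc4s documentation for the authoritative list.
ALLOWED_FIELDS = {"index", "source", "sourcetype", "host"}


def load_overrides(csv_text):
    """Parse splunk_metadata.csv content of the form key,field,value.

    Returns (overrides, errors). overrides maps key -> {field: value} with
    later lines winning over earlier ones; errors lists lines that were
    rejected (wrong column count, unknown field, or empty value).
    """
    overrides = {}
    errors = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 3:
            errors.append(f"line {lineno}: expected key,field,value; got {len(row)} columns")
            continue
        key, field, value = (cell.strip() for cell in row)
        if field not in ALLOWED_FIELDS:
            errors.append(f"line {lineno}: unknown metadata field '{field}'")
            continue
        if not value:
            errors.append(f"line {lineno}: empty value for {key}/{field}")
            continue
        overrides.setdefault(key, {})[field] = value
    return overrides, errors


def resolve_metadata(key, overrides):
    """Apply CSV overrides for one key on top of the parser defaults."""
    resolved = dict(PARSER_DEFAULTS.get(key, {}))
    resolved.update(overrides.get(key, {}))
    return resolved


# Constructed sample: a valid sourcetype override, an index override, a line
# with an empty value (as in the truncated example on the issue), and a typo
# in the field name.
SAMPLE_CSV = """\
veeam_vbr_syslog,sourcetype,veeam:vbr:custom
veeam_vbr_syslog,index,backup_logs
veeam_vbr_syslog,sourcetype,
veeam_vbr_syslog,sourcetyp,typo_field
"""

if __name__ == "__main__":
    overrides, errors = load_overrides(SAMPLE_CSV)
    print(resolve_metadata("veeam_vbr_syslog", overrides))
    for err in errors:
        print("WARN", err)
```

Running the block resolves veeam_vbr_syslog to the custom sourcetype and the backup_logs index while reporting lines 3 and 4 as rejected; the empty-value line in particular does not clobber the sourcetype set on line 1.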

marakji-splunk commented 3 days ago

Most appreciated, will give this a try next week and let you know.

Thanks,
