Closed imsidr closed 1 day ago
@imsidr I can see there is a typo in your parser definition. The definition should be block parser app-dest-cisco_acs-postfilter instead of block parser app-dest-ciso_acs-postfilter. Please refer to the below parser:
block parser app-dest-cisco_acs-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype('cisco:acs')
                vendor("cisco")
                product("acs")
            );
        };
    };
};

application app-dest-cisco_acs-postfilter[sc4s-postfilter] {
    filter {
        host("hsradus" type(glob) flags(ignore-case));
    };
    parser { app-dest-cisco_acs-postfilter(); };
};
Please give this a try and let us know if you are still facing any issues.
Hi, I want the host to contain hsradus in the host field, should I not use hsradus?
Hi, I am still seeing the same error.
//BR,Sid
Hey, Could you please confirm whether you restarted the sc4s service after applying the changes?
Hi, we deploy code via ansible & a CI/CD pipeline which creates a new image; however, I did restart the container but still see the same error.
Also I am adding in host("hsradus" type(glob) flags(ignore-case)); and for ise the host as ise so that it picks all the hosts that have those flags.
//BR,Sid
The parser provided has no error; we used and replicated it on our side. Something else is messing up; check journalctl -xe -u sc4s, else please create a support ticket and Support can help to get it fixed.
Another way will be sharing all your local parsers so we can check them all.
Hi Rahul, attached are the local parsers that we are using in our env. Additionally, I will open a support ticket as well.
//BR,Sid
Apologies, but we don't see any attachment here; can you please do it from the GitHub web UI?
done
In the provided files, the following two, app-dest-cisco_acs.conf and app-dest-cisco_ise.conf, are missing a "};" on the last line. Please correct them and it will start normally.
block parser app-dest-cisco_acs-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype('cisco:acs')
                vendor("cisco")
                product("acs")
            );
        };
    };
};

application app-dest-cisco_acs-postfilter[sc4s-postfilter] {
    filter {
        host("hsradus" type(glob) flags(ignore-case));
    };
    parser { app-dest-cisco_acs-postfilter(); };
};

block parser app-dest-cisco_ise-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype("cisco:ise")
                vendor("cisco")
                product("ise")
            );
        };
    };
};

application app-dest-cisco_ise-postfilter[sc4s-postfilter] {
    filter {
        host("ise*" type(glob) flags(ignore-case));
    };
    parser { app-dest-cisco_ise-postfilter(); };
};
Here is the updated file.
Hi Rahul, the data is not showing up under the sourcetype I defined; it shows in cisco:ise:syslog and poc:syslog while my parser has cisco:ise, and I don't understand where poc:syslog is coming from.
Was the issue replicated by support?
What is the sc4s version? 3.19.0
Which operating system (including its version) are you using for hosting SC4S? docker container
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Is the issue related to the environment of the customer or Software related issue? Not Sure
Is it related to Data loss, please explain? Protocol? Hardware specs?
Last chance index/Fallback index? sc4s index
Is the issue related to local customization? Not sure
Do we have all the default indexes created? NA

Describe the bug
docker container in restarting(1) status
Error parsing parser expression, syntax error, unexpected LL_IDENTIFIER, expecting '}' in parser generator app-parser:274:18-274:47:

To Reproduce
Steps to reproduce the behavior:
I created a filter to parse data based on host and change the index & sourcetype name for cisco acs
/opt/sc4s/local/config/app-parsers/app-dest-cisco_acs.conf
File name provided is a suggestion it must be globally unique

block parser app-dest-ciso_acs-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype('cisco:acs')
                vendor("cisco")
                product("acs")
            );
        };
    };
};
application app-dest-cisco_acs-postfilter[sc4s-postfilter] {
    filter {
        host("hsradus" type(glob) flags(ignore-case))
    };
    parser { app-dest-cisco_acs-postfilter(); };
};
Getting below error -

syslog-ng checking config sc4s version=3.19.0
Error parsing parser expression, syntax error, unexpected LL_IDENTIFIER, expecting '}' in parser generator app-parser:274:18-274:47:
269
270         host("hsradus" type(glob) flags(ignore-case))
271
272     };
273     parser {
274--->     app-dest-cisco_acs-postfilter();
274--->     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
275     };
276     rewrite {
277         set-tag('.app.app-dest-cisco_acs-postfilter');
278         set('app-dest-cisco_acs-postfilter' value('.app.name'));
279     };

Included from /etc/syslog-ng/conf.d/plugin/app_parser_topics.conf:32:5-32:39:
27  parser app-plugin-syslog-fix-program{
28      app-parser(topic(fix-invalid-program));
29  };
30
31  parser app-plugin-source-postprocess{
32---->    app-parser(topic(sc4s-postfilter));
32---->    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
33  };
34
35  parser app-plugin-source-finalprocess{
36      app-parser(topic(sc4s-finalfilter));
37  };

Included from /etc/syslog-ng/syslog-ng.conf:42:1-42:1:
37
38  @include "conf.d/enrich/*.conf"
39  @include "conf.d/enrich/*/*.conf"
40
41  @include "conf.d/plugin/*.conf"
42---->
42----> ^
43  @include "conf.d/sources/*.conf"
44  @include "conf.d/sources/*/*.conf"
45  @include "conf.d/local/config/sources/*.conf"
46  @include "conf.d/local/config/sources/*/*.conf"
47
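Both mistakes this thread turns up can be caught before the container ever goes into a restart loop: the parser { name(); }; call whose block parser was defined under a misspelled name (syslog-ng reports it as "unexpected LL_IDENTIFIER, expecting '}'" at the call, not at the definition, which is why the typo was easy to miss), and the file whose final "};" was dropped. The following pre-deploy lint is an added example written for this page, not code from SC4S or syslog-ng; the two embedded config samples are constructed from the configs posted in the issue and in the corrected files above, and the script name, function names and messages are the example's own. It is a textual heuristic, not a syslog-ng parser: it blanks out strings and comments, checks brace balance and that every top-level block ends in "};", and resolves zero-argument parser calls against block parser definitions gathered across every file passed in. The authoritative check remains syslog-ng's own config check at container start.

```python
"""Pre-deploy lint for SC4S local app-parser files (syslog-ng config syntax).

Added example for this thread, not part of SC4S or syslog-ng. It catches the
two mistakes discussed above before the container enters a restart loop:
  * a `parser { name(); };` call whose `block parser name()` is spelled
    differently (syslog-ng reports "unexpected LL_IDENTIFIER, expecting '}'"),
  * a file whose closing "};" is missing, leaving an unclosed "{".
It is a textual heuristic, not a syslog-ng parser.
"""
import difflib
import re

# Constructed sample, not a file from the project: the config as posted in the
# issue, with the ciso/cisco typo in the block name and the final "};" dropped.
BROKEN_CONF = """\
block parser app-dest-ciso_acs-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype('cisco:acs')
                vendor("cisco")
                product("acs")
            );
        };
    };
};
application app-dest-cisco_acs-postfilter[sc4s-postfilter] {
    filter {
        host("hsradus" type(glob) flags(ignore-case));
    };
    parser { app-dest-cisco_acs-postfilter(); };
"""

# The corrected file from the thread: block name fixed and the final "};" restored.
FIXED_CONF = BROKEN_CONF.replace("ciso_acs", "cisco_acs") + "};\n"

_STRING = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')
_COMMENT = re.compile(r"#[^\n]*")
_BLOCK_DEF = re.compile(r"\bblock\s+parser\s+([\w.-]+)\s*\(")
_PARSER_CALL = re.compile(r"\bparser\s*\{\s*([\w.-]+)\s*\(\s*\)\s*;")


def _strip_literals(src: str) -> str:
    """Blank out quoted strings and # comments (keeping newlines so line numbers
    stay right) so that braces inside them are not counted."""
    src = _STRING.sub(lambda m: '""' + "\n" * m.group(0).count("\n"), src)
    return _COMMENT.sub("", src)


def check_braces(src: str) -> list[str]:
    """Report unbalanced braces and top-level blocks not terminated by '};'."""
    src = _strip_literals(src)
    problems, depth = [], 0
    for i, ch in enumerate(src):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            line = src.count("\n", 0, i) + 1
            if depth < 0:
                problems.append(f"line {line}: unexpected '}}'")
                depth = 0
            elif depth == 0 and not src[i + 1:].lstrip().startswith(";"):
                problems.append(f"line {line}: top-level block must end with '}};'")
    if depth > 0:
        problems.append(f"end of file: {depth} unclosed '{{' (missing '}};'?)")
    return problems


def check_references(files: dict[str, str]) -> list[str]:
    """Flag zero-argument parser calls whose block is defined in none of the files.
    Definitions are collected across all files, so lint a whole directory at once."""
    stripped = {name: _strip_literals(text) for name, text in files.items()}
    defined = sorted({m.group(1) for t in stripped.values() for m in _BLOCK_DEF.finditer(t)})
    problems = []
    for fname, text in stripped.items():
        for m in _PARSER_CALL.finditer(text):
            called = m.group(1)
            if called in defined:
                continue
            line = text.count("\n", 0, m.start()) + 1
            msg = f"{fname}:{line}: parser {called}() is called but no block parser defines it"
            near = difflib.get_close_matches(called, defined, n=1)
            if near:
                msg += f" (did you mean {near[0]}?)"
            problems.append(msg)
    return problems


def lint(files: dict[str, str]) -> list[str]:
    """Lint a set of files together; an empty list means neither mistake was found."""
    problems = [f"{f}:{p}" for f, text in files.items() for p in check_braces(text)]
    return problems + check_references(files)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python lint_sc4s.py /opt/sc4s/local/config/app-parsers/*.conf
        real = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
        for problem in lint(real) or ["OK"]:
            print(problem)
    else:
        for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
            issues = lint({"app-dest-cisco_acs.conf": conf})
            print(f"{label}: {'OK' if not issues else ''}")
            for problem in issues:
                print("  " + problem)
```

Run it with no arguments to see the broken sample reported twice (unclosed brace at end of file, and the call to app-dest-cisco_acs-postfilter() with the suggestion app-dest-ciso_acs-postfilter) and the fixed sample pass; pass the real app-parsers directory as arguments to lint a deployment before the image is rebuilt. Only calls with no arguments are checked, so SC4S's own app-parser(topic(...)) calls are ignored, but a block that lives in a file you did not pass in will be reported as undefined.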