Closed relarizky closed 2 months ago
Hi @relarizky, as we will need a pcap or apt sample logs, please submit a support ticket and include the pcap file. Our support team will assist as needed. Once we receive the pcap file or appropriate sample logs, we can proceed with developing the parser. Thanks!
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Hi @cwadhwani-splunk, we have sent the files through splunk ticket
Thank you!
Hi @relarizky, we checked the files but could not find any syslog-formatted log. We will need those to work with the parser. There is another way of getting the raw logs: https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/#obtain-raw-message-events
Please feel free to reach out to the support team if you need any assistance with this.
Hi, I have created a new case to give you another pcap file. I've also provided other output files so that you can see it directly with cat.
Please let me know if you have already received it.
Below is a local parser for the provided logs.
Create a new file with the below content and restart the sc4s service.
File path: `/opt/sc4s/local/config/app_parsers/app-syslog-thales_payshield.conf`

Content:

```
block parser app-syslog-thales_payshield() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("netauth")
                sourcetype('thales:payshield:syslog')
                vendor("thales")
                product("payshield")
                class("syslog")
            );
        };
    };
};

application app-syslog-thales_payshield[sc4s-syslog-pgm] {
    filter {
        program('AUDITLOG' type(string) flags(prefix));
    };
    parser { app-syslog-thales_payshield(); };
};
```
Let me know if this works for you. Thanks.
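To check what the `program('AUDITLOG' ... flags(prefix))` filter above admits and what a downstream field extraction would get from these messages, here is a small Python parser written for this thread (added example, not code from sc4s or Thales). It uses the three raw lines quoted in the issue plus one constructed non-audit line; the field names (`seq`, `source`, `session`, `client`, `detail`) are this example's own choice.

```python
import re
from datetime import datetime

# Constructed sample input: the three raw lines quoted in this issue plus one
# non-audit line (sshd) to show the program-prefix filter rejecting it.
SAMPLE_LOGS = [
    "Jul 04 15:22:00 2024 bullsharkprod AUDITLOG: 0000002476 Remote (619be0a2) - (Client: 192.123.132.12) - Login (Left: 1306019737090471) - Current users: (Left: 1306019737090471)",
    "Jul 05 16:23:40 2024 bullsharkprod AUDITLOG: 0000002487 Remote (1eba4ace) - invalid request for /accessControl/terminateSession - Current users: Unable to retrieve user status",
    "Jul 05 16:22:01 2024 bullsharkprod AUDITLOG: 0000002485 Console command DT",
    "Jul 05 16:22:01 2024 bullsharkprod sshd: Accepted publickey for admin",
]

# The payShield header puts the year after the time (not RFC 3164 order),
# so a stock syslog timestamp parser would mis-read it.
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<year>\d{4}) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<msg>.*)$")
# Body: sequence number, origin (Remote with a session id, or Console), detail text.
BODY_RE = re.compile(
    r"^(?P<seq>\d+) (?P<source>Remote|Console)(?: \((?P<session>[0-9a-f]+)\))?(?: - | )(?P<detail>.*)$")
CLIENT_RE = re.compile(r"\(Client: (?P<client>[^)]+)\)")
# Same routing metadata the sc4s parser block in this thread sets.
SC4S_META = {"index": "netauth", "sourcetype": "thales:payshield:syslog",
             "vendor": "thales", "product": "payshield"}

def parse_audit_line(line):
    """Return a field dict for a payShield AUDITLOG line, or None when the
    program name does not start with AUDITLOG (the sc4s flags(prefix) filter)."""
    m = HEADER_RE.match(line)
    if not m or not m.group("program").startswith("AUDITLOG"):
        return None
    ts = datetime.strptime("{mon} {day} {time} {year}".format(**m.groupdict()),
                           "%b %d %H:%M:%S %Y")
    event = {**SC4S_META, "timestamp": ts, "host": m.group("host"), "seq": None,
             "source": None, "session": None, "client": None, "detail": m.group("msg")}
    b = BODY_RE.match(m.group("msg"))
    if b:  # leave detail as the whole message when the body shape is unknown
        event.update(seq=b.group("seq"), source=b.group("source"),
                     session=b.group("session"), detail=b.group("detail"))
        c = CLIENT_RE.search(b.group("detail"))
        if c:
            event["client"] = c.group("client")
    return event

def parse_all(lines):
    """Apply filter and parser to every line, dropping non-audit events."""
    return [e for e in map(parse_audit_line, lines) if e]
```

The console-command line has no session id or client address, so those fields stay `None` rather than failing the parse.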
What is the sc4s version? 3.26.1

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? This is an example of the raw log:

```
Jul 04 15:22:00 2024 bullsharkprod AUDITLOG: 0000002476 Remote (619be0a2) - (Client: 192.123.132.12) - Login (Left: 1306019737090471) - Current users: (Left: 1306019737090471)
Jul 05 16:23:40 2024 bullsharkprod AUDITLOG: 0000002487 Remote (1eba4ace) - invalid request for /accessControl/terminateSession - Current users: Unable to retrieve user status
Jul 05 16:22:01 2024 bullsharkprod AUDITLOG: 0000002485 Console command DT
```

What is the vendor name? Thales

What's the product name? Payshield

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events? No

Do you have syslog documentation or a manual for that device? No

Feature Request description:

Do you want to have it for local usage or prepare a GitHub PR? Local usage