splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Thales Payshield Logs Parser #2525

Closed relarizky closed 2 months ago

relarizky commented 3 months ago

What is the sc4s version? 3.26.1

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? This is an example of the raw log:

Jul 04 15:22:00 2024 bullsharkprod AUDITLOG: 0000002476 Remote (619be0a2) - (Client: 192.123.132.12) - Login (Left: 1306019737090471) - Current users: (Left: 1306019737090471)
Jul 05 16:23:40 2024 bullsharkprod AUDITLOG: 0000002487 Remote (1eba4ace) - invalid request for /accessControl/terminateSession - Current users: Unable to retrieve user status
Jul 05 16:22:01 2024 bullsharkprod AUDITLOG: 0000002485 Console command DT

What's the vendor name? Thales

What's the product name? Payshield

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events? No

Do you have syslog documentation or a manual for that device? No

Feature Request description:

Do you want to have it for local usage or prepare a github PR? local usage

cwadhwani-splunk commented 3 months ago

Hi @relarizky, as we will need a pcap or apt sample logs, please submit a support ticket and include the pcap file. Our support team will assist as needed. Once we receive the pcap file or appropriate sample logs, we can proceed with developing the parser. Thanks!

relarizky commented 3 months ago

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?

Hi @cwadhwani-splunk, we have sent the files through the Splunk ticket.

Thank you!

cwadhwani-splunk commented 3 months ago

Hi @relarizky We checked the files but could not find any syslog formatted log. We will need those to work with the parser. There is another way of getting the raw logs: https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/#obtain-raw-message-events

Please feel free to reach out to the support team if you need any assistance with this.

relarizky commented 2 months ago

Hi, I have created a new case to give you another pcap file. I've also provided other output files so that you can see it directly with cat.

Please let me know if you have already received it.

cwadhwani-splunk commented 2 months ago

Below is a local parser for the provided logs.

Create a new file with the below content and restart the sc4s service.

File path: /opt/sc4s/local/config/app_parsers/app-syslog-thales_payshield.conf

Content:

block parser app-syslog-thales_payshield() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("netauth")
                sourcetype('thales:payshield:syslog')
                vendor("thales")
                product("payshield")
                class("syslog")
            );
        };
    };
};

application app-syslog-thales_payshield[sc4s-syslog-pgm] {
    filter {
        program('AUDITLOG' type(string) flags(prefix));
    };
    parser { app-syslog-thales_payshield(); };
};

Let me know if this works for you. Thanks.
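The sc4s parser above only routes AUDITLOG events to an index and sourcetype; it does not split the message body into fields. As an added example (not code from this issue or from the SC4S project), the Python below breaks the three raw lines quoted earlier in the thread into timestamp, host, sequence number, session id, client address and action, so they can be checked before writing Splunk field extractions. It assumes the "Remote (...)" and "Console command ..." layouts in those samples are representative of the device's output.

```python
import re
from datetime import datetime

# Constructed sample: the three raw lines quoted in the issue above.
SAMPLE_LOG = """\
Jul 04 15:22:00 2024 bullsharkprod AUDITLOG: 0000002476 Remote (619be0a2) - (Client: 192.123.132.12) - Login (Left: 1306019737090471) - Current users: (Left: 1306019737090471)
Jul 05 16:23:40 2024 bullsharkprod AUDITLOG: 0000002487 Remote (1eba4ace) - invalid request for /accessControl/terminateSession - Current users: Unable to retrieve user status
Jul 05 16:22:01 2024 bullsharkprod AUDITLOG: 0000002485 Console command DT
"""

# Header shared by every line: timestamp, host, the AUDITLOG tag sc4s filters on, sequence, body.
HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?P<host>\S+) "
                       r"AUDITLOG: (?P<seq>\d+) (?P<body>.*)$")
# Remote body: session id, optional client address, action, optional "Current users" trailer.
REMOTE_RE = re.compile(r"^Remote \((?P<session>[0-9a-f]+)\)(?: - \(Client: (?P<client>[^)]+)\))?"
                       r" - (?P<action>.*?)(?: - Current users: (?P<users>.*))?$")
# Console body: a local console command, with no session or client fields.
CONSOLE_RE = re.compile(r"^Console command (?P<action>.*)$")


def parse_line(line):
    """Split one AUDITLOG line into fields; return None for lines that are not AUDITLOG records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"time": datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"), "host": m["host"],
             "seq": int(m["seq"]), "channel": None, "session": None, "client": None,
             "action": m["body"], "users": None}   # unknown body shapes keep the raw text as action
    if r := REMOTE_RE.match(m["body"]):
        event.update(channel="Remote", session=r["session"], client=r["client"],
                     action=r["action"], users=r["users"])
    elif c := CONSOLE_RE.match(m["body"]):
        event.update(channel="Console", action=c["action"])
    return event


def parse_log(text):
    """Parse every line and drop the ones that are not AUDITLOG records."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def invalid_requests(events):
    """Remote requests the HSM rejected, keyed by sequence, session and client for triage."""
    return [(e["seq"], e["session"], e["client"], e["action"])
            for e in events if e["channel"] == "Remote" and e["action"].startswith("invalid request")]
```

The `invalid_requests` helper is the kind of view a SOC would build on top of the parsed fields: rejected API calls grouped by session and client, which is exactly what the second sample line reports.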