Closed evslacker closed 3 weeks ago
Hi @evslacker. We will need the pcap file to get the raw logs to work on this issue. Could you please create a support ticket and attach the PCAP file there?
Hi, I have not sanitized the pcap, or I would say I'm not sure how to do that.
Will pcap access be only for the Splunk internal team, and not public?
Regards AK
Yes, please attach it in the support ticket. It won't be public! :)
Hey Chirag,
I have uploaded the pcap to 3577330. Let me know if it is accessible to you.
Regards Ankit
Hi Ankit,
I checked the provided pcap file and tried a few logs from both of the files, but all the logs are being classified correctly. Could you please attach a screenshot of the Splunk event in the ticket? Please make sure to expand the event and then take the screenshot. Also, if feasible, could you please point out the log that is not being classified correctly?
Hello,
Attached are the logs which are falling into the main index; as you can see, the fallback ones are incomplete logs. Everything is set up correctly in the Zscaler Portal; not sure why some logs are going to the correct destination and the rest are here.
[image: image.png] Note: that is PRE-13, used scrubbing; let me know if you need the actual logs.
Regards Ak
I cannot find the screenshot. If the data is sensitive, you can reopen the Splunk ticket 3577330 (if already closed) and attach the screenshot there.
Check now; I directly pasted it in the email earlier.
Hi Ankit,
I checked my email and the ticket 3577330 but couldn't locate the screenshot. It seems like the image wasn't attached properly, as I only see [image: image.png].
Just for reference: image.png (view on web) https://github.com/user-attachments/assets/7fc8f23f-6596-4963-85fb-5d2659f380af
Could you please resend both the raw logs causing the issues and the screenshot of the Splunk events to my email address: cwadhwani@splunk.com?
Thanks!
I have shared it over email; can you check now?
Regards AK
Hi @evslacker. I checked the screenshot and it seems like the logs coming from the Zscaler are truncated. We can check this by obtaining the raw logs coming to SC4S. Please create a support ticket if you need any help with this; the support team can assist you here to proceed with the case. If this has something to do with SC4S, feel free to add a comment or reopen this GitHub issue.
I feel truncation is not an issue, as I could see that logs in the correct index are between 1.5k and 2.5k characters; in the main index, 1000-1900 max.
No limits have been set in the sourcetype either, so I would assume it should be at least 10k by default.
Is it possible to grab a TCPDUMP of only the logs which are not going to my index?
I don't think that would be possible, not sure, but you can use <tcpdump command> | grep "<search_term>" to only get the UDP packet content that contains the search_term. You can also try other methods of obtaining raw logs, like using the sc4s-finalfilter and sending traffic to the sc4s instance.
Please feel free to reach out to the support team for any help with this or to get the Zscaler config checked.
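As an added example (not from this thread or the SC4S project), the kind of check a practitioner would run over the raw messages obtained with the tcpdump | grep approach above: it keeps only lines containing the search term and flags any whose JSON payload does not parse, which is what a message truncated in transit looks like. The syslog lines below are constructed samples, not real ZPA logs, and the header regex assumes an RFC 5424-style prefix before a JSON body.

```python
import json
import re

# Constructed sample lines, standing in for the text that
# `tcpdump -A -l ... | grep "<search_term>"` would print.
# These are NOT real ZPA logs; the field names are made up for the demo.
SAMPLE_LINES = [
    '<14>1 2024-09-24T12:00:00Z zpa-lss ZPA - - - '
    '{"SessionID":"abc123","Username":"user@example.com","Status":"allowed"}',
    # Second message cut off mid-field: this is what a truncated log looks like.
    '<14>1 2024-09-24T12:00:01Z zpa-lss ZPA - - - '
    '{"SessionID":"def456","Username":"user2@example.com","Sta',
    # Unrelated syslog traffic without a JSON body.
    '<14>1 2024-09-24T12:00:02Z other-host sshd - - - Accepted publickey for alice',
]

# Assumed layout: "<PRI>VERSION header... {json...}". The header is matched
# lazily so the JSON body starts at the first "{" preceded by whitespace.
SYSLOG_RE = re.compile(r'^<\d{1,3}>\d?\s*(?P<header>.*?)\s(?P<msg>\{.*)$')


def classify(line):
    """Return (status, payload_length) where status is
    'complete', 'truncated' or 'not-json'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return ('not-json', len(line))
    payload = m.group('msg')
    try:
        json.loads(payload)
        return ('complete', len(payload))
    except json.JSONDecodeError:
        # A JSON body that does not parse was almost certainly cut short
        # before it reached SC4S, so it would land in the fallback sourcetype.
        return ('truncated', len(payload))


def audit(lines, search_term):
    """Mirror the grep step: keep lines containing search_term and
    classify each one; returns a list of (status, payload_length)."""
    return [classify(line) for line in lines if search_term in line]
```

Run audit() over the real capture text with a term that identifies the ZPA sender; any 'truncated' entries, together with their payload lengths, show whether messages are arriving incomplete before SC4S ever sees them.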
Closing this GitHub issue, due to unavailability of the PCAP file. Please feel free to reopen this case once a support ticket is created with the PCAP file attached. Thanks!
What is the sc4s version? 3.30.1
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? Will be sharing over mail
What's the vendor name? Zscaler
What's the product name? Zscaler Private Access
If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events? NA
Do you have syslog documentation or a manual for that device? NA
Feature Request description: ZPA is already an approved vendor for SC4S, but somehow the User Activity logs are not going to the defined index; they are going to index=main sourcetype=sc4s:fallback.
Do you want to have it for local usage or prepare a github PR? NA