-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Juniper admin , firewall & idps logs are not parsed correctly #2643
Comments
pcap attached to splunk support case # CASE [3621290] |
Hi @rjha-splunk @sbylica-splunk any update on this ? |
Hi @imsidr, looking into it, I will post an update once we have something more. |
@imsidr so we decided to add parsing logs with an RT_SYSTEM tag, with a sourcetype |
@imsidr yeah, logs with RT_SYSTEM tag would be assigned to a |
@imsidr can you attach an example of RT_FLOW log that is not being parsed properly? I don't see any in the pcap file that was attached. |
I asked Ravi from support to setup a call to show this issue, can we connect on this ?
I am sure all sorts of logs were captured in both the pcaps , I am not sure how I capture it for a particular log.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Wednesday, December 4, 2024 5:58 PM
To: splunk/splunk-connect-for-syslog ***@***.***>
Cc: Rai, Siddhartha ***@***.***>; Mention ***@***.***>
Subject: Re: [splunk/splunk-connect-for-syslog] Juniper admin , firewall & idps logs are not parsed correctly (Issue #2643)
@imsidr<https://urldefense.com/v3/__https:/github.com/imsidr__;!!JJ-tOIoKdBzLSfV5jA!s8_bMQv-sPJ0aAksfaKi7k0qNUtU3RAuH_VOkbTFQtLqpWcyNrYbSsEzitM2iZtuFxuYiihQI3tqV_JJkvU70kG5ZLf_xTQQnQ$> can you attach an example of RT_FLOW log that is not being parsed properly? I don't see any in the pcap file that was attached.
Logs with RT_FLOW tag should be parsed correctly since we have a rule for that.
—
Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2643*issuecomment-2517211402__;Iw!!JJ-tOIoKdBzLSfV5jA!s8_bMQv-sPJ0aAksfaKi7k0qNUtU3RAuH_VOkbTFQtLqpWcyNrYbSsEzitM2iZtuFxuYiihQI3tqV_JJkvU70kG5ZLdUnM0YCw$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BETPJX4GSSR46Y2TGTPQQJT2D3YLNAVCNFSM6AAAAABSCRG5TKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMJXGIYTCNBQGI__;!!JJ-tOIoKdBzLSfV5jA!s8_bMQv-sPJ0aAksfaKi7k0qNUtU3RAuH_VOkbTFQtLqpWcyNrYbSsEzitM2iZtuFxuYiihQI3tqV_JJkvU70kG5ZLekQaW9lQ$>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
|
@imsidr Yeah, we can setup a call. What would be a possible time for it? |
@imsidr today probably not, could we arrange for it tomorrow or next week? |
Hey @imsidr, so we have two follow-up questions for now:
|
Hi Szymon ,
I have attached the pcap in spluk support case.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Wednesday, December 11, 2024 3:01 PM
To: splunk/splunk-connect-for-syslog ***@***.***>
Cc: Rai, Siddhartha ***@***.***>; Mention ***@***.***>
Subject: Re: [splunk/splunk-connect-for-syslog] Juniper admin , firewall & idps logs are not parsed correctly (Issue #2643)
Hey @imsidr<https://urldefense.com/v3/__https:/github.com/imsidr__;!!JJ-tOIoKdBzLSfV5jA!oMKnsmnGeILH8pITmDFWMv1Iiarkq2cIsDJ8rH9GWK8gFN-cpy-gKYgBhMuFzm_bDNZTRyeJ-wqsVU8oSkxeMlQ8H8gr6-1zUQ$>, so we have two follow-up questions for now:
* Can we get a .pcap file with an example of logs with RT_FLOW tag, like the one we saw on a meeting with the customer?
* Were the logs getting parsed earlier? Was there any noticeable trigger point that led to this issue?
—
Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2643*issuecomment-2535302054__;Iw!!JJ-tOIoKdBzLSfV5jA!oMKnsmnGeILH8pITmDFWMv1Iiarkq2cIsDJ8rH9GWK8gFN-cpy-gKYgBhMuFzm_bDNZTRyeJ-wqsVU8oSkxeMlQ8H8ikEbPAaA$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BETPJX5G5KDBQ7JEEYNGSVT2FAA6HAVCNFSM6AAAAABSCRG5TKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMZVGMYDEMBVGQ__;!!JJ-tOIoKdBzLSfV5jA!oMKnsmnGeILH8pITmDFWMv1Iiarkq2cIsDJ8rH9GWK8gFN-cpy-gKYgBhMuFzm_bDNZTRyeJ-wqsVU8oSkxeMlQ8H8gtt6911w$>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
|
@imsidr thanks, could you also ask for a screenshot from the Splunk side? We would like to see the message and the sc4s_tags field. |
Hi @imsidr, maybe I missed it but was there any response to this question? Also, a new version of SC4S with the fix for RT_SYSTEM logs was released, can the customer upgrade to this version? |
Hi Szymon,
It was being parsed when we were onboarding it using legacy method. Also we have Juniper Add-on installed with some additional configs from out side but it is not related to parsing.
Also the issue is not related to RT_SYSTEM only , none of the events are parsed.
But I will still go ahead and upgrade it.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Thursday, December 12, 2024 6:58 PM
To: splunk/splunk-connect-for-syslog ***@***.***>
Cc: Rai, Siddhartha ***@***.***>; Mention ***@***.***>
Subject: Re: [splunk/splunk-connect-for-syslog] Juniper admin , firewall & idps logs are not parsed correctly (Issue #2643)
Hi @imsidr<https://urldefense.com/v3/__https:/github.com/imsidr__;!!JJ-tOIoKdBzLSfV5jA!otXOrer8wBw-0jD4pXW9EIZB3dEkZw_bxDnV4uyuQmrn1RUQaYuezx60RkAuQG6iJhN119ON9vBNnZ2YDOvXHBCs3WE_pvSdNg$>, maybe I missed it but was there any response to this question?
Were the logs getting parsed earlier? Was there any noticeable trigger point that led to this issue?
Also, a new version of SC4S with the fix for RT_SYSTEM logs was released, can the customer upgrade to this version?
https://github.com/splunk/splunk-connect-for-syslog/releases/tag/v3.33.0<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/releases/tag/v3.33.0__;!!JJ-tOIoKdBzLSfV5jA!otXOrer8wBw-0jD4pXW9EIZB3dEkZw_bxDnV4uyuQmrn1RUQaYuezx60RkAuQG6iJhN119ON9vBNnZ2YDOvXHBCs3WEzXBqVFw$>
—
Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2643*issuecomment-2538920279__;Iw!!JJ-tOIoKdBzLSfV5jA!otXOrer8wBw-0jD4pXW9EIZB3dEkZw_bxDnV4uyuQmrn1RUQaYuezx60RkAuQG6iJhN119ON9vBNnZ2YDOvXHBCs3WFHbV7MKw$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BETPJX7SC2KSU5DSGDR7RUD2FGFNHAVCNFSM6AAAAABSCRG5TKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMZYHEZDAMRXHE__;!!JJ-tOIoKdBzLSfV5jA!otXOrer8wBw-0jD4pXW9EIZB3dEkZw_bxDnV4uyuQmrn1RUQaYuezx60RkAuQG6iJhN119ON9vBNnZ2YDOvXHBCs3WECMuxbrQ$>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
|
Hi @imsidr, So, it was being parsed correctly using the legacy method? Do we have a configuration/description of this method? Ok, let's see if updating fixes this issue, keep me updated. |
We are using syslog-ng relay to get the data and forward it to the splunk cloud, we have juniper TA(customized) which is doing all the parsing & extraction stuff , I will attach the copy on support case.
//BR,Sid
From: Szymon Bylica ***@***.***>
Sent: Friday, December 13, 2024 3:23 PM
To: splunk/splunk-connect-for-syslog ***@***.***>
Cc: Rai, Siddhartha ***@***.***>; Mention ***@***.***>
Subject: Re: [splunk/splunk-connect-for-syslog] Juniper admin , firewall & idps logs are not parsed correctly (Issue #2643)
Hi @imsidr<https://urldefense.com/v3/__https:/github.com/imsidr__;!!JJ-tOIoKdBzLSfV5jA!tOLxBRTxVvuNhPaStQCEy14UtlNMzG4-bhVIDjbjSOEF_QzuUXgTjdLZCmc0075oZNEaqVxWF36U00nrMyBCNjYa3stqY5h5FQ$>, So, it was being parsed correctly using the legacy method? Do we have a configuration/description of this method? Ok, let's see if updating fixes this issue, keep me updated.
—
Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2643*issuecomment-2541025418__;Iw!!JJ-tOIoKdBzLSfV5jA!tOLxBRTxVvuNhPaStQCEy14UtlNMzG4-bhVIDjbjSOEF_QzuUXgTjdLZCmc0075oZNEaqVxWF36U00nrMyBCNjYa3ssadf2LyA$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BETPJX4YYJQTISHQA5TEUVD2FKVBRAVCNFSM6AAAAABSCRG5TKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNBRGAZDKNBRHA__;!!JJ-tOIoKdBzLSfV5jA!tOLxBRTxVvuNhPaStQCEy14UtlNMzG4-bhVIDjbjSOEF_QzuUXgTjdLZCmc0075oZNEaqVxWF36U00nrMyBCNjYa3svtIFI92A$>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
|
@sbylica-splunk @sbylica-splunk we are seeing jinja2 module errors after upgrading to v 3.33 , the container is in restarting status , we already have jinja2 module installed , not sure why are we getting this error. Attaching sc4s file in the case. |
Note: If your issue is not a bug or a feature request, please raise a support ticket through our support portal (Splunk.com > Support > Support Portal). This will help us resolve your issue more efficiently and provide you with better assistance. For more information on how to work with the Splunk Support, please refer to this guide.
Was the issue replicated by support? no
What is the sc4s version ? 3.27.0
Which operating system (including its version) are you using for hosting SC4S? Ubuntu
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? yes
Is the issue related to the environment of the customer or Software related issue? Software related issue
Is it related to Data loss, please explain ? No
Protocol? Hardware specs?
Last chance index/Fallback index? sc4s
Is the issue related to local customization? yes
Do we have all the default indexes created? yes
Describe the bug
Juniper admin , firewall & idps logs are not parsed correctly
To Reproduce
Steps to reproduce the behavior:
The text was updated successfully, but these errors were encountered: