Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

create a10 networks filter for syslog messages #2147

Closed
amalitol opened this issue Aug 23, 2023 · 3 comments · Fixed by #2153
Closed

create a10 networks filter for syslog messages #2147

amalitol opened this issue Aug 23, 2023 · 3 comments · Fixed by #2153
Assignees
@ikheifets-splunk

Comments

@amalitol
Copy link

amalitol commented Aug 23, 2023
edited
Loading

Hi, @ikheifets-splunk,
This is the new ticket created per your request.
@ikheifets-splunk ikheifets-splunk self-assigned this Aug 24, 2023
@ikheifets-splunk
Copy link
Contributor

ikheifets-splunk commented Aug 29, 2023
edited
Loading

Hello @amalitol !
You sent me 2 .pcap files and the second (last) it's really incorrect. I opened it in WireShark and it's don't looks like a syslog messages. The first pcap is okay it's consisting real syslog messages.

P.S. I can implement filter for first .pcap file but as I understood you need to support both formats. If it would be CEF format then your message should be looks like that

@amalitol
Copy link
Author

Yes @ikheifets-splunk,
I think we might need to support both formats using different "indexes" and "sourcetypes".
This is an ADC device. Notice the SYSTEM and AUDIT logs are in Syslog format and they are sent by the Management interfaces (IPs). The WAF logs are sent in a CEF format using the DATA interfaces (different IPs).
I'd like to propose you a couple of source types and indexes, similar to f5 bigIP:
1. a10networks:vthunder:[waf or cef] => index=netwaf
2. a10networks:vthunder:[system or Syslog] => index=netops

Thank you again.

@ikheifets-splunk ikheifets-splunk linked a pull request Aug 31, 2023 that will close this issue
feat: add syslog format for a10networks #2153
Merged
@ikheifets-splunk
Copy link
Contributor

@amalitol please update on version 3.4.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ikheifets-splunk ikheifets-splunk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add syslog format for a10networks splunk/splunk-connect-for-syslog
2 participants
@amalitol @ikheifets-splunk