Gigamon SSL Session Syslog #2409

Closed
cchansk opened this issue Apr 18, 2024 · 2 comments
@cchansk

cchansk commented Apr 18, 2024

Was the issue replicated by support?
n/a
What is the sc4s version ?
2.49.8
Is there a pcap available?
Can be made available
Is the issue related to the environment of the customer or Software related issue?
No
Is it related to Data loss, please explain ?
Protocol? Hardware specs?
No
Last chance index/Fallback index?
No
Is the issue related to local customization?
No
Do we have all the default indexes created?
Yes
Describe the bug
This issue was reported in #1833, but it was recently closed. However, the issue still exists and was never worked on.

Recently, after restarting the service and updating to a new version (2.35.0), I started having certain issues with my Gigamon SSL session logs where 8 different devices with different source IPs are showing up with host=sep. The host field used to show up with the source IP. I tried modifying the host.csv file and adding the SC4S_USE_REVERSE_DNS variable to see if I can manually change it to a name, but had no luck. Wanted to see if anyone knows why that'd be happening.

Below is what some events look like:

Wed CEF:0|Gigamon|HC1|5.15.01|1002|SESSION_DECRYPT|6|src=10.40.24.148 dst=138.113.112.18 spt=53699 dpt=443 vlan=100 dhost=newseu.cgtn.com cs1Label=Certificate Subject cs1=*.cgtn.com cs2Label=Certificate Issuer cs2=Zscaler Intermediate Root CA (zscloud.net) (t) cs3Label=Cipher Suite cs3=TLS_AES_256_GCM_SHA384 proto=TLS/SSL outbound GigamonIsslTLSVersion=TLSv1.3 GigamonIsslCertStatus=Valid

Wed CEF:0|Gigamon|HC1|5.15.01|1001|SESSION_NO_DECRYPT|6|src=10.40.200.62 dst=20.106.86.13 spt=63240 dpt=443 vlan=100 dhost=settings-win.data.microsoft.com proto=TLS/SSL reason=Policy
giga.txt

To Reproduce
Send Gigamon SSL traffic logs to SC4S

@rjha-splunk
Collaborator

Please do the following as a workaround to fix this:

Check the source IP of the device from the Splunk UI; that will be the source IP in sc4s_fromhostip. Also check sc4s_vendor; we will be using both fields.

Create host.csv entry with the value of SOURCEIP, for example say the IP there is 1.1.1.1 and the host value we want is gigamon.x.com

1.1.1.1,HOST,gigamon.x.com

Create an app_parser in the path /opt/sc4s/local/config/app_parsers/new_cef.conf

block parser app-dest-new-cef() {
    channel {
        parser {
            # look up the sender's IP in host.csv and set the matching fields (e.g. HOST)
            add-contextual-data(
                selector("${SOURCEIP}"),
                database("conf.d/local/context/host.csv")
            );
        };
    };
};

application app-dest-new-cef[sc4s-finalfilter] {
    filter {
        # only apply to default-source events already identified as Gigamon
        tags(".source.s_DEFAULT") and
        "${fields.sc4s_vendor}" eq "Gigamon";
    };
    parser {
        app-dest-new-cef();
    };
};

Restart SC4S and it will work; it will update the host field from the host.csv file.
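To make the workaround's effect concrete, the following added example (not code from this issue or from the SC4S project) emulates in Python what the app_parser above does: it parses the CEF header of events shaped like the two quoted in the report, filters on the vendor field, and then looks the sender IP up in a host.csv table keyed on SOURCEIP to override the host value. The CSV rows, the IPs and the hostnames are constructed for the example; the column layout `ip,HOST,value` is taken from the workaround.

```python
import csv
import io
import re
from typing import Dict, Optional

# Constructed host.csv in the shape the workaround describes:
# <source ip>,HOST,<desired host value>. Hostnames are assumptions, not real devices.
HOST_CSV = """\
10.40.24.148,HOST,gigamon-a.example.com
10.40.200.62,HOST,gigamon-b.example.com
"""

# Constructed events modelled on the lines quoted in the report: a syslog-style
# prefix, then a CEF header with seven pipe-separated fields and an extension.
EVENTS = [
    ("10.40.24.148", "Wed CEF:0|Gigamon|HC1|5.15.01|1002|SESSION_DECRYPT|6|src=10.40.24.148 dst=138.113.112.18 spt=53699 dpt=443"),
    ("10.40.200.62", "Wed CEF:0|Gigamon|HC1|5.15.01|1001|SESSION_NO_DECRYPT|6|src=10.40.200.62 dst=20.106.86.13 spt=63240 dpt=443 reason=Policy"),
    ("10.40.9.9",    "Wed CEF:0|Gigamon|HC1|5.15.01|1001|SESSION_NO_DECRYPT|6|src=10.40.9.9 dst=192.0.2.10 spt=1 dpt=443"),
    ("10.40.24.148", "Wed CEF:0|OtherVendor|X|1.0|1|EVENT|3|src=10.40.24.148"),
]


def load_host_csv(text: str) -> Dict[str, str]:
    """Build the selector -> value table that add-contextual-data() reads.

    Only rows whose field column is HOST (the form used in the workaround) are
    kept, keyed on the source IP column; comment lines and malformed rows are skipped.
    """
    table: Dict[str, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or row[0].startswith("#"):
            continue
        ip, field, value = (c.strip() for c in row)
        if field.upper() == "HOST":
            table[ip] = value
    return table


# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER = re.compile(
    r"CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$"
)


def parse_cef(raw: str) -> Optional[dict]:
    """Split the CEF header into named fields; returns None if the line is not CEF."""
    m = CEF_HEADER.search(raw)
    if not m:
        return None
    _version, vendor, product, _dev_version, sig_id, name, severity, ext = m.groups()
    return {
        "sc4s_vendor": vendor,
        "product": product,
        "signature_id": sig_id,
        "name": name,
        "severity": severity,
        "extension": ext,
    }


def apply_workaround(source_ip: str, raw: str, table: Dict[str, str]) -> dict:
    """Emulate the app_parser: vendor filter, then host lookup keyed on SOURCEIP.

    host starts out as the sender IP (the behaviour the report says used to happen);
    the lookup overrides it only for Gigamon events whose IP has a host.csv row.
    """
    fields = parse_cef(raw) or {"sc4s_vendor": ""}
    record = {"sc4s_fromhostip": source_ip, "host": source_ip, **fields}
    if record["sc4s_vendor"] == "Gigamon" and source_ip in table:
        record["host"] = table[source_ip]
    return record


def run() -> list:
    """Apply the mapping to every constructed event and return the resulting records."""
    table = load_host_csv(HOST_CSV)
    return [apply_workaround(ip, raw, table) for ip, raw in EVENTS]


if __name__ == "__main__":
    for r in run():
        print(r["sc4s_fromhostip"], r["sc4s_vendor"], "->", r["host"])
```

The third event shows the case worth checking in Splunk after applying the workaround: a Gigamon sender with no host.csv row keeps its IP as host, so any device still showing an unexpected host value is one that is missing from the CSV (or whose sc4s_vendor was not set to Gigamon).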

@rjha-splunk
Collaborator

Please reopen the issue if you need any further assistance on the same.
