data is not going to defined sourcetype- Previous ticket #2510

[imsidr]

Was the issue replicated by support?

What is the sc4s version ? 3.19.0

Which operating system (including its version) are you using for hosting SC4S? docker container

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?

Is the issue related to the environment of the customer or Software related issue? Not Sure

Is it related to Data loss, please explain ?
Protocol? Hardware specs?

Last chance index/Fallback index? sc4s index

Is the issue related to local customization? Not sure

Do we have all the default indexes created? NA
Describe the bug - the sourcetype is not the same as defined in parser. the data is ending up in cisco:ise:syslog sourcetype and i dont have any poc:syslog sourcetype configured but i see data for that too

block parser app-dest-cisco_ise-postfilter() {
channel {
rewrite {
r_set_splunk_dest_default(
index("cisco")
sourcetype('cisco:ise')
vendor("cisco")
product("ise")
);
};
};
};
application app-dest-cisco_ise-postfilter[sc4s-postfilter] {
filter {
host("ise*" type(glob) flags(ignore-case));
};
parser { app-dest-cisco_ise-postfilter(); };
};

[cwadhwani-splunk]

@imsidr
Can we please get sample logs or the pcap file to find the root cause. Also, did you get a chance to open a support ticket for this as mentioned by Rahul in the previous case?
You can share the sample logs to cwadhwani@splunk.com

[imsidr]

Where is pcap file stored ? From: cwadhwani-splunk ***@***.***> Sent: Friday, June 28, 2024 2:41 PM To: splunk/splunk-connect-for-syslog ***@***.***> Cc: Rai, Siddhartha ***@***.***>; Mention ***@***.***> Subject: Re: [splunk/splunk-connect-for-syslog] data is not going to defined sourcetype- Previous ticket #2510 (Issue #2513) @imsidr<https://urldefense.com/v3/__https:/github.com/imsidr__;!!JJ-tOIoKdBzLSfV5jA!tmQBRV6W17z0CQrmNqvfQg_XhiPOlfeaRUFFhrW4qYKDBzIe2ECHzkSYA9sFEYbvqF37lCsVbuVTt8Dn-2jb8ffUdAJgeYUEQg$> Can we please get sample logs or the pcap file to find the root cause. You can share the sample logs to ***@***.******@***.***> — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2513*issuecomment-2196469208__;Iw!!JJ-tOIoKdBzLSfV5jA!tmQBRV6W17z0CQrmNqvfQg_XhiPOlfeaRUFFhrW4qYKDBzIe2ECHzkSYA9sFEYbvqF37lCsVbuVTt8Dn-2jb8ffUdAJpy_Xz_w$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BETPJX3QTOGSYC3T7CI4KLLZJUSCJAVCNFSM6AAAAABKAAFLYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJWGQ3DSMRQHA__;!!JJ-tOIoKdBzLSfV5jA!tmQBRV6W17z0CQrmNqvfQg_XhiPOlfeaRUFFhrW4qYKDBzIe2ECHzkSYA9sFEYbvqF37lCsVbuVTt8Dn-2jb8ffUdALgPmqfaQ$>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[imsidr]

@cwadhwani-splunk case #[3514354]

[imsidr]

Attached pcap file in case #3514354 From: Rai, Siddhartha ***@***.***> Sent: Friday, June 28, 2024 3:59 PM To: splunk/splunk-connect-for-syslog ***@***.***>; splunk/splunk-connect-for-syslog ***@***.***>; ***@***.*** Cc: Mention ***@***.***> Subject: RE: [splunk/splunk-connect-for-syslog] data is not going to defined sourcetype- Previous ticket #2510 (Issue #2513) Where is pcap file stored ? From: cwadhwani-splunk ***@***.******@***.***>> Sent: Friday, June 28, 2024 2:41 PM To: splunk/splunk-connect-for-syslog ***@***.******@***.***>> Cc: Rai, Siddhartha ***@***.******@***.***>>; Mention ***@***.******@***.***>> Subject: Re: [splunk/splunk-connect-for-syslog] data is not going to defined sourcetype- Previous ticket #2510 (Issue #2513) @imsidr<https://urldefense.com/v3/__https:/github.com/imsidr__;!!JJ-tOIoKdBzLSfV5jA!tmQBRV6W17z0CQrmNqvfQg_XhiPOlfeaRUFFhrW4qYKDBzIe2ECHzkSYA9sFEYbvqF37lCsVbuVTt8Dn-2jb8ffUdAJgeYUEQg$> Can we please get sample logs or the pcap file to find the root cause. You can share the sample logs to ***@***.******@***.***> — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2513*issuecomment-2196469208__;Iw!!JJ-tOIoKdBzLSfV5jA!tmQBRV6W17z0CQrmNqvfQg_XhiPOlfeaRUFFhrW4qYKDBzIe2ECHzkSYA9sFEYbvqF37lCsVbuVTt8Dn-2jb8ffUdAJpy_Xz_w$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BETPJX3QTOGSYC3T7CI4KLLZJUSCJAVCNFSM6AAAAABKAAFLYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJWGQ3DSMRQHA__;!!JJ-tOIoKdBzLSfV5jA!tmQBRV6W17z0CQrmNqvfQg_XhiPOlfeaRUFFhrW4qYKDBzIe2ECHzkSYA9sFEYbvqF37lCsVbuVTt8Dn-2jb8ffUdALgPmqfaQ$>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[cwadhwani-splunk]

Hi @imsidr
I added all the parsers (including the ones present in the attached zip) that you have provided in the issue and also made the changes that were suggested in the same ticket. Then, I tried to send a few logs from the PCAP file that you have shared and observed that all the events are ending up in sourcetype=cisco:ise (since the host for all the logs was starting with ise)
Could you please share the whole local folder (Path: /opt/sc4s/local) so that we can look if there is anything else that could cause such behaviour? Please attach it in this GitHub issue.

[imsidr]

syslog (2).zip

[cwadhwani-splunk]

Hi @imsidr
Just extracted the provided zip and observed that the parser present in the file app-dest-cisco_ise.conf is different from the parser provide by us in the previous issue (or the one that you have mentioned in the description). The sourcetype mentioned in the current parser is cisco:ise:syslog.

Here is the screenshot of the app-dest-cisco_ise.conf file present in your current local folder:

Please change the sourcetype to cisco:ise as mentioned in the previous issue.

[imsidr]

Hi Chirag , Yes I updated it to that when It dint work , also I looked at cisco ise add-on which needs the sourcetype to be cisco:ise:system for CIM, so I will keep it like that only. But still I don’t understand why did it store to cisco:ise:syslog , I have pasted the parser in the ticket too. You can also find the old parser in ticket #2510 //BR,Sid From: cwadhwani-splunk ***@***.***> Sent: Tuesday, July 2, 2024 6:32 PM To: splunk/splunk-connect-for-syslog ***@***.***> Cc: Rai, Siddhartha ***@***.***>; Mention ***@***.***> Subject: Re: [splunk/splunk-connect-for-syslog] data is not going to defined sourcetype- Previous ticket #2510 (Issue #2513) Hi @imsidr<https://urldefense.com/v3/__https:/github.com/imsidr__;!!JJ-tOIoKdBzLSfV5jA!oID5XwSVZPoPKWEOQNq8SOjTUUpwQU2_79mCEX5TUajhaXdIQpl5LdxX2GmLQcNRfd9cP65TH9HNcLRScQ-7Q3D6qPKZSsHiRg$> Just extracted the provided zip and observed that the parser present in the file app-dest-cisco_ise.conf is different from the parser provide by us in the previous issue (or the one that you have mentioned in the description). The sourcetype mentioned in the current parser is cisco:ise:syslog. Here is the screenshot of the app-dest-cisco_ise.conf file present in your current local folder: image.png (view on web)<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/assets/169390435/590cbd74-744a-4032-b84e-4770b5cf0d4e__;!!JJ-tOIoKdBzLSfV5jA!oID5XwSVZPoPKWEOQNq8SOjTUUpwQU2_79mCEX5TUajhaXdIQpl5LdxX2GmLQcNRfd9cP65TH9HNcLRScQ-7Q3D6qPLBRDEGxA$> Please change the sourcetype to cisco:ise as mentioned in the previous issue<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2510__;!!JJ-tOIoKdBzLSfV5jA!oID5XwSVZPoPKWEOQNq8SOjTUUpwQU2_79mCEX5TUajhaXdIQpl5LdxX2GmLQcNRfd9cP65TH9HNcLRScQ-7Q3D6qPJeWl-x_Q$>. — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2513*issuecomment-2203100823__;Iw!!JJ-tOIoKdBzLSfV5jA!oID5XwSVZPoPKWEOQNq8SOjTUUpwQU2_79mCEX5TUajhaXdIQpl5LdxX2GmLQcNRfd9cP65TH9HNcLRScQ-7Q3D6qPI7G8zRUg$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BETPJX2Q5LGHFNVXZY4BRL3ZKKQDPAVCNFSM6AAAAABKAAFLYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMBTGEYDAOBSGM__;!!JJ-tOIoKdBzLSfV5jA!oID5XwSVZPoPKWEOQNq8SOjTUUpwQU2_79mCEX5TUajhaXdIQpl5LdxX2GmLQcNRfd9cP65TH9HNcLRScQ-7Q3D6qPJZPNOnLA$>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[cwadhwani-splunk]

Hi @imsidr

We have replicated a parser of cisco ise postfilter on our local environment. We have used sc4s version 3.19.0 and docker runtime environment and tested the parser by sending sample logs to the splunk. We found that the parser is properly working on our local environment and applying on the sample logs properly. It’s showing sourcetype as “cisco:ise” as per the postfilter parser.

Below are the details
Sample log:

<178>Jun 28 10:51:34 ise-test-host CISE_Alarm CRITICAL: Queue Link Error: Message=From ise-test-10.lmig.com To ise-test1.lmig.com; Cause={tls_alert;{unknown_ca;"tls Client: In State Certify At Ssl_handshake.erl:1887 Generated Client Alert: Fatal - Unknown Ca\n"}

Local Parser:

block parser app-dest-cisco_ise-postfilter() {                                                                        
    channel {                                                                                                         
        rewrite {                                                                                                     
            r_set_splunk_dest_default(                                                                                
                index("cisco")                                                                                        
                sourcetype("cisco:ise")                                                                               
                vendor("cisco")                                                                                       
                product("ise")                                                                                        
            );                                                                                                        
        };                                                                                                            
    };                                                                                                                
};                                                                                                                    
                                                                                                                      
application app-dest-cisco_ise-postfilter[sc4s-postfilter] {                                                          
    filter {                                                                                                          
        host("ise*" type(glob) flags(ignore-case));                                                                   
    };                                                                                                                
    parser { app-dest-cisco_ise-postfilter(); };                                                                      
};

Here is how the event looks like on the Splunk side:

If you are still facing this same issue, could you please send us the sc4s_tags field from the Splunk event. Also, please attach the screenshot of the sample splunk event (like I did here) and the latest /opt/sc4s/local folder in the support case.

Thanks.