Juniper sourcetype

[n0068702]

What is the sc4s version?
version = "3.4.2"

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
?

What the vendor name?
Juniper

What's the product name?
firewall

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?

index = juniper_admin
sourcetypes = juniper:junos:admin
junos:firewall

Do you have syslog documentation or a manual for that device??

Feature Request description:

Need to add these sourcetypes to sc4s vendor

Do you want to have it for local usage or prepare a github PR?

[cwadhwani-splunk]

Hi @n0068702
Could you please create a support ticket and share the sample logs or the pcap file over that ticket? This will help us move forward with this case.

Thanks.

[n0068702]

I already had a case open with splunk 3533537<https://splunk.my.site.com/customer/5005a0000313kAoAAI> Remind me how to run a pcap Donald McNeill Senior Infrastructure Engineer Global Digital Services – Service Management and Delivery From: cwadhwani-splunk ***@***.***> Date: Monday, August 5, 2024 at 1:57 AM To: splunk/splunk-connect-for-syslog ***@***.***> Cc: McNeill, Don ***@***.***>, Mention ***@***.***> Subject: Re: [splunk/splunk-connect-for-syslog] Juniper sourcetype (Issue #2544) Hi @n0068702<https://urldefense.com/v3/__https:/github.com/n0068702__;!!JJ-tOIoKdBzLSfV5jA!pVsCi01bHHBC9MtHKMvahlb0iLeuFbWhqWk4UjqZbfuG-HOetel4Wx_BTUxGVxNCmKPOjFEP63d_CirkEQBWHprlgHezlY-q$> Could you please create a support ticket and share the sample logs or the pcap file over that ticket? This will help us move forward with this case. Thanks. — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2544*issuecomment-2268233170__;Iw!!JJ-tOIoKdBzLSfV5jA!pVsCi01bHHBC9MtHKMvahlb0iLeuFbWhqWk4UjqZbfuG-HOetel4Wx_BTUxGVxNCmKPOjFEP63d_CirkEQBWHprlgBOUtJuD$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/AY3BP72S5OX3KB5OKFPOPQTZP4H5BAVCNFSM6AAAAABL2XTCUGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRYGIZTGMJXGA__;!!JJ-tOIoKdBzLSfV5jA!pVsCi01bHHBC9MtHKMvahlb0iLeuFbWhqWk4UjqZbfuG-HOetel4Wx_BTUxGVxNCmKPOjFEP63d_CirkEQBWHprlgGM-zjUk$>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[cwadhwani-splunk]

Hi @n0068702
Here are a couple of links that can help you to get the raw logs/pcap file:

• https://splunk.github.io/splunk-connect-for-syslog/main/create-parser/#procure-a-raw-log-message-using-tcpdump
• https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/#obtain-raw-message-events

Please feel free to reach out to support if you need any further help with the PCAP file.

[n0068702]

Can we do a call? Donald McNeill Senior Infrastructure Engineer Global Digital Services – Service Management and Delivery From: cwadhwani-splunk ***@***.***> Date: Wednesday, August 7, 2024 at 2:12 AM To: splunk/splunk-connect-for-syslog ***@***.***> Cc: McNeill, Don ***@***.***>, Mention ***@***.***> Subject: Re: [splunk/splunk-connect-for-syslog] Juniper sourcetype (Issue #2544) Hi @n0068702<https://urldefense.com/v3/__https:/github.com/n0068702__;!!JJ-tOIoKdBzLSfV5jA!rSlKr7RLQV2taTN75zILVPCSN3F-Ps69l7IW1-kvsQv0yPyZsjom8nuGBrKrujN5gYJxiawLZdTPnB0JwjW2FBCLAfzoINIn$> Here are a couple of links that can help you to get the raw logs/pcap file: * https://splunk.github.io/splunk-connect-for-syslog/main/create-parser/#procure-a-raw-log-message-using-tcpdump<https://urldefense.com/v3/__https:/splunk.github.io/splunk-connect-for-syslog/main/create-parser/*procure-a-raw-log-message-using-tcpdump__;Iw!!JJ-tOIoKdBzLSfV5jA!rSlKr7RLQV2taTN75zILVPCSN3F-Ps69l7IW1-kvsQv0yPyZsjom8nuGBrKrujN5gYJxiawLZdTPnB0JwjW2FBCLAZAzpfI_$> * https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/#obtain-raw-message-events<https://urldefense.com/v3/__https:/splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/*obtain-raw-message-events__;Iw!!JJ-tOIoKdBzLSfV5jA!rSlKr7RLQV2taTN75zILVPCSN3F-Ps69l7IW1-kvsQv0yPyZsjom8nuGBrKrujN5gYJxiawLZdTPnB0JwjW2FBCLAQJLd2ll$> Please feel free to reach out to support if you need any further help with the PCAP file. — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/splunk/splunk-connect-for-syslog/issues/2544*issuecomment-2272693687__;Iw!!JJ-tOIoKdBzLSfV5jA!rSlKr7RLQV2taTN75zILVPCSN3F-Ps69l7IW1-kvsQv0yPyZsjom8nuGBrKrujN5gYJxiawLZdTPnB0JwjW2FBCLAbM6KYi-$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/AY3BP72BQJYM6YEYAPYFXIDZQG3FFAVCNFSM6AAAAABL2XTCUGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZSGY4TGNRYG4__;!!JJ-tOIoKdBzLSfV5jA!rSlKr7RLQV2taTN75zILVPCSN3F-Ps69l7IW1-kvsQv0yPyZsjom8nuGBrKrujN5gYJxiawLZdTPnB0JwjW2FBCLAYwoc6LB$>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[cwadhwani-splunk]

Hi @n0068702
I have requested the support team to assist you with generating the pcap file. They will get in touch with you for the same.

[cwadhwani-splunk]

Hi @n0068702

Could you please confirm if the call is solely for generating the pcap file, or if you need assistance with any other issues as well? This will help the support team prepare accordingly.

Note: For now, we just need the pcap file or sample raw logs to proceed with the case.

[Ruthieb-splunk]

Hi @cwadhwani-splunk, I'm the Splunk TSE working with the customer on the support side. SFDC case: 3533537.
We already had a call and I guided the customer on how to collect the pcap we need to create the sourcetype.
Once I have the file on the case I will share it with you.

[cwadhwani-splunk]

Closing this GitHub issue, due to unavailability of the PCAP file. If not already resolved, please feel free to reopen this case once a support ticket is created with the PCAP file attached. Thanks!