
Help Required: Create a block filter to push event to null Queue #2548

Closed
evslacker opened this issue Aug 6, 2024 · 8 comments
@evslacker

Hi Team, I have scan logs which are coming to sc4s, and neither the application team nor we want them in Splunk as they are useless. We are not able to stop them from the source, hence we thought of creating a block parser instead.

The logs are coming from 3 different IPs:
Ip1, Ip2, Ip3

The logs also have a common keyword which comes in every log:
keyword= " Some Text @zabbix_server_detect.nasl Some Text*"

Can you please help create the parser for the above conditions.

I tried to build one below, but it didn't work:

block parser app-zabbix-scanlogs-drop() {
    channel {
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application app-zabbix-scanlogs-drop[sc4s-postfilter] {
    filter {
          (host ("ip1") or host ("ip2") or host ("ip3"))
          AND message('@zabbix_server_detect.nasl',type(substring))
    };
    parser { app-zabbix-scanlogs-drop(); };
};

Also, can you please mention the path where I have to save this parser? Is it under app_parsers or rewriters?

Below are sample logs:
Sourcetype=json
{"request":"active checks", "host":"$@zabbix_server_detect.nasl"}

Sourcetype=sc4s:fallback
PRI=13
MESSAGE=ZBX_GET_ACTIVE_CHECKS\n$@zabbix_server_detect.nasl-1722404282

@cwadhwani-splunk
Collaborator

Hi @evslacker

I checked your case and it seems that you need some help with a custom parser that stops the ingestion of a specific type of log. Here is what you can refer to:
https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-events-from-output

If you are still facing an issue with creating a parser please create a support ticket so that we can collect all the necessary information like sample logs to further assist you.

@cwadhwani-splunk cwadhwani-splunk self-assigned this Aug 7, 2024
@evslacker
Author

Hey @cwadhwani-splunk, thanks for the link. I already went through it and tried the below parser as well, but I am getting an error with that.

I have also given the sample raw logs, which is what I could see in the fallback and main index.

block parser app-zabbix-scanlogs-drop() {
    channel {
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application app-zabbix-scanlogs-drop[sc4s-postfilter] {
    filter {
          (host ("ip1") or host ("ip2") or host ("ip3"))
          AND message('@zabbix_server_detect.nasl',type(substring))
    };
    parser { app-zabbix-scanlogs-drop(); };
};

@cwadhwani-splunk
Collaborator

Hi @evslacker

We will need a sample raw log (the exact log that is coming to SC4S) to replicate the scenario on our end. To get the raw logs you can either provide us with the PCAP file over a support case, or you can follow the below link to obtain the raw logs and attach them to a support case.

@cwadhwani-splunk
Collaborator

@evslacker
We will need the asked raw logs to confirm the issue. But here is what I observed on my end with the information that we have.

  • type(substring) is not allowed.
  • AND should be small.

Here is the updated parser, which I tested with a self-generated log based on the provided information.

block parser app-zabbix-scanlogs-drop() {
    channel {
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application app-zabbix-scanlogs-drop[sc4s-postfilter] {
    filter {
        (
            (host ("ip1") or host ("ip2") or host ("ip3"))
            and message('@zabbix_server_detect.nasl')
        )
    };
    parser { app-zabbix-scanlogs-drop(); };
};

Note:

  • Create this parser under /opt/sc4s/local/config/app_parsers. The file name could be: app-zabbix-scanlogs-drop.conf
  • Make sure to restart the SC4S service after making this change.

@evslacker
Author

@cwadhwani-splunk let me try this once.

Also, the source is not a continuously log-generating source, hence allow me a few days to provide you the pcap if needed; otherwise let me try this once.

@evslacker
Author

Hey @cwadhwani-splunk,

Is it ok if I use OR instead of AND, so that if either the IP or the keyword matches, in both cases my logs will go to the null queue?

@cwadhwani-splunk
Collaborator

Hi @evslacker
Yes, you can use or/and based on your use case.
Considering that the provided filter worked for you, I am closing this issue. Please feel free to reach out to support for any further queries. You can also raise a GitHub issue if you find any bug or have a feature request in SC4S.

Thanks.
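As an added illustration (not code from the thread or from SC4S), the following Python model mirrors the routing decision the block parser makes, so the difference between the `and` and `or` variants discussed above can be seen on concrete events. The host list `ip1`/`ip2`/`ip3` and the keyword are the placeholders from the issue; the sample events are constructed, two of them modelled on the sample logs posted earlier. Two details of syslog-ng's filter syntax are reflected here: the boolean operators must be lowercase (`AND`/`OR` are rejected, which is why the model refuses anything else), and `message()` takes a PCRE pattern by default and searches anywhere in the message, so the dot in the keyword is escaped to match a literal `.`. The point the model makes is that `or` drops every event from a listed host, including logs that are not scan noise, so it is a wider net than `and`.

```python
import re

# Constructed sample events: two modelled on the issue's sample logs, three made up.
# Each tuple is (host as SC4S sees it, message body).
SAMPLE_EVENTS = [
    ("ip1", "ZBX_GET_ACTIVE_CHECKS\n$@zabbix_server_detect.nasl-1722404282"),
    ("ip2", '{"request":"active checks", "host":"$@zabbix_server_detect.nasl"}'),
    ("ip1", "sshd[2211]: Accepted publickey for ops from 10.0.0.7 port 51022"),
    ("app01", "ZBX_GET_ACTIVE_CHECKS $@zabbix_server_detect.nasl"),
    ("app01", "nginx: GET /healthz 200"),
]

SCANNER_HOSTS = ("ip1", "ip2", "ip3")      # placeholder host names, as in the issue
KEYWORD = r"@zabbix_server_detect\.nasl"   # PCRE pattern; the dot is escaped


def render_filter(hosts, keyword, combine):
    """Build the syslog-ng filter expression for these parameters.

    The operator is kept lowercase: syslog-ng accepts 'and'/'or', not 'AND'/'OR'.
    """
    if combine not in ("and", "or"):
        raise ValueError("combine must be 'and' or 'or' (lowercase)")
    host_expr = " or ".join(f'host("{h}")' for h in hosts)
    return f"({host_expr}) {combine} message('{keyword}')"


def selects(host, message, hosts, keyword, combine):
    """Mirror the filter: True means the event would go to the null queue."""
    if combine not in ("and", "or"):
        raise ValueError("combine must be 'and' or 'or' (lowercase)")
    by_host = host in hosts
    # message() with a PCRE pattern is an unanchored search, i.e. substring-like.
    by_keyword = re.search(keyword, message) is not None
    if combine == "and":
        return by_host and by_keyword
    return by_host or by_keyword


def route(events, hosts, keyword, combine):
    """Split the events between the two destinations; returns event indexes per destination."""
    routed = {"null_queue": [], "splunk": []}
    for idx, (host, message) in enumerate(events):
        dest = "null_queue" if selects(host, message, hosts, keyword, combine) else "splunk"
        routed[dest].append(idx)
    return routed


if __name__ == "__main__":
    for combine in ("and", "or"):
        print(render_filter(SCANNER_HOSTS, KEYWORD, combine))
        print(route(SAMPLE_EVENTS, SCANNER_HOSTS, KEYWORD, combine))
```

With `and`, only the two scan events (indexes 0 and 1) are dropped; with `or`, the legitimate sshd line from `ip1` (index 2) and the keyword-bearing line from the unlisted host `app01` (index 3) are dropped as well. Whichever variant is chosen, checking the decision against a few known-good events from the same hosts before restarting SC4S avoids silently losing logs that were meant to reach Splunk.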

@evslacker
Author

It worked partially, but yeah, the CASE was what I was lacking in my filter. Thanks for the help.
