Zscaler Private Access: User activity logs are going to Main:fallback #2593
Comments
Hi @evslacker
Yes, please attach it in the support ticket. It won't be public! :)
Hi Ankit, I checked the provided pcap file and tried a few logs from both of the files, but all the logs are being classified correctly. Could you please attach a screenshot of the Splunk event in the ticket? Please make sure to expand the event and then take the screenshot.
I cannot find the screenshot. If the data is sensitive, you can reopen the Splunk ticket 3577330 (if already closed) and attach the screenshot there.
Hi Ankit, I checked my email and the ticket 3577330 but couldn't locate the screenshot. It seems like the image wasn't attached properly, as I only see [image: image.png]. Could you please resend both the raw logs causing the issues and the screenshot of the Splunk events to my email address: cwadhwani@splunk.com? Thanks!
Hi @evslacker
I feel truncation is not an issue, as I could see the logs in the correct index are between 1.5k and 2.5k characters; in the main index they are 1000-1900 characters max. No limits have been set in the sourcetype either, so I would assume it should be at least 10k by default.
Is it possible to grab a TCPDUMP of only the logs which are not going to my index?
I don't think that would be possible, not sure, but you can use Please feel free to reach out to the support team for any help with this or to get the Zscaler config checked.
Closing this GitHub issue due to unavailability of the PCAP file. Please feel free to reopen this case once a support ticket is created with the PCAP file attached. Thanks!
What is the sc4s version?
3.30.1
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Will be sharing over mail.
What is the vendor name?
Zscaler
What's the product name?
Zscaler Private Access
If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?
NA
Do you have syslog documentation or a manual for that device?
NA
Feature Request description:
ZPA is already an approved vendor for SC4S, but somehow the User Activity logs are not going to the defined index; they are going to index=main sourcetype=sc4s:fallback.
Do you want to have it for local usage or prepare a github PR?
NA