Zscaler Private Access: User activity logs are going to Main:fallback #2593

Closed
evslacker opened this issue Sep 20, 2024 · 15 comments

@evslacker
What is the sc4s version?
3.30.1
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Will be sharing over mail

What's the vendor name?
Zscaler

What's the product name?
Zscaler Private Access

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?
NA
Do you have syslog documentation or a manual for that device?
NA
Feature Request description:
ZPA is already an approved vendor for SC4S, but somehow the User Activity logs are not going to the defined index; they are going to index=main sourcetype=sc4s:fallback.
Do you want to have it for local usage or prepare a github PR?
NA

@cwadhwani-splunk (Collaborator)

Hi @evslacker
We will need the pcap file to get the raw logs to work on this issue. Could you please create a support ticket and attach the PCAP file there?

@cwadhwani-splunk cwadhwani-splunk self-assigned this Sep 24, 2024
@evslacker (Author)

evslacker commented Sep 24, 2024 via email

@cwadhwani-splunk (Collaborator)

Yes, please attach it in the support ticket. It won't be public! :)

@evslacker (Author)

evslacker commented Sep 25, 2024 via email

@cwadhwani-splunk (Collaborator)

Hi Ankit,

I checked the provided pcap file and tried a few logs from both of the files, but all the logs are being classified correctly. Could you please attach a screenshot of the Splunk event in the ticket? Please make sure to expand the event and then take the screenshot.
Also, if feasible, could you please point out the log that is not being classified correctly?

@evslacker (Author)

evslacker commented Sep 26, 2024 via email

@cwadhwani-splunk (Collaborator)

cwadhwani-splunk commented Sep 27, 2024

I cannot find the screenshot. If the data is sensitive, you can reopen the Splunk ticket 3577330 (if already closed) and attach the screenshot there.

@evslacker (Author)

evslacker commented Sep 27, 2024 via email

@cwadhwani-splunk (Collaborator)

Hi Ankit,

I checked my email and the ticket 3577330 but couldn't locate the screenshot. It seems like the image wasn't attached properly, as I only see [image: image.png].

Just for reference: (screenshot attached)

Could you please resend both the raw logs causing the issues and the screenshot of the Splunk events to my email address: cwadhwani@splunk.com?

Thanks!

@evslacker (Author)

evslacker commented Sep 27, 2024 via email

@cwadhwani-splunk (Collaborator)

Hi @evslacker
I checked the screenshot and it seems like the logs coming from the Zscaler are truncated. We can check this by obtaining the raw logs coming to SC4S.
Please create a support ticket if you need any help with this; the support team can assist you here to proceed with the case. If this has something to do with SC4S, feel free to add a comment/reopen this GitHub issue.

@evslacker (Author)

I feel truncation is not an issue, as I could see logs in the correct index are between 1.5k and 2.5k characters.

In the main index, 1000-1900 max.

No limits have been set in the sourcetype as well, so I would assume it should be at least 10k by default.

@evslacker (Author)

Is it possible to grab a tcpdump of only the logs which are not going to my index?

@cwadhwani-splunk (Collaborator)

I don't think that would be possible, not sure, but you can use <tcpdump command> | grep "<search_term>" to only get the UDP packet content that contains the search_term. You can also try other methods of obtaining raw logs, like using the sc4s-finalfilter and sending traffic to the sc4s instance.

Please feel free to reach out to the support team for any help with this or to get the Zscaler config checked.

@cwadhwani-splunk (Collaborator)

Closing this GitHub issue due to unavailability of the PCAP file. Please feel free to reopen this case once a support ticket is created with the PCAP file attached. Thanks!
