It's one of the worst syslog messages you can get, because it says it's RFC-compliant and then sends invalid headers, which breaks the default parsers in sc4s, and syslog-ng adds an error to the message (Error processing log message).
I managed to make it work by creating my own source with the syslog-parser flag no-parse and manually extracting the required fields using an app parser.
Source:

```
source s_THALES_STA {
    channel {
        source {
            # NOTES:
            # -> no-parse tells syslog-ng not to parse the message as RFC5424-compliant syslog,
            #    which would fail because STA sends its messages saying they are RFC compliant,
            #    but actually they are not, which breaks further parsing.
            # -> no-multi-line is important, because otherwise the full message can't be rewritten
            syslog (
                transport("tcp")
                so-reuseport(1)
                port(602)
                persist-name("THALES_STA_6587_602_1")
                ip-protocol(4)
                max-connections(2000)
                log-iw-size(20000000)
                log-fetch-limit(2000)
                keep-timestamp(yes)
                use-dns(no)
                use-fqdn(no)
                chain-hostnames(off)
                flags(validate-utf8, no-parse, no-multi-line)
            );
        };
        parser {
            channel {
                rewrite {
                    set("Thales", value(".netsource.sc4s_vendor"));
                    set("STA", value(".netsource.sc4s_product"));
                    set("Thales STA", value(".netsource.sc4s_vendor_product"));
                    set-tag("vps");
                };
            };
        };
        rewrite(set_rfc);
        rewrite(set_rfc5424);
        parser(app-group-sc4s-syslog);
        rewrite(r_set_source_identified);
        rewrite {
            groupunset(values('.tmp.*'));
        };
        if {
            filter(f_is_source_identified);
        } else {
            parser(app-group-sc4s-fallback);
        };
        rewrite {
            set($FACILITY, value("fields.sc4s_syslog_facility") condition(match('facility' template('r_unixtime,facility,container,loghost,destport,fromhostip,proto,severity') type(string) flags(substring))));
            set($LEVEL, value("fields.sc4s_syslog_severity") condition(match('severity' template('r_unixtime,facility,container,loghost,destport,fromhostip,proto,severity') type(string) flags(substring))));
        };
    };
};
```
What is the sc4s version?
3.30.1
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
I have a packet capture, but it includes confidential customer data that I'm not allowed to share.
I anonymized an example log that you can use for testing though --> see attachment:
thales_sta_example.log
Please note that a BOM is in there and it's really important for making the parser work.
What is the vendor name?
Thales
What's the product name?
SafeNet Trusted Access (STA)
If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?
Index:
netauth
Sourcetype:
thales:sta:json
Do you have syslog documentation or a manual for that device?
https://thalesdocs.com/sta/agents/logging/index.html
Feature Request description:
This topic came up in Slack first: https://splunkcommunity.slack.com/archives/CNV918JCQ/p1739203759977949.
Parser:
It's veeeeeery unlikely that the vendor will fix their syslog implementation, so I would be happy if you don't ask me to open a case.
Do you want to have it for local usage or prepare a github PR?
Local usage.
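The issue describes receiving STA messages with syslog-ng's `no-parse` flag and then extracting the required fields by hand, because the messages announce RFC 5424 but ship headers the strict parser rejects. The following is an added example, not code from sc4s, syslog-ng or the issue author: a small Python parser that does the same thing in one place, so the failure mode is visible. It strips a UTF-8 BOM, tries a strict RFC 5424 header parse, and when that fails falls back to recovering only what is reliable (the PRI for facility/severity, and the JSON payload, since the proposed sourcetype is `thales:sta:json`). The sample lines and the specific defects they carry (a BOM before `<PRI>`, a BSD-style timestamp after the version digit) are constructed for this example and are assumptions; they are not real Thales STA output, whose exact header problem the page does not show.

```python
"""Lenient handling of syslog lines that claim RFC 5424 but ship invalid headers.

Added example (not sc4s/syslog-ng/vendor code). Mirrors the no-parse + manual
extraction approach: strip the BOM, try a strict RFC 5424 header, else fall back
to PRI + JSON body. Sample lines and their defects are constructed assumptions.
"""
import json
import re

BOM = "\ufeff"

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
    "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2",
    "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Strict RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>[!-~]{1,255}) (?P<app>[!-~]{1,48}) "
    r"(?P<procid>[!-~]{1,128}) (?P<msgid>[!-~]{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]+\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)
PRI_PREFIX = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
ISO_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})")


def decode_pri(pri: int):
    """Split PRI into (facility, severity) names; PRI above 191 is invalid."""
    if not 0 <= pri <= 191:
        return None, None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def extract_json(text: str):
    """Return the first JSON object in text (from the first '{' onward), or None."""
    start = text.find("{")
    if start < 0:
        return None
    try:
        return json.loads(text[start:])
    except json.JSONDecodeError:
        return None


def parse_syslog(raw: bytes) -> dict:
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    out = {"compliant": False, "bom": None, "facility": None, "severity": None,
           "timestamp": None, "host": None, "app": None, "msg": None, "json": None}

    # A BOM before '<PRI>' is not RFC 5424 (the BOM is only allowed at the start
    # of MSG), so a strict parser never finds the PRI. Record it, then strip it.
    if text.startswith(BOM):
        out["bom"] = "before-pri"
        text = text[len(BOM):]

    m = RFC5424_HEADER.match(text)
    if m:
        msg = m["msg"] or ""
        if msg.startswith(BOM):  # the RFC-allowed BOM position
            out["bom"] = out["bom"] or "msg-start"
            msg = msg[len(BOM):]
        out["facility"], out["severity"] = decode_pri(int(m["pri"]))
        out.update(timestamp=m["ts"], host=m["host"], app=m["app"],
                   msg=msg, json=extract_json(msg))
        out["compliant"] = out["bom"] != "before-pri"
        return out

    # Fallback (what no-parse + a manual parser does): trust only the PRI and the
    # JSON body; the timestamp is a best-effort search for an ISO 8601 stamp.
    rest = text
    p = PRI_PREFIX.match(text)
    if p:
        out["facility"], out["severity"] = decode_pri(int(p["pri"]))
        rest = p["rest"].lstrip(BOM)
    ts = ISO_TS.search(rest)
    out["timestamp"] = ts.group(0) if ts else None
    out["msg"] = rest
    out["json"] = extract_json(rest)
    return out


# Constructed sample lines (assumptions for this example, not vendor output).
SAMPLES = {
    "compliant": b'<14>1 2025-02-10T16:02:39.977Z sta.example.net STA - - - {"event":"login","user":"alice"}',
    "bom_before_pri": BOM.encode("utf-8") + b'<13>1 2025-02-10T16:02:40Z sta.example.net STA - - - {"event":"logout","user":"alice"}',
    "bsd_timestamp": b'<38>1 Feb 10 16:02:41 sta.example.net STA: {"event":"mfa","result":"denied"}',
    "bom_in_msg": b'<14>1 2025-02-10T16:02:42Z sta.example.net STA - - - \xef\xbb\xbf{"event":"token_issued"}',
}


def parse_all() -> dict:
    return {name: parse_syslog(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in parse_all().items():
        print(f"{name:15} compliant={r['compliant']} bom={r['bom']} "
              f"{r['facility']}.{r['severity']} host={r['host']} json={r['json']}")
```

The `compliant` flag is what a strict syslog-ng `syslog()` source effectively computes; every line where it is false is one that would have produced the "Error processing log message" the issue mentions, and the fallback path shows which fields can still be recovered without trusting the header.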