All Apps and Add-ons

Splunk TA for Password Manager Pro: I've set the sourcetype in the syslog input, but why are fields not being extracted?

alexlomas
Path Finder

I've set the sourcetype in the syslog input to be 'passman' - events are being ingested, but fields aren't being extracted. The tag of 'account' is being added though. Have I set the wrong type?

0 Karma

atellez_splunk
Splunk Employee
Splunk Employee

The TA uses sourcetype pipelines in order to "match" the event to three different types of logs: pmp_resource, pmp_login, pmp_notification. If the fields are failing to extract the syslog output from your appliance might not match the regular expressions found in the TA. An easy way to test this is to copy some logs into a regex editor (regex101.com) and use the EXTRACT regexes to test that the regexes are valid against your logs.

Example for pmp_resource logs:

EXTRACT-passman=(?P<date>\d+\-\d+\-\d+\s\d+\:\d+\:\d+)\s(?P<facility>\w+\.\w+)\s(?P<program>\w+)\s(?P<otherdate>\w+\s\d+\s\d+\:\d+\:\d+)\s(?P<host>\w+)\s(?P<logged_in_username>\S+)\:(?P<src>\S+)\s(?P<operation_type>\S+)\s(?P<operated_time>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)\s(?P<status_of_operation>\w+)\s(?P<pmp_server_name>\S+)\s(?P<dest>\S+)\:(?P<user>\S+)\:(?P<reason>\S+)

alexlomas
Path Finder

Thanks - looks like the extracts in the TA no longer match what PMP is sending then.

0 Karma

knicholson0
Engager

Yes. I'm on PMP Version: 9.1.0 / Build Number: 9101 and the date format being sent to Syslog is not in a valid ISO 8601 date, such as "2004-05", but rather "Mar 2" [sic]. So much for this statement from Manage Engine "A RFC-3164 compliant Syslog message will be generated and sent to the configured host and port, using the chosen protocol"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...