sc4s app_parsers don't seem to work

davidoff96
Path Finder

Hello,

We're currently having an issue of SC4S tagging Cisco Firepower data as nix:syslog, but I was having this issue even when I was doing some testing on a dev instance. Example log (only the starting section):

(null) %NGIPS-7-430003: EventPriority: Low, DeviceUUID:....

And I basically want to match only on that starting "(null) %NGIPS-"

My conf file (app_parsers/app-syslog-cisco_firepowernull.conf):

block parser app-syslog-firepowernull() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("main")
                sourcetype('cisco:firepower:syslog')
                vendor("cisco")
                product("firepower")
            );
        };
    };
};
application app-syslog-firepowernull[sc4s-syslog] {
    filter {
        message("*(null) %NGIPS*" type(glob));
    };
    parser { app-syslog-firepowernull(); };
};

I made no other changes. I am aware I can also change this with the compliance csv, but I'd rather do it this way, especially if we will have new log sources in the future.

After making these changes and reloading (and I know that syslog-ng can see it, because I had a typo originally and it crashed lol), the logs are still tagged with vendor as "nix" and product as "syslog". The sourcetype is also still nix:syslog. Am I missing something? I found the documentation confusing regarding this.

Also, what does the [] mean in the application name? I have tried several different values, and it seemed to make no difference.


davidoff96
Path Finder

Hoookay, I managed to get it to work. I changed several things and then it worked, so lord knows which of these actually fixed it.

First, my app parser:

# Parser block: sets the Splunk destination metadata for matching events.
block parser app-syslog-cisco_merakinix() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('mymeraki')
                sourcetype('meraki:syslog')
                vendor("cisco")
                product('meraki')
                template('t_hdr_msg')
            );
        };
    };
};
# Application block: the filter decides which events the parser above handles.
application app-syslog-cisco_meraki_nix_app[sc4s-syslog] {
    filter {
        match("*src=*dst=*mac=*request:*" value("MSG") type(glob));
    };
    parser {
        app-syslog-cisco_merakinix();
    };
};


The things I changed that made it work:

  1. I placed it inside the syslog folder within app_parsers instead of in the same directory as that folder (so, the full path of the file was /data/sc4s/local/config/app_parsers/syslog/app-syslog-cisco_meraki_from_nix.conf)
  2. I changed the square bracket contents to "sc4s-syslog". I still have no idea what the square brackets mean, but my running theory is that string tells sc4s what data sources should be run through this (previously I had sc4s raw. This was a syslog ingest)
  3. I made sure the template() was set in the rewrite function. I think that may be a required field.

Finally, an issue with the original post was that I was looking for the message in "MSG", and the app, which was (null), was not included in the MSG. That was the "program" field in syslog-ng.

Also, I tried using RAWMSG, but that is NOT supported in sc4s. There is a way you can configure that to work, but their own docs say you shouldn't do it unless you are testing.

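To show why the first post's filter could not match, here is a small Python model of how syslog-ng splits a BSD-style line into PROGRAM and MSG, added here as an illustration rather than code from the thread or from SC4S. The regex is a simplified stand-in for syslog-ng's real header parser, and the sample lines are constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed samples (not captured data): the Firepower line from the post
# wrapped in a BSD syslog header, plus an ordinary daemon line for contrast.
FIREPOWER_LINE = ("<134>Oct 12 10:15:32 fw01 (null) %NGIPS-7-430003: "
                  "EventPriority: Low, DeviceUUID: <placeholder-uuid>")
SSHD_LINE = "<38>Oct 12 10:15:33 fw01 sshd[1234]: Accepted publickey for ops"

# Simplified model of syslog-ng's legacy (RFC 3164) header parsing: PROGRAM
# runs until a space, '[' or ':'; MSG is whatever follows it.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^ \[:]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)


def split_legacy_syslog(line: str) -> dict:
    """Return the PROGRAM and MSG macros syslog-ng would expose for `line`.
    A line without a parsable header is treated as all-MSG."""
    m = HEADER_RE.match(line)
    if not m:
        return {"PROGRAM": "", "MSG": line}
    return {"PROGRAM": m.group("program"), "MSG": m.group("msg")}


def filter_msg_glob(fields: dict) -> bool:
    """The first post's filter: message("*(null) %NGIPS*" type(glob)).
    message() only sees MSG, and '(null)' was parsed into PROGRAM, so this
    never matches and the event falls through to nix:syslog."""
    return fnmatchcase(fields["MSG"], "*(null) %NGIPS*")


def filter_program_and_msg(fields: dict) -> bool:
    """Test the two fields where the tokens actually live. In an app parser
    the same idea is a program() filter combined with message()."""
    return fields["PROGRAM"] == "(null)" and fnmatchcase(fields["MSG"], "%NGIPS-*")


if __name__ == "__main__":
    for line in (FIREPOWER_LINE, SSHD_LINE):
        f = split_legacy_syslog(line)
        print(f["PROGRAM"], "|", f["MSG"][:30], "|",
              filter_msg_glob(f), filter_program_and_msg(f))
```

The second sample shows the program-based check does not also capture ordinary host syslog, which is what would otherwise be misrouted away from nix:syslog.
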
vjdev
Path Finder

Hello,

I have another option.

If you can... try this one.

https://splunkbase.splunk.com/app/7404

Thank You!
