Hi Everyone,   We have successfully integrated a Sophos XG Firewall with Splunk using Splunk Connect for Syslog (SC4S). However, we are running into a syslog parsing and segregation issue. Currently, all incoming Sophos logs are being mapped to a single generic sourcetype (sophos:xg:idp) instead of being segregated into their correct, specific sourcetypes (like firewall, web filter, etc.). The Root Cause: When reviewing the built-in SC4S Sophos parser, we noticed it strictly looks for the string device_name="SFW". We verified this by temporarily changing a firewall's hostname to SFW, which immediately resolved the issue and allowed SC4S to parse the logs correctly. The Dilemma: Due to strict client requirements, we cannot modify the hostnames on all production firewalls. Therefore, we are considering two approaches: Create a custom app parser in SC4S to handle the actual firewall hostnames. Implement heavy tracking/regex overrides via props.conf and transforms.conf directly on the Splunk Indexers/Heavy Forwarders to force proper sourcetype segregation. Where we are stuck: We prefer fixing this at the SC4S layer (Option 1). We attempted to create a custom app parser under /opt/sc4s/local/config/app_parser/sophos_firewall_custom.conf. However, upon restarting SC4S, the system seems to load both parsers but defaults back to the built-in vendor parser, ignoring our custom logic. application app-syslog-sophos_firewall_xg_custom[sc4s-syslog] { filter { ( message("device=\"SFW\"" type(string) flags(substring)) or message("device_name=\"SFW\"" type(string) flags(substring)) or ( ( netmask(10.0.103.20/32) or netmask(10.10.11.129/32) or netmask(10.10.11.65/32) or netmask(10.10.10.73/32) or netmask(10.10.10.78/32) or netmask(10.10.10.82/32) or netmask(10.10.11.97/32) ) and message("log_type=" type(string) flags(substring)) ) ); }; parser { app-syslog-sophos_firewall_xg(); }; };   Has anyone successfully overridden the default vendor device_name filter in SC4S without modifying the core files? Are we missing a specific block association or fallback trigger in our custom configuration? Any insights, alternate SC4S environment variable workarounds, or proper props.conf segregation examples for Sophos XG would be greatly appreciated! Thanks in advance. Sophos Next-Gen Firewall  ... View more

Hii everyone, I have installed Splunk uf 10.0.5 on windows server 2016. The UF needs to connected to DS whose version is 10.2.0. But the UF is not connecting with DS. I have tried checking whether there is a network issue or port is blocked. But Test-Net connection shows that it successfully connects my DS on 8089 port.  Netstat -ano shows that ports are open. When checked the splunkd.log of uf it shows that error not connected to DS, handshake failed or socket error. I am attaching the splunkd.log image for the reference. when I checked the splunkd.log of DS its shows socket error while idling. below is the image attached from DS for the reference.   Any idea? Thanks in advance, Regards, Ankit Singh ... View more

Hii, We have been using Splunk Enterprise 10.2.0, but in Monitoring Console we can see today's license utilization but unable to see historical license utilization.     ... View more

Hi, We are facing an issue related SC4S. We have sophos firewall logs coming on sc4s port 514. we have configured splunk_metadata.csv with respective to that. We have checked connectivity issue using curl and it shows logs in main index but no logs on my custom index. Also there is no logs on splunk that shows logs are being dropped. Splunk Connect for Syslog  ... View more

I am trying to integrate an Oracle database with Splunk using DB Connect. When I attempt to create an input in Data Lab and set the rising column as timestamp, I receive the following error: “dbxquery command: External search command exited unexpectedly.” I have already reviewed the related article, but the issue still persists. splunk db connect article  I am using Splunk DB Connect version 3.18. The SQL query runs successfully and returns data when executed normally; the error occurs only when selecting a rising column.                 I have searched the dbxquery logs in internal logs and  its shows:   ... View more