splunk-connect-for-syslog
Cisco NetScaler ADC/SDX
Customer is on the latest version of SC4S and is having trouble ingesting Cisco NetScaler ADC/SDX events. Can't find them in netfw or main. When we run the following command the event ends up in main and the fallback sourcetype, so I'm assuming there is a difference between what is in the pcap and the message I'm sending in the echo. The netfw index does exist and there are no .conf changes to override index or sourcetype.
echo '19:22:45.168439 IP 10.99.16.7.46435 > ge4-splnk-l-p01.c.gcp-sp-infrastructure-01.internal.printer: Flags [F.], seq 1, ack 1, win 32, length 0' | nc localhost 515
Please advise.
Just checking on this issue. Any updates or anything additional needed from me?
Hi @gregbecker-tekstream, I will work on that as soon as possible (most likely on Wednesday). I'll let you know if there is anything else needed.
Hello @mateuszpierzchala-splunk - any updates on this one by chance? Thx!!
@gregbecker-tekstream Hey, I was not able to start working on this one, but I will tomorrow or on Monday. Thanks for your patience.
Hi @gregbecker-tekstream, the .pcap file that you provided does not contain any information that we can use; it's just SYN/ACK TCP messages, no logs that I can use to create a filter. Can you please take a look and provide a sample that we can use?
Hello! Can you please suggest an appropriate command for gathering a pcap that you can use? Or point me to any docs that already describe what's needed?
tcpdump -s 0 host 1.2.3.4 and port 514 -i eth0 -w specificIP.pcap
Please change it as you see fit.
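To check a capture before attaching it, here is an added example (not part of this thread or the SC4S project) that parses a libpcap file and counts the TCP frames on port 514 that carry payload versus bare handshake/control frames, which is the difference the maintainer found in the attached pcap. The two captures it checks are constructed inline as sample data, not real traffic.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap magic, microsecond timestamps

def tcp_payloads(pcap_bytes):
    """Yield (tcp_flags, src_port, dst_port, payload) for each TCP/IPv4 frame in a libpcap file."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap capture")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # need Ethernet + IPv4 + TCP headers
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # protocol 6 = TCP
            continue
        tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]  # bounded by the IPv4 total length
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield tcp[13], sport, dport, tcp[data_off:]

def capture_summary(pcap_bytes, port=514):
    """Count frames on `port` that carry log payload vs. pure control frames (SYN/ACK/FIN)."""
    summary = {"no_payload": 0, "with_payload": 0}
    for _flags, sport, dport, payload in tcp_payloads(pcap_bytes):
        if port in (sport, dport):
            summary["with_payload" if payload else "no_payload"] += 1
    return summary

# Constructed sample captures (not real traffic): a bare TCP handshake and one with a syslog line.
def _frame(flags, payload):
    tcp = struct.pack("!HHIIBBHHH", 40000, 514, 1, 1, 5 << 4, flags, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4

def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

HANDSHAKE_ONLY = _pcap([_frame(0x02, b""), _frame(0x12, b""), _frame(0x10, b"")])
WITH_LOGS = _pcap([_frame(0x02, b""), _frame(0x12, b""),
                   _frame(0x18, b"<134>Jan  1 12:00:00 ns1 sample NetScaler syslog line\n")])

if __name__ == "__main__":
    print("handshake only:", capture_summary(HANDSHAKE_ONLY))  # {'no_payload': 3, 'with_payload': 0}
    print("with logs:", capture_summary(WITH_LOGS))  # {'no_payload': 2, 'with_payload': 1}
```

Run it against the real capture by reading the file's bytes into `capture_summary`; a result with `with_payload` at 0 means the capture holds no log lines for a filter to be built from.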
My apologies for the delayed response. This can be closed. The issue was with Citrix sending, not with Splunk parsing. Appreciate your time and review.