
Gigamon SSL Session Syslog

Open cchansk opened this issue 2 years ago • 9 comments

Recently, after restarting the service and updating to a new version (2.35.0), I started having certain issues with my Gigamon SSL session logs where 8 different devices with different source IPs are showing up with host=sep. The host field used to show up with the source IP. I tried modifying the host.csv file and adding the SC4S_USE_REVERSE_DNS variable to see if I can manually change it to a name, but had no luck. Wanted to see if anyone knows why that'd be happening.

Below is what some events look like:

```
Wed CEF:0|Gigamon|HC1|5.15.01|1002|SESSION_DECRYPT|6|src=10.40.24.148 dst=138.113.112.18 spt=53699 dpt=443 vlan=100 dhost=newseu.cgtn.com cs1Label=Certificate Subject cs1=*.cgtn.com cs2Label=Certificate Issuer cs2=Zscaler Intermediate Root CA (zscloud.net) (t) cs3Label=Cipher Suite cs3=TLS_AES_256_GCM_SHA384 proto=TLS/SSL outbound GigamonIsslTLSVersion=TLSv1.3 GigamonIsslCertStatus=Valid

Wed CEF:0|Gigamon|HC1|5.15.01|1001|SESSION_NO_DECRYPT|6|src=10.40.200.62 dst=20.106.86.13 spt=63240 dpt=443 vlan=100 dhost=settings-win.data.microsoft.com proto=TLS/SSL reason=Policy
```

cchansk avatar Sep 28 '22 21:09 cchansk

https://splunk.github.io/splunk-connect-for-syslog/main/experiments/ Use the property SC4S_USE_NAME_CACHE=yes to fix it. We don't think it's because of the upgrade.

rjha-splunk avatar Sep 28 '22 22:09 rjha-splunk

The setting does not seem to have helped. Added it to the env_file, and restarted sc4s.

```
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://splunkreceiver.domain.com:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=token
#Uncomment the following line if using untrusted SSL certificates
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
SC4S_LISTEN_SIMPLE_EXTREMEIQ_AEROHIVE_UDP_PORT=1514
SC4S_USE_NAME_CACHE=yes
```

cchansk avatar Sep 29 '22 13:09 cchansk

The setting will help if it sends any event which is parsed correctly by sc4s.

rjha-splunk avatar Sep 29 '22 13:09 rjha-splunk

Also, can you attach a pcap/sanitized log with header so that we can see if you are receiving it on the wire and what is not working? Alternatively, you can reach out to us in the external Slack channel as mentioned in the README guide.

rjha-splunk avatar Sep 29 '22 13:09 rjha-splunk

Please see attached. Thank you.

giga.txt

cchansk avatar Sep 29 '22 15:09 cchansk

Just an update - the host field changed to oct. I couldn't for the life of me figure out where it got sep from (I thought it was like an abbreviation for some product), but I guess it's actually parsing the month into the host field.

cchansk avatar Oct 03 '22 13:10 cchansk
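A check for the symptom described in this thread, as an added example that is not part of the issue or of SC4S: it parses the CEF body of each indexed event and flags those whose host field holds a month or weekday abbreviation, which is how a mis-split syslog header shows up in the index. The sample events are constructed from the two lines quoted above; the host values are assumed for illustration.

```python
import re

# Constructed sample (not the issue's giga.txt attachment): two events as
# they would sit in the index, one with the expected source-IP host and one
# with the month abbreviation that the issue reports ("sep").
SAMPLE_EVENTS = [
    ("10.40.24.148", "Wed CEF:0|Gigamon|HC1|5.15.01|1002|SESSION_DECRYPT|6|"
     "src=10.40.24.148 dst=138.113.112.18 spt=53699 dpt=443 vlan=100 "
     "dhost=newseu.cgtn.com cs1Label=Certificate Subject cs1=*.cgtn.com "
     "cs2Label=Certificate Issuer cs2=Zscaler Intermediate Root CA (zscloud.net) (t) "
     "cs3Label=Cipher Suite cs3=TLS_AES_256_GCM_SHA384 proto=TLS/SSL outbound "
     "GigamonIsslTLSVersion=TLSv1.3 GigamonIsslCertStatus=Valid"),
    ("sep", "Wed CEF:0|Gigamon|HC1|5.15.01|1001|SESSION_NO_DECRYPT|6|"
     "src=10.40.200.62 dst=20.106.86.13 spt=63240 dpt=443 vlan=100 "
     "dhost=settings-win.data.microsoft.com proto=TLS/SSL reason=Policy"),
]

# Tokens a BSD-syslog header parser expects to see before the hostname; a
# host field equal to one of these means the header was split in the wrong place.
DATE_TOKENS = {"jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep",
               "oct", "nov", "dec", "mon", "tue", "wed", "thu", "fri", "sat", "sun"}

CEF_HEADER_KEYS = ("version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity")


def parse_cef(message):
    """Split a CEF line into its seven header fields plus an extension dict.
    Extension values may contain spaces (see cs2 above), so the extension is
    split only at a space that is followed by another key=. Escaped pipes in
    the header are not handled by this minimal parser."""
    start = message.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = message[start + 4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = dict(zip(CEF_HEADER_KEYS, parts[:7]))
    extension = {}
    for pair in re.split(r" (?=[A-Za-z0-9_]+=)", parts[7]):
        key, _, value = pair.partition("=")
        extension[key] = value
    fields["extension"] = extension
    return fields


def audit_host_fields(events):
    """Return (host, signature_id, name) for every event whose host field
    holds a date token instead of a device address or name."""
    findings = []
    for host, message in events:
        if host.strip().lower() in DATE_TOKENS:
            cef = parse_cef(message)
            findings.append((host, cef["signature_id"], cef["name"]))
    return findings
```

Run the audit over a search export of the affected sourcetype to count how many devices are affected and which Gigamon event types they emit.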

Just wanted to follow up to see if what I provided was enough.

cchansk avatar Oct 06 '22 15:10 cchansk

Thanks, it is enough for now. I will get back after reviewing all the provided input and attachment ASAP.

rjha-splunk avatar Oct 06 '22 15:10 rjha-splunk

Wanted to bump this and see if there were any fixes on the way.

cchansk avatar Oct 23 '23 13:10 cchansk

Hi, I'm closing this issue due to the now outdated version of SC4S, but feel free to open a new issue if the problems persist on the latest release.

mstopa-splunk avatar Apr 17 '24 12:04 mstopa-splunk