
Rewriting host field with value from SC4S_fromhostip field

Open m2oswald opened this issue 3 years ago • 0 comments

I have a customer collecting Cisco ISE logs that sometimes have the IP address in the host field, and sometimes the hostname. They have requested that the IP address be used always, which we can get from the SC4S_fromhostip field. They use SC4S version 2.34.1.

We created the file app-vps-cisco_ise.conf in both /opt/sc4s/local/config/app_parsers and /opt/sc4s/local/config/app-parsers (because we weren't sure what the difference was) to set the correct vendor and product:

application app-vps-test-cisco_ise[sc4s-vps] {
    filter {
        host("*ise*" type(glob))
    };
    parser {
        p_set_netsource_fields(
            vendor('cisco')
            product('ise')
        );
    };
};

We created /opt/sc4s/local/config/filters/app-dest-cisco_ise-ip-as-host-postfilter.conf to do the switch (code taken from #1753):

block parser app-dest-cisco_ise-change-hostname-to-ip() {
  channel {
    rewrite {
      set("${fields.sc4s_fromhostip}", value("HOST"));
    };
  };
};

application app-dest-cisco_ise-change-hostname-to-ip[sc4s-postfilter] {
  filter {
    match('cisco', value('fields.sc4s_vendor') type(string))
    and match('ise', value('fields.sc4s_product') type(string))
  };
  parser { app-dest-cisco_ise-change-hostname-to-ip(); };
};

It works on some events but not others. This event was correctly modified, with the IP value showing up in the host field:

<181>Oct  7 09:58:19 TMPSRVR CISE_Failed_Attempts 0000092801 1 0 2022-10-07 09:58:19.891 -04:00 0381856301 5401 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=46, Device IP Address=10.78.XXX.XXX, Device Port=50340, DestinationIPAddress=10.78.XXX.XXX, DestinationPort=49, UserName=admin, Protocol=Tacacs, RequestLatency=7, NetworkDeviceName=CISCOSRVR, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=admin, Port=49, Remote-Address=10.94.XXX.XXX:56272, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=TMPSRVR/449175590/41603812, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Device Admin, FailureReason=22056 Subject not found in the applicable identity store(s), Step=13013, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24430, Step=24325, Step=24313, Step=24318, Step=24322, Step=24352, Step=24412, Step=22056, Step=22058, Step=22061, Step=13015, SelectedAuthenticationIdentityStores=TMP_AD, NetworkDeviceGroups=Location#All Locations#TMP_City, NetworkDeviceGroups=Device Type#All Device Types#CISCO NEXUS DASHBOARD, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=293519407010.78.150.6550340Authentication2935194070, ISEPolicySetName=TACACS_ND, IdentitySelectionMatchedRule=DEVICE_ADMIN_AD, StepData=3= Network Access.Protocol, StepData=4= DEVICE.Device Type, StepData=6=TMP_AD, StepData=7=TMP_AD, StepData=8=admin, StepData=9=tmp.com, StepData=10=tmp.com, StepData=12=ERROR_NO_SUCH_USER, StepData=13=TMP_AD, IsMachineIdentity=false, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#TMP_City, Device Type=Device Type#All Device Types#CISCO NEXUS DASHBOARD, IPSEC=IPSEC#Is IPSEC Device#No, Response={AuthenticationResult=UnknownUser; Authen-Reply-Status=Fail; },

This one wasn't:

<181>Oct  7 09:57:37 TMPSRVR CISE_Failed_Attempts 0000092800 2 1  Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12814, Step=12817, Step=12514, Step=12507, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12818, Step=11500, Step=61025, Step=11504, Step=11003, NetworkDeviceGroups=Location#All Locations#TMP_City2, NetworkDeviceGroups=Device Type#All Device Types#CISCO CATALYST 4510R, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, EapAuthentication=EAP-TLS, OpenSSLErrorMessage=SSL alert: code=0x230=560 \; source=local \; type=fatal \; message="Unknown CA - error unable to get issuer certificate locally.s3_srvr.c:3590 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed [error=336105606 lib=20 func=137 reason=134]", OpenSSLErrorStack=  32401:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3590:, CPMSessionID=0A4E406E00050906D8252350, EndPointMACAddress=08-92-04-DD-93-32, ISEPolicySetName=1221AOA_802.1X, StepData=4= Radius.Called-Station-ID, StepData=5= DEVICE.Location, TLSCipher=unknown, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#TMP_City2, Device Type=Device Type#All Device Types#CISCO CATALYST 4510R, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=AccessReject; },

The vendor and product fields are set correctly for both events by the time they get ingested in Splunk, so I'm not sure why the second event isn't passing through our filter. Any suggestions on how to fix this would be greatly appreciated, as we have to duplicate it for a few other Cisco sources as well. Thanks.

m2oswald, Oct 07 '22 15:10
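The two quoted events differ in their CISE header: the first is a single-segment message (`0000092801 1 0`), while the second is the second of two segments (`0000092800 2 1`) and so begins mid-way through the key=value list, without the timestamp and fixed leading fields. The following is an added example, not code from the issue or from SC4S: a small Python parser that reassembles Cisco ISE segmented syslog messages by message id and extracts the repeated key=value fields. The header layout is taken from the quoted events; the sample lines, message id, host and IPs are constructed placeholders.

```python
import re

# Cisco ISE syslog body, as in the two events quoted in the issue:
#   CISE_<Category> <message_id> <total_segments> <segment_index> <payload>
# Only segment 0 carries the timestamp and fixed leading fields; later segments
# continue the comma-separated key=value list, so they must be stitched together first.
HEADER = re.compile(
    r"CISE_(?P<category>\S+) (?P<msg_id>\d{10}) (?P<total>\d+) (?P<index>\d+) (?P<payload>.*)",
    re.DOTALL,
)

def parse_segment(line):
    """Return (msg_id, category, total, index, payload), or None for a non-ISE line."""
    m = HEADER.search(line)  # search(): tolerates the PRI/timestamp/host prefix before CISE_
    if not m:
        return None
    return m["msg_id"], m["category"], int(m["total"]), int(m["index"]), m["payload"]

def reassemble(lines):
    """Group segments by message id; return {msg_id: (category, payload)} for complete ones."""
    pending, done = {}, {}
    for line in lines:
        seg = parse_segment(line)
        if seg is None:
            continue
        msg_id, category, total, index, payload = seg
        parts = pending.setdefault(msg_id, {})
        parts[index] = payload
        if len(parts) == total:  # all segments seen: join in order (ISE may split mid-token)
            done[msg_id] = (category, "".join(parts[i] for i in range(total)))
            del pending[msg_id]
    return done

def kv_fields(payload):
    """Split the ISE key=value list; repeated keys (Step, StepData, ...) keep every value."""
    fields = {}
    for token in re.split(r",\s*", payload):
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' are the timestamp/severity/message text opening segment 0
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

# Constructed sample modelled on the issue's events; id, host and IPs are placeholders.
SAMPLE = [
    "<181>Oct  7 09:58:19 ISE-NODE CISE_Failed_Attempts 0000000042 2 0 2022-10-07 09:58:19.891 "
    "-04:00 0000000001 5401 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=46, "
    "Device IP Address=192.0.2.10, UserName=admin, Step=13013, Step=15049, StepDa",
    "<181>Oct  7 09:58:19 ISE-NODE CISE_Failed_Attempts 0000000042 2 1 ta=3= Network Access.Protocol, "
    "Response={AuthenticationResult=UnknownUser; Authen-Reply-Status=Fail; },",
]
```

Running `kv_fields(reassemble(SAMPLE)["0000000042"][1])` yields the fields of the whole message; a continuation segment fed on its own stays in `pending` and produces no fields.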