
Add support for Squid Proxy

Open lakshman237 opened this issue 1 year ago • 5 comments

What is the SC4S version? 3.17

Is there a pcap available? Sample file:
705686136.023 logformat=splunk_recommended_squid duration=19 src_ip=172.xx.2.1 src_port=62838 dest_ip=15.xx.5x.xx dest_port=443 local_time=[19/Jan/2024:17:42:16 +0000] http_method=POST request_method_from_client=POST request_method_to_server=POST url="https://sig.xxx.com/xxx/ReportManagement.asmx" status=200 vendor_action=TCP_MISS dest_status=HIER_DIRECT http_content_type="text/xml" bytes=2732 bytes_in=993 bytes_out=1739 sni="xx.yy-software.com"

What's the vendor name? Squid Proxy

What's the product name? Proxy

**Feature Request description:** Need to have a parser to support this product.

**Should it support TCP or UDP?** UDP

**Do you want to have it for local usage or prepare a GitHub PR?** Both, please. Currently, the customer uses https://splunkbase.splunk.com/app/2965 to onboard.

lakshman237 avatar Jan 19 '24 17:01 lakshman237
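The splunk_recommended_squid line above is a key=value record with two awkward value shapes (a double-quoted URL and a bracketed local_time) behind a leading epoch timestamp. As an added example that is not part of this issue or of the SC4S project, here is a small Python parser for that layout; it also peels off an RFC 5424 header when one is present, which is the hostname question raised later in the thread. The sample lines, the squid-proxy-01 host name and the documentation-range IPs are constructed, and the epoch is chosen to agree with local_time (the issue's own sample is missing its leading digit).

```python
import re
from datetime import datetime, timezone

# Constructed sample in the issue's layout (documentation-range IPs, example.com host);
# the epoch is chosen to match local_time, unlike the issue's sample, which lost a digit.
SQUID_MSG = ('1705686136.023 logformat=splunk_recommended_squid duration=19 src_ip=192.0.2.1 '
             'src_port=62838 dest_ip=198.51.100.5 dest_port=443 '
             'local_time=[19/Jan/2024:17:42:16 +0000] http_method=POST '
             'request_method_from_client=POST request_method_to_server=POST '
             'url="https://sig.example.com/svc/ReportManagement.asmx" status=200 '
             'vendor_action=TCP_MISS dest_status=HIER_DIRECT http_content_type="text/xml" '
             'bytes=2732 bytes_in=993 bytes_out=1739 sni="sig.example.com"')
# Same record wrapped in a constructed RFC 5424 header, as a forwarder might deliver it to SC4S.
SYSLOG_MSG = '<134>1 2024-01-19T17:42:16Z squid-proxy-01 squid - - - ' + SQUID_MSG

# A value is a double-quoted string, a [bracketed] timestamp, or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\[[^\]]*\]|\S+)')
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+) (.*)$')
INT_FIELDS = {"duration", "src_port", "dest_port", "status", "bytes", "bytes_in", "bytes_out"}


def parse_squid_line(line):
    """Parse one splunk_recommended_squid record, with or without an RFC 5424 header."""
    event = {"syslog_host": None}
    m = RFC5424_RE.match(line)
    if m:
        event["syslog_host"] = m.group(3)   # hostname comes from the header, not the record
        line = m.group(8)
    head, _, rest = line.strip().partition(" ")
    # Squid's leading field is a UNIX epoch with millisecond precision.
    event["_time"] = datetime.fromtimestamp(float(head), tz=timezone.utc)
    for key, raw in KV_RE.findall(rest):
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"')
        elif raw.startswith('['):
            value = raw[1:-1]
        else:
            value = raw
        event[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    return event


def timestamps_agree(event):
    """Cross-check the epoch against local_time; a mismatch usually means a truncated
    or mis-parsed timestamp, which would place the event at the wrong time in Splunk."""
    local = datetime.strptime(event["local_time"], "%d/%b/%Y:%H:%M:%S %z")
    return abs((local - event["_time"]).total_seconds()) < 1
```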

Hi @lakshman237, I've begun working on this issue. I've read both the Splunk add-on source config files and its documentation, as well as the vendor documentation.

What's still unclear to me is the precise format of Squid logs as received by SC4S. I need to verify if it adheres to RFC5424 and how it manages the Squid appliance's hostname.

Please provide us with a PCAP file containing Squid Proxy events collected from the machine running SC4S.

mstopa-splunk avatar Feb 05 '24 15:02 mstopa-splunk

Thx again. Let me work with the client to get this for you via tcpdump. If you want us to use specific flags in tcpdump, please advise.


lakshman237 avatar Feb 06 '24 07:02 lakshman237

Hi @lakshman237 do you have any updates?

mstopa-splunk avatar Feb 27 '24 15:02 mstopa-splunk

Thx again for your continued help.

The customer has now moved to writing to a file, which we are now reading via UF.

So we are going with SC4S.


lakshman237 avatar Feb 27 '24 16:02 lakshman237

Hi @lakshman237, thank you. Should we keep this issue open? If you'd like to further discuss SC4S support and challenges in this process, please send me a message at [email protected]

mstopa-splunk avatar Feb 28 '24 14:02 mstopa-splunk

Closing this issue due to a lack of response for over two weeks.

mstopa-splunk avatar Mar 14 '24 08:03 mstopa-splunk