splunk-connect-for-syslog
Gigamon SSL Session Syslog
Was the issue replicated by support? n/a
What is the sc4s version? 2.49.8
Is there a pcap available? Can be made available
Is the issue related to the environment of the customer or a software-related issue? No
Is it related to data loss, please explain? Protocol? Hardware specs? No
Last chance index/Fallback index? No
Is the issue related to local customization? No
Do we have all the default indexes created? Yes
Describe the bug
This issue was reported in https://github.com/splunk/splunk-connect-for-syslog/issues/1833, but it was recently closed. However, the issue still exists and was never worked on.
Recently, after restarting the service and updating to a new version (2.35.0), I started having certain issues with my Gigamon SSL session logs, where 8 different devices with different source IPs are showing up with host=sep. The host field used to show up with the source IP. I tried modifying the host.csv file and adding the SC4S_USE_REVERSE_DNS variable to see if I could manually change it to a name, but had no luck. Wanted to see if anyone knows why that'd be happening.
Below is what some events look like:
Wed CEF:0|Gigamon|HC1|5.15.01|1002|SESSION_DECRYPT|6|src=10.40.24.148 dst=138.113.112.18 spt=53699 dpt=443 vlan=100 dhost=newseu.cgtn.com cs1Label=Certificate Subject cs1=*.cgtn.com cs2Label=Certificate Issuer cs2=Zscaler Intermediate Root CA (zscloud.net) (t) cs3Label=Cipher Suite cs3=TLS_AES_256_GCM_SHA384 proto=TLS/SSL outbound GigamonIsslTLSVersion=TLSv1.3 GigamonIsslCertStatus=Valid
Wed CEF:0|Gigamon|HC1|5.15.01|1001|SESSION_NO_DECRYPT|6|src=10.40.200.62 dst=20.106.86.13 spt=63240 dpt=443 vlan=100 dhost=settings-win.data.microsoft.com proto=TLS/SSL reason=Policy giga.txt
To Reproduce
Send Gigamon SSL traffic logs to SC4S
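The events above are CEF records whose extension values contain spaces (certificate issuer names, "TLS/SSL outbound"), which a naive split on spaces would mangle. As an added, stand-alone example that is not SC4S or Gigamon code, this parser splits the seven-field CEF header and walks the extensions key by key, keeping whatever precedes "CEF:" (here the stray "Wed") visible instead of dropping it silently. The sample events are constructed from the two lines quoted in the issue, with the trailing "giga.txt" paste residue removed from the second.

```python
import re
from typing import Dict, List

# Constructed sample: the two events quoted in the issue, "Wed" prefix kept,
# trailing "giga.txt" dropped from the second line.
SAMPLE_EVENTS: List[str] = [
    "Wed CEF:0|Gigamon|HC1|5.15.01|1002|SESSION_DECRYPT|6|src=10.40.24.148 "
    "dst=138.113.112.18 spt=53699 dpt=443 vlan=100 dhost=newseu.cgtn.com "
    "cs1Label=Certificate Subject cs1=*.cgtn.com cs2Label=Certificate Issuer "
    "cs2=Zscaler Intermediate Root CA (zscloud.net) (t) cs3Label=Cipher Suite "
    "cs3=TLS_AES_256_GCM_SHA384 proto=TLS/SSL outbound "
    "GigamonIsslTLSVersion=TLSv1.3 GigamonIsslCertStatus=Valid",
    "Wed CEF:0|Gigamon|HC1|5.15.01|1001|SESSION_NO_DECRYPT|6|src=10.40.200.62 "
    "dst=20.106.86.13 spt=63240 dpt=443 vlan=100 "
    "dhost=settings-win.data.microsoft.com proto=TLS/SSL reason=Policy",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# One extension pair: the value runs lazily until the next " key=" token or the
# end of the string, so multi-word values survive intact.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF record into a flat dict of header fields plus extensions."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF record")
    # Keep anything before "CEF:" so a broken syslog header stays visible.
    prefix, body = line[:idx].strip(), line[idx + len("CEF:"):]
    # Seven pipe-delimited header fields; element eight is the extension string.
    # A backslash-escaped pipe inside a header value is not a delimiter.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("incomplete CEF header")
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    record["prefix"] = prefix
    for key, value in _EXT_RE.findall(parts[7]):
        record[key] = value.strip()
    return record


if __name__ == "__main__":
    for rec in map(parse_cef, SAMPLE_EVENTS):
        print(rec["prefix"], rec["name"], rec["src"], rec["dhost"],
              rec.get("reason") or rec.get("GigamonIsslTLSVersion"))
```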