
mGuard

Open mccain007 opened this issue 1 year ago • 6 comments

What is the sc4s version? sc4s version=3.22.5
Is there a pcap available? no
What is the vendor name? Phoenix Contact
What's the product name? mGuard
Feature Request description: new filter
Should it support TCP or UDP? both
Do you want to have it for local usage or prepare a github PR? local

mccain007 avatar May 01 '24 16:05 mccain007

Send me pcap file on email [email protected]

ikheifets-splunk avatar May 04 '24 21:05 ikheifets-splunk

@mccain007 without a pcap file (with the log messages that your device produces) we can't implement a parser for you. We need to know the format of the log message.

ikheifets-splunk avatar May 09 '24 14:05 ikheifets-splunk

Understood. I was trying to get the pcap from the admin for mGuard but he hasn't replied.


mccain007 avatar May 09 '24 15:05 mccain007

Here is what the customer sent me:

Here we go

@.***:~$ sudo tcpdump host XX.XX.XX.229
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:21:58.536095 ARP, Request who-has grp01.XXX.gov tell hqw-ntx-esx01.XXX.gov, length 46
11:22:33.125109 IP mdm.XXX.gov.46215 > grp01.XXX.gov.syslog: SYSLOG user.notice, length: 85
11:22:38.350866 ARP, Request who-has XXXgrp01.XXX.gov tell mdm.XXX.gov, length 28
11:22:38.351017 ARP, Reply XXXgrp01.XXX.gov is-at XXX:30:e7 (oui Unknown), length 46
11:22:55.612299 IP mdm.XXX.gov.46215 > XXXgrp01.XXX.gov.syslog: SYSLOG user.notice, length: 72
11:23:18.767188 IP mdm.XXX.gov.46215 > XXXgrp01.XXX.gov.syslog: SYSLOG user.notice, length: 63
11:23:23.918855 ARP, Request who-has XXXgrp01.XXX.gov tell mdm.XXX.gov, length 28
11:23:23.919074 ARP, Reply XXXgrp01.XXX.gov is-at XXX:30:e7 (oui Unknown), length 46
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

Do you want me to send you what's being captured by SC4S? I can't connect to his server to do a pcap from the SC4S end.


mccain007 avatar May 13 '24 16:05 mccain007

Hello, @mccain007! I need the raw logs that your device produces; please send me a pcap file and I will open your pcap in Wireshark.

Without a raw message we can't implement a parser; we need to know the log format to implement that. I already mentioned this: https://github.com/splunk/splunk-connect-for-syslog/issues/2435#issuecomment-2102831559

The problem with your tcpdump output is that we can't see the raw log content here. Please use the official guide.

ikheifets-splunk avatar May 13 '24 18:05 ikheifets-splunk

@mccain007 The problem with your tcpdump output is that we can't see the raw log content here. Please use the official guide.

ikheifets-splunk avatar May 13 '24 19:05 ikheifets-splunk
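A default tcpdump summary line like the ones pasted above carries only the headers (hosts, port, facility.severity, length) and never the message text, which is exactly what a parser author needs. The script below is an added illustration, not part of this issue or of the SC4S project: it builds a one-packet pcap from a constructed sample message (a real capture would come from `tcpdump -w file.pcap`) and pulls the UDP syslog payload out of it, the content Wireshark would display for such a file.

```python
import struct

SYSLOG_UDP_PORT = 514  # default syslog/UDP port; sc4s listens here too

def build_sample_pcap(message: bytes, dport: int = SYSLOG_UDP_PORT) -> bytes:
    """Build a one-packet pcap (constructed sample, not a real mGuard capture):
    Ethernet / IPv4 / UDP from 10.0.0.1:46215 to 10.0.0.2:dport carrying `message`."""
    udp_len = 8 + len(message)
    udp = struct.pack("!HHHH", 46215, dport, udp_len, 0) + message       # checksum 0 = not computed
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))       # protocol 17 = UDP
    frame = b"\x00" * 12 + b"\x08\x00" + ipv4 + udp                      # EtherType 0x0800 = IPv4
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))      # ts_sec, ts_usec, incl, orig
    return global_hdr + record_hdr + frame

def extract_syslog_payloads(pcap: bytes, port: int = SYSLOG_UDP_PORT) -> list[str]:
    """Return the raw text of every UDP datagram addressed to `port` in a pcap file.
    This is the content that a header-only tcpdump summary line omits."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"          # record headers use the writer's byte order
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:  # only Ethernet link type handled here
        raise ValueError("unsupported link type")
    payloads, offset = [], 24                             # 24 = size of the pcap global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                   # skip ARP and other non-IPv4 frames
            continue
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
        if frame[14 + 9] != 17:                            # not UDP
            continue
        udp = 14 + ihl
        _sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
        if dport != port:
            continue
        payloads.append(frame[udp + 8:udp + ulen].decode("utf-8", errors="replace"))
    return payloads

if __name__ == "__main__":
    sample = b"<13>May  9 11:22:33 mguard-test firewall: constructed sample message"
    print(extract_syslog_payloads(build_sample_pcap(sample)))
```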

@mccain007 I am closing this issue because you haven't provided me a pcap file, and I have been waiting for it for a month. When you provide it I will reopen this issue. You know that without examples of your log message it is impossible to create a parser.

ikheifets-splunk avatar May 27 '24 07:05 ikheifets-splunk