
Thales SafeNet Trusted Access (STA) Support

Open Stjubit opened this issue 8 months ago • 0 comments

What is the sc4s version?

3.30.1

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?

I have a packet capture, but it includes confidential customer data that I'm not allowed to share.

I anonymized an example log that you can use for testing though --> see attachment:

thales_sta_example.log

Please note that a BOM is in there and it's really important for making the parser work.

What's the vendor name?

Thales

What's the product name?

SafeNet Trusted Access (STA)

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?

Index: netauth
Sourcetype: thales:sta:json

Do you have syslog documentation or a manual for that device?

https://thalesdocs.com/sta/agents/logging/index.html

Feature Request description:

This topic came up in Slack first: https://splunkcommunity.slack.com/archives/CNV918JCQ/p1739203759977949.

It's one of the worst syslog messages you can get, because it says it's RFC-compliant and then sends invalid headers, which breaks the default parsers in sc4s, and syslog-ng adds an error to the message (Error processing log message).

I managed to make it work by creating my own source with the syslog-parser flag no-parse and manually extracting the required fields using an app parser.

Source:

source s_THALES_STA {
  channel {
    source {
      # NOTES:
      # -> no-parse tells syslog-ng to not parse the message as RFC5424-compliant syslog,
      #    which would fail because STA sends its messages saying they are RFC compliant,
      #    but actually they are not, which breaks further parsing.
      # -> no-multi-line is important, because otherwise the full message can't be rewritten
      syslog (
        transport("tcp")
        so-reuseport(1)
        port(602)
        persist-name("THALES_STA_6587_602_1")
        ip-protocol(4)
        max-connections(2000)
        log-iw-size(20000000)
        log-fetch-limit(2000)
        keep-timestamp(yes)
        use-dns(no)
        use-fqdn(no)
        chain-hostnames(off)
        flags(validate-utf8, no-parse, no-multi-line)
      );
    };

    parser {
      channel {
        rewrite {
          set("Thales", value(".netsource.sc4s_vendor"));
          set("STA", value(".netsource.sc4s_product"));
          set("Thales STA", value(".netsource.sc4s_vendor_product"));
          set-tag("vps");
        };
      };
    };

    rewrite(set_rfc);
    rewrite(set_rfc5424);

    parser(app-group-sc4s-syslog);
    rewrite(r_set_source_identified);
    rewrite {
      groupunset(values('.tmp.*'));
    };

    if {
      filter(f_is_source_identified);
    } else {
      parser(app-group-sc4s-fallback);
    };

    rewrite {
      set($FACILITY, value("fields.sc4s_syslog_facility") condition(match('facility' template('r_unixtime,facility,container,loghost,destport,fromhostip,proto,severity') type(string) flags(substring))));
      set($LEVEL, value("fields.sc4s_syslog_severity") condition(match('severity' template('r_unixtime,facility,container,loghost,destport,fromhostip,proto,severity') type(string) flags(substring))));
    };
  };
};

Parser:

block parser app-syslog-k4z6pt_thales-syslog-parser() {
  channel {
    # Extract timestamp, host, source and message via RegEx
    parser {
      regexp-parser(
        prefix(".tmp.")
        patterns('^\<\d{2}\>\d\s(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2})\s(?<host>\w+)\s-\s-\s(?<source>\w+)\s(?<message>.*)')
      );
    };

    # Parse extracted timestamp
    parser {
      date-parser-nofilter(
        format('%Y-%m-%dT%H:%M:%S.%f%z')
        template("${.tmp.timestamp}")
      );
    };

    rewrite {
      # Set Splunk host and use extracted message as _raw
      set("${.tmp.host}", value("HOST"));
      set("${.tmp.message}", value("MESSAGE"));

      # Remove BOM from message
      subst(
        "^\\xEF\\xBB\\xBF",
        "",
        value("MESSAGE")
      );

      r_set_splunk_dest_default(
        index('aaa')
        sourcetype('thales:sta:json')
        source('${.tmp.source}')
        vendor('Thales')
        product('SafeNet Trusted Access')
        template('t_msg_only')
      );
    };
  };
};

application app-syslog-k4z6pt_thales-syslog[sc4s-syslog] {
  filter {
    netmask(1.2.3.4/32)
  };
  parser { app-syslog-k4z6pt_thales-syslog-parser(); };
};

It's veeeeeery unlikely that the vendor will fix their syslog implementation, so I would be happy if you don't ask me to open a case.

Do you want to have it for local usage or prepare a GitHub PR?

Local usage.

Stjubit avatar Feb 27 '25 15:02 Stjubit
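To check the field extraction and BOM handling of the app parser in this issue offline, here is an added Python example; it is not code from the sc4s project or from the issue author. It re-implements the regexp-parser pattern (in Python's `(?P<name>...)` syntax, widened to accept negative UTC offsets as well as positive ones), the date-parser format, and the subst() that strips the BOM from MESSAGE, and runs them over a constructed sample line whose header follows the shape that pattern expects. The priority value, hostname and JSON payload in the sample are made up. It also shows why the BOM removal matters for a JSON sourcetype: json.loads rejects a message that still starts with U+FEFF.

```python
"""Offline check of the STA field extraction used by the sc4s app parser.

Constructed example; not code from the sc4s project or the issue author.
"""
import json
import re
from datetime import datetime

# Same shape as the regexp-parser pattern in the issue, in Python's (?P<name>...)
# syntax. Assumption: the offset is widened to [+-] so "-05:00" style offsets
# also match; the original pattern only accepts "+".
STA_HEADER = re.compile(
    r"^<\d{2}>\d\s"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{2}:\d{2})\s"
    r"(?P<host>\w+)\s-\s-\s(?P<source>\w+)\s(?P<message>.*)$",
    re.DOTALL,
)

# Same format string as date-parser-nofilter() in the issue. Python 3.7+ %z
# accepts the colon-separated offset.
STA_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# The UTF-8 BOM bytes that the subst() in the issue removes; after decoding
# they are the single code point U+FEFF.
BOM_BYTES = b"\xef\xbb\xbf"

# Constructed sample line (hostname, priority and payload are made up). The BOM
# sits between the source field and the JSON body, which is where the subst()
# on MESSAGE expects it.
SAMPLE_LINE = (
    b"<14>1 2025-02-27T14:05:09.123456+01:00 stahost01 - - STA "
    + BOM_BYTES
    + b'{"eventType": "AUTH", "result": "SUCCESS", "user": "jdoe"}'
)


def payload_parses_without_strip(raw: bytes) -> bool:
    """Return True if json.loads accepts the message without BOM removal.

    Mirrors what the sourcetype would see if the subst() were missing.
    """
    m = STA_HEADER.match(raw.decode("utf-8"))
    if m is None:
        return False
    try:
        json.loads(m.group("message"))
        return True
    except ValueError:
        return False


def parse_sta_line(raw: bytes):
    """Apply the regexp-parser, date-parser and BOM subst() steps to one line.

    Returns a dict with the extracted fields, or None when the line does not
    match the pattern (the sc4s config would fall through to the fallback
    parser in that case) or is not valid UTF-8 (validate-utf8 in the source).
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    m = STA_HEADER.match(text)
    if m is None:
        return None
    fields = m.groupdict()

    # Equivalent of subst("^\\xEF\\xBB\\xBF", "", value("MESSAGE")): strip a
    # leading BOM from the message only, never from the header fields.
    message = fields["message"]
    bom_present = message.startswith("\ufeff")
    if bom_present:
        message = message[1:]

    try:
        payload = json.loads(message)
    except ValueError:
        payload = None  # keep the raw message even when it is not JSON

    return {
        "timestamp": datetime.strptime(fields["timestamp"], STA_TIME_FORMAT),
        "host": fields["host"],
        "source": fields["source"],
        "message": message,
        "bom_present": bom_present,
        "payload": payload,
    }


if __name__ == "__main__":
    print("without BOM strip, JSON parses:", payload_parses_without_strip(SAMPLE_LINE))
    print(parse_sta_line(SAMPLE_LINE))
```

Run it as a script to see both results; feeding it the anonymized example log from the attachment line by line (as bytes, so the BOM survives) is the quickest way to confirm the pattern matches real STA output before changing the syslog-ng config.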