splunk-connect-for-syslog
Splunk Connect for Syslog
All events from vCenter are showing up with `sourcetype=vmware:esxlog:` and `sc4s_class=esx`. It also appears sc4s is prefixing events with `- - - - - [meta sequenceId="1996712"]`. I have...
https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf `patterns('^[A-Za-z0-9\-\_\.]+: [0-9]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] (?[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)')` --> `^[A-Za-z0-9\-\_\.]+: [0-9a-f]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] (?[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)` I sent a capture to @mateuszpierzchala-splunk in Slack...
Ours isn't being recognised using the out-of-the-box "send it to Splunk" by the Forcepoint Content Gateways (configured via the FSM) % % vendor=Forcepoint product=Security product_version=% action=% severity=%...
Hi, it looks like there is a bug in https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf in the `elseif` condition when there is no value in `processEvent/timestamp`. Sample data below: `fenotify-7441437.warning:{"msg": "normal","appliance-id": "3CECEF7DC5E8","product": "HX","version": "5.2.0.958244","appliance": "AC2004-D-PR-FIREEYEHX03-ISD-MTE.srv.westpac.com.au","alert": { "matched_at": "2022-10-03T15:34:20.656+00:00",...
Hi Team, I have a question/scenario to pose to you: let's say I was able to back up my reliable disk buffering directory for SC4S and detach it from Instance...
Hi, currently the McAfee parser uses the syslog header for the event time. https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_epo.conf The business has requested that `2022-09-30T00:06:51` be used if it exists. Alternatively, all events have the field `2022-09-30T00:06:51` NOTE: these...
I've found the following that aren't accurately being captured as `class=esx`. There could be more; this is just over a 1 hr period. | source | | --- | | program:esxupdate...
I think I found a bug. In env_file, if I set `SC4S_SOURCE_LISTEN_RFC6587_SOCKETS=2`, the container refuses to start and this is the error: ``` Traceback (most recent call last): File "/etc/syslog-ng/conf.d/sources/source_syslog/plugin.py",...
Hi, Following our conversation in Slack (https://splunk-usergroups.slack.com/archives/CNV918JCQ/p1664459905826089), this is the issue: Using the "Filtering by an extra product description" (docs https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-by-an-extra-product-description) with the listener below makes the parser of Infoblox...