Support Broadcom SMIME syslog. #2436

Closed
evslacker opened this issue May 2, 2024 · 10 comments
@evslacker

What is the sc4s version?
2.49.8
Is there a pcap available?
Yes, I can email it to the person who will be working on this request.
What is the vendor name?
Broadcom
What's the product name?
SMIME
**Feature Request description:**
SMIME is not part of the products currently supported by sc4s; we have received a request to ingest SMIME syslog into Splunk Cloud.
**Should it support TCP or UDP?**
It supports both TCP and UDP over port 514.
**Do you want to have it for local usage or prepare a GitHub PR?**
Whichever suits best.

@ikheifets-splunk
Contributor

ikheifets-splunk commented May 2, 2024

Please send me the pcap file by email to ikheifets@splunk.com.
Also, please update your instance from 2.x to 3.x, because after this PR you should be ready to update :)

@evslacker
Author

A teammate of mine must have shared the pcap with you; let me know if that is sufficient to start things.

@ikheifets-splunk
Contributor

Thanks @evslacker, I've got your pcap; we will start working with that.

@ikheifets-splunk ikheifets-splunk self-assigned this May 8, 2024
@evslacker
Author

Hi @ikheifets-splunk
Just following up on this; is there any update on this request?

@ikheifets-splunk
Contributor

ikheifets-splunk commented May 20, 2024

Hello, @evslacker!
It seems the logs you provided are PGP server logs. I worry that PGP server logs might be wrongly identified as Broadcom SMIME; for this reason I propose you use a user-defined parser, which you will use and we wouldn't release.

What you need to do:

  1. Go to this directory: /opt/sc4s/local/config/app-parsers
  2. In this directory create the file app-syslog-pgp.conf with the following content:

```
# Parser block: sets the Splunk destination metadata for matched events.
block parser app-syslog-broadcom-smime() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('main')
                sourcetype('broadcom:smime')
                vendor("broadcom")
                product("smime")
            );
        };
    };
};

# Application: claims every event whose PROGRAM field starts with "pgp/"
# (plain string prefix match, not a regex) and runs the parser above.
application app-syslog-broadcom-smime[sc4s-syslog-pgm] {
    filter {
        program('pgp/' type(string) flags(prefix));
    };
    parser { app-syslog-broadcom-smime(); };
};
```

  3. Restart SC4S
  4. Check that your user-defined parser is mounted inside the container; check this directory inside your container:
    /etc/syslog-ng/conf.d/local/config/app_parsers

P.S. @evslacker please let me know whether it is working for you.
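To make the routing decision of the parser above concrete, here is an added Python example (not part of the issue, not sc4s or syslog-ng code) that models what the `program('pgp/' type(string) flags(prefix))` filter does: it parses a few constructed RFC 3164 syslog lines, extracts the PROGRAM field and reports which events would be claimed by the user-defined parser and tagged `broadcom:smime`, and which would not. The sample lines, hostnames and process names are constructed for illustration only.

```python
import re
from dataclasses import dataclass

# Constructed sample RFC 3164 syslog lines (not taken from the issue's pcap).
SAMPLE_LINES = [
    "<134>May 20 10:15:01 mailgw pgp/smtp[2211]: connection from 10.0.0.5 accepted",
    "<134>May 20 10:15:02 mailgw pgp/ldap[2212]: bind to ldap://dir.example.internal succeeded",
    "<86>May 20 10:15:03 mailgw sshd[410]: Accepted publickey for admin from 10.0.0.9",
    "<134>May 20 10:15:04 mailgw gpg-agent[777]: handler 0x55 for fd 9 started",
]

# Minimal RFC 3164 shape: <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
# PROGRAM may contain "/" (as in "pgp/smtp"), so only "[", ":" and whitespace end it.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class Route:
    """Splunk destination metadata, mirroring r_set_splunk_dest_default() above."""
    index: str
    sourcetype: str
    vendor: str
    product: str


SMIME_ROUTE = Route("main", "broadcom:smime", "broadcom", "smime")


def parse_syslog(line):
    """Return the parsed fields of an RFC 3164 line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def program_has_prefix(program, prefix):
    """Equivalent of program('<prefix>' type(string) flags(prefix)):
    a plain string comparison on the start of PROGRAM, no regex."""
    return program.startswith(prefix)


def route_line(line, prefix="pgp/"):
    """Return the Route the user-defined parser would apply, or None if unclaimed."""
    fields = parse_syslog(line)
    if fields is None:
        return None  # unparsable line: left to sc4s's own fallback handling
    if program_has_prefix(fields["program"], prefix):
        return SMIME_ROUTE
    return None


def classify(lines, prefix="pgp/"):
    """Map each PROGRAM value to the sourcetype it would get (None = not claimed).
    Useful for checking, before deployment, which processes the prefix filter
    sweeps up, since anything starting with the prefix is tagged as SMIME."""
    result = {}
    for line in lines:
        fields = parse_syslog(line)
        if fields is None:
            continue
        route = route_line(line, prefix)
        result[fields["program"]] = route.sourcetype if route else None
    return result


if __name__ == "__main__":
    for program, sourcetype in classify(SAMPLE_LINES).items():
        print(f"{program:<12} -> {sourcetype}")
```

Running it shows that both `pgp/smtp` and `pgp/ldap` events are claimed and tagged `broadcom:smime`, while `sshd` and `gpg-agent` are left for other parsers. That is the trade-off the comment above points at: the prefix filter is simple and cheap, but every process whose name begins with `pgp/` is treated as SMIME, so it is worth listing the PROGRAM values actually present in the pcap before relying on it.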

@evslacker
Author

evslacker commented May 21, 2024

Hey @ikheifets-splunk
Apologies if this created confusion, as I passed on the information I received from the application team.

I have created the parser and restarted sc4s as well.

But I have a couple of queries.

1. I was not able to find /etc/syslog-ng/conf.d/local/config/app_parser

   No directory for syslog-ng was found.

2. After applying the filters, logs have started coming to index=main, but it seems we are getting SMTP connection logs but not the Remote TLS Certificate data and LDAP syslogs as seen in the pcap.

3. Does sc4s auto-ingest the logs as per the verbosity, or does it take some default verbosity?

4. To parse data, do we always have to do it manually from the UI, or can we do it via a parser?

5. How do we check whether we are dropping any syslog or not?

@ikheifets-splunk
Contributor

ikheifets-splunk commented May 23, 2024

Hello, @evslacker!
You asked lots of questions; I think it would be easier to answer them in person.
Let's schedule a call. Please send me an invite at ikheifets@splunk.com for 27 May; I will be available 14:00-20:00 CET.

@evslacker
Author

@ikheifets-splunk thank you for the slot.

I was able to get the answers later, as I updated the GitHub comment just after the config. (Less patience. :p)

Thank you for the help.

@ikheifets-splunk
Contributor

ikheifets-splunk commented May 27, 2024

@evslacker, I see you closed this issue, but I don't understand why. I hope my solution #2436 (comment) helped you. In general it should work correctly.

@evslacker
Author

Hey @ikheifets-splunk

The parser you provided worked correctly with no issues, so I thought of closing the case; in case of any issues I will open a case or issue.

Thank you.
