Support Broadcom SMIME syslog. #2436
Comments
Please send me the pcap file by email to ikheifets@splunk.com
A teammate of mine must have shared the pcap with you; let me know if that is sufficient to start things.
Thanks @evslacker, I've got your pcap; we will start work with that.
Hi @ikheifets-splunk
Hello, @evslacker! What you need to do:
P.S. @evslacker, please let me know if it is working for you.
Hey @ikheifets-splunk, I have created the parser and restarted sc4s as well, but I have a couple of queries:
1. I was not able to find /etc/syslog-ng/conf.d/local/config/app_parser; no directory for syslog-ng was found.
2. After applying the filters, logs have started coming into index=main, but it seems we are getting the SMTP connection logs but not the Remote TLS Certificate data and LDAP syslogs seen in the pcap.
3. Does sc4s auto-ingest the logs as per the verbosity, or does it take a default verbosity?
4. To parse data, do we always have to do it manually from the UI, or can we do it via a parser?
5. How do we check whether we are dropping any syslog or not?
Hello, @evslacker!
@ikheifets-splunk, thank you for the slot. I was able to get the answers later, as I updated the git comment just after the config (less patience :p). Thank you for the help.
@evslacker, I see you closed this issue, but I don't understand why. I hope my solution #2436 (comment) helped you. In general it should work correctly.
The parser you provided worked correctly with no issues, so I thought of closing the case; in case of any issues I will open a case or issue. Thank you.
What is the sc4s version?
2.49.8
Is there a pcap available?
Yes, I can email it to the person who will be working on this request.
What is the vendor name?
Broadcom
What's the product name?
SMIME
**Feature Request description:**
SMIME is not part of the products currently supported by sc4s; we have got a request to ingest SMIME syslog into Splunk Cloud.
**Should it support TCP or UDP?**
It supports both TCP and UDP over port 514.
**Do you want to have it for local usage or prepare a GitHub PR?**
Whichever suits best.