Cohesity: some logs are not detected by parser, filter needs to be updated

[aalisher-tmx]

Was the issue replicated by support?
No
What is the sc4s version ?
3.1.4
Is there a pcap available?
can share via email or via sales engineer
Is the issue related to the environment of the customer or Software related issue?
Software
Is it related to Data loss, please explain ?
Protocol? Hardware specs?
cohesity is using port 514 (tcp) to ingest syslog
Last chance index/Fallback index?
Fallback
Is the issue related to local customization?

Do we have all the default indexes created?
Yes
Describe the bug
A clear and concise description of what the bug is.
I have defined a custom index for the keys defined in https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Cohesity/cluster/ in a metadata file. But some of the logs are still going to infraops and osnix indexes. Looks like filter is not detecting some of the source types.
To Reproduce
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

[ikheifets-splunk]

@aalisher-tmx Please don't forget mention this issue, when you will send .pcap file. Will wait your .pcap file

[aalisher-tmx]

sent an email with the pcap file. Thanks.

[ikheifets-splunk]

@aalisher-tmx I looked at your .pcap file.

We identifying logs as cohesity only if logs produced by program cluster_audit (sourcetype=cohesity:cluster:audit) or dataprotection_events (sourcetype=cohesity:cluster:dataprotection).

In your case logs producing mostly producing sshd. we can't identify your logs produced by ssh because it's a very generic logs and might be produced by any vendor. Also would be wrong write it oninfraops index. In general it's not device specific logs, it's ssh logs.

By this reason it's not a bug.

[aalisher-tmx]

Thanks for the update. Yes, it's not a bug, but rather enhancement. How can we resolve this issue for sshd logs? sshd[17458]: pam_unix(sshd:session): session closed for user cohesity Also, I see the logs shown below which are in json format. They need to be recognized as cohesity syslog as well. api_audit[133048]: {"username":"","domain":"","method":"POST","urlPath":"/ irisservices/api/v1/public/accessTokens","requestTimestamp":1696526762824," statusCode":201,"responseHeader":{"Content-Encoding":["gzip"],"Content- Security-Policy":["default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https: data:; font-src data: https:"],"Content-Type":["application/json"]," Permissions-Policy":["geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()"]," Referrer-Policy":["strict-origin-when-cross-origin"],"Strict-Transport- Security":["max-age=31536000; includeSubDomains"],"Vary":["Accept-Encoding "],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X- Ratelimit-Limit":["600"],"X-Ratelimit-Remaining":["599"],"X-Ratelimit-Reset" :["1696526822"],"X-Xss-Protection":["1; mode=block"]},"responseTime": 268741493} {"username":"svc_nagios","domain":"LOCAL","method":"GET","urlPath":"/ irisservices/api/v1/public/protectionSources/registrationInfo"," requestTimestamp":1696526790076,"statusCode":200,"responseHeader":{"Cache- Control":["no-cache, no-store, must-revalidate"],"Content-Encoding":["gzip "],"Content-Type":["application/json"],"Pragma":["no-cache"],"Referrer- Policy":["strict-origin-when-cross-origin"],"Strict-Transport-Security":[" max-age=31536000; includeSubDomains"],"Vary":["Accept-Encoding"],"X-Content- Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Ratelimit- Limit":["10000"],"X-Ratelimit-Remaining":["9998"],"X-Ratelimit-Reset":[" 1696526790"],"X-Xss-Protection":["1; mode=block"]},"responseTime":156705634} Thanks.

…

On Thu, Oct 5, 2023 at 1:09 PM Ilya ***@***.***> wrote: @aalisher-tmx <https://github.com/aalisher-tmx> I looked at your .pcap file. We identifying logs as cohesity if logs produced by program cluster_audit or dataprotection_events. In your case logs producing mostly producing sshd. we can't identify your logs by sshd because it's a very generic and popular program. By this reason it's not a bug. — Reply to this email directly, view it on GitHub <#2215 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AVQ2JW3B34ATPGDUDF45BE3X53STVAVCNFSM6AAAAAA5THXGAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBZGMZDQNRTGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- NOTICE OF CONFIDENTIALITYThis e-mail, including all materials contained in or attached to this e-mail, contains proprietary and confidential information solely for the internal use of the intended recipient. If you have received this email in error, please notify us immediately by return e-mail or otherwise and ensure that it is permanently deleted from your systems, and do not print, copy, distribute or read its contents. AVIS DE CONFIDENTIALITÉLe présent courriel, y compris tous les documents qu'il contient ou qui y sont joints, renferme des renseignements exclusifs et confidentiels destinés uniquement à l'usage interne du destinataire prévu. Si vous avez reçu le présent courriel par erreur, veuillez nous aviser immédiatement, notamment par retour de courriel, et vous assurer qu'il est supprimé de façon permanente de vos systèmes; veuillez également vous abstenir d'imprimer, de copier, de distribuer ou de lire son contenu.

[ikheifets-splunk]

@aalisher-tmx As I already mentioned ssh logs might be produced by any vendor and device, we mostly skipping such logs and analysing only device-specific logs. I also will discuss with another maintainers tomorrow about that, but it's seems that we wouldn't fix that.

If you really need to mark them as cohesity then I can propose such approach. You need to ask tech support provide you custom local configuration that will identify logs as cohesity if hostname is equal to some hostname (constant name of device that producing this logs).

[ikheifets-splunk]

@aalisher-tmx if we talking about api_audit please send me .pcap with that. In your .pcap I didn't find something similar.
If we talking about ssh, I already described what to do on my previous comment

[chipzzz]

Is there anyway to ingest json logs? They seemed to always be dropped by sc4s.

[ikheifets-splunk]

@aalisher-tmx will merge soon that PR that will add support api_audit.
UPD please update SC4S on version 3.4.7 we added support of api_audit

If we talking about sshd (as I mentioned before) you need to create a local parser:

block parser sshd_cohesity_parser() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("main")
                source("cohesity:sshd")
                sourcetype("cohesity:sshd")
                vendor("cohesity")
                product("sshd")
            );
        };
    };
};

application sshd_cohesity_parser[sc4s-syslog-pgm] {
   filter {
        program("sshd" type(string) flags(prefix)) and host("ttpsa-coh01-cc520220127-node-2");
    };	
    parser { sshd_cohesity_parser(); };
};

P.S. Kindly recommending use regex for host filtering