Cohesity: some logs are not detected by parser, filter needs to be updated #2215
Comments
@aalisher-tmx Please don't forget to mention this issue when you send the .pcap file. Will wait for your .pcap file.
Sent an email with the pcap file. Thanks.
@aalisher-tmx I looked at your .pcap file. We identify logs as cohesity if the logs are produced by the program cluster_audit or dataprotection_events. In your case the logs are mostly produced by sshd. We can't identify your logs by sshd because it's a very generic and popular program. For this reason it's not a bug.
Thanks for the update. Yes, it's not a bug, but rather an enhancement. How can we resolve this issue for sshd logs?
sshd[17458]: pam_unix(sshd:session): session closed for user cohesity
Also, I see the logs shown below, which are in JSON format. They need to be recognized as cohesity syslog as well.
api_audit[133048]: {"username":"","domain":"","method":"POST","urlPath":"/irisservices/api/v1/public/accessTokens","requestTimestamp":1696526762824,"statusCode":201,"responseHeader":{"Content-Encoding":["gzip"],"Content-Security-Policy":["default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https: data:; font-src data: https:"],"Content-Type":["application/json"],"Permissions-Policy":["geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Accept-Encoding"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Ratelimit-Limit":["600"],"X-Ratelimit-Remaining":["599"],"X-Ratelimit-Reset":["1696526822"],"X-Xss-Protection":["1; mode=block"]},"responseTime":268741493}
{"username":"svc_nagios","domain":"LOCAL","method":"GET","urlPath":"/irisservices/api/v1/public/protectionSources/registrationInfo","requestTimestamp":1696526790076,"statusCode":200,"responseHeader":{"Cache-Control":["no-cache, no-store, must-revalidate"],"Content-Encoding":["gzip"],"Content-Type":["application/json"],"Pragma":["no-cache"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Accept-Encoding"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Ratelimit-Limit":["10000"],"X-Ratelimit-Remaining":["9998"],"X-Ratelimit-Reset":["1696526790"],"X-Xss-Protection":["1; mode=block"]},"responseTime":156705634}
Thanks.
…On Thu, Oct 5, 2023 at 1:09 PM Ilya ***@***.***> wrote:
@aalisher-tmx <https://github.com/aalisher-tmx> I looked at your .pcap
file. We identifying logs as cohesity if logs produced by program
cluster_audit or dataprotection_events. In your case logs producing
mostly producing sshd. we can't identify your logs by sshd because it's a
very generic and popular program. By this reason it's not a bug.
@aalisher-tmx As I already mentioned, if you really need to mark them as
@aalisher-tmx if we are talking about
Is there any way to ingest JSON logs? They seemed to always be dropped by sc4s.
@aalisher-tmx Will merge soon the PR that will add support If we are talking about
P.S. Kindly recommending using a regex for host filtering.
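The attribution rule discussed in this thread, as an added Python example that is not code from sc4s or from this issue: a message counts as Cohesity when its program field is cluster_audit or dataprotection_events; sshd is too generic to attribute by program, so the maintainer's suggestion of a regex on the host name is used as a second test; anything else lands in a fallback bucket, which matches the reporter's observation of logs going to infraops and osnix. The syslog line parser, the host pattern and the sample lines (host names, timestamps and PIDs) are constructed for the illustration; the api_audit line reuses the shape of the JSON posted above, and the example also shows how that JSON payload can be decoded once the line has been attributed.

```python
import json
import re

# Constructed sample lines modelled on the messages quoted in this issue.
# Host names, timestamps and most PIDs are made up for the illustration.
SAMPLE_LINES = [
    "<14>Oct  5 13:09:01 cohesity-node1 cluster_audit[1234]: user admin logged in",
    "<14>Oct  5 13:09:02 cohesity-node1 sshd[17458]: pam_unix(sshd:session): session closed for user cohesity",
    '<14>Oct  5 13:09:03 cohesity-node1 api_audit[133048]: {"username":"svc_nagios","domain":"LOCAL","method":"GET","urlPath":"/irisservices/api/v1/public/protectionSources/registrationInfo","requestTimestamp":1696526790076,"statusCode":200}',
    "<14>Oct  5 13:09:04 linux-web01 sshd[2001]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
]

# Program names that identify a Cohesity cluster on their own (from the maintainer's comment).
COHESITY_PROGRAMS = {"cluster_audit", "dataprotection_events"}

# Assumed: a host-name pattern the operator maintains for the cluster nodes.
DEFAULT_HOST_PATTERN = r"^cohesity-node\d+$"

# Minimal BSD-style syslog line: optional <PRI>, timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"]) if rec["pri"] else None
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def classify(rec, host_re):
    """Return (vendor, reason): program match first, host match second, else fallback."""
    if rec["program"] in COHESITY_PROGRAMS:
        return "cohesity", "program"
    if host_re.match(rec["host"]):
        return "cohesity", "host"
    return "fallback", "unmatched"


def parse_api_audit(rec):
    """Decode the JSON body of an api_audit message; None for other programs or bad JSON."""
    if rec["program"] != "api_audit":
        return None
    try:
        payload = json.loads(rec["msg"])
    except json.JSONDecodeError:
        return None
    return {k: payload.get(k) for k in ("username", "domain", "method", "urlPath", "statusCode")}


def route(lines, host_pattern=DEFAULT_HOST_PATTERN):
    """Parse and attribute every line; unparsable lines go to the fallback bucket."""
    host_re = re.compile(host_pattern)
    results = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            results.append({"raw": line, "vendor": "fallback", "reason": "unparsable", "api": None})
            continue
        vendor, reason = classify(rec, host_re)
        rec.update(vendor=vendor, reason=reason, api=parse_api_audit(rec))
        results.append(rec)
    return results


if __name__ == "__main__":
    for r in route(SAMPLE_LINES):
        print(r.get("host"), r.get("program"), "->", r["vendor"], f"({r['reason']})")
```

Running the block with the default host pattern attributes the sshd and api_audit lines from cohesity-node1 to the cluster by host, while the sshd line from linux-web01 stays in the fallback bucket; passing a pattern that matches nothing reproduces the behaviour the reporter saw, where only cluster_audit is recognized.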
Was the issue replicated by support?
No
What is the sc4s version ?
3.1.4
Is there a pcap available?
can share via email or via sales engineer
Is the issue related to the environment of the customer or Software related issue?
Software
Is it related to Data loss, please explain ?
Protocol? Hardware specs?
cohesity is using port 514 (tcp) to ingest syslog
Last chance index/Fallback index?
Fallback
Is the issue related to local customization?
Do we have all the default indexes created?
Yes
Describe the bug
I have defined a custom index for the keys defined in https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Cohesity/cluster/ in a metadata file, but some of the logs are still going to the infraops and osnix indexes. It looks like the filter is not detecting some of the source types.