Netapp OnTap ems logs go to sc4s:fallback #2610
Comments
Hi @DavidLopez-jr
I added the tcpdump to case # 3585166 Netapp OnTap ems logs go to sc4s:fallback #2610.
From: cwadhwani-splunk ***@***.***>
Sent: Tuesday, October 8, 2024 04:19 AM
To: splunk/splunk-connect-for-syslog ***@***.***>
Cc: Lopez, David (US) ***@***.***>; Mention ***@***.***>
Subject: EXTERNAL: Re: [splunk/splunk-connect-for-syslog] Netapp OnTap ems logs go to sc4s:fallback (Issue #2610)
Hi @DavidLopez-jr<https://github.com/DavidLopez-jr>
Could you please provide the PCAP file, so that we can look at the raw logs and try to reproduce the issue in our environment? Please create a support ticket and attach the pcap file/tcpdump, so that we can get the raw logs to move forward.
Hi @DavidLopez-jr
Also, looking at the tags that you have provided in the GitHub issue, it seems like you are using some additional env parameters and local parsers. We will need the env file and the local parsers (/opt/sc4s/local folder) to check what you are facing. Please provide these details (PCAP, env file (redact the sensitive details), local parsers) on the support case that you opened. Support can help you to get these details.
Note: If your issue is not a bug or a feature request, please raise a support ticket through our support portal (Splunk.com > Support > Support Portal). This will help us resolve your issue more efficiently and provide you with better assistance. For more information on how to work with Splunk Support, please refer to this guide.
Was the issue replicated by support? No
What is the sc4s version? 3.26.1
Which operating system (including its version) are you using for hosting SC4S? REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="8.9"
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? Podman
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? I do not have a pcap available but can provide tcpdump.
Is the issue related to the environment of the customer or a software-related issue? No
Is it related to data loss? Please explain: No
Protocol? none
Hardware specs? none
Last chance index/Fallback index? wireformat:rfc|wireformat:rfc3164|vps|.app.app-fallbackz-lastchance|.app.app-fix-invalid-program-z_bsdconvention|ns_vendor:netapp|ns_product:ontap|.source.s_NETAPP_ONTAP
Do we have all the default indexes created? No
Describe the bug
Our SC4S host is collecting events from a NetApp OnTap host sending ems logs. The logs are being sent to sourcetype=sc4s:fallback.
It appears the SC4S filter for the source is misconfigured. It appears the filtering/parser was based on audit logs.