Conversation
09:54:26.051644 IP (tos 0x0, ttl 64, id 29465, offset 0, flags [DF], proto UDP (17), length 466)
    10.202.22.239.41151 > 10.202.33.242.syslog: SYSLOG, length: 438
        Facility local0 (16), Severity info (6)
        Msg: 2022-04-28T16:16:15.466731-04:00 NTNX-21SM6M510425-B-CVM audispd[32075]: node=ntnx-21sm6m510425-b-cvm type=SYSCALL msg=audit(1651176975.464:2828209): arch=c000003e syscall=2 success=yes exit=6 a0=7f2955ac932e a1=2 a2=3e8 a3=3 items=1 ppid=29680 pid=4684 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=964698 comm=“sshd” exe=“/usr/sbin/sshd” subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=“logins”\0x0a
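Review bot: the quotes in `comm=“sshd”`, `exe=“/usr/sbin/sshd”` and `key=“logins”` on the `Msg:` line are typographic (curly) quotes, which audispd does not emit (it writes straight `"`), so the sample looks like it passed through a rich-text editor and would not match a parser written against real audit output; paste the capture as plain text. The sample also carries a real-looking CVM hostname and internal addresses, which should be anonymized before the doc is published.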
This is not very standard looking, maybe we can add another example that was similar to the deleted one?
I will replace it with the simpler one; this one is too complicated. Besides, we shouldn't provide documentation on how to use tcpdump
c2a084f to 2c631c0
2c631c0 to 0b69b78
docs/creating_parsers/index.md (Outdated)
* Make sure you have read our [contribution standards](../CONTRIBUTING.md).
* Obtain a raw log message that you want to parse. If you do not know how to do it, refer to [Obtain raw message events](../troubleshooting/troubleshoot_resources.md#obtain-raw-message-events).
* Create a new branch in the repository where you will apply your changes.
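Review bot: the relative link `../CONTRIBUTING.md` resolves to `docs/CONTRIBUTING.md` from `docs/creating_parsers/index.md`; confirm that file exists there, since a contribution guide usually lives at the repository root, which from this page would be `../../CONTRIBUTING.md`. Apply the same check to `../troubleshooting/troubleshoot_resources.md#obtain-raw-message-events`: the fragment must match the heading slug generated in that file, or the link lands at the top of the page.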
I would remove this point from here if we moved all the contribution points to different place
I deleted it completely. I think it is obvious that if someone wants to contribute then they need to create a branch
docs/creating_parsers/index.md (Outdated)
If you find a similar parser in SC4S, you can use it as a reference. In the parser, make sure you assign the proper sourcetype, index, vendor, product, and template. The template shows how your message should be parsed before sending them to Splunk.

The application filter will match all messages that start with the string `Carbon Black App Control event:`, and those events will be parsed by `block parser app-syslog-vmware_cb-protect()`. This parser then will route the message to index: `epintel`, set the sourcetype, source, vendor and product fields, and use speciefed template.
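Review bot: besides `speciefed` -> `specified`, the first paragraph has a number-agreement problem: "how your message should be parsed before sending them to Splunk" should read "before it is sent to Splunk". In the second paragraph "use speciefed template" also needs an article, "use the specified template", and "This parser then will route" reads better as "This parser will then route".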
typo: speciefed -> specified
docs/creating_parsers/index.md (Outdated)
### Adding parser to SC4S Lite package

For SC4S lite, parsers are grouped into `addons`. Create a folder (if it doesn't already exist) in `package/lite/etc/addons` with the name of vendor. In this folder also create an `addon_metadata.yaml` file with vendor name:
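Review bot: the heading and the sentence both need articles: "Adding a parser to the SC4S Lite package" and "with the name of the vendor". The sentence ends with a colon that introduces the `addon_metadata.yaml` content, so make sure the example file block follows it in the rendered page; as quoted here nothing follows the colon.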
@@ -3,7 +3,7 @@
## Key facts
* Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message.
but generally in the future I would keep PRs strictly for what they are, so here - for the parser doc, and fix different typos in separate ones; otherwise it might grow infinitely and be harder to review
* Common Event Format [CEF](https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/cef/) Also known as ArcSight format
* Log Extended Format [LEEF](https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/leef/)
Sources that are *compliant* with RFC 5424, RFC 5425, RFC 5426, or RFC 6587 can be onboarded as [simple sources](simple.md).
3 points were removed, I think we can keep them there
I think I can add the RFC3164 point because that's actually important, because it states that it can be used with simple sources. But the two next points make no sense to be in the same list. That would suggest that CEF and LEEF also can be onboarded with simple sources, but that's not true. I can add another paragraph for them
* For most other sourcetypes, the `RAWMSG` is not displayed, but can be
viewed by changing the output template to one of the JSON variants, including t_JSON_3164 or t_JSON_5424, depending on RFC message type. See
[SC4S metadata configuration](https://splunk-connect-for-syslog.readthedocs.io/en/develop/configuration/#sc4s-metadata-configuration) for
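Review bot: the link points at the `develop` build on readthedocs, which moves with every merge and can silently break the `#sc4s-metadata-configuration` anchor; use the same `https://splunk.github.io/splunk-connect-for-syslog/main/` site that the CEF and LEEF links in this PR already use, or a relative link within the docs tree. The template names `t_JSON_3164` and `t_JSON_5424` should also be set in backticks, consistent with `RAWMSG` in the same bullet.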
I think this link can point to a specific file, not to develop
e150ba6 to a2cb0b2
Updated documentation with more details on how to create parsers. I recommend reviewing this live