Please help me this parser of Symantec logs

[NellyThai]

Describe the bug
I tested the symantec logs in my own environment. My conclusion is that the data connector is likely broken. Especially the log format in the step 3 of the data connector is incorrect, leading to incorrect parsing of syslog in the first place. And the parser query is also likely broken.

Here is the proof. After using the following query in the ASC, you can actually get the logs that resembles the tailed logs. Needless to say, the computer and the hostname column are all incorrectly parsed, not to mention the actual SyslogMessage. This proves that the oms agent has been uploading the logs all this time, the problem is with the custom log format given in the data connector.

For reference, the original logs from port 514 looks like this.
1 2024-04-04 08:29:22 3 10.1.89.51 - - authentication_failed DENIED "Technology/Internet;AdobeCC" "-" 407 TCP_DENIED CONNECT "-" tcp cc-api-data.adobe.io 443 / - - "CRWindowsClient" 192.168.8.32 0 0 - "none" "none" 443 "Unavailable" unavailable

I got confirmation from the Symantec team, that is the log from Symantec.

[v-rusraut]

Hi @NellyThai,
Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 16 May 2024. Thanks!

[v-rusraut]

Hi @NellyThai,
Please help us to understand which Symantec solution you are using and also share error screen shots.
Thanks

[NellyThai]

Hi Team, * The solution which is using is: Symantec ProxySG. * Please refer the screenshot as follows: [A screenshot of a computer Description automatically generated] Needless to say, the Computer and the hostname column are all incorrectly parsed, not to mention the actual SyslogMessage. Thank you so much for your support! Best Regards, Nelly Thai Support Engineer Azure - Security Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday) Need help outside of my working hours? Locate an engineer: ***@***.******@***.***> Manager: Olivia Li/ ***@***.******@***.***> ***@***.*** From: v-rusraut ***@***.***> Sent: Wednesday, May 15, 2024 8:58 PM To: Azure/Azure-Sentinel ***@***.***> Cc: Nelly Thai (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/Azure-Sentinel] Please help me this parser of Symantec logs (Issue #10454) Hi @NellyThai<https://github.com/NellyThai>, Please help us to understand which Symantec solution you are using and also share error screen shots. Thanks - Reply to this email directly, view it on GitHub<#10454 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BILNMZK4WTZN4OPVC6ZRK7TZCNSXJAVCNFSM6AAAAABHNFTS56VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJSGYZDENZRHA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[NellyThai]

Hi Rusraut, * The solution which is using is: Symantec ProxySG. * Please refer the screenshot as follows: [A screenshot of a computer Description automatically generated] Needless to say, the Computer and the hostname column are all incorrectly parsed, not to mention the actual SyslogMessage. Thank you so much for your support! Best Regards, Nelly Thai Support Engineer Azure - Security Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday) Need help outside of my working hours? Locate an engineer: ***@***.******@***.***> Manager: Olivia Li/ ***@***.******@***.***> ***@***.*** From: v-rusraut ***@***.***> Sent: Wednesday, May 15, 2024 8:58 PM To: Azure/Azure-Sentinel ***@***.***> Cc: Nelly Thai (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/Azure-Sentinel] Please help me this parser of Symantec logs (Issue #10454) Hi @NellyThai<https://github.com/NellyThai>, Please help us to understand which Symantec solution you are using and also share error screen shots. Thanks - Reply to this email directly, view it on GitHub<#10454 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BILNMZK4WTZN4OPVC6ZRK7TZCNSXJAVCNFSM6AAAAABHNFTS56VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJSGYZDENZRHA>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[NellyThai]

Hi team, Could I ask is there any new update on this? Thank you so much for your attention to this matter! Best Regards, Nelly Thai Support Engineer Azure - Security Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday) Need help outside of my working hours? Locate an engineer: ***@***.******@***.***> Manager: Olivia Li/ ***@***.******@***.***> ***@***.*** From: Nelly Thai (WICLOUD CORPORATION) Sent: Wednesday, May 15, 2024 10:15 PM To: 'Azure/Azure-Sentinel' ***@***.***>; Azure/Azure-Sentinel ***@***.***>; 'v-rusraut' ***@***.***> Cc: Mention ***@***.***> Subject: RE: [Azure/Azure-Sentinel] Please help me this parser of Symantec logs (Issue #10454) Hi Rusraut, * The solution which is using is: Symantec ProxySG. * Please refer the screenshot as follows: [A screenshot of a computer Description automatically generated] Needless to say, the Computer and the hostname column are all incorrectly parsed, not to mention the actual SyslogMessage. Thank you so much for your support! Best Regards, Nelly Thai Support Engineer Azure - Security Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday) Need help outside of my working hours? Locate an engineer: ***@***.******@***.***> Manager: Olivia Li/ ***@***.******@***.***> ***@***.*** From: v-rusraut ***@***.******@***.***>> Sent: Wednesday, May 15, 2024 8:58 PM To: Azure/Azure-Sentinel ***@***.******@***.***>> Cc: Nelly Thai (WICLOUD CORPORATION) ***@***.******@***.***>>; Mention ***@***.******@***.***>> Subject: Re: [Azure/Azure-Sentinel] Please help me this parser of Symantec logs (Issue #10454) Hi @NellyThai<https://github.com/NellyThai>, Please help us to understand which Symantec solution you are using and also share error screen shots. Thanks - Reply to this email directly, view it on GitHub<#10454 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BILNMZK4WTZN4OPVC6ZRK7TZCNSXJAVCNFSM6AAAAABHNFTS56VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJSGYZDENZRHA>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[v-rusraut]

Hi @NellyThai,
Error screenshot not visible, please provide error screenshot to below email id:
v-rusraut@microsoft.com
Thanks

[NellyThai]

Hi @***@***.***>, Please have a look on this screenshot: Data connector: Symantec ProxySG [A screenshot of a computer Description automatically generated] The Computer and the HostName column are all incorrectly parsed, not to mention the actual SyslogMessage. Thank you so much for your attention! Best Regards, Nelly Thai Support Engineer Azure - Security Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday) Need help outside of my working hours? Locate an engineer: ***@***.******@***.***> Manager: Olivia Li/ ***@***.******@***.***> ***@***.*** From: v-rusraut ***@***.***> Sent: Monday, May 20, 2024 6:42 PM To: Azure/Azure-Sentinel ***@***.***> Cc: Nelly Thai (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/Azure-Sentinel] Please help me this parser of Symantec logs (Issue #10454) Hi @NellyThai<https://github.com/NellyThai>, Error screenshot not visible, please provide error screenshot to below email id: ***@***.******@***.***> Thanks - Reply to this email directly, view it on GitHub<#10454 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BILNMZLZPJ4ASEU7LQQTLYLZDHOR5AVCNFSM6AAAAABHNFTS56VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRQGI4DSMJUGA>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>