Please help me this parser of Symantec logs #10454
Labels
Parser
Parser specialty review needed
Comments
From: v-rusraut
Sent: Wednesday, May 15, 2024 8:58 PM
Hi @NellyThai,
Please help us to understand which Symantec solution you are using and also share error screenshots.
Thanks
|
From: Nelly Thai (WICLOUD CORPORATION)
Sent: Wednesday, May 15, 2024 10:15 PM
Hi Team,
* The solution in use is Symantec ProxySG.
* Please refer to the screenshot below:
[A screenshot of a computer Description automatically generated]
Needless to say, the Computer and HostName columns are both incorrectly parsed, not to mention the actual SyslogMessage.
Thank you so much for your support!
Best Regards,
Nelly Thai
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
|
From: Nelly Thai (WICLOUD CORPORATION)
Hi team,
Could I ask whether there is any new update on this?
Thank you so much for your attention to this matter!
Best Regards,
Nelly Thai
|
From: v-rusraut
Sent: Monday, May 20, 2024 6:42 PM
Hi @NellyThai,
Error screenshot not visible, please provide the error screenshot to the email id below:
***@***.***
Thanks
|
From: Nelly Thai (WICLOUD CORPORATION)
Hi,
Please have a look at this screenshot:
Data connector: Symantec ProxySG
[A screenshot of a computer Description automatically generated]
The Computer and HostName columns are both incorrectly parsed, not to mention the actual SyslogMessage.
Thank you so much for your attention!
Best Regards,
Nelly Thai
|
Describe the bug
I tested the Symantec logs in my own environment. My conclusion is that the data connector is likely broken. In particular, the log format in step 3 of the data connector is incorrect, leading to incorrect parsing of the syslog in the first place. And the parser query is also likely broken.
Here is the proof. After using the following query in the ASC, you can actually get the logs that resemble the tailed logs. Needless to say, the Computer and HostName columns are both incorrectly parsed, not to mention the actual SyslogMessage. This proves that the OMS agent has been uploading the logs all this time; the problem is with the custom log format given in the data connector.
For reference, the original logs from port 514 look like this.
1 2024-04-04 08:29:22 3 10.1.89.51 - - authentication_failed DENIED "Technology/Internet;AdobeCC" "-" 407 TCP_DENIED CONNECT "-" tcp cc-api-data.adobe.io 443 / - - "CRWindowsClient" 192.168.8.32 0 0 - "none" "none" 443 "Unavailable" unavailable
I got confirmation from the Symantec team that this is the log from Symantec.
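The line quoted in the report, worked through as an added example (this is not the Azure-Sentinel SymantecProxySG parser, not the data connector's step 3 format, and not Symantec's own format definition). It does two things a practitioner would check before touching the KQL parser: whether the line carries an RFC 3164 or RFC 5424 syslog header at all, since that header is the only place a syslog receiver can take a HostName/Computer value from, and then tokenizes the ProxySG access-log line with quoted fields respected, so that values containing spaces (categories, User-Agent) do not shift every later column. The names in ASSUMED_FIELDS are an assumption modelled on the ProxySG main access-log layout, the leading "1" is kept as an unnamed prefix, the trailing three tokens as extra_N, and the two header-wrapped lines with hostname "proxysg01" are constructed here for contrast.

```python
"""Added example, not code from the Azure-Sentinel repository or from Symantec:
a small parser for the ProxySG access-log line quoted in the issue.

The field names in ASSUMED_FIELDS are an assumption modelled on the ProxySG
'main' access-log layout; the issue does not state the format. The leading
"1" is kept as an unnamed 'prefix' and the three trailing tokens as extra_N.
"""
import re
from datetime import datetime

# The line posted in the issue, as the reporter says it arrives on port 514.
SAMPLE = (
    '1 2024-04-04 08:29:22 3 10.1.89.51 - - authentication_failed DENIED '
    '"Technology/Internet;AdobeCC" "-" 407 TCP_DENIED CONNECT "-" tcp '
    'cc-api-data.adobe.io 443 / - - "CRWindowsClient" 192.168.8.32 0 0 - '
    '"none" "none" 443 "Unavailable" unavailable'
)

# Constructed contrast lines (not from the issue): the same payload behind a
# real RFC 5424 header and a real RFC 3164 header, hostname "proxysg01".
WRAPPED_5424 = "<134>1 2024-04-04T08:29:22Z proxysg01 bluecoat - - - " + SAMPLE
WRAPPED_3164 = "<134>Apr  4 08:29:22 proxysg01 " + SAMPLE

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME <tag/content>
RFC3164_HDR = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD <msg>
RFC5424_HDR = re.compile(
    r"^<\d{1,3}>1 \S+ (\S+) \S+ \S+ \S+ (?:-|\[[^\]]*\]) ")


def split_syslog(line):
    """Return (hostname, message) if the line carries a syslog header, else (None, line).

    A syslog receiver can only fill HostName/Computer from such a header. The
    issue's line has none, so whatever lands in those columns does not come
    from a header at all.
    """
    for pat in (RFC3164_HDR, RFC5424_HDR):
        m = pat.match(line)
        if m:
            return m.group(1), line[m.end():]
    return None, line


def tokenize(line):
    """Split on spaces outside double quotes; quotes are dropped, "-" is kept."""
    fields, buf, quoted, started = [], [], False, False
    for ch in line:
        if ch == '"':
            quoted, started = not quoted, True
        elif ch == " " and not quoted:
            if started:
                fields.append("".join(buf))
                buf, started = [], False
        else:
            buf.append(ch)
            started = True
    if quoted:
        raise ValueError("unterminated quoted field")
    if started:
        fields.append("".join(buf))
    return fields


ASSUMED_FIELDS = [
    "prefix",  # the leading "1"; its meaning is not given in the issue
    "date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
    "x-exception-id", "sc-filter-result", "cs-categories", "cs(Referer)",
    "sc-status", "s-action", "cs-method", "rs(Content-Type)", "cs-uri-scheme",
    "cs-host", "cs-uri-port", "cs-uri-path", "cs-uri-query", "cs-uri-extension",
    "cs(User-Agent)", "s-ip", "sc-bytes", "cs-bytes", "x-virus-id",
    "x-bluecoat-application-name", "x-bluecoat-application-operation",
]
INT_FIELDS = ("time-taken", "sc-status", "cs-uri-port", "sc-bytes", "cs-bytes")


def parse_proxysg(line):
    """Map one access-log line onto ASSUMED_FIELDS; "-" becomes None."""
    tokens = tokenize(line)
    if len(tokens) < len(ASSUMED_FIELDS):
        raise ValueError(f"expected >= {len(ASSUMED_FIELDS)} fields, got {len(tokens)}")
    extra = len(tokens) - len(ASSUMED_FIELDS)
    names = ASSUMED_FIELDS + [f"extra_{i}" for i in range(1, extra + 1)]
    rec = {n: (None if t == "-" else t) for n, t in zip(names, tokens)}
    for k in INT_FIELDS:
        if rec[k] is not None:
            rec[k] = int(rec[k])
    rec["timestamp"] = datetime.strptime(
        f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


if __name__ == "__main__":
    for line in (SAMPLE, WRAPPED_5424, WRAPPED_3164):
        host, msg = split_syslog(line)
        rec = parse_proxysg(msg)
        print(f"header host={host!r} c-ip={rec['c-ip']} cs-host={rec['cs-host']} "
              f"status={rec['sc-status']} exception={rec['x-exception-id']}")
```

Run as-is, the first line prints `header host=None`: the payload as captured has no PRI and no syslog header, so the hostname a receiver reports for it cannot come from the proxy. The two constructed lines show the same payload parsing cleanly once a header carries the hostname. The tokenizer matters because `"Technology/Internet;AdobeCC"` and `"CRWindowsClient"` are quoted for a reason: a plain split on spaces would misalign every column after the first category or User-Agent that contains a space.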