
Collecting Logs from Netwrix EPP #2691

Closed
x-R4Z0R-x opened this issue Jan 31, 2025 · 2 comments
@x-R4Z0R-x

Hi,

I am trying to connect logs from Netwrix EPP Server.
I already configured the env_file as follows:
SC4S_LISTEN_NETWRIX_EPP_TCP_PORT=10614

As far as I understood, this will allow sc4s to listen on this port, and any logs that are coming to this port will be as follows:
Vendor: Netwrix
Product: EPP

Also I added the following to splunk_metadata.csv:
netwrix_epp,index,sc4s-generic
netwrix_epp,sourcetype,netwrix:epp

I can see the logs in Splunk but they are being handled by the fallback app.
I created a custom app to change the sourcetype but this didn't work.
The Custom app (/opt/sc4s/local/config/app_parsers/syslog/netwrix_custom.conf):

block parser app-netwrix-parser() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("sc4s-generic")
                sourcetype("netwrix:epp")
                vendor("netwrix")
                product("epp")
            );
        };
    };
};

application netwrix-parser[sc4s-vps] {
    filter {
        match("10614", value("fields.sc4s_destport") type(glob));
        #"${.netsource.sc4s_vendor_product}" eq "netwrix_epp" (Commented out)
    };
    parser { app-netwrix-parser(); };
};

Sample.log (attached)

Can someone please tell me what I did wrong here?

@cwadhwani-splunk (Collaborator)

Hi @x-R4Z0R-x
I noticed in the sample.log file that you are using IETF framed logs. In this case, I recommend using port 601 instead of 10614, as 601 is the default port for framed logs. You don’t need to configure it separately (e.g., SC4S_LISTEN_NETWRIX_EPP_TCP_PORT=601).
Port 10614 expects logs without frames, which is why your logs are being sent to the fallback sourcetype.
Additionally, if you need to update metadata like sourcetype, index, source, or template, I suggest using the splunk_metadata.csv file—there’s no need for a parser. I've attached a documentation reference for more details.

https://splunk.github.io/splunk-connect-for-syslog/main/configuration/#override-the-log-path-of-indexes-or-metadata
https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Netwrix/endpoint_protector/#key-facts

@cwadhwani-splunk cwadhwani-splunk self-assigned this Feb 4, 2025
@x-R4Z0R-x (Author)

Worked like a charm, thank you very much.
Wish you a nice rest of the day.
