Error of parsing syslog from INFOBLOX in SC4S #2636

Closed
ValkD opened this issue Nov 6, 2024 · 2 comments
ValkD commented Nov 6, 2024

What is the SC4S version?
SC4S version=3.32

Which operating system (including its version) are you using for hosting SC4S?
Red Hat Enterprise Linux VERSION="9.4 (Plow)" 5.14.0-427.40.1.el9_4.x86_64

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S?
Docker

Describe the bug
Hello everyone

I have the following problem:

  • I am trying to send logs from INFOBLOX to SC4S (docker) in SPLUNK_CIM format over port 514. The logs don't make it to the Splunk Cloud; I've checked indexes and sourcetypes, and I've checked the env_file, which is correctly connected to my Splunk Cloud. I have revised the splunk_metadata.csv and added the settings indicated in the documentation (I add the settings below).

But in the SC4S logs I see that it is not parsing.

Can you help me please?

Thank you in advance.

Best regards.

To Reproduce

I add the configuration file /opt/sc4s/local/context/splunk_metadata.csv
infoblox_nios_dns,index=netdns,sourcetype=infoblox:dns
infoblox_nios_dhcp,index=netipam,sourcetype=infoblox:dhcp
infoblox_nios_threatprotect,index=netids,sourcetype=infoblox:threatprotect
infoblox_nios_audit,index=netops,sourcetype=infoblox:audit
infoblox_nios_fallback,index=netops,sourcetype=infoblox:port

I add the configuration file /opt/sc4s/env_file
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=myURLsplunkcloud.com
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=My_TOKEN
SC4S_SOURCE_UDP_SO_RCVBUFF=200000000

I see these errors in the SC4S docker log
[2024-11-05T16:42:46.497985] add-contextual-data(): error parsing CSV file, expecting an additional column which was not found. Expecting (selector, name, value) triplets; target='name'
[2024-11-05T16:42:46.497985] add-contextual-data(): the failing line is; input='# INFOBLOX config', filename='conf.d/local/context/splunk_metadata.csv:1'
[2024-11-05T16:42:46.497985] add-contextual-data(): Error while parsing database; filename='conf.d/local/context/splunk_metadata.csv'
[2024-11-05T16:42:46.497985] Error initializing message pipeline; plugin_name='add_contextual_data', location='/etc/syslog-ng/conf.d/enrich/splunk_context.conf:5:13'
Handling exit 1 and restarting
starting syslog-ng

Configuration from: https://splunk.github.io/splunk-connect-for-syslog/3.32.0/sources/vendor/InfoBlox/
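An added check, not part of this issue or of SC4S, that applies the rule the syslog-ng error above quotes: add-contextual-data() reads splunk_metadata.csv as (selector, name, value) triplets and has no comment syntax, so a leading line such as "# INFOBLOX config" is rejected. The sample file is constructed, and the list of accepted metadata field names is an assumption.

```python
import csv

# Constructed sample in the shape of the file from this issue: a comment line at
# the top, one row written in key=value style, two well-formed rows, one short row.
SAMPLE_CSV = """# INFOBLOX config
infoblox_nios_dns,index=netdns,sourcetype=infoblox:dns
infoblox_nios_dhcp,index,netipam
infoblox_nios_dhcp,sourcetype,infoblox:dhcp
infoblox_nios_fallback,index
"""

# Field names assumed to be valid in the middle column of splunk_metadata.csv.
KNOWN_FIELDS = {"index", "source", "sourcetype", "host"}


def check_splunk_metadata(text):
    """Return (lineno, severity, message) tuples for rows that the syslog-ng
    CSV parser would reject ("error") or that look semantically wrong ("warning")."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are skipped here; not a case this issue covers
        if line.lstrip().startswith("#"):
            # This is the failing line from the issue: the parser has no comment
            # syntax, so the line is read as a one-column row, not a triplet.
            findings.append((lineno, "error",
                             f"comment line is not a (selector, name, value) triplet: {line!r}"))
            continue
        fields = next(csv.reader([line]))
        if len(fields) != 3:
            findings.append((lineno, "error",
                             f"expected 3 columns, found {len(fields)}: {line!r}"))
            continue
        selector, name, value = (f.strip() for f in fields)
        if "=" in name:
            # key=value pasted into the name column parses as a triplet but
            # names a metadata field that SC4S will never look up.
            findings.append((lineno, "warning",
                             f"name column {name!r} for {selector!r} looks like key=value; "
                             "expected a bare field name such as index or sourcetype"))
        elif name not in KNOWN_FIELDS:
            findings.append((lineno, "warning",
                             f"unrecognised metadata field {name!r} for {selector!r}"))
    return findings


def would_start(text):
    """True when no row would make add-contextual-data() fail at startup."""
    return not any(sev == "error" for _, sev, _ in check_splunk_metadata(text))


if __name__ == "__main__":
    for lineno, sev, msg in check_splunk_metadata(SAMPLE_CSV):
        print(f"line {lineno}: {sev}: {msg}")
```

Run it against /opt/sc4s/local/context/splunk_metadata.csv before restarting the container; an "error" finding corresponds to the "Error while parsing database" message that puts SC4S into the restart loop shown above.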

@ValkD ValkD changed the title Error of parsing syslog from INFOBLOX Error of parsing syslog from INFOBLOX in SC4S Nov 7, 2024
@cwadhwani-splunk cwadhwani-splunk self-assigned this Nov 7, 2024

ValkD commented Nov 7, 2024

I see the error: in the Infoblox configuration we had it set to send logs to a Heavy Forwarder (format: splunk_CIM). We changed the Infoblox configuration to send logs to SC4S and now receive logs correctly.

IMPORTANT IN MY CASE:

application app-vps-test-infoblox_nios[sc4s-vps] {
    filter {
        host("infoblox-*" type(glob))
    };
    parser {
        p_set_netsource_fields(
            vendor('infoblox')
            product('nios')
        );
    };
};

Thank you very much.

cwadhwani-splunk (Collaborator) commented
Hi @ValkD
Good news!
Appreciate that you figured out the issue and fixed it. I am closing this issue; feel free to reopen it or create a new case in future.
