Skip to content

ACN_CD_InfobloxParserUpdate#880

Merged
preetikr merged 3 commits into
masterfrom
unknown repository
Sep 10, 2020
Merged

ACN_CD_InfobloxParserUpdate#880
preetikr merged 3 commits into
masterfrom
unknown repository

Conversation

@ghost

@ghost ghost commented Jul 20, 2020

Copy link
Copy Markdown

Fixes #

Proposed Changes

  • SyslogMessage was not including the Header (RFC3164) part of the message, only the MSG part, which is the proper way. This update modifies the parser (Kusto Function) to remove the parsing of the Header

@preetikr preetikr assigned shainw and ashwin-patil and unassigned shainw Jul 21, 2020
ashwin-patil
ashwin-patil requested changes Jul 22, 2020
View reviewed changes

@ashwin-patil ashwin-patil left a comment
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested first part only.

Update: I tested further by changing ProcessName== logic in each subparser to Syslogmessage contains "" . looks like Test Data has incorrect ProcessName assigned.

Both Type, Response time are not parsed correctly or coming empty in each sub-parser section.

Comment thread Parsers/InfobloxNIOS/InfobloxNIOS.txt Outdated
Comment thread Parsers/InfobloxNIOS/InfobloxNIOS.txt
ashwin-patil
ashwin-patil requested changes Jul 22, 2020
View reviewed changes

@ashwin-patil ashwin-patil left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update: I tested further by changing ProcessName== logic in each subparser to Syslogmessage contains "" .

Added comments in some sections where parsing was incorrect

Comment thread Parsers/InfobloxNIOS/InfobloxNIOS.txt
Comment thread Parsers/InfobloxNIOS/InfobloxNIOS.txt
Comment thread Parsers/InfobloxNIOS/InfobloxNIOS.txt
Comment thread Parsers/InfobloxNIOS/InfobloxNIOS.txt
@ghost

ghost commented Jul 22, 2020

Copy link
Copy Markdown
Author

@ashwin-patil my apologies, the old sample data was not updated. I have uploaded the updated sample data is reflective of live data stream.

ashwin-patil
ashwin-patil requested changes Jul 22, 2020
View reviewed changes

@ashwin-patil ashwin-patil left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few things I noticed per new Sample data:

  • Facility is set as daemon, if its right in SampleData then we have to change in the query from local6 to daemon.
  • Not required, but per new data, we can change Computer to computer1.domain.org from datasource
  • just wanted to check , new data only has DHCPDISCOVER events, if we don’t have other event types samples to test then I`ll approve for now as DHCPDISCOVER parsing looks good.

Comment thread Parsers/InfobloxNIOS/InfobloxNIOS.txt
@ashwin-patil

ashwin-patil commented Jul 22, 2020

Copy link
Copy Markdown
Member

@ashwin-patil my apologies, the old sample data was not updated. I have uploaded the updated sample data is reflective of live data stream.

No problem, added couple of things based on new sample data.

ashwin-patil
ashwin-patil approved these changes Jul 22, 2020
View reviewed changes

@ashwin-patil ashwin-patil left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved based on the testing on available sample data .

I think user instructions on Facility looks good to me, i`ll let @preetikr review it for any changes if required before merging.

@preetikr

preetikr commented Jul 23, 2020

Copy link
Copy Markdown
Contributor

I'll merge this after the respective workbook and analytics changes make it to production.

@ghost

ghost commented Jul 27, 2020
edited by ghost
Loading

Copy link
Copy Markdown
Author

@preetikr Following up on this, is there anything outstanding?

@preetikr

preetikr commented Sep 10, 2020

Copy link
Copy Markdown
Contributor

The analytic rule template and workbook changes are now in production so merging the parser change as well.

@preetikr preetikr merged commit 4bfdba2 into Azure:master Sep 10, 2020
@ghost ghost deleted the acn_cd_infobloxparserupdate branch September 12, 2020 17:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Amitbergman Amitbergman Awaiting requested review from Amitbergman

@dicolanl dicolanl Awaiting requested review from dicolanl

@ianhelle ianhelle Awaiting requested review from ianhelle

@juliango2100 juliango2100 Awaiting requested review from juliango2100

@KobyKoren KobyKoren Awaiting requested review from KobyKoren

@liemilyg liemilyg Awaiting requested review from liemilyg

@mgladi mgladi Awaiting requested review from mgladi

@morshabi morshabi Awaiting requested review from morshabi

@orco365 orco365 Awaiting requested review from orco365

@sagamzu sagamzu Awaiting requested review from sagamzu

@shainw shainw Awaiting requested review from shainw

@timbMSFT timbMSFT Awaiting requested review from timbMSFT

@YaronFruchtmann YaronFruchtmann Awaiting requested review from YaronFruchtmann

Assignees

@preetikr preetikr

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ashwin-patil @preetikr @shainw