Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Available. I will attach to this issue. The pcap is zipped.
What is the vendor name?
OneIdentity
What's the product name?
Safeguard for Privileged Passwords
If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?
I have looked into the pcap file. All logs are in CEF, and SC4S already supports CEF logs. If the aim is to change the sourcetype of the logs, you can change it from the splunk_metadata.csv file or by writing a postfilter.
What is the sc4s version?
3.32.0
Do you have syslog documentation or a manual for that device?
https://support.oneidentity.com/one-identity-safeguard-for-privileged-passwords/kb/4259986/is-it-possible-to-get-a-list-of-potential-syslog-events-alerts-and-the-syslog-fields-that-are-sent
Feature Request description:
Need to add these sourcetypes to sc4s vendor
Do you want to have it for local usage or prepare a github PR?
NA