Squid parser data connector could not parse the data correctly. #8999
Comments
|
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
|
Hi @v-jackzou , thanks for flagging this issue, we will soon get back to you on this. Thanks! |
|
Hi @v-jackzou, we have reached out to concerned team for this, we will get back to you by 27 Sep 2023. |
|
Sure! thanks looking forward to your updates! |
|
HI team, just a follow up regarding this issue, any updates regarding this issue? @v-rbajaj |
|
HI team Any updates for this issue ? |
|
Hi @v-jackzou, we investigated on this issue and we could find that the parser was optimized for this issue over this PR Please have a look and update the solution if its not updated. |
|
Hi @v-jackzou, Gentle Reminder: We are awaiting for your response on this issue. If you still need to keep this issue active please respond on it in the next 2 days . If we don't receive response, we will be close this issue. |
|
Hi @v-rbajaj allow me to sync with the customer |
|
issue is yet not fixed, morever fields are distorted
|
|
Hi @ypendhare, thanks for updating us, let us check and will get back to you by 16 Oct 2023 |
|
Hi team, any updates for this issue? |
|
Hi @v-jackzou, apologies for delay in response, we will provide you an update by 7 Nov 2023 |
|
Hi @v-jackzou, we are still investigating on this issue, we will provide an update by 09 Nov 2023. |
|
Hi @v-jackzou, we have tested the parser and it seems to be parsing the data correctly. Also can you please try below parser query and see if this helps you to fix the issue?
|
|
Team, i am still seeing issue, this time a different one - EpochTimeExtended field is mixed with other field data
also let me mention the original source format i am getting as below if you observe - you will note the starting string till (squid-1) adds full date + time+ source squid server + app name but similar is not pushed to Sentinel table |
|
Hi @ypendhare, can you please share the complete list of raw log messages which you guys are trying to parse, because the ones which we have is parsing the data correctly. |
|
Hi @ypendhare Could you please share the complete list of raw log messages so we can parse the data correctly |
|
Hi team Thanks again for the help on this, I have provided the required information to @v-muuppugund , please investigate and we will wait for your response. Thank you |
|
Hi @v-jackzou ,As discussed over call,will analyse in detail over the data provided and will get back to you by 23Nov23 and will share some updated by tomorrow 5pm over teams call |
|
squidlog.log |
|
@ypendhare Thanks for sharing the logs,will check on it and get back to you |
|
We are checking the logs and trying to ingest similar data and will get back to you by 27 Nov 2023. |
|
We are trying to ingest similar data and will get back to you by 30 Nov 2023 |
|
We have reached out to concerned team we will get back to you by 1 Dec 2023 |
|
Hi @ypendhare, can you please share these logs in csv file? |
|
Hi @ypendhare, Gentle Reminder: We are awaiting for your response on this issue. If you still need to keep this issue active please respond on it in the next 2 days . If we don't receive response, we will be close this issue. |
|
I have already provided log file refer earlier comments |
|
Hi @ypendhare ,Apologies for the delayed response,we are working on it and will share update by 21Dec2023 |
|
Hi @ypendhare / @v-jackzou ,need some details from customer as we are unable to process the log format to csv and few queries on the issue,Could you please suggest convenient time slots for teams meeting, |
|
Hi @v-jackzou / @ypendhare, Could you please share your convenient time slot for meeting on this mail id - v-muuppugund@microsoft.com Thanks! |
|
Hi @ypendhare / @v-jackzou ,As discussed on yesterday call ,got the data and the following are the issues and working on it ,will update you
|
|
Hi @ypendhare / @v-jackzou ,I have done the changes and working on testing,once completed,will update you |
|
Hi @ypendhare / @v-jackzou Still data dump is in progress with large data, Will update you once testing is completed by 10Jan2024 |
|
Hi @v-jackzou ,As discussed over teams ,having issues with data, working on it,once done,will test and schedule meeting with customer. |
|
Hi @ypendhare / @v-jackzou ,Completed the testing,scheduled call for the showing the changes on Tuesday i.e. 23/1/24 at 4:30pm to 5pm ,please join the meeting. |
|
Hi @ypendhare ,As discussed over today's call ,Squid proxy parser changes tested successfully and changes are in this branch(https://github.com/Azure/Azure-Sentinel/blob/users/v-muuppugund/SquidProxyParserChanges/Solutions/SquidProxy/Parsers/SquidProxy.txt),as the issue is resolved, we are closing your issue (#8999) . If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation! |
Bug description
After installing the squid proxy connector from the Sentinel content hub solution. It will start ingesting the squidProxy_CL log into the workspace. However the parser could not parse the day column correctly.
To reproduce
The squidProxy_CL with the RAW data ingested as follows;
Sep 11 13:27:33 xxxxxx (squid-1): 100000000.547 701 1.1.1.1 TCP_MISS/200 386364 POST http://sample.com :9002/webSvc/Get - HIER_DIRECT/1.1.1.1 application/json
However, after the parsing the day column only parse 11 instead of Sep 11
The text was updated successfully, but these errors were encountered: