2 Replies Latest reply on Nov 15, 2013 11:56 PM by shirishl

    Sidewinder Log Format

    shirishl

      Hi!

      I have no experience with sidewinder. I recently got a log and was asked to help with parsing the logs.

       

      Some of the line items have an additional field of dst_geo=XXX and rest don't. This is making parsing difficult.

       

      I would have expected an additional comma in line items where the dst_geo is not present.

       

      Rest all the fields are identical. Here are two sample entries

       

      Dec 17 11:06:24 SRC_Server auditd: date="2013-12-17 08:06:24 +0000",fac=f_kernel,area=a_nil_area,type=t_netprobe,pri=p_minor,hostname=ab.cc.dd,event="TCP netprobe",srcip=172.16.2.1,srcport=7583,srczone=internal,dst_geo=AU,dstip=115.69.177.25,dstport=364,protocol=6,interface=1-6,reason="Received a TCP connection attempt destined for a service that the current policy does not support."

      Both entries have come from the same server. Why is there a difference in the format?

       

      Can someone please help? Is there something that I am missing?

       

      Thanks

      Shirish
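An added parser for the audit body shown above (example code written for this page, not from the thread or from the Sidewinder product): it tokenizes the body as named key=value pairs, honouring double-quoted values that contain spaces, so an optional field such as dst_geo is looked up by name rather than by position and its absence no longer shifts the columns. The two sample lines are the ones from the post, with the extraction line-break spaces removed; it assumes quoted values contain no escaped quotes.

```python
import re
from typing import Dict, Optional, Tuple

# Syslog-style prefix: "Dec 17 11:06:24 SRC_Server auditd: <body>"
_PREFIX_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:]+): (?P<body>.*)$'
)
# One key=value pair; value is either "double-quoted" (may contain commas/spaces)
# or a bare run up to the next comma. Assumes no escaped quotes inside quoted values.
_PAIR_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))')

# Sample lines taken from the post above (line-break spaces removed).
SAMPLE_LINES = [
    'Dec 17 11:06:24 SRC_Server auditd: date="2013-12-17 08:06:24 +0000",fac=f_kernel,area=a_nil_area,'
    'type=t_netprobe,pri=p_minor,hostname=ab.cc.dd,event="TCP netprobe",srcip=172.16.2.1,srcport=7583,'
    'srczone=internal,dst_geo=AU,dstip=115.69.177.25,dstport=364,protocol=6,interface=1-6,'
    'reason="Received a TCP connection attempt destined for a service that the current policy does not support."',
    'Dec 17 11:06:33 SRC_Server auditd: date="2013-12-17 08:06:33 +0000",fac=f_kernel,area=a_nil_area,'
    'type=t_netprobe,pri=p_minor,hostname=aa.cc.dd,event="TCP netprobe",srcip=172.16.2.1,srcport=1399,'
    'srczone=internal,dstip=134.244.112.176,dstport=3277,protocol=6,interface=1-6,'
    'reason="Received a TCP connection attempt destined for a service that the current policy does not support."',
]


def parse_sidewinder_line(line: str) -> Dict[str, str]:
    """Return the syslog prefix fields plus every key=value pair in the audit body."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog-style audit line")
    fields = {"syslog_ts": m.group("ts"), "syslog_host": m.group("host"), "syslog_prog": m.group("prog")}
    body, pos = m.group("body"), 0
    while pos < len(body):
        pm = _PAIR_RE.match(body, pos)
        if not pm:
            raise ValueError(f"cannot parse key=value at offset {pos}: {body[pos:pos + 20]!r}")
        quoted = pm.group("quoted")
        fields[pm.group("key")] = quoted if quoted is not None else pm.group("bare")
        pos = pm.end()
        if pos < len(body):
            if body[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}, got {body[pos]!r}")
            pos += 1
    return fields


def destination(fields: Dict[str, str]) -> Tuple[str, str, Optional[str]]:
    """(dstip, dstport, dst_geo) with dst_geo None when the device did not log it."""
    return fields["dstip"], fields["dstport"], fields.get("dst_geo")
```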

        • 1. Re: Sidewinder Log Format
          sliedl

          Try updating the Geolocation database under Maintenance -> Updates and try to telnet to that IP (134.244...) on some port you don't allow and see if the dst_geo shows up then.  I just tried this and it told me that this 134 IP is in the U.S., which is what the maxmind.com site says also.

          • 2. Re: Sidewinder Log Format
            shirishl

            Thanks for your response.

             

            My point was, if for whatever reason the dst_geo cannot be resolved, should siteminder log not keep a "blank" and additional "," to preserve the formatting?

             

            Thanks

            Shirish