cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jebeling
Employee
Employee
Report Inappropriate Content
Message 21 of 27
‎03-21-2022 12:46 PM

Re: Example Bash Script for Log Pull from Web Gateway Cloud Service?

Jump to solution

So truncate would be better for deleting blank lines assuming you can be positive of the character count. Agreed that it would be better to eliminate the "duplicate line" workaround on server side but there is a challenge there as well. How would you distinguish a response that came back with fewer lines than the record limit, but that was only because it couldn't send all the records matching the last timestamp without exceeding the record limit? Its a non-trivial change and it also could break other scripts or supported tools that depend on how it currently works.

We are actively investigating backend improvements like starting to return data as soon as we have some of it from the backend database to avoid idle timeouts. Again non-trivial because the authentication and API front-end is independent of the middleware handling the backend db queries.

My script was never intended to be a substitute for supported tools, just a stopgap to fill a need while logging client was in development. The logging client is now released and fully supported but unfortunately still has some deficiencies that my script does not have with regard to handling network timeouts gracefully.

More than happy to publish any improvements you can make, but I simply do not have the time or bandwidth to do any necessary experimentation and testing. I did make a few minor changes for one large customer that wanted to treat each completed pull as a separate file rather than merging. This allowed them to save processing time and start post retrieval processing sooner, but they already had modified the script to meet other needs so I'm not sure the integration into the current public script would be simple and it certainly would need some thorough testing as the first try at modification of the customer script without thorough testing resulted in an epic fail. ;-( 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
Reply
jebeling
Employee
Employee
Report Inappropriate Content
Message 22 of 27
‎03-21-2022 12:55 PM

Re: Example Bash Script for Log Pull from Web Gateway Cloud Service?

Jump to solution

Another thought. Using truncate could be nice speed improvement for deleting "useless lines" (preventing duplicates) if we could easily and efficiently get a count of bytes in all the trailing records that need to be deleted. Any ideas?

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
0 Kudos
Reply
fw_mon
MVP
Report Inappropriate Content
Message 23 of 27
‎05-24-2022 12:53 AM

Re: Example Bash Script for Log Pull from Web Gateway Cloud Service?

Jump to solution

Hello @jebeling 

I'm still testing changes in the script to figure out if there any negative consequences.

I have a question about this line in the 5.3.1 version:

cp $qTmpFileName $qOrigEndCTime.part

I see this part file hasn't being referenced anywhere else in the script. 

Interestingly, on one machine I've found a couple of 1652xxxxxx.part files that match missing gaps in SIEM, so my impression these part files should be somehow processed, but because of completeFile=false it doesn't get merged to a log later in the script.

 

 

 

Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo (click on the thumb up symbol) to help other community members. MWG+Splunk=❤
0 Kudos
Reply
jebeling
Employee
Employee
Report Inappropriate Content
Message 24 of 27
‎05-26-2022 01:33 PM

Re: Example Bash Script for Log Pull from Web Gateway Cloud Service?

Jump to solution

Good catch the copy of the partial file was part of my debugging to cover the situation where a truncated file was received. I am fairly confident that the line can be commented out but if you do see files of that form it does indicate that there was an instance where records were returned but the file was incomplete relative to what the server was trying to send. If record limit was reached you would get two blank lines at the end. Something must have aborted the file transfer but curl still wrote what it had received to that point.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
Reply
fw_mon
MVP
Report Inappropriate Content
Message 25 of 27
‎03-21-2022 01:47 PM

Re: Example Bash Script for Log Pull from Web Gateway Cloud Service?

Jump to solution

yes, this is a challenge. I worked with other cloud logs API implementations and one way would be to do more processing on the server side and to leave the client do an easy job. The server knows all the answers: how much logs there are, are there any events with the last timestamp that didn't fit the current batch etc. The server can just attach this "meta" information to the archive to make all the work easier.

Anyway many thanks for all your work and many many hours you put in the script!

Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo (click on the thumb up symbol) to help other community members. MWG+Splunk=❤
0 Kudos
Reply
jebeling
Employee
Employee
Report Inappropriate Content
Message 26 of 27
‎10-17-2022 02:19 PM

Re: Example Bash Script for Log Pull from Web Gateway Cloud Service?

Jump to solution

UPDATE! Name change for pulling logs.

Please update your conf files to reflect the following changes:

The logging script configuration (the kb says mandatory but, my understanding is that msg.mcafeesaas.com  will continue to resolve after December 1) but would be best to change sooner rather than later: From Web Gateway Cloud Service IP addresses and ranges (KB87232) : 

logapi.PNG

also here: 

Skyhigh_Secure_Web_Gateway_(Cloud)/Secure_Web_Gateway_Setup/IP_addresses_and_Ranges 

So, the script configuration file should change msg.mcafeesaas.com to us.logapi.skyhigh.cloud

If you are pulling logs from other regions, they should change xx.msg.mcafeesaas.com to xx.logapi.skyhigh.cloud

Also don't forget to change your .netrc file to match the new host names. .netrc reference 

Make sure the user has data analytics role in SSE (auth.ui.trellix.com).

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
Logpull5.3.2.zip
Reply
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 27 of 27
‎10-18-2022 09:12 AM

Re: Example Bash Script for Log Pull from Web Gateway Cloud Service?

Jump to solution

@jebeling Thanks for this update.  It's helpful for those of us not using the bash script too.  Can you please place the KB number in the response so we have it for future use and send it to support teams who need more information?

 

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC