ASimWebSessionSquidProxy issue with data from AMA #11268
Assignees
Labels
Comments
v-sudkharat
added
Parser
|
Hi @gitjpk , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks! |
|
Hi @gitjpk, Could you please share the sample data with us which is not parsing through the parser. Thanks! |
|
Hello Sudarshan ,
Sure ! As an MS employee, I'll send you through teams.
Thanks,
JP
…________________________________
De : v-sudkharat ***@***.***>
Envoyé : mercredi 23 octobre 2024 08:49
À : Azure/Azure-Sentinel ***@***.***>
Cc : gitjpk ***@***.***>; Mention ***@***.***>
Objet : Re: [Azure/Azure-Sentinel] ASimWebSessionSquidProxy issue with data from AMA (Issue #11268)
Hi @gitjpk<https://github.com/gitjpk>, Could you please share the sample data with us which is not parsing through the parser. Thanks!
—
Reply to this email directly, view it on GitHub<#11268 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AGGRZPXOTFJI6ZUAZIL2AJDZ45BJBAVCNFSM6AAAAABP4OFUXSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMZRGA3DKNBUHE>.
You are receiving this because you were mentioned.
|
v-sudkharat
added
Connector
|
ASIM - @vakohl |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
The parser does not work correctly with data coming AMA connector.
To Reproduce
Execute the parser against Syslog data collected with AMA.
Expected behavior
Parse the data
Additional context
Basically, we installed Custom logs via AMA data connector on a “default configured” Squid proxy, using AMA version 1.33.1.0, and we planned to use the “Web Session Essentials Workbook”.
Data filled in the right table with no issue (Squidproxy_CL) but the workbook did not get any data (and we configured the logic apps, same issue).
Troubleshooting the issue, we went through _Asim_WebSession(), then _Im_WebSessionBuiltIn(), then _Im_WebSession_SquidProxyV06, we found a few errors in the last one.
On line 32, it’s expecting a computer field which does not exist in the table:
Dvc = Computer
On line 88, it’s projecting away a few field that don’t exist in the table;:
| project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost
For testing purpose, we added the following transformation rule in the DCR :
source | extend Computer="FakeComputerName", MG="MG", ManagementGroupName="ManagementGroupName", SourceSystem="SourceSystem"
We then saw data in the workbook 😊
The text was updated successfully, but these errors were encountered: