Keep CEF header for Imperva SecureSphere events

CSVD · May 21, 2020 · 091053b · 091053b
1 parent 660943b
commit 091053b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
@@ -34,6 +34,14 @@ template t_everything {
         template("${ISODATE} ${HOST} ${LEGACY_MSGHDR}${MESSAGE}");
         };
 
+# ===============================================================================================
+# CEF Header with message; useful for common event format (CEF)
+# ===============================================================================================
+
+template t_cef_hdr_msg {
+        template("${3}");
+        };
+
 # ===============================================================================================
 # Message Header with Message; for Palo Alto
 # ===============================================================================================

diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -98,7 +98,16 @@ log {
     #We want to unset the fields we won't need, as this is copied into the
     #disk queue for network destinations. This can be very disk expensive
     #if we don't
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+    if {
+        filter {
+            match('^Imperva\sInc\._SecureSphere$', value("fields.sc4s_vendor_product"))
+        };
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_cef_hdr_msg))" value("MSG")); };
+    }
+    else{
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+    };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CEF_HEC" "no")) }}
     destination(d_hec);