From 091053b1ff354f11c068e7d55111fb46275dfd0f Mon Sep 17 00:00:00 2001
From: "Mahir Chavda (C)"
Date: Thu, 21 May 2020 16:29:36 +0530
Subject: [PATCH] Keep CEF header for Imperva SecureSphere events
---
 package/etc/conf.d/conflib/_common/templates.conf | 8 ++++++++
 .../conf.d/log_paths/lp-common_event_format.conf.tmpl | 11 ++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index dc5f58f..a5e0197 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -34,6 +34,14 @@ template t_everything {
 template("${ISODATE} ${HOST} ${LEGACY_MSGHDR}${MESSAGE}");
 };
 
+# ===============================================================================================
+# CEF Header with message; useful for common event format (CEF)
+# ===============================================================================================
+
+template t_cef_hdr_msg {
+ template("${3}");
+ };
+
 # ===============================================================================================
 # Message Header with Message; for Palo Alto
 # ===============================================================================================
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index da89bf8..dbbf675 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
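Review bot: The new `t_cef_hdr_msg` template is `template("${3}")`, a bare numbered macro, and neither the template nor its header comment says where that value comes from. In syslog-ng `${1}`..`${255}` are only populated by a preceding match that ran with `flags(store-matches)`, so this template presumably depends on a specific capture group in a filter or parser elsewhere in the CEF log path; if that pattern is ever renumbered, the template would likely emit an empty or wrong MSG with no error, and a reader of templates.conf has no way to see the coupling. Please state the dependency in the header comment, e.g. `# CEF Header with message; ${3} is the capture group holding the CEF header+message from the CEF log path's store-matches filter -- keep in sync with that pattern`, and name the filter there. The template itself is otherwise complete within this hunk.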
@@ -98,7 +98,16 @@ log {
 #We want to unset the fields we won't need, as this is copied into the
 #disk queue for network destinations. This can be very disk expensive
 #if we don't
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+ if {
+ filter {
+ match('^Imperva\sInc\._SecureSphere$', value("fields.sc4s_vendor_product"))
+ };
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_cef_hdr_msg))" value("MSG")); };
+ }
+ else{
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CEF_HEC" "no")) }}
 destination(d_hec);