From 0cfc3c9288d40f1569649bbcb23bf03ff81d5df6 Mon Sep 17 00:00:00 2001 
From: rfaircloth-splunk
Date: Sat, 13 Jun 2020 21:05:04 -0400
Subject: [PATCH] Remove set of index in code in favor of configutation only
---
.../conflib/_splunk/splunkfields.conf.tmpl | 2 --
.../config/log_paths/lp-example.conf.tmpl | 2 +-
.../log_paths/lp-bbb-ietf_syslog.conf.tmpl | 2 +-
.../etc/conf.d/log_paths/lp-brocade.conf.tmpl | 2 +-
.../log_paths/lp-checkpoint_splunk.conf.tmpl | 20 +++++++-------
.../conf.d/log_paths/lp-cisco_acs.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-cisco_apic.conf.tmpl | 4 +--
.../conf.d/log_paths/lp-cisco_asa.conf.tmpl | 4 +--
.../log_paths/lp-cisco_asa_legacy.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-cisco_ise.conf.tmpl | 2 +-
.../log_paths/lp-cisco_meraki.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-cisco_nxos.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-cisco_ucm.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-cisco_wsa.conf.tmpl | 6 ++---
.../conf.d/log_paths/lp-cisco_z_ios.conf.tmpl | 2 +-
.../log_paths/lp-citrix-netscaler.conf.tmpl | 2 +-
.../lp-common_event_format.conf.tmpl | 2 +-
.../log_paths/lp-dell_rsa_secureid.conf.tmpl | 12 ++++-----
.../conf.d/log_paths/lp-f5_bigip.conf.tmpl | 20 +++++++-------
.../lp-forcepoint_webprotect.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-fortinet.conf.tmpl | 16 ++++++------
.../conf.d/log_paths/lp-infoblox.conf.tmpl | 8 +++---
.../log_paths/lp-juniper_junos.conf.tmpl | 10 +++----
.../lp-juniper_junos_structured.conf.tmpl | 14 +++++-----
.../log_paths/lp-juniper_netscreen.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-mcafee_epo.conf.tmpl | 2 +-
.../log_paths/lp-paloalto_panos.conf.tmpl | 16 ++++++------
.../etc/conf.d/log_paths/lp-pfsense.conf.tmpl | 4 +--
.../log_paths/lp-proofpoint_pps.conf.tmpl | 4 +--
.../log_paths/lp-sc4s_internal.conf.tmpl | 6 ++---
.../log_paths/lp-sc4s_startup.conf.tmpl | 4 +--
.../log_paths/lp-schneider_apc.conf.tmpl | 2 +-
.../conf.d/log_paths/lp-snmp_traps.conf.tmpl | 2 +-
.../lp-symantec_brightmail.conf.tmpl | 4 +--
.../conf.d/log_paths/lp-symantec_ep.conf.tmpl | 26 +++++++++----------
.../log_paths/lp-symantec_proxy.conf.tmpl | 2 +- .../log_paths/lp-ubiquiti_unifi.conf.tmpl | 20 +++++++------- .../log_paths/lp-vmware_vsphere.conf.tmpl | 14 +++++----- .../conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 10 +++---- .../conf.d/log_paths/lp-zscaler_nss.conf.tmpl | 14 +++++----- .../log_paths/lp-zzy-nix_syslog.conf.tmpl | 2 +- .../log_paths/lp-zzz-fallback.conf.tmpl | 4 +-- .../log_paths/lp-example.conf.tmpl | 2 +- 43 files changed, 140 insertions(+), 142 deletions(-) diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl index 989e4bf..0e85478 100644 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl +++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl @@ -36,12 +36,10 @@ rewrite r_set_splunk_default { #used by each log-path to set index and sourcetype which may be #overridden by user defined values block rewrite r_set_splunk_dest_default( - index() source("${.splunk.source}") sourcetype() template(`splunk-template`) ) { - set("`index`", value(".splunk.index")); set("`source`", value(".splunk.source")); set("`sourcetype`", value(".splunk.sourcetype")); }; diff --git a/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl index 918530b..5f8b1e0 100644 --- a/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl +++ b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl @@ -53,7 +53,7 @@ log { rewrite { set("local_example", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("sc4s:local_example"), index("main")); + r_set_splunk_dest_default(sourcetype("sc4s:local_example")); }; # using the key "local_example" find any customized index,source or sourcetype meta values diff --git a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl index 35366a8..6630fda 100644 
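Review bot: The header comment above the block, `#used by each log-path to set index and sourcetype which may be #overridden by user defined values`, is now stale: with the `index()` parameter and the set(...) line for `.splunk.index` removed, r_set_splunk_dest_default only sets source and sourcetype, and `.splunk.index` has to be populated elsewhere (presumably by the p_add_context_splunk lookup each log path calls). I would reword it to `#used by each log-path to set source and sourcetype; index is deliberately not set here and must come from the context lookup (p_add_context_splunk)` so the next maintainer does not re-add a code default. Any log path outside this patch that still passes `index(...)` to the block will presumably be rejected at config load now that the parameter is undeclared, so the remaining log paths are worth checking before merging. Events whose key has no configured index would leave with an empty `index` field; whether a fallback for that case exists is not visible in this hunk.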
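Review bot: The per-sourcetype default index removed here (`main`) and in every lp-*.conf.tmpl hunk that follows in this chunk (lp-bbb-ietf_syslog through lp-paloalto_panos and lp-pfsense) is not re-added anywhere in the patch: the diffstat lists only .conf.tmpl files, and every insertion is a shortened call line, so the mapping of keys to `netfw`, `netids`, `netauth`, `netproxy`, `netdlp`, `netwaf`, `netdns`, `netipam`, `osnix`, `epav`, `email` and `netops` exists now only in git history. Unless the configuration consulted by p_add_context_splunk already carries an index for every key, events for those keys will leave with `.splunk.index` unset, and distinctions such as cp_log DLP events going to netdlp while cp_log firewall events went to netfw are silently lost rather than moved. I would land the mapping as configuration data in the same commit, or at least record it in the commit description so operators can recreate it. This file lives under local/config and is the template users copy for their own log paths, so the removed `index("main")` argument is also a compatibility break for any existing local copies that still pass `index(...)`.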
--- a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl @@ -13,7 +13,7 @@ log { set("IETF_SYSLOG", value("fields.sc4s_vendor_product")); }; - rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), index("main"), source("${APP}:${PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), source("${APP}:${PROGRAM}")) }; parser { p_add_context_splunk(key("IETF_SYSLOG")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl index 9ddf47b..354a6c6 100644 --- a/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl @@ -27,7 +27,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("brocade:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("brocade:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("brocade_syslog")); }; diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl index 778ac9b..f08ee05 100644 --- a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl @@ -45,7 +45,7 @@ log { set("${.kv.hostname}", value("HOST")); set("${.kv.hostname}", value("fields.cp_lm")); set("checkpoint_splunk", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) + r_set_splunk_dest_default(sourcetype("cp_log")) }; if { 
@@ -89,31 +89,31 @@ log { if { filter(f_checkpoint_splunk_NetworkTraffic); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"))}; parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; } elif { filter(f_checkpoint_splunk_Web); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"))}; parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; } elif { filter(f_checkpoint_splunk_NetworkSessions); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"))}; parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; } elif { filter(f_checkpoint_splunk_IDS_Malware); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"))}; parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; } elif { filter(f_checkpoint_splunk_IDS); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"))}; parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; } elif { filter(f_checkpoint_splunk_email); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"))}; parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; } elif { filter(f_checkpoint_splunk_DLP); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"))}; parser 
{p_add_context_splunk(key("checkpoint_splunk_dlp")); }; } elif { filter(f_checkpoint_splunk_syslog); @@ -130,7 +130,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; }; @@ -163,7 +163,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl index 97b7d4c..fc1b7a7 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl @@ -86,7 +86,7 @@ log { parser(acs_event_time); rewrite { set("cisco_acs", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:acs"), index("netauth")) + r_set_splunk_dest_default(sourcetype("cisco:acs")) }; parser {p_add_context_splunk(key("cisco_acs")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl index 64c123b..a7e3331 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl 
@@ -29,14 +29,14 @@ log { }; rewrite { set("cisco_APIC_acl", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), index("netfw"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_apic_acl")); }; } elif { rewrite { set("cisco_APIC_events", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:apic:events"), index("netops"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:apic:events"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_apic_events")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl index b60f1d6..54cb420 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl @@ -28,7 +28,7 @@ log { }; rewrite { set("cisco_ftd", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog")) }; parser {p_add_context_splunk(key("cisco_ftd")); }; parser (compliance_meta_by_source); @@ -37,7 +37,7 @@ log { } else { rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:asa")) }; parser {p_add_context_splunk(key("cisco_asa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl index 27acbc8..743c94b 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl 
@@ -23,7 +23,7 @@ log { rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:asa")) }; parser {p_add_context_splunk(key("cisco_asa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl index 9722fe1..aa1210d 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl @@ -86,7 +86,7 @@ log { parser(ise_event_time); rewrite { set("cisco_ise", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:ise:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("cisco:ise:syslog")) }; parser {p_add_context_splunk(key("cisco_ise")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl index 3822ee6..630b6ed 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("cisco_meraki", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("meraki"), index("netfw")) + r_set_splunk_dest_default(sourcetype("meraki")) }; parser {p_add_context_splunk(key("cisco_meraki")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl index b490903..6cfbc47 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl 
@@ -23,7 +23,7 @@ log { rewrite { set("cisco_nxos", value("fields.sc4s_vendor_product")); guess-time-zone(); - r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:ios"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_nx_os")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl index 61d0274..6bb6021 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl @@ -44,7 +44,7 @@ log { rewrite { set("cisco_ucm", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main")) + r_set_splunk_dest_default(sourcetype("cisco:ucm")) }; parser {p_add_context_splunk(key("cisco_ucm")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl index 9403f7d..785b988 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl @@ -26,7 +26,7 @@ log{ }; rewrite { set("cisco_wsa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:l4tm"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:l4tm")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); @@ -51,7 +51,7 @@ log{ }; rewrite { set("cisco_wsa11_7", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), index("netops"),source("wsa_11.7")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), source("wsa_11.7")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); 
@@ -75,7 +75,7 @@ log{ }; rewrite { set("cisco_wsa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:squid"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:squid")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl index d7ba89c..dd3260f 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl @@ -23,7 +23,7 @@ log { rewrite { set("cisco_ios", value("fields.sc4s_vendor_product")); guess-time-zone(); - r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:ios")) }; parser { p_add_context_splunk(key("cisco_ios")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl b/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl index ed6f197..94b5005 100644 --- a/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("citrix_netscaler", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("citrix:netscaler:syslog"), index("netfw")) + r_set_splunk_dest_default(sourcetype("citrix:netscaler:syslog")) }; parser {p_add_context_splunk(key("citrix_netscaler")); }; diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl index dbbf675..54e1b77 100644 --- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl @@ -63,7 +63,7 @@ log { }; rewrite { - r_set_splunk_dest_default(sourcetype("cef"), index("main")) + r_set_splunk_dest_default(sourcetype("cef")) }; parser (p_cef_header); 
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl index 9e23d49..2758af4 100644 --- a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl @@ -44,27 +44,27 @@ log { filter{match('audit\.admin' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } elif { filter{match('system\.com\.rsa|,\s+system\.erationsconsole' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } elif { filter{match('audit\.runtime\.com\.rsa' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } else { rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; }; 
@@ -81,7 +81,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; parser (compliance_meta_by_source); @@ -99,7 +99,7 @@ log { }; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:trace"), index("netauth")); + r_set_splunk_dest_default(sourcetype("rsa:securid:trace")); }; parser { p_add_context_splunk(key("p_add_context_splunk")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl index a12ca6b..308d60d 100644 --- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl @@ -31,7 +31,7 @@ log { set("f5_bigip", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("f5:bigip:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("f5:bigip:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); @@ -42,7 +42,7 @@ log { }; rewrite { set("f5_bigip_access_json", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:access_json"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:access_json")) }; parser { p_add_context_splunk(key("f5_bigip_access_json")); }; parser (compliance_meta_by_source); 
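Review bot: The context line `parser { p_add_context_splunk(key("p_add_context_splunk")); };` two lines below the changed call passes the parser's own name as the lookup key instead of `dell_rsa_secureid` as the sibling branches in this file do; that was already wrong, but now that `index("netauth")` is removed from the rsa:securid:trace call the lookup is the only remaining source of an index, so trace events will presumably be forwarded with no index at all. Change it to `parser { p_add_context_splunk(key("dell_rsa_secureid")); };` in the same commit. The enclosing log block starts and ends outside the hunk.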
@@ -56,32 +56,32 @@ log { program('^f5_irule=Splunk-iRule-HTTP') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:http:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:http:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-DNS_REQUEST') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:request:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:request:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-DNS_RESPONSE') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:response:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:response:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-LB_FAILED') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:failed:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:failed:irule")) }; } else { rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:irule")) }; }; rewrite { @@ -96,7 +96,7 @@ log { }; rewrite { set("f5_bigip_asm", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("f5:bigip:asm:syslog"), index("netwaf")) + r_set_splunk_dest_default(sourcetype("f5:bigip:asm:syslog")) }; parser { p_add_context_splunk(key("f5_bigip_asm")); }; parser (compliance_meta_by_source); @@ -108,7 +108,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); 
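Review bot: None of the five iRule branches in this hunk (f5:bigip:ltm:http:irule through f5:bigip:irule) calls p_add_context_splunk or sets fields.sc4s_vendor_product, unlike the other branches in this file, so after dropping `index("netops")` their index depends entirely on what the `rewrite {` that opens on the hunk's last line does, and that body is outside my view. If that trailing rewrite does not perform the context lookup, these five sourcetypes now have no index source at all. A comment on the `else` branch such as `# index for all iRule sourcetypes is resolved by the context lookup below` would make the dependency explicit once confirmed. The enclosing log block starts and ends outside the hunk.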
@@ -117,7 +117,7 @@ log { rewrite { set("f5_bigip_rogue_message", value("fields.sc4s_vendor_product")); set("rogue-f5", value("fields.sc4s_error")); - r_set_splunk_dest_default(sourcetype("f5:bigip:rogue"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:rogue")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl index 40c072f..dbf9c3c 100644 --- a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl @@ -24,7 +24,7 @@ log { rewrite { subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global")); set("forcepoint_webprotect", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("websense:cg:kv"), index("netproxy")) + r_set_splunk_dest_default(sourcetype("websense:cg:kv")) }; parser {p_add_context_splunk(key("forcepoint_webprotect")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl index 4f0351c..438a1a6 100644 --- a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl 
@@ -65,16 +65,16 @@ log { set("${.kv.devname}", value("HOST")); }; if (match("traffic" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_traffic"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_traffic")); }; } elif (match("attack" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_attack"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_attack"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_attack")); }; } elif (match("event" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_event"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_event"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_event")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_log"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_log")); }; }; #FortiOS 
@@ -84,16 +84,16 @@ log { set("${.kv.devname}", value("HOST")); }; if (match("traffic" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"))}; parser {p_add_context_splunk(key("fortinet_fortios_traffic")); }; } elif (match("utm" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"))}; parser {p_add_context_splunk(key("fortinet_fortios_utm")); }; } elif (match("event" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"))}; parser {p_add_context_splunk(key("fortinet_fortios_event")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"))}; parser {p_add_context_splunk(key("fortinet_fortios_log")); }; }; }; diff --git a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl index 086e3a5..261dbe4 100644 --- a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl @@ -27,7 +27,7 @@ log { set("infoblox_dns", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:dns"), index("netdns"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:dns"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_dns")); }; } elif { 
@@ -36,7 +36,7 @@ log { set("infoblox_dhcp", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:dhcp"), index("netipam"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:dhcp"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_dhcp")); }; } elif { @@ -45,7 +45,7 @@ log { set("infoblox_threat", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:threat"), index("netids"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:threat"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_threat")); }; } else { @@ -54,7 +54,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("nix_syslog")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl index 432c393..b5d3cf9 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl 
@@ -26,19 +26,19 @@ log { }; if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"))}; parser {p_add_context_splunk(key("juniper_idp")); }; } elif (program('RT_FLOW') or message('PFE_FW_|DFWD_')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_fw")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_ids")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_utm")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"))}; parser {p_add_context_splunk(key("juniper_legacy")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl index 91707cf..3b3dd45 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl 
@@ -25,25 +25,25 @@ log { set("juniper_junos", value("fields.sc4s_vendor_product")); }; if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured")) }; parser {p_add_context_splunk(key("juniper_idp_structured")); }; } elif (program('RT_FLOW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_fw_structured")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_ids_structured")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_utm_structured")); }; } elif (program('RT_AAMW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured")) }; parser {p_add_context_splunk(key("juniper_junos_aamw_structured")); }; } elif (program('RT_SECINTEL')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured")) }; parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netfw")) }; + rewrite { 
r_set_splunk_dest_default(sourcetype("juniper:structured")) }; parser {p_add_context_splunk(key("juniper_structured")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl index 49cdbb9..d10b21c 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("juniper_netscreen", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("netscreen:firewall"), index("netfw")) + r_set_splunk_dest_default(sourcetype("netscreen:firewall")) }; parser { p_add_context_splunk(key("juniper_netscreen")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl index 36419fb..f484bf6 100644 --- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl @@ -24,7 +24,7 @@ log { rewrite { set("mcafee_epo", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog")) }; parser {p_add_context_splunk(key("mcafee_epo")); }; diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl index f07df1c..52131be 100644 --- a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl @@ -58,7 +58,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"))}; parser {p_add_context_splunk(key("pan_threat")); }; } elif (match('TRAFFIC', value('.pan.type'))) { parser { 
@@ -68,7 +68,7 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"), index("netfw"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"))};
 parser {p_add_context_splunk(key("pan_traffic")); };
 } elif (match('SYSTEM', value('.pan.type'))) {
 parser {
@@ -78,7 +78,7 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:system"), index("netops"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:system"))};
 parser {p_add_context_splunk(key("pan_system")); };
 } elif (match('CONFIG', value('.pan.type'))) {
 parser {
@@ -88,7 +88,7 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:config"))};
 parser {p_add_context_splunk(key("pan_config")); };
 } elif (match('HIPMATCH', value('.pan.type'))) {
 parser {
@@ -98,7 +98,7 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"))};
 parser {p_add_context_splunk(key("pan_hipmatch")); };
 } elif (match('CORRELATION', value('.pan.type'))) {
 parser {
@@ -108,7 +108,7 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"))};
 parser {p_add_context_splunk(key("pan_correlation")); };
 } elif (match('USERID', value('.pan.type'))) {
 parser {
@@ -118,7 +118,7 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"), index("netauth"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"))};
 parser {p_add_context_splunk(key("pan_userid")); };
 } else {
 parser {
@@ -128,7 +128,7 @@ log {
 delimiters(',')
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("pan:log"), index("netops"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("pan:log"))};
 parser {p_add_context_splunk(key("pan_log")); };
 };
 rewrite {
diff --git a/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl b/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl
index 293f428..4fb3fcb 100644
--- a/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl
@@ -27,7 +27,7 @@ log {
 set("pfsense_filterlog", value("fields.sc4s_vendor_product"));
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
- r_set_splunk_dest_default(sourcetype("pfsense:filterlog"), index("netfw"), source("program:${.PROGRAM}"))
+ r_set_splunk_dest_default(sourcetype("pfsense:filterlog"), source("program:${.PROGRAM}"))
 };
 parser { p_add_context_splunk(key("pfsense_filterlog")); };
 parser (compliance_meta_by_source);
@@ -38,7 +38,7 @@ log {
 subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
- r_set_splunk_dest_default(sourcetype("pfsense:${.PROGRAM}"), index("netops"), source("program:${.PROGRAM}"))
+ r_set_splunk_dest_default(sourcetype("pfsense:${.PROGRAM}"), source("program:${.PROGRAM}"))
 };
 parser { p_add_context_splunk(key("pfsense")); };
 parser (compliance_meta_by_source);
diff --git a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl
index 8881d4c..6968eda 100644
--- a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl
@@ -23,12 +23,12 @@ log {
 if (filter(f_proofpoint_pps_filter)) {
 rewrite {
 set("proofpoint_pps_filter", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("pps_filter_log"), index("email"))};
+ r_set_splunk_dest_default(sourcetype("pps_filter_log"))};
 parser { p_add_context_splunk(key("proofpoint_pps_filter")); };
 } else {
 rewrite {
 set("proofpoint_pps_sendmail", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("pps_mail_log"), index("email"))};
+ r_set_splunk_dest_default(sourcetype("pps_mail_log"))};
 parser { p_add_context_splunk(key("proofpoint_pps_sendmail")); };
 };
diff --git a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
index 91214a2..01e5993 100644
--- a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
@@ -3,12 +3,12 @@ log {
 if (match("Log statistics; " value("MESSAGE"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:metrics"), index("em_metrics")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:metrics")) };
 parser {p_add_context_splunk(key("sc4s_metrics")); };
 rewrite {
 subst('.*Log statistics; ', '', value("MESSAGE"), flags("utf8" "global"));
- subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:, )?)', '', value("MESSAGE"), flags("utf8" "global"));
+ subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:)?)', '', value("MESSAGE"), flags("utf8" "global"));
 subst('(?[^= ]+)=\x27(?[^\(]+)\((?\S+(?=\)[=,]))(?:,(?[^,]+),(?[^\)]+))?\)\=(?\d+)\x27,? ?', '{"time": "$S_UNIXTIME","event": "metric","host": "$HOST","index": "${.splunk.index}","source": "internal","sourcetype": "${.splunk.sourcetype}","fields": {"source_name": "${SourceName}","source_instance": "${SourceInstance}","state": "${State}","type": "${Type}","_value": ${Number},"metric_name": "syslogng.${SourceId}"}} ',
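Review bot: The second changed line in the lp-sc4s_internal hunk alters the #anon-stripping regex from `(?:, )?` to `(?:)?`, which is unrelated to the index removal this commit describes and turns the optional trailing separator into an empty optional group that can never consume anything. If that edit was accidental it should be reverted to `\x27(?:, )?)'`; if it is intentional, the ", " left behind after each stripped entry now has to be handled by the following subst, whose `,? ?` tail appears to cover only the entries it matches itself, so stray separators may end up in the metric payload, and the reason belongs in the commit message. Either way the two changes deserve separate commits so the metrics regex can be bisected on its own. The enclosing rewrite {} and log {} blocks end outside the hunk.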
@@ -34,7 +34,7 @@ log {
 } else {
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"))};
 parser {p_add_context_splunk(key("sc4s_events")); };
 if (not match("Destination timeout has elapsed, closing connection; fd=" value("MESSAGE")) and
diff --git a/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl
index c0dedf6..1665e64 100644
--- a/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl
@@ -3,7 +3,7 @@ log {
 source(s_startup_out);
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:out"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:out"))};
 parser {p_add_context_splunk(key("sc4s_events")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no")) }}
@@ -28,7 +28,7 @@ log {
 log {
 source(s_startup_err);
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:err"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:err"))};
 parser {p_add_context_splunk(key("sc4s_events")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no")) }}
diff --git a/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl b/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl
index 97d28d0..8c269c3 100644
--- a/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl
@@ -22,7 +22,7 @@ log {
 };
 rewrite {
 set("schneider_apc", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("apc:syslog"), index("main"))
+ r_set_splunk_dest_default(sourcetype("apc:syslog"))
 };
 parser { p_add_context_splunk(key("schneider_apc")); };
 parser (compliance_meta_by_source);
diff --git a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
index 66b22cc..0bd3dda 100644
--- a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
@@ -6,7 +6,7 @@ log {
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("snmp:trap"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("snmp:trap"))};
 parser {p_add_context_splunk(key("snmp_trap")); };
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_snmp_trap))" value("MSG")); };
diff --git a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl
index baa48a9..74bde79 100644
--- a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl
@@ -56,7 +56,7 @@ log {
 rewrite {
 set("symantec_brightmail", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("symantec:smg:mail"), index("email"), source("program:${.PROGRAM}"))
+ r_set_splunk_dest_default(sourcetype("symantec:smg:mail"), source("program:${.PROGRAM}"))
 };
 parser { p_add_context_splunk(key("symantec_brightmail")); };
 parser (compliance_meta_by_source);
@@ -76,7 +76,7 @@ log {
 rewrite {
 set("symantec_brightmail", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("symantec:smg"), index("email"), source("program:${.PROGRAM}"))
+ r_set_splunk_dest_default(sourcetype("symantec:smg"), source("program:${.PROGRAM}"))
 };
 parser { p_add_context_splunk(key("symantec_brightmail")); };
 parser (compliance_meta_by_source);
diff --git a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
index e093563..c758541 100644
--- a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
@@ -24,66 +24,66 @@ log {
 if {
 filter(f_symantec_ep_proactive);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog"))
 };
 } elif {
 filter(f_symantec_ep_risk);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog"))
 };
 } elif {
 filter(f_symantec_ep_agt_system);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog"))
 };
 } elif {
 filter(f_symantec_ep_packet);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog"))
 };
 } elif {
 filter(f_symantec_ep_traffic);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog"))
 };
 } elif {
 filter(f_symantec_ep_security);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog"))
 };
 } elif {
 filter(f_symantec_ep_scan);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog"))
 };
 } elif {
 filter(f_symantec_ep_behavior);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog"))
 };
 } elif {
 filter(f_symantec_ep_policy);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog"))
 };
 } elif {
 filter(f_symantec_ep_admin);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog"))
 };
 } elif {
 filter(f_symantec_ep_agent);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog"))
 };
 } elif {
 filter(f_symantec_ep_scm_system);
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog"))
 };
 } else {
 rewrite {
- r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav"))
+ r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"))
 };
 };
 rewrite {
diff --git a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl
index 1447711..30f725b 100644
--- a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl
@@ -22,7 +22,7 @@ log {
 rewrite {
 set("bluecoat_proxy", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"), index("netproxy"))
+ r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"))
 subst( "([-_a-zA-Z\(\)]+=(\"-\"|-| ))", "", value(MESSAGE)
diff --git a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl
index bccf149..e1a643a 100644
--- a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl
@@ -32,17 +32,17 @@ log {
 rewrite { set("${LEGACY_MSGHDR}${MSG}" value("MSG")); };
 if (match("[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:" value("MSG"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("ubnt:threat"), index("netids")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("ubnt:threat")) };
 parser {p_add_context_splunk(key("ubiquiti_unifi_threat")); };
 } elif (match("\S+\slinkcheck:" value("MSG"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("ubnt:link"), index("netops")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("ubnt:link")) };
 parser {p_add_context_splunk(key("ubiquiti_unifi_link")); };
 } elif (match("\d+:\d+:\d+\s\S+\ssudo:" value("MSG"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("ubnt:sudo"), index("netops")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("ubnt:sudo")) };
 parser {p_add_context_splunk(key("ubiquiti_unifi_sudo")); };
 } else {
 rewrite {
- r_set_splunk_dest_default(sourcetype("ubnt:fw"), index("netfw"));
+ r_set_splunk_dest_default(sourcetype("ubnt:fw"));
 };
 parser {p_add_context_splunk(key("ubiquiti_unifi_fw")); };
 };
@@ -57,21 +57,21 @@ log {
 if (match('hostapd:\s+ath' value("MSG"))) {
 rewrite {
 set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("ubnt:hostapd"), index("netops"));
+ r_set_splunk_dest_default(sourcetype("ubnt:hostapd"));
 set("${FULLHOST_FROM}", value("HOST"));
 };
 parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); };
 } elif (match('\d+:\d+:\d+\s\S+\smcad:' value("MSG"))) {
 rewrite {
 set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("ubnt:mcad"), index("netops"));
+ r_set_splunk_dest_default(sourcetype("ubnt:mcad"));
 set("${FULLHOST_FROM}", value("HOST"));
 };
 parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); };
 } else {
 rewrite {
 set("ubiquiti_unifi_switch", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("ubnt:switch"), index("netops"));
+ r_set_splunk_dest_default(sourcetype("ubnt:switch"));
 set("${FULLHOST_FROM}",value("HOST"));
 set("${model}", value("fields.model"));
 set("${serial}", value("fields.serial"));
@@ -87,7 +87,7 @@ log {
 };
 rewrite {
 set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("ubnt:wireless"), index("netops"));
+ r_set_splunk_dest_default(sourcetype("ubnt:wireless"));
 set("${FULLHOST_FROM}",value("HOST"));
 set("${model}", value("fields.model"));
 set("${serial}", value("fields.serial"));
@@ -98,7 +98,7 @@ log {
 } elif (match("traputil.c\(696\) " value("MSG"))) {
 rewrite {
 set("ubiquiti_unifi_edge_switch", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("ubnt:edgeswitch"), index("netops"));
+ r_set_splunk_dest_default(sourcetype("ubnt:edgeswitch"));
 set("${FULLHOST_FROM}", value("HOST"));
 };
 parser {p_add_context_splunk(key("ubiquiti_unifi_edge_switch")); };
@@ -106,7 +106,7 @@ log {
 } else {
 rewrite {
 set("ubiquiti_unifi", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("ubnt"), index("netops"));
+ r_set_splunk_dest_default(sourcetype("ubnt"));
 set("${FULLHOST_FROM}", value("HOST"));
 };
 parser {p_add_context_splunk(key("ubiquiti_unifi")); };
diff --git a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
index 2aeed34..a3cfc91 100644
--- a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
@@ -27,7 +27,7 @@ log {
 rewrite {
 set("vmware_nsx", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), source("program:${PROGRAM}"));
 };
 parser { p_add_context_splunk(key("vmware_nsx")); };
 parser (compliance_meta_by_source);
@@ -41,7 +41,7 @@ log {
 set("vmware_nsx", value("fields.sc4s_vendor_product"));
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
- r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${.PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), source("program:${.PROGRAM}"));
 };
 parser { p_add_context_splunk(key("vmware_nsx")); };
 parser (compliance_meta_by_source);
@@ -52,7 +52,7 @@ log {
 rewrite {
 set("vmware_vcenter", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), index("main"), source("program:${PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), source("program:${PROGRAM}"));
 };
 parser { p_add_context_splunk(key("vmware_vcenter")); };
 parser (compliance_meta_by_source);
@@ -65,7 +65,7 @@ log {
 set("vmware_vcenter", value("fields.sc4s_vendor_product"));
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
- r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), index("main"), source("program:${.PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), source("program:${.PROGRAM}"));
 };
 parser { p_add_context_splunk(key("vmware_vcenter")); };
 parser (compliance_meta_by_source);
@@ -78,7 +78,7 @@ log {
 rewrite {
 set("vmware_vsphere_esx", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), source("program:${PROGRAM}"));
 };
 parser { p_add_context_splunk(key("vmware_esx")); };
 parser (compliance_meta_by_source);
@@ -92,7 +92,7 @@ log {
 set("vmware_vsphere_esx", value("fields.sc4s_vendor_product"));
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
- r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${.PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), source("program:${.PROGRAM}"));
 };
 parser { p_add_context_splunk(key("vmware_esx")); };
 parser (compliance_meta_by_source);
@@ -107,7 +107,7 @@ log {
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
 };
- rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) };
 parser { p_add_context_splunk(key("nix_syslog")); };
 parser (compliance_meta_by_source);
 if {
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
index 25d655a..0c6442e 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -45,7 +45,7 @@ log {
 and match('.' value('.json.AppGroup'))
 and match('.' value('.json.Application'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } elif {
 filter {
@@ -53,7 +53,7 @@ log {
 and match('.' value('.json.Customer'))
 and match('.' value('.json.ConnectionID'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } elif {
 filter {
@@ -61,20 +61,20 @@ log {
 and match('.' value('.json.Customer'))
 and match('.' value('.json.ConnectorGroup'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } elif {
 filter {
 match('.' value('.json.SAMLAttributes'))
 and match('.' value('.json.Customer'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } else {
 rewrite {
 set("zscaler_lss_rogue_message", value("fields.sc4s_vendor_product"));
 set("rogue-zscaler_lss", value("fields.sc4s_error"));
- r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"), index("netproxy"))
+ r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"))
 };
 parser { p_add_context_splunk(key("zscaler_lss")); };
 # Rogue message needs a different template than valid LSS events. Final rewrite (further below) will be a
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
index b38adf1..836a779 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
@@ -21,7 +21,7 @@ log {
 };
 };
 if (message('^ZscalerNSS:')) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"), index("netops"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"))};
 parser { p_add_context_splunk(key("zscaler_alerts")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
@@ -37,22 +37,22 @@ log {
 };
 if (match("dns" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"), index("netdns"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"))};
 parser { p_add_context_splunk(key("zscaler_dns")); };
 } elif (match("fw" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"), index("netfw"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"))};
 parser { p_add_context_splunk(key("zscaler_fw")); };
 } elif (match("NSS" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"))};
 parser { p_add_context_splunk(key("zscaler_web")); };
 } elif (match("audit" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"), index("netops"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"))};
 parser { p_add_context_splunk(key("zscaler_zia_audit")); };
 } elif (match("sandbox" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"))};
 parser { p_add_context_splunk(key("zscaler_zia_sandbox")); };
 } else {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"), index("main"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"))};
 parser { p_add_context_splunk(key("zscaler_nss")); };
diff --git a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
index 558818d..24fd1a4 100644
--- a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
@@ -26,7 +26,7 @@ log {
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
 };
- rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) };
 parser { p_add_context_splunk(key("nix_syslog")); };
 parser (compliance_meta_by_source);
diff --git a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
index d8bbd88..7a7b16d 100644
--- a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
@@ -8,14 +8,14 @@ log {
 if {
 filter(f_is_rfc5424_strict);
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback")); };
 parser { p_add_context_splunk(key("sc4s_fallback")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
 } else {
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback")); };
 parser { p_add_context_splunk(key("sc4s_fallback")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_3164))" value("MSG")); };
diff --git a/package/etc/local_config/log_paths/lp-example.conf.tmpl b/package/etc/local_config/log_paths/lp-example.conf.tmpl
index d168cc9..3eb4b0c 100644
--- a/package/etc/local_config/log_paths/lp-example.conf.tmpl
+++ b/package/etc/local_config/log_paths/lp-example.conf.tmpl
@@ -53,7 +53,7 @@ log {
 rewrite {
 set("local_example", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("sc4s:local_example"), index("main"));
+ r_set_splunk_dest_default(sourcetype("sc4s:local_example"));
 };
 # using the key "local_example" find any customized index,source or sourcetype meta values