Release PR for v1.26.1 (#603)

* [filterchange] Cisco Nexus (#594) Adjust airOS and Nexsus to address event with no HOST but with TZ indicator * [doc] Palo filter does not support UDP due to limitations of message size (#591) * [filteradd] Carbon Black Protection CEF format (#590) * [fix] noise in SC4S logs from goss (#595) * Troubleshooting/problem >solution (#593) (#596) * Troubleshooting/problem >solution (#593) * Troubleshooting guide format problem solution * Minor chnages * minor changes * Revert "Troubleshooting/problem >solution (#593)" (#597) This reverts commit 20a1116. Co-authored-by: nandinivij <61885842+nandinivij@users.noreply.github.com> * [filter] improve f5 filter logic (#601) * [filter] Additional severity levels for f5 * [filter] improve f5 matching * Fix indents * Fix indents Co-authored-by: mbonsack <mbonsack@splunk.com> * [doc] clarify SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE (#602) * [doc] clarify SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE * Clarification edit * Clarification edit * Clarify edit 2 * Clarify edit 2 * Clarify edit 3 * Clarify edit 3 * Clarify edit 4 * Clarify edit 4 Co-authored-by: mbonsack <mbonsack@splunk.com> Co-authored-by: nandinivij <61885842+nandinivij@users.noreply.github.com> Co-authored-by: mbonsack <mbonsack@splunk.com>
CSVD · Aug 4, 2020 · 0d6fea3 · 0d6fea3
1 parent f79c368
commit 0d6fea3
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 4 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -24,7 +24,7 @@ syslog.
 | SC4S_DEST_SPLUNK_HEC_GLOBAL | yes | Send events to Splunk using HEC.  This applies _only_ to the primary HEC destination. |
 | SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE | comma separated list | Open SSL cipher suite list |
 | SC4S_DEST_SPLUNK_HEC_SSL_VERSION |  comma separated list | Open SSL version list |
-| SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file |
+| SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | _container_ path `/opt/syslog-ng/tls/server.pem` | Custom trusted cert file, specified as a full path in the _container_ filesystem: `/opt/syslog-ng/tls/<ca-file>`<br>Ensure that the container TLS directory `/opt/syslog-ng/tls` is available locally via container mount in the `docker-compose.yml` or systemd unit file, and that you place the CA file in the locally-mounted directory. |
 | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate |
 | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads).  This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. |
 | SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,<br>severity,<br>container,<br>loghost,<br>destport,<br>fromhostip,<br>proto<br><br>none | List of sc4s indexed fields that will be included with each event in Splunk (default is the entire list except "none").  Two other indexed fields, `sc4s_vendor_product` and `sc4s_syslog_format`, will also appear along with the fields selected via the list and cannot be turned on or off individually.  If no indexed fields are desired (including the two internal ones), set the value to the single value of "none".  When setting this variable, separate multiple entries with commas and do not include extra spaces.<br><br>This list maps to the following indexed fields that will appear in all Splunk events:<br>facility: sc4s_syslog_facility<br>severity: sc4s_syslog_severity<br>container: sc4s_container<br>loghost: sc4s_loghost<br>dport: sc4s_destport<br>fromhostip: sc4s_fromhostip<br>proto: sc4s_proto

diff --git a/package/etc/conf.d/filters/f5/bigip.conf.tmpl b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
@@ -3,6 +3,7 @@ filter f_f5_bigip {
     or match('^\[F5@12276' value("SDATA"))
     or program("tmsh")
     or program("mcpd")
+    or program("mprov")
     or program("apmd")
     or program("tmm\d?")
     or program('^f5_irule=')
@@ -16,7 +17,7 @@ filter f_f5_bigip_irule {
 
 filter f_f5_bigip_message {
     message(
-        '^(?i)(<\d+> ?[[:alpha:]]+\s{1,2}\d{1,2} \d\d:\d\d:\d\d )(?:([^\/]+)(?:\/))?([^ ]+) +(?:notice|err|error|warning|info) +?(.*)'
+        '^(?i)(<\d+> ?[[:alpha:]]+\s{1,2}\d{1,2} \d\d:\d\d:\d\d )(?:([^\/ ]+)(?:\/))?([^ ]+) +(?:alert|debug|notice|err|error|warning|info|emerg) +?(.*)'
         flags(store-matches)
     );
 };

diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
@@ -24,6 +24,7 @@ log {
         filter{
             program("tmsh")
             or program("mcpd")
+            or program("mprov")
             or program("apmd")
             or program("tmm\d?")
         };

diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
@@ -13,8 +13,7 @@ services:
     build:
       context: ../package
     hostname: sc4s
-    #When this is enabled test_common will fail
-    # command: -det
+    command: -det
     ports:
       - "514"
       - "601"