diff --git a/docs/configuration.md b/docs/configuration.md index 4029d54..6c6cf86 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -24,7 +24,7 @@ syslog. | SC4S_DEST_SPLUNK_HEC_GLOBAL | yes | Send events to Splunk using HEC. This applies _only_ to the primary HEC destination. | | SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE | comma separated list | Open SSL cipher suite list | | SC4S_DEST_SPLUNK_HEC_SSL_VERSION | comma separated list | Open SSL version list | -| SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | +| SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | _container_ path `/opt/syslog-ng/tls/server.pem` | Custom trusted cert file, specified as a full path in the _container_ filesystem: `/opt/syslog-ng/tls/`
Ensure that the container TLS directory `/opt/syslog-ng/tls` is available locally via container mount in the `docker-compose.yml` or systemd unit file, and that you place the CA file in the locally-mounted directory. | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | | SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,
severity,
container,
loghost,
destport,
fromhostip,
proto

none | List of sc4s indexed fields that will be included with each event in Splunk (default is the entire list except "none"). Two other indexed fields, `sc4s_vendor_product` and `sc4s_syslog_format`, will also appear along with the fields selected via the list and cannot be turned on or off individually. If no indexed fields are desired (including the two internal ones), set the value to the single value of "none". When setting this variable, separate multiple entries with commas and do not include extra spaces.

This list maps to the following indexed fields that will appear in all Splunk events:
facility: sc4s_syslog_facility
severity: sc4s_syslog_severity
container: sc4s_container
loghost: sc4s_loghost
dport: sc4s_destport
fromhostip: sc4s_fromhostip
proto: sc4s_proto diff --git a/package/etc/conf.d/filters/f5/bigip.conf.tmpl b/package/etc/conf.d/filters/f5/bigip.conf.tmpl index 8b25e6f..7215a90 100644 --- a/package/etc/conf.d/filters/f5/bigip.conf.tmpl +++ b/package/etc/conf.d/filters/f5/bigip.conf.tmpl @@ -3,6 +3,7 @@ filter f_f5_bigip { or match('^\[F5@12276' value("SDATA")) or program("tmsh") or program("mcpd") + or program("mprov") or program("apmd") or program("tmm\d?") or program('^f5_irule=') @@ -16,7 +17,7 @@ filter f_f5_bigip_irule { filter f_f5_bigip_message { message( - '^(?i)(<\d+> ?[[:alpha:]]+\s{1,2}\d{1,2} \d\d:\d\d:\d\d )(?:([^\/]+)(?:\/))?([^ ]+) +(?:notice|err|error|warning|info) +?(.*)' + '^(?i)(<\d+> ?[[:alpha:]]+\s{1,2}\d{1,2} \d\d:\d\d:\d\d )(?:([^\/ ]+)(?:\/))?([^ ]+) +(?:alert|debug|notice|err|error|warning|info|emerg) +?(.*)' flags(store-matches) ); }; diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl index 308d60d..a2b4d64 100644 --- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl @@ -24,6 +24,7 @@ log { filter{ program("tmsh") or program("mcpd") + or program("mprov") or program("apmd") or program("tmm\d?") }; diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml index 88a462f..fe7d932 100644 --- a/tests/docker-compose.yml +++ b/tests/docker-compose.yml @@ -13,8 +13,7 @@ services: build: context: ../package hostname: sc4s - #When this is enabled test_common will fail - # command: -det + command: -det ports: - "514" - "601"