From 0d6fea379e48217f4a2b8200cb74cabfe6c6a8b9 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Tue, 4 Aug 2020 11:10:15 -0400 Subject: [PATCH] Release PR for v1.26.1 (#603) * [filterchange] Cisco Nexus (#594) Adjust airOS and Nexsus to address event with no HOST but with TZ indicator * [doc] Palo filter does not support UDP due to limitations of message size (#591) * [filteradd] Carbon Black Protection CEF format (#590) * [fix] noise in SC4S logs from goss (#595) * Troubleshooting/problem >solution (#593) (#596) * Troubleshooting/problem >solution (#593) * Troubleshooting guide format problem solution * Minor chnages * minor changes * Revert "Troubleshooting/problem >solution (#593)" (#597) This reverts commit 20a11167d17ba929bff588c758dd76dd404b0255. Co-authored-by: nandinivij <61885842+nandinivij@users.noreply.github.com> * [filter] improve f5 filter logic (#601) * [filter] Additional severity levels for f5 * [filter] improve f5 matching * Fix indents * Fix indents Co-authored-by: mbonsack * [doc] clarify SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE (#602) * [doc] clarify SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE * Clarification edit * Clarification edit * Clarify edit 2 * Clarify edit 2 * Clarify edit 3 * Clarify edit 3 * Clarify edit 4 * Clarify edit 4 Co-authored-by: mbonsack Co-authored-by: nandinivij <61885842+nandinivij@users.noreply.github.com> Co-authored-by: mbonsack
---
 docs/configuration.md | 2 +-
 package/etc/conf.d/filters/f5/bigip.conf.tmpl | 3 ++-
 package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl | 1 +
 tests/docker-compose.yml | 3 +--
 4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 4029d54..6c6cf86 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -24,7 +24,7 @@ syslog.
 | SC4S_DEST_SPLUNK_HEC_GLOBAL | yes | Send events to Splunk using HEC. This applies _only_ to the primary HEC destination. |
 | SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE | comma separated list | Open SSL cipher suite list |
 | SC4S_DEST_SPLUNK_HEC_SSL_VERSION | comma separated list | Open SSL version list |
-| SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file |
+| SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | _container_ path `/opt/syslog-ng/tls/server.pem` | Custom trusted cert file, specified as a full path in the _container_ filesystem: `/opt/syslog-ng/tls/`
Ensure that the container TLS directory `/opt/syslog-ng/tls` is available locally via container mount in the `docker-compose.yml` or systemd unit file, and that you place the CA file in the locally-mounted directory. | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | | SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,
severity,
container,
loghost,
destport,
fromhostip,
proto

none | List of sc4s indexed fields that will be included with each event in Splunk (default is the entire list except "none"). Two other indexed fields, `sc4s_vendor_product` and `sc4s_syslog_format`, will also appear along with the fields selected via the list and cannot be turned on or off individually. If no indexed fields are desired (including the two internal ones), set the value to the single value of "none". When setting this variable, separate multiple entries with commas and do not include extra spaces.

This list maps to the following indexed fields that will appear in all Splunk events:
facility: sc4s_syslog_facility
severity: sc4s_syslog_severity
container: sc4s_container
loghost: sc4s_loghost
dport: sc4s_destport
fromhostip: sc4s_fromhostip
proto: sc4s_proto
diff --git a/package/etc/conf.d/filters/f5/bigip.conf.tmpl b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
index 8b25e6f..7215a90 100644
--- a/package/etc/conf.d/filters/f5/bigip.conf.tmpl
+++ b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
@@ -3,6 +3,7 @@ filter f_f5_bigip {
     or match('^\[F5@12276' value("SDATA"))
     or program("tmsh")
     or program("mcpd")
+    or program("mprov")
     or program("apmd")
     or program("tmm\d?")
     or program('^f5_irule=')
@@ -16,7 +17,7 @@ filter f_f5_bigip_irule {
 
 filter f_f5_bigip_message {
     message(
-        '^(?i)(<\d+> ?[[:alpha:]]+\s{1,2}\d{1,2} \d\d:\d\d:\d\d )(?:([^\/]+)(?:\/))?([^ ]+) +(?:notice|err|error|warning|info) +?(.*)'
+        '^(?i)(<\d+> ?[[:alpha:]]+\s{1,2}\d{1,2} \d\d:\d\d:\d\d )(?:([^\/ ]+)(?:\/))?([^ ]+) +(?:alert|debug|notice|err|error|warning|info|emerg) +?(.*)'
         flags(store-matches)
     );
 };
diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
index 308d60d..a2b4d64 100644
--- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
@@ -24,6 +24,7 @@ log {
     filter{
         program("tmsh")
         or program("mcpd")
+        or program("mprov")
         or program("apmd")
         or program("tmm\d?")
     };
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index 88a462f..fe7d932 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml
@@ -13,8 +13,7 @@ services:
     build:
       context: ../package
     hostname: sc4s
-    #When this is enabled test_common will fail
-    # command: -det
+    command: -det
     ports:
       - "514"
       - "601"
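Review bot: The added `program("mprov")` line is an unanchored pattern, and syslog-ng's program() filter is regex-based by default, so it will also select any program name that merely contains `mprov`; if an exact match is intended, `program("^mprov$")` pins it. That is consistent with the existing `tmsh`/`mcpd`/`apmd` entries around it, so a decision to anchor should probably cover the whole list rather than this one line. The enclosing `filter f_f5_bigip { … }` starts before this hunk, so I cannot see its first alternatives.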
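Review bot: The widened severity alternation in the new `message(...)` regex still has no `crit`, although it now covers `alert` and `emerg` on either side of it, so a BIG-IP line carrying the `crit` level will fail `f_f5_bigip_message` while the other seven standard syslog levels match; I would extend it to `(?:alert|crit|debug|emerg|err|error|info|notice|warning)`. No sample event exercising the newly accepted levels is visible in this patch; if the test suite keeps per-vendor samples, one for `alert`/`emerg` would pin the change.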
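Review bot: This inline filter repeats the same `program(...)` list that `f_f5_bigip` in `filters/f5/bigip.conf.tmpl` maintains, and the commit had to add `mprov` in both places by hand, so the two lists will silently drift the next time only one is updated. I would factor the list into a named filter, e.g. `filter f_f5_bigip_program { program("tmsh") or program("mcpd") or program("mprov") or program("apmd") or program("tmm\d?") };`, and reference it from both the vendor filter and this log path. The enclosing `log { … }` block begins before and ends after the hunk, so I cannot see whether other statements in this file repeat the list as well.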
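Review bot: Enabling `command: -det` drops the comment that explained why it had been disabled (`test_common` failed with it on), and nothing in the hunk records what `-det` does or what changed to make it safe now. A one-line comment such as `# -det: <entrypoint option>; test_common no longer fails with this enabled (see #603)` would keep that context for the next person who sees a test break here. The `services:` mapping this sits in starts before the hunk.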