diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl index 316bd6d..e0d5c88 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl @@ -14,47 +14,63 @@ log { source (s_CHECKPOINT_SPLUNK); {{- end}} - parser { - kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}")); - date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone)); - }; + if { + filter(f_nix_syslog); + rewrite { + set("checkpoint_splunk", value("fields.sc4s_vendor_product")); + subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); + set("${PROGRAM}", value(".PROGRAM")); + subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); + }; + rewrite { + r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}") ) + }; + parser { p_add_context_splunk(key("checkpoint_os")); }; - rewrite { - set("${.kv.hostname}", value("HOST")); - set("checkpoint_splunk", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) - }; - parser {p_add_context_splunk(key("checkpoint_splunk")); }; + } else { + parser { + kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}")); + date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone)); + }; + + rewrite { + set("${.kv.hostname}", value("HOST")); + set("checkpoint_splunk", value("fields.sc4s_vendor_product")); + r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) + }; + + parser {p_add_context_splunk(key("checkpoint_splunk")); }; - if { - filter(f_checkpoint_splunk_NetworkTraffic); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; - } elif { - filter(f_checkpoint_splunk_Web); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; - } elif { - filter(f_checkpoint_splunk_NetworkSessions); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; - } elif { - filter(f_checkpoint_splunk_IDS_Malware); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; - } elif { - filter(f_checkpoint_splunk_IDS); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; - } elif { - filter(f_checkpoint_splunk_email); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; - } elif { - filter(f_checkpoint_splunk_DLP); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); }; + if { + filter(f_checkpoint_splunk_NetworkTraffic); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; + } elif { + filter(f_checkpoint_splunk_Web); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; + } elif { + filter(f_checkpoint_splunk_NetworkSessions); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; + } elif { + filter(f_checkpoint_splunk_IDS_Malware); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; + } elif { + filter(f_checkpoint_splunk_IDS); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; + } elif { + filter(f_checkpoint_splunk_email); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; + } elif { + filter(f_checkpoint_splunk_DLP); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); }; + }; }; parser (compliance_meta_by_source); diff --git a/package/syslog-ng b/package/syslog-ng index f219fbb..b880087 160000 --- a/package/syslog-ng +++ b/package/syslog-ng @@ -1 +1 @@ -Subproject commit f219fbbb12dad0b0b6cb458a0bb4415b2cd94d8a +Subproject commit b880087c95ce44e3d33722a825e895b9351aca58 diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py index 92d1717..ab0a630 100644 --- a/tests/test_checkpoint.py +++ b/tests/test_checkpoint.py @@ -138,3 +138,27 @@ def test_checkpoint_splunk_smartconsole(record_property, setup_wordlist, setup_s record_property("message", message) assert resultCount == 1 + + +#<6>kernel: sd 2:0:0:0: SCSI error: return code = 0x00040000 +def test_checkpoint_splunk_os(record_property, setup_wordlist, setup_splunk): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + pid = random.randint(1000, 32000) + + + mt = env.from_string( + "{{ mark }}kernel: sd 2:0:0:0: SCSI error: return code = 0x{{pid}}\n") + message = mt.render(mark="<6>", pid=pid) + + sendsingle(message) + + st = env.from_string("search index=main \"0x{{ pid }}\" sourcetype=\"nix:syslog\" | head 2") + search = st.render(pid=pid) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 \ No newline at end of file