Alpha Support for this protocol

CSVD · Apr 22, 2020 · 18fbe70 · 18fbe70
1 parent c0ec0c8
commit 18fbe70
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 0 deletions.
diff --git a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl
@@ -0,0 +1,41 @@
+# Linux/Unix OS system logs
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "IETF_SYSLOG" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+    junction {
+        channel {
+        # Listen on the default port (typically 514) for IETF_SYSLOG traffic
+            source (s_ietf);
+            flags(final);
+        };
+    };
+
+    rewrite {
+        set("IETF_SYSLOG", value("fields.sc4s_vendor_product"));
+    };
+
+    rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), index("main"), source("${APP}:${PROGRAM}")) };
+    parser { p_add_context_splunk(key("IETF_SYSLOG")); };
+    parser (compliance_meta_by_source);
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_IETF_SYSLOG_HEC" "no")) }}
+    destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_IETF_SYSLOG" "no")) }}
+    destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_IETF_SYSLOG_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_IETF_SYSLOG_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+    flags(flow-control,final);
+};
diff --git a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
@@ -1,6 +1,7 @@
 # Fallback for un-parsed sources
 
 log {
+    source(s_ietf);
     source(s_DEFAULT);
 
     rewrite { set("SC4S_fallback", value("fields.sc4s_vendor_product")); };

diff --git a/package/etc/conf.d/sources/rfc5687.conf.tmpl b/package/etc/conf.d/sources/rfc5687.conf.tmpl
@@ -0,0 +1,25 @@
+source s_ietf {
+    channel {
+        source {
+            syslog (
+                transport("tcp")
+                port(601)
+                ip-protocol(4)
+                keep-hostname(yes)
+                keep-timestamp(yes)
+                use-dns(no)
+                use-fqdn(no)
+                chain-hostnames(off)
+                flags(validate-utf8, syslog-protocol)
+            );    
+        };
+
+        if {
+            parser { app-parser(topic(syslog)); };
+        };
+        rewrite(set_rfc5424_strict);
+        parser {
+                vendor_product_by_source();
+        };
+    };
+};