From 18fbe70151a949fdeb05b623e541b300646afee0 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 22 Apr 2020 13:46:12 -0400
Subject: [PATCH 1/3] Alpha Support for this protocol
---
.../log_paths/lp-bbb-ietf_syslog.conf.tmpl | 41 +++++++++++++++++++
.../log_paths/lp-zzz-fallback.conf.tmpl | 1 +
package/etc/conf.d/sources/rfc5687.conf.tmpl | 25 +++++++++++
3 files changed, 67 insertions(+)
create mode 100644 package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl
create mode 100644 package/etc/conf.d/sources/rfc5687.conf.tmpl
diff --git a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl
new file mode 100644
index 0000000..85a083d
--- /dev/null
+++ b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl
@@ -0,0 +1,41 @@
+# Linux/Unix OS system logs
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "IETF_SYSLOG" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+ junction {
+ channel {
+ # Listen on the default port (typically 514) for IETF_SYSLOG traffic
+ source (s_ietf);
+ flags(final);
+ };
+ };
+
+ rewrite {
+ set("IETF_SYSLOG", value("fields.sc4s_vendor_product"));
+ };
+
+ rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), index("main"), source("${APP}:${PROGRAM}")) };
+ parser { p_add_context_splunk(key("IETF_SYSLOG")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_IETF_SYSLOG_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_IETF_SYSLOG" "no")) }}
+ destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_IETF_SYSLOG_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_IETF_SYSLOG_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+ flags(flow-control,final);
+};
diff --git a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
index a3a33d9..d8bbd88 100644
--- a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
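Review bot: The alternates expansion at the `SC4S_DEST_GLOBAL_ALTERNATES` and `SC4S_DEST_IETF_SYSLOG_ALTERNATES` lines turns a leading or trailing comma or space in the variable into an empty `destination();`, which breaks config load at syslog-ng start rather than failing at template time. The `[, ]+` replacement only handles separators between names, so a value such as `d_a, ` renders as `destination(d_a);\n destination();`. Trimming the value before the replace (for example piping `getenv` through gomplate's `strings.TrimSpace` and stripping a trailing `,`) or documenting the exact accepted format next to the `if` would close this; the same pattern is likely copied across sibling log paths, so a shared fix is preferable. Separately, the junction/channel wrapper around the single `source (s_ietf); flags(final);` adds nothing over a bare `source(s_ietf);` in the log block.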
@@ -1,6 +1,7 @@
 # Fallback for un-parsed sources
 log {
+ source(s_ietf);
 source(s_DEFAULT);
 rewrite {
 set("SC4S_fallback", value("fields.sc4s_vendor_product"));
 };
diff --git a/package/etc/conf.d/sources/rfc5687.conf.tmpl b/package/etc/conf.d/sources/rfc5687.conf.tmpl
new file mode 100644
index 0000000..b5044b9
--- /dev/null
+++ b/package/etc/conf.d/sources/rfc5687.conf.tmpl
@@ -0,0 +1,25 @@
+source s_ietf {
+ channel {
+ source {
+ syslog (
+ transport("tcp")
+ port(601)
+ ip-protocol(4)
+ keep-hostname(yes)
+ keep-timestamp(yes)
+ use-dns(no)
+ use-fqdn(no)
+ chain-hostnames(off)
+ flags(validate-utf8, syslog-protocol)
+ );
+ };
+
+ if {
+ parser { app-parser(topic(syslog)); };
+ };
+ rewrite(set_rfc5424_strict);
+ parser {
+ vendor_product_by_source();
+ };
+ };
+};
From 01fa2f8811953c092be69a8fd701ce585202f2f4 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 22 Apr 2020 13:49:54 -0400
Subject: [PATCH 2/3] Update templates.conf
---
package/etc/conf.d/conflib/_common/templates.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index c86400f..4d62bdb 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -83,6 +83,7 @@ template t_JSON_5424 {
 --exclude DATE
 --exclude FACILITY
 --exclude PRIORITY
+ --exclude HOST
 )');
 };
From fbd71628cabf50710604273fc31931b6058295a3 Mon Sep 17 00:00:00 2001
From: mbonsack
Date: Wed, 22 Apr 2020 16:05:01 -0700
Subject: [PATCH 3/3] Update IETF syslog log path
* Remove unique port settings for IETF syslog
* Fix commenting
* Consider removing junction/channel for initial source parsing; unnecessarily complicated
---
package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
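Review bot: The added `source(s_ietf);` in the fallback path is effectively unreachable while lp-bbb-ietf_syslog.conf.tmpl is rendered, because that log path has no filter and ends with `flags(flow-control,final)`, so every s_ietf message is consumed before lp-zzz runs. If the line is intended as a safety net for deployments where the IETF log path is absent, say so next to it, e.g. `# s_ietf normally terminates in lp-bbb-ietf_syslog (flags(final)); listed here only as a safety net`; otherwise drop it so the fallback's source list stays an accurate picture of what actually reaches it. The enclosing `log { … }` block continues past the hunk.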
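Review bot: The new source file is named rfc5687.conf.tmpl, but what it configures is IETF syslog (RFC 5424) over plain TCP/601 — `flags(validate-utf8, syslog-protocol)` and `rewrite(set_rfc5424_strict)` both say 5424 — so the number in the name looks wrong and there is no header comment saying what the listener is. The listener is unencrypted and IPv4-only (`ip-protocol(4)`), and `keep-hostname(yes)` together with `use-dns(no)` and `keep-timestamp(yes)` means the hostname and timestamp used for attribution are whatever the sender put in the header, neither resolved nor verified; that is a defensible collector default but should be stated so nobody treats the `HOST` field as authenticated. Suggested header for the file: `# IETF syslog (RFC 5424) over plain TCP/601, IPv4 only; sender-supplied hostname and timestamp are kept as-is, not resolved or verified`.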
diff --git a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl
index 85a083d..35366a8 100644
--- a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl
@@ -1,12 +1,9 @@
-# Linux/Unix OS system logs
-{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "IETF_SYSLOG" "parser" "rfc3164" }}
-{{- tmpl.Exec "t/source_network.t" $context }}
+# IETF Syslog
 log {
 junction {
 channel {
- # Listen on the default port (typically 514) for IETF_SYSLOG traffic
+ # Listen on the default port (typically 601) for IETF_SYSLOG traffic
 source (s_ietf);
 flags(final);
 };
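Review bot: With the `tmpl.Exec "t/source_network.t"` include removed, nothing in this log path is port-configurable any more, so the corrected comment `# Listen on the default port (typically 601) for IETF_SYSLOG traffic` is still misleading: `s_ietf` hard-codes `port(601)` in sources/rfc5687.conf.tmpl and "typically" suggests an override that no longer exists. Suggest `# Receive IETF syslog (RFC 5424) from s_ietf, fixed at TCP/601 in sources/rfc5687.conf.tmpl`. The junction/channel wrapper around the single `source (s_ietf); flags(final);` survives this cleanup; as the commit message itself notes, a bare `source(s_ietf);` in the log block would read the same. The enclosing `log { … }` block continues past the hunk.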