From 492b81ce84bc7a691dfe8eb6a911ca2d7c4b4b5d Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Mon, 9 Dec 2019 17:08:24 -0800
Subject: [PATCH 1/2] fix/startup_warnings Fix startup warnings at startup caused by fake comments in csv file
---
 .../etc/context_templates/compliance_meta_by_source.conf | 9 +++++----
 .../etc/context_templates/compliance_meta_by_source.csv | 4 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/package/etc/context_templates/compliance_meta_by_source.conf b/package/etc/context_templates/compliance_meta_by_source.conf
index 322b938..90b67f4 100644
--- a/package/etc/context_templates/compliance_meta_by_source.conf
+++ b/package/etc/context_templates/compliance_meta_by_source.conf
@@ -1,5 +1,6 @@
 @version: 3.24
-#filter f_test_test {
-# host("something-*" type(glob)) or
-# netmask(192.168.100.1/24)
-#};
+filter f_test_test {
+# host("something-*" type(glob)) or
+# netmask(169.254.100.0/24)
+ host("cannot_ever_happen")
+};
diff --git a/package/etc/context_templates/compliance_meta_by_source.csv b/package/etc/context_templates/compliance_meta_by_source.csv
index 6608db0..4ecf53a 100644
--- a/package/etc/context_templates/compliance_meta_by_source.csv
+++ b/package/etc/context_templates/compliance_meta_by_source.csv
@@ -1,2 +1,2 @@
-#f_test_test,.splunk.index,"badindex"
-#f_test_test,fields.compliance,"pci"
+f_test_test,.splunk.index,"will_never_happen_index"
+f_test_test,fields.compliance,"pci"

From 2b933323c8321b1f7e9686e5280ad892ac5cd610 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Tue, 10 Dec 2019 20:17:10 -0800
Subject: [PATCH 2/2] Remove extraneous proofpoint log path Remove extra proofpoint log path; causes event to be written twice
---
 .../p_rfc3164-proofpoint_pps_filter.conf.tmpl | 52 -------------------
 1 file changed, 52 deletions(-)
 delete mode 100644 package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl
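Review bot: The sentinel `host("cannot_ever_happen")` in the new f_test_test filter is, without a `type()` argument, a regular-expression match (PCRE by default in syslog-ng 3.x, as far as I recall) and is unanchored, so any hostname that merely contains that substring would satisfy the filter and have the two CSV rows applied, routing the event to the nonexistent `will_never_happen_index`. Since the point of the filter is to never match while still parsing cleanly at startup, make the comparison literal and exact: `host("cannot_ever_happen" type(string))`. A one-line comment above the filter would also help whoever copies this template, since an uncommented filter that is obviously bogus invites "cleanup": `# Placeholder filter that never matches; replace host()/netmask() with real selectors and keep the CSV rows keyed on this filter name`.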
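Review bot: Both rows are now live data rather than commented-out examples, and a CSV has no way to state that the first column must equal a filter name defined in compliance_meta_by_source.conf, or that `.splunk.index` is presumably consumed as the destination index (that is inferred from the field name, not visible here). Nothing in the hunk is wrong, but the coupling between the two files is now invisible, and a stale filter name in either file would silently apply nothing. I would document the column layout next to the filter in the .conf file, e.g. `# compliance_meta_by_source.csv rows are <filter name>,<field>,<value>; keep the first column equal to this filter's name`.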
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl
deleted file mode 100644
index 09dd410..0000000
--- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl
+++ /dev/null
@@ -1,52 +0,0 @@
-# Proofpoint
-{{ $context := dict "port_id" "PROOFPOINT_PPS_FILTER" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
-log {
-{{- if eq (.) "yes" }}
- source(s_DEFAULT);
- filter(f_proofpoint_pps_filter);
-{{- end }}
-{{- if eq (.) "no" }}
- source (s_PROOFPOINT_PPS_FILTER);
-{{- end }}
-
- rewrite {
- set("proofpoint_pps_filter", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("pps_filter_log"), index("email"))};
- parser {
- p_add_context_splunk(key("proofpoint_pps_filter"));
- };
-
- parser (compliance_meta_by_source);
-
-
- #We want to unset the fields we won't need, as this is copied into the
- #disk queue for network destinations. This can be very disk expensive
- #if we don't
- rewrite {
- set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG"));
- unset(value("RAWMSG"));
- unset(value("PROGRAM"));
- unset(value("LEGACY_MSGHDR"));
- groupunset(values(".kv.*"));
- };
-
- destination(d_hec);
-
-{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_PROOFPOINT_PPS") }}
- destination(d_archive);
-{{- end}}
-
- flags(flow-control);
-};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for PROOFPOINT_PPS_FILTER traffic
- {{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for PROOFPOINT_PPS_FILTER traffic
-{{ tmpl.Exec "log_path" "yes" }}