From 230e282b2702a168ee383021b6dbccabd6b0adcb Mon Sep 17 00:00:00 2001 
From: Mark Bonsack Date: Sun, 5 Jan 2020 20:44:14 -0800 Subject: [PATCH] Gomplate update for "soup" port defaults * Add defaults in template for `source_network.t` * Remove default listening ports in entrypoint.sh and docker-compose.yml files * Clean up all log path templates to make final output more readable * Minor cleanup to `network.conf.tmpl` for readability --- docker-compose.yml | 8 ++--- .../p_rfc3164-checkpoint_splunk.conf.tmpl | 12 +++---- .../log_paths/p_rfc3164-cisco_acs.conf.tmpl | 16 +++++---- .../log_paths/p_rfc3164-cisco_asa.conf.tmpl | 9 ++--- .../log_paths/p_rfc3164-cisco_ios.conf.tmpl | 11 ++++--- .../log_paths/p_rfc3164-cisco_ise.conf.tmpl | 15 +++++---- .../log_paths/p_rfc3164-cisco_nxos.conf.tmpl | 11 ++++--- .../p_rfc3164-forcepoint_webprotect.conf.tmpl | 11 ++++--- .../p_rfc3164-fortinet_fortios.conf.tmpl | 11 ++++--- .../log_paths/p_rfc3164-infoblox.conf.tmpl | 11 ++++--- .../log_paths/p_rfc3164-juniper_idp.conf.tmpl | 11 ++++--- .../p_rfc3164-juniper_junos.conf.tmpl | 11 ++++--- .../p_rfc3164-juniper_netscreen.conf.tmpl | 15 +++++---- .../log_paths/p_rfc3164-juniper_nsm.conf.tmpl | 11 ++++--- .../p_rfc3164-juniper_nsm_idp.conf.tmpl | 11 ++++--- .../p_rfc3164-microfocus_arcsight.conf.tmpl | 7 ++-- .../p_rfc3164-paloalto_panos.conf.tmpl | 12 ++++--- .../p_rfc3164-proofpoint_pps.conf.tmpl | 12 ++++--- .../p_rfc3164-symantec_brightmail.conf.tmpl | 15 +++++---- .../p_rfc3164-ubiquiti_unifi.conf.tmpl | 16 ++++----- .../log_paths/p_rfc3164-zscaler_nss.conf.tmpl | 12 ++++--- .../p_rfc5424-noversion_cisco_asa.conf.tmpl | 12 ++++--- ...rfc5424-noversion_symantec_proxy.conf.tmpl | 12 ++++--- .../p_rfc5424-strict_juniper_junos.conf.tmpl | 10 +++--- .../p_rfc5424_epoch-cisco_meraki.conf.tmpl | 12 ++++--- .../log_paths/p_vmware_vsphere.conf.tmpl | 14 ++++---- .../log_paths/p_za_nix_syslog.conf.tmpl | 12 ++++--- .../conf.d/log_paths/p_zz_fallback.conf.tmpl | 1 + .../etc/conf.d/log_paths/startup.conf.tmpl | 4 +-- 
package/etc/conf.d/sources/network.conf.tmpl | 5 +--
package/etc/go_templates/source_network.t | 33 +++++++++----------
package/sbin/entrypoint.sh | 4 ---
32 files changed, 200 insertions(+), 167 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index dff7a5c..3e3bc3d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,12 +44,12 @@ services:
- SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN}
- SC4S_SOURCE_TLS_ENABLE=no
- SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no
- - SC4S_LISTEN_DEFAULT_TCP_PORT=514
- - SC4S_LISTEN_DEFAULT_UDP_PORT=514
-# - SC4S_LISTEN_DEFAULT_TLS_PORT=6514
+# - SC4S_LISTEN_DEFAULT_TCP_PORT=514
+# - SC4S_LISTEN_DEFAULT_UDP_PORT=514
+# - SC4S_LISTEN_DEFAULT_TLS_PORT=6514
- SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000
- SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT=6000
-# - SC4S_ARCHIVE_CHECKPOINT=yes
+# - SC4S_ARCHIVE_CHECKPOINT=yes
- SC4S_ARCHIVE_GLOBAL=yes
volumes:
- ./tls:/opt/syslog-ng/tls
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
index 9c64b3b..0fd2808 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
@@ -1,10 +1,10 @@
# Checkpoint
-# Generate the custom port if defined
-{{ $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
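Review bot: With SC4S_LISTEN_DEFAULT_TCP_PORT, SC4S_LISTEN_DEFAULT_UDP_PORT and SC4S_LISTEN_DEFAULT_TLS_PORT all commented out, docker-compose.yml no longer shows which ports the container listens on by default; those defaults presumably now come from package/etc/go_templates/source_network.t, which is in the diffstat but not in this hunk. A one-line comment above the commented-out entries would keep the compose file self-explanatory for whoever deploys it, e.g. `# Default listener ports are set in package/etc/go_templates/source_network.t; uncomment to override`. The service definition continues outside the hunk.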
@@ -87,7 +87,7 @@ log {
{{- end}}
{{- if or (or (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT")) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl
index 15d0963..0e3c4c1 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl
@@ -1,9 +1,11 @@
# Cisco ACS
-{{ $context := dict "port_id" "CISCO_ACS" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+# This filter uses a field we set to prevent the original messages before aggregation from being
+# sent to Splunk
-#This filter uses a field we set to prevent the original messages before aggregation from being
-#sent to Splunk
filter f_cisco_acs_complete{
match("yes", value("ACS.COMPLETE") type(glob));
};
@@ -29,8 +31,8 @@ parser acs_grouping {
);
};
-#The syslog message includes a date with nano seconds and TZ which is not in the header
-#So must reparse the date
+# The syslog message includes a date with nano seconds and TZ which is not in the header
+# So must reparse the date
parser acs_event_time {
csv-parser(
columns(ACS.DATE, ACS.TIME, ACS.TZ, MESSAGE)
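Review bot: The rewritten `$context` line in p_rfc3164-cisco_acs.conf.tmpl changes port_id from `CISCO_ACS` to `CISCO_NX_OS`, which looks like a copy/paste slip from the NX-OS template rather than an intended change; the file header and the `f_cisco_acs_complete` filter still refer to ACS, and the dedicated-port check later in the file presumably still tests the `SC4S_LISTEN_CISCO_ACS_*` variables as every other log path in this commit does. If `t/source_network.t` derives the env-var names and the generated source name from port_id, a dedicated ACS port would be configured from the NX-OS variables and the emitted source would duplicate the one from p_rfc3164-cisco_nxos.conf.tmpl. Restore `{{- $context := dict "port_id" "CISCO_ACS" "parser" "common" }}`. The same slip appears in p_rfc3164-cisco_ise.conf.tmpl, where `CISCO_ISE` becomes `CISCO_NX_OS`.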
@@ -44,7 +46,7 @@ parser acs_event_time {
template("${ACS.DATE} ${ACS.TIME} ${ACS.TZ}")
);
};
-# The following is an inline template; we will use this to generate the actual log path
+{{- /* The following is an inline template to generate the actual log path */}}
{{ define "log_path" }}
log {
{{- if eq (.) "yes"}}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl
index 8b9ca9a..b794ad8 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl
@@ -1,9 +1,10 @@
# Cisco ASA
-{{ $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
index 015f86b..2749bc8 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
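Review bot: The `{{ define "log_path" }}` context line is left as is in p_rfc3164-cisco_acs.conf.tmpl while every other template in this commit switches to `{{- define "log_path"}}`, so the comment-to-define transition renders slightly differently here than in its siblings; the corresponding hunks in p_rfc3164-cisco_ise.conf.tmpl and p_rfc3164-microfocus_arcsight.conf.tmpl have the same leftover. Since the commit's stated aim is uniform, readable output, changing that line to `{{- define "log_path"}}` in those three files would finish the job. The `log_path` template body continues outside the hunk.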
@@ -1,9 +1,10 @@
# Cisco IOS
-{{ $context := dict "port_id" "CISCO_IOS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_IOS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes" }}
source(s_DEFAULT);
@@ -36,7 +37,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for CISCO_IOS traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for CISCO_IOS traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl
index 7157f5e..b56dae5 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl
@@ -1,15 +1,18 @@
# Cisco ISE
-{{ $context := dict "port_id" "CISCO_ISE" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+# This filter uses a field we set to prevent the original messages before aggregation from being
+# sent to Splunk
-#This filter uses a field we set to prevent the original messages before aggregation from being
-#sent to Splunk
filter f_cisco_ise_complete{
match("yes", value("ISE.COMPLETE") type(glob));
};
#This parser adds messages from ISE to a context without sending them
#forward to Splunk
+
parser ise_grouping {
csv-parser(
columns(PID, ISE.num, ISE.seq, MESSAGE)
@@ -31,6 +34,7 @@ parser ise_grouping {
#The syslog message includes a date with nano seconds and TZ which is not in the header
#So must reparse the date
+
parser ise_event_time {
csv-parser(
columns(ISE.DATE, ISE.TIME, ISE.TZ, MESSAGE)
@@ -44,7 +48,7 @@ parser ise_event_time {
template("${ISE.DATE} ${ISE.TIME} ${ISE.TZ}")
);
};
-# The following is an inline template; we will use this to generate the actual log path
+{{- /* The following is an inline template to generate the actual log path */}}
{{ define "log_path" }}
log {
{{- if eq (.) "yes"}}
@@ -81,7 +85,6 @@ log {
flags(flow-control,final);
};
-
};
{{- end}}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl
index 6c40bc0..683dc1f 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl
@@ -1,9 +1,10 @@
# Cisco NX_OS
-{{ $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes" }}
source(s_DEFAULT);
@@ -38,7 +39,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for CISCO_NX_OS traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for CISCO_NX_OS traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl
index dc65e02..a3346bd 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl
@@ -1,9 +1,10 @@
# Forcepoint Webprotect
-{{ $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -37,7 +38,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for FORCEPOINT_WEBPROTECT traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl
index a3bfc99..837ce58 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl
@@ -1,9 +1,10 @@
# Fortinet Fortios
-{{ $context := dict "port_id" "FORTINET_FORTIOS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "FORTINET_FORTIOS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -56,7 +57,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for FORTINET_FORTIOS traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for FORTINET_FORTIOS traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl
index 1c047af..a84ecaa 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl
@@ -1,9 +1,10 @@
# Infoblox
-{{ $context := dict "port_id" "INFOBLOX" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "INFOBLOX" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -70,7 +71,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_INFOBLOX_TCP_PORT")) (getenv (print "SC4S_LISTEN_INFOBLOX_UDP_PORT"))) (getenv (print "SC4S_LISTEN_INFOBLOX_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for INFOBLOX traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for INFOBLOX traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl
index 5aecfc0..162996d 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl
@@ -1,9 +1,10 @@
# Juniper IDP
-{{ $context := dict "port_id" "JUNIPER_IDP" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_IDP" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -36,7 +37,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for JUNIPER_IDP traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for JUNIPER_IDP traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl
index 004e8c8..facaf1c 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl
@@ -1,9 +1,10 @@
# Juniper JunOS
-{{ $context := dict "port_id" "JUNIPER_JUNOS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_JUNOS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -55,7 +56,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for JUNIPER_JUNOS traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for JUNIPER_JUNOS traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl
index ece524e..6fca3d1 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl
@@ -1,9 +1,10 @@
# Juniper Netscreen
-{{ $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -35,8 +36,8 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic
- {{ tmpl.Exec "log_path" "no" }}
-{{- end}}
+{{ tmpl.Exec "log_path" "no" }}
+{{- end }}
# Listen on the default port (typically 514) for JUNIPER_NETSCREEN traffic
-{{ tmpl.Exec "log_path" "yes" }}
+{{ tmpl.Exec "log_path" "yes" }}
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl
index 4cac2a7..668f287 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl
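Review bot: The rewritten last line `{{ tmpl.Exec "log_path" "yes" }}` now carries `\ No newline at end of file`, so p_rfc3164-juniper_netscreen.conf.tmpl loses its trailing newline even though its text is unchanged; the end of p_rfc3164-ubiquiti_unifi.conf.tmpl in this commit has the same marker. Apart from the `{{- end }}` spacing nothing else moves in this hunk, so this looks accidental, and restoring the trailing newline keeps the generated conf files consistent with the rest of the directory.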
@@ -1,9 +1,10 @@
# Juniper NSM
-{{ $context := dict "port_id" "JUNIPER_NSM" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_NSM" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -36,7 +37,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for JUNIPER_NSM traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for JUNIPER_NSM traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl
index f33f3f6..2ac5fa0 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl
@@ -1,9 +1,10 @@
# Juniper NSM IDP
-{{ $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -35,7 +36,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for JUNIPER_NSM_IDP traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl
index 25ddce5..8a5a386 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl
@@ -1,6 +1,7 @@
# Microfocus ArcSight
-{{ $context := dict "port_id" "MICROFOCUS_ARCSIGHT" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "MICROFOCUS_ARCSIGHT" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
parser p_microfocus_arcsight_header {
csv-parser(
@@ -32,7 +33,7 @@ parser p_microfocus_arcsight_source {
default-selector("unknown")
);
};
-# The following is an inline template; we will use this to generate the actual log path
+{{- /* The following is an inline template to generate the actual log path */}}
{{ define "log_path" }}
log {
{{- if eq (.) "yes"}}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
index 8c6f97f..4a797d1 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
@@ -1,8 +1,10 @@
# PaloAlto PanOS
-{{ $context := dict "port_id" "PALOALTO_PANOS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "PALOALTO_PANOS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -91,7 +93,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for PALOALTO_PANOS traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for PALOALTO_PANOS traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl
index 46c5267..d17a226 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl
@@ -1,8 +1,10 @@
# Proofpoint Protection Server
-{{ $context := dict "port_id" "PROOFPOINT_PPS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "PROOFPOINT_PPS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes" }}
source(s_DEFAULT);
@@ -42,7 +44,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for PROOFPOINT_PPS traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for PROOFPOINT_PPS traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl
index a2b4c57..95b811b 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl
@@ -1,4 +1,5 @@
-#Symantec Brightmail
+# Symantec Brightmail
+
{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) }}
filter f_symantec_brightmail_complete{
match("yes", value("SMG.COMPLETE") type(glob));
@@ -22,10 +23,12 @@ parser symantec_brightmail_grouping {
};
{{- end }}
-{{ $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes" }}
source(s_DEFAULT);
@@ -90,7 +93,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT"))) (getenv (print "SC4S_SYMANTEC_BRIGHTMAIL_NSS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for SYMANTEC_BRIGHTMAIL traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for SYMANTEC_BRIGHTMAIL traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl
index a6ab503..a8b891b 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl
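Review bot: The TLS branch of the dedicated-port condition in the `@@ -90,7 +93,7 @@` hunk of p_rfc3164-symantec_brightmail.conf.tmpl tests `SC4S_SYMANTEC_BRIGHTMAIL_NSS_TLS_PORT`, which does not follow the `SC4S_LISTEN_<PORT_ID>_TLS_PORT` form every other log path in this commit checks and which `t/source_network.t` presumably reads for port_id `SYMANTEC_BRIGHTMAIL`. That line is unchanged context, but with the TCP/UDP/TLS variables named that way a TLS-only dedicated Brightmail port would get a source definition and never be routed into this log path, so since this commit is reworking exactly that wiring it is the natural place to change it to `(getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TLS_PORT"))`. The `log_path` template and the tail of the file continue outside the hunk.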
@@ -1,9 +1,10 @@
-#Ubiquiti unifi
-{{ $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+# Ubiquiti unifi
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -14,7 +15,6 @@ log {
source (s_UBIQUITI_UNIFI);
{{- end}}
-
parser {p_add_context_splunk(key("ubiquiti_unifi")); };
#Firewall
@@ -125,8 +125,8 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT")) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for UBIQUITI_UNIFI traffic
- {{tmpl.Exec "log_path" "no" }}
+{{tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for UBIQUITI_UNIFI traffic
-{{tmpl.Exec "log_path" "yes" }}
+{{tmpl.Exec "log_path" "yes" }}
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl
index d70f139..da807c3 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl
@@ -1,8 +1,10 @@
# Zscaler
-{{ $context := dict "port_id" "ZSCALER_NSS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "ZSCALER_NSS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes" }}
source(s_DEFAULT);
@@ -75,7 +77,7 @@ log {
{{- if or (or (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TCP_PORT")) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TLS_PORT")) }}
# Listen on the specified dedicated port(s) for ZSCALER_NSS traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
{{- end}}
# Listen on the default port (typically 514) for ZSCALER_NSS traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl
index 1b93b48..59e9c50 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl
@@ -1,8 +1,10 @@
# Cisco ASA RFC5424
-{{ $context := dict "port_id" "CISCO_ASA" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_ASA" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
log {
{{- if eq (.) "yes"}}
source(s_DEFAULT);
@@ -35,7 +37,7 @@ log {
 {{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for CISCO_ASA traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 # Listen on the default port (typically 514) for CISCO_ASA traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl
index 7a40ebf..64584fd 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl
@@ -1,8 +1,10 @@
 # Symantec Proxy (Bluecoat)
-{{ $context := dict "port_id" "SYMANTEC_PROXY" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "SYMANTEC_PROXY" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
 source(s_DEFAULT);
@@ -36,7 +38,7 @@ log {
 {{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for SYMANTEC_PROXY traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 # Listen on the default port (typically 514) for SYMANTEC_PROXY traffic
diff --git a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl
index e808f85..f5ac665 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl
@@ -1,8 +1,10 @@
 # Juniper JunOS (Structured, RFC5424-compliant)
-{{ $context := dict "port_id" "JUNIPER_JUNOS_STRUCTURED" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_JUNOS_STRUCTURED" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
 source(s_DEFAULT);
diff --git a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl
index f080c1c..4c2ba45 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl
@@ -1,8 +1,10 @@
 # Cisco Meraki
-{{ $context := dict "port_id" "CISCO_MERAKI" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_MERAKI" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
 source(s_DEFAULT);
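Review bot: The new `$context` line for the RFC5424-strict JunOS path still passes `"parser" "common"`, so the `{{- if eq .parser "rfc5424_strict" }}` branch in source_network.t (the f_rfc5424_strict filter and syslog-protocol parser) is not selected for `s_JUNIPER_JUNOS_STRUCTURED`, while the file header describes the input as RFC5424-compliant. If relying on the common parser here is deliberate, a one-line template comment next to the dict would save the next reader the same question, e.g. `{{- /* "common" parser is intentional; strict RFC5424 parsing is handled in the log path */}}`; if not, the value should be `"rfc5424_strict"`. The `log_path` body continues outside the hunk, so I cannot tell from here which is the case.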
@@ -35,7 +37,7 @@ log {
 {{- if or (or (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for CISCO_MERAKI traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 # Listen on the default port (typically 514) for CISCO_MERAKI traffic
diff --git a/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl
index 5d31966..171fccc 100644
--- a/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl
@@ -1,10 +1,10 @@
-#VMware ESXi and NSX
-# Generate the custom port if defined
-{{ $context := dict "port_id" "VMWARE" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+# VMware ESXi and NSX
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "VMWARE" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
 source(s_DEFAULT);
@@ -96,7 +96,7 @@ log {
 {{- end}}
 {{- if or (or (getenv (print "SC4S_LISTEN_VMWARE_TCP_PORT")) (getenv (print "SC4S_LISTEN_VMWARE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_VMWARE_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for VMWARE traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 # Listen on the default port (typically 514) for VMWARE traffic
diff --git a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
index 91fa349..e1911f7 100644
--- a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
@@ -1,8 +1,10 @@
 # Linux/Unix OS system logs
-{{ $context := dict "port_id" "NIX_SYSLOG" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "NIX_SYSLOG" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes" }}
 source(s_DEFAULT);
@@ -38,7 +40,7 @@ log {
 {{- if or (or (getenv (print "SC4S_LISTEN_NIX_SYSLOG_TCP_PORT")) (getenv (print "SC4S_LISTEN_NIX_SYSLOG_UDP_PORT"))) (getenv (print "SC4S_NIX_SYSLOG_NSS_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for NIX_SYSLOG traffic
- {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 # Listen on the default port (typically 514) for NIX_SYSLOG traffic
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index 44be960..d2057c2 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
@@ -1,4 +1,5 @@
 # Fallback for un-parsed sources
+
 log {
 source(s_DEFAULT);
diff --git a/package/etc/conf.d/log_paths/startup.conf.tmpl b/package/etc/conf.d/log_paths/startup.conf.tmpl
index 3c5df61..4559544 100644
--- a/package/etc/conf.d/log_paths/startup.conf.tmpl
+++ b/package/etc/conf.d/log_paths/startup.conf.tmpl
@@ -1,8 +1,9 @@
+# Startup events
+
 {{- define "log_path"}}
 log {
 source(s_startup_out);
-
 rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"), index("main"))};
 parser {p_add_context_splunk(key("sc4s_events:startup:out")); };
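Review bot: In the `@@ -38,7 +40,7 @@` hunk of p_za_nix_syslog.conf.tmpl the dedicated-port guard reads `SC4S_NIX_SYSLOG_NSS_TLS_PORT`, which does not match the `SC4S_LISTEN_NIX_SYSLOG_TLS_PORT` name that source_network.t derives from `port_id "NIX_SYSLOG"`; it looks like a leftover from the ZSCALER_NSS template and this commit touches the line below it without correcting it. With only the TLS variable set, `s_NIX_SYSLOG` is still generated by source_network.t but this guard stays false, so the dedicated log path is never rendered and the source appears to be bound to no log path, which would silently lose events on that listener. The fix is the one token: `(getenv (print "SC4S_LISTEN_NIX_SYSLOG_TLS_PORT"))`.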
@@ -19,7 +20,6 @@ log {
 log {
 source(s_startup_err);
-
 rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:err"), index("main"))};
 parser {p_add_context_splunk(key("sc4s_events")); };
diff --git a/package/etc/conf.d/sources/network.conf.tmpl b/package/etc/conf.d/sources/network.conf.tmpl
index be569ff..7f6a9e5 100644
--- a/package/etc/conf.d/sources/network.conf.tmpl
+++ b/package/etc/conf.d/sources/network.conf.tmpl
@@ -1,2 +1,3 @@
-{{ $context := dict "port_id" "DEFAULT" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+# Default "soup" syslog-ng sources, typically UDP/TCP 514; TLS 6514
+{{- $context := dict "port_id" "DEFAULT" "parser" "common" -}}
+{{- tmpl.Exec "t/source_network.t" $context -}}
\ No newline at end of file
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index 8b43665..ff4f766 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
@@ -1,13 +1,14 @@
+{{ define "T1" }}
+
 # The following is the source port declaration for {{ (print .port_id) }}
-# Two log paths will be created -- one for the dedicated port(s) and one for the default (typically port 514)
-{{- define "T1" }}
-source s_{{ .port_id}} {
+
+source s_{{ .port_id }} {
 channel {
 source {
-{{- if (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT" )) }}
+{{- if or (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT")) (eq .port_id "DEFAULT") }}
 syslog (
 transport("udp")
- port({{getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT") }})
+ port({{ getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT") "514" }})
 ip-protocol(4)
 so-rcvbuf({{getenv "SC4S_SOURCE_UDP_SO_RCVBUFF" "425984"}})
 keep-hostname(yes)
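Review bot: The new header comment in network.conf.tmpl says the default sources include TLS 6514, but in source_network.t (hunk `@@ -34,10 +35,10 @@`, next line) the TLS listener is only emitted when `SC4S_LISTEN_" .port_id "_TLS_PORT` is set or `.port_id` equals `"DEFAULT_TLS"`, and nothing in this change passes that id; the UDP and TCP blocks test `(eq .port_id "DEFAULT")` instead. So with `port_id "DEFAULT"` no TLS listener exists unless `SC4S_LISTEN_DEFAULT_TLS_PORT` is set, and the 6514 default only applies once that variable is non-empty, which makes the comment misleading to an operator checking what is exposed. If TLS is meant to stay opt-in (no certificate is configured in these hunks), reword it, e.g. `# Default "soup" syslog-ng sources: UDP/TCP 514 always; TLS 6514 only when SC4S_LISTEN_DEFAULT_TLS_PORT is set`; if a default TLS listener was intended, the condition should be `(eq .port_id "DEFAULT")` like the other two blocks. The `"DEFAULT_TLS"` literal should then either be documented or dropped, since it is otherwise dead.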
@@ -18,10 +19,10 @@ source s_{{ .port_id}} {
 flags(no-parse)
 );
 {{- end}}
-{{- if (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT" )) }}
+{{- if or (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) (eq .port_id "DEFAULT") }}
 network (
 transport("tcp")
- port({{getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT") }})
+ port({{ getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT") "514" }})
 ip-protocol(4)
 max-connections({{getenv "SC4S_SOURCE_TCP_MAX_CONNECTIONS" "2000"}})
 log-iw-size({{getenv "SC4S_SOURCE_TCP_IW_SIZE" "20000000"}})
@@ -34,10 +35,10 @@ source s_{{ .port_id}} {
 flags(no-parse)
 );
 {{- end}}
-{{- if (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT" )) }}
+{{- if or (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT")) (eq .port_id "DEFAULT_TLS") }}
 network(
- port({{getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT") }})
 transport("tls")
+ port({{ getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT") "6514" }})
 ip-protocol(4)
 max-connections({{getenv "SC4S_SOURCE_TCP_MAX_CONNECTIONS" "2000"}})
 log-iw-size({{getenv "SC4S_SOURCE_TCP_IW_SIZE" "20000000"}})
@@ -59,7 +60,7 @@ source s_{{ .port_id}} {
 };
 #TODO: #60 Remove this function with enhancement
 rewrite(set_rfcnonconformant);
-{{ if eq .parser "rfc5424_strict" }}
+{{- if eq .parser "rfc5424_strict" }}
 filter(f_rfc5424_strict);
 parser {
 syslog-parser(flags(syslog-protocol));
@@ -129,11 +130,9 @@ source s_{{ .port_id}} {
 unset(value("fields.sc4s_time_zone"));
 };
 };
-
-
- };
+ };
 };
-{{- end }}
-{{- if or (or (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT"))) (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT")) }}
-{{ template "T1" (.) }}
-{{- end }}
+{{- end -}}
+{{- if or (or (or (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT"))) (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT"))) (eq .port_id "DEFAULT") -}}
+{{- template "T1" (.) -}}
+{{- end -}}
\ No newline at end of file
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index aa01301..b7d5b2d 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -1,14 +1,10 @@
 #!/usr/bin/env bash
 source scl_source enable rh-python36
-export SC4S_LISTEN_DEFAULT_TCP_PORT=514
-export SC4S_LISTEN_DEFAULT_UDP_PORT=514
-
 cd /opt/syslog-ng
 gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --out=\2/') --template t=etc/go_templates/
-
 mkdir -p /opt/syslog-ng/etc/conf.d/local/context/
 mkdir -p /opt/syslog-ng/etc/conf.d/local/config/
 cp --verbose -n /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context/