From fab26c7f578706be5978d861e6a1331fa3a349a8 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sat, 25 Jan 2020 19:25:04 -0500
Subject: [PATCH 1/2] File name cleanup
---
 .../etc/conf.d/filters/{fortinet => forcepoint}/webprotect.conf | 0
 package/etc/conf.d/filters/infoblox/{pfsense.conf => ddi.conf} | 0
 package/etc/conf.d/filters/nix/{syslog.conf => os.conf} | 0
 package/etc/conf.d/filters/pfsense/{syslog.conf => pfsense.conf} | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename package/etc/conf.d/filters/{fortinet => forcepoint}/webprotect.conf (100%)
 rename package/etc/conf.d/filters/infoblox/{pfsense.conf => ddi.conf} (100%)
 rename package/etc/conf.d/filters/nix/{syslog.conf => os.conf} (100%)
 rename package/etc/conf.d/filters/pfsense/{syslog.conf => pfsense.conf} (100%)
diff --git a/package/etc/conf.d/filters/fortinet/webprotect.conf b/package/etc/conf.d/filters/forcepoint/webprotect.conf
similarity index 100%
rename from package/etc/conf.d/filters/fortinet/webprotect.conf
rename to package/etc/conf.d/filters/forcepoint/webprotect.conf
diff --git a/package/etc/conf.d/filters/infoblox/pfsense.conf b/package/etc/conf.d/filters/infoblox/ddi.conf
similarity index 100%
rename from package/etc/conf.d/filters/infoblox/pfsense.conf
rename to package/etc/conf.d/filters/infoblox/ddi.conf
diff --git a/package/etc/conf.d/filters/nix/syslog.conf b/package/etc/conf.d/filters/nix/os.conf
similarity index 100%
rename from package/etc/conf.d/filters/nix/syslog.conf
rename to package/etc/conf.d/filters/nix/os.conf
diff --git a/package/etc/conf.d/filters/pfsense/syslog.conf b/package/etc/conf.d/filters/pfsense/pfsense.conf
similarity index 100%
rename from package/etc/conf.d/filters/pfsense/syslog.conf
rename to package/etc/conf.d/filters/pfsense/pfsense.conf
From 86c020aa1d497918f555f42c1e03fea8b4859ac5 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 27 Jan 2020 09:49:51 -0500
Subject: [PATCH 2/2] Update lp-common_event_format.conf.tmpl
Order of lookups should be "filter specific" "splunk_index" then compliance
---
 .../etc/conf.d/log_paths/lp-common_event_format.conf.tmpl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index 64e9577..52faaa7 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -62,10 +62,6 @@ log {
 set("${fields.cef_device_vendor}_${fields.cef_device_product}", value("fields.sc4s_vendor_product"));
 };
- parser {
- p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
- };
-
 # We already have the syslog msg time stamp however that may not be the best one
 # If we have an rt or end field that is best we use the If trick here so if this parser fails
 # We don't get sent to fallback.
@@ -78,6 +74,10 @@ log {
 #CEF TAs use the source as their bounds in props.conf
 parser(p_cef_source);
+ parser {
+ p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
+ };
+
 parser (compliance_meta_by_source);
 #We want to unset the fields we won't need, as this is copied into the
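Review bot: The parser block re-inserted after `parser(p_cef_source);` carries no comment recording why it must sit between the source-specific parser and `parser (compliance_meta_by_source);`, so the precedence the commit message establishes ("filter specific", then "splunk_index", then compliance) lives only in git history and a later edit could reorder it back without noticing. A line such as `# Order matters: source-specific context first, then vendor/product (splunk) context, then compliance overrides last` directly above the block would pin that contract in the file itself. Separately, the `key(...)` template repeats the vendor_product string that the earlier `set(...)` in the first hunk already stores in `fields.sc4s_vendor_product`; if `key()` accepts any template, as the existing call suggests, `key("${fields.sc4s_vendor_product}")` would keep the two from drifting apart. The enclosing `log { ... }` block starts and ends outside both hunks.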