diff --git a/docs/configuration.md b/docs/configuration.md index 473b04f..390e85b 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -44,7 +44,7 @@ separately from that of the alternates below. | Variable | Values | Description | |----------|---------------|-------------| | SC4S_DEST_GLOBAL_ALTERNATES | Comma or space-separated list of syslog-ng destinations | Send all sources to alternate destinations | -| SC4S_DEST_<SOURCE>_ALTERNATES | Comma or space-separated list of syslog-ng destiinations | Send specific sources to alternate syslog-ng destinations, e.g. SC4S_DEST_CISCO_ASA_ALTERNATES | +| SC4S_DEST_<VENDOR_PRODUCT>_ALTERNATES | Comma or space-separated list of syslog-ng destinations | Send specific sources to alternate syslog-ng destinations using the VENDOR_PRODUCT syntax, e.g. SC4S_DEST_CISCO_ASA_ALTERNATES | ## SC4S Disk Buffer Configuration diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index f23926c..70f2128 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md @@ -54,11 +54,6 @@ Restart=always ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)" -ExecStartPre=/usr/bin/docker run \ - --env-file=/opt/sc4s/env_file \ - "$SC4S_LOCAL_CONFIG_MOUNT" \ - --name SC4S_preflight \ - --rm $SC4S_IMAGE -s ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \ -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \ --env-file=/opt/sc4s/env_file \ @@ -68,6 +63,7 @@ ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \ "$SC4S_TLS_DIR" \ --name SC4S \ --rm $SC4S_IMAGE +Restart=on-success ``` * Execute the following command to create a local volume that will contain the disk buffer files in the event of a communication diff --git a/docs/gettingstarted/index.md b/docs/gettingstarted/index.md index 4514c7f..de7f2a8 100644 
--- a/docs/gettingstarted/index.md +++ b/docs/gettingstarted/index.md @@ -45,7 +45,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes * netipam * oswinsec * osnix -* em_metrics (ensure this is created as a metrics index) +* em_metrics (Optional opt-in for SC4S operational metrics; ensure this is created as a metrics index) #### Install Related Splunk Apps @@ -102,13 +102,13 @@ which has proven inadequate for many. #### Select a Container Runtime and SC4S Configuration -| Container and Orchestration | Notes | +| Container Runtime and Orchestration | Operating Systems | |-----------------------------|-------| -| [Podman + systemd](podman-systemd-general.md) | First choice for RedHat 8.x and CentOS, second choice for Debian and Ubuntu (packages provided via PPA). | -| [Docker CE + systemd](docker-systemd-general.md) | First choice for RHEL/CentOS 7.x, Debian and Ubuntu | -| [Docker CE + Swarm](docker-swarm-general.md) | Option for Debian, Ubuntu, CentOS, and Desktop Docker desiring Docker Compose or Swarm orchestration | -| [Docker CE + Swarm RHEL 7.7](docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring Docker Compose or Swarm orchestration | -| [Bring your own Envionment](byoe-rhel7.md) | Option for RedHat 7.7 (centos 7) with SC4S configuration without containers | +| [Podman 1.7 & 1.9 + systemd](podman-systemd-general.md) | RHEL or CentOS 8.1 & 8.2 (best option), Debian or Ubuntu 18.04LTS | +| [Docker CE 18 & 19 + systemd](docker-systemd-general.md) | RHEL or CentOS 7.7 (best option), Debian or Ubuntu 18.04LTS | +| [Docker CE 18 & 19 + Swarm](docker-swarm-general.md) | CentOS 7.7 (best option), Debian or Ubuntu 18.04LTS | +| [Docker CE 18 & 19 + Swarm](docker-swarm-rhel7.md) | RHEL 7.7 | +| [Bring your own Envionment](byoe-rhel7.md) | RHEL or CentOS 8.1 & 8.2 (best option) | ### Offline Container Installation 
diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md index 83fd6cd..fedde53 100644 --- a/docs/gettingstarted/podman-systemd-general.md +++ b/docs/gettingstarted/podman-systemd-general.md @@ -72,11 +72,6 @@ Restart=always ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)" -ExecStartPre=/usr/bin/podman run \ - --env-file=/opt/sc4s/env_file \ - "$SC4S_LOCAL_CONFIG_MOUNT" \ - --name SC4S_preflight \ - --rm $SC4S_IMAGE -s ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \ -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \ --env-file=/opt/sc4s/env_file \ @@ -87,6 +82,7 @@ ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \ --name SC4S \ --rm $SC4S_IMAGE ExecStartPost=sleep 2 ; conntrack -D -p udp +Restart=on-success ``` * Execute the following command to create a local volume that will contain the disk buffer files in the event of a communication diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md index 185e0c8..187f28d 100644 --- a/docs/sources/Cisco/index.md +++ b/docs/sources/Cisco/index.md @@ -405,9 +405,9 @@ Verify timestamp, and host values match as expected | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| cisco_wsa_l4tm | cisco:wsa:l4tm | netops | None | -| cisco_wsa_squid | cisco:wsa:squid | netops | None | -| cisco_wsa_squid_new | cisco:wsa:squid:new | netops | None | +| cisco_wsa | cisco:wsa:l4tm | netproxy | None | +| cisco_wsa | cisco:wsa:squid | netproxy | None | +| cisco_wsa | cisco:wsa:squid:new | netproxy | None | ### Filter type diff --git a/docs/sources/Citrix/index.md b/docs/sources/Citrix/index.md index 3dedf1a..6bf7d4c 100644 --- a/docs/sources/Citrix/index.md +++ b/docs/sources/Citrix/index.md 
@@ -35,11 +35,9 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CITRIX_NETSCALER_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined | -| SC4S_LISTEN_CITRIX_NETSCALERSPLUNK_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined | -| SC4S_ARCHIVE_CITRIX_NETSCALER_SPLUNK | no | Enable archive to disk for this specific source | -| SC4S_DEST_CITRIX_NETSCALER_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_DEST_CITRIX_NETSCALER_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_LISTEN_CITRIX_NETSCALER_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined | +| SC4S_LISTEN_CITRIX_NETSCALER_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined | +| SC4S_DEST_CITRIX_NETSCALER_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT | no | Use "DDMMYYYY" format rather than "MMDDYYYY" | ### Verification diff --git a/docs/sources/Splunk/index.md b/docs/sources/Splunk/index.md new file mode 100644 index 0000000..098a413 --- /dev/null +++ b/docs/sources/Splunk/index.md 
@@ -0,0 +1,51 @@ +# Vendor - Splunk + + +## Product - Splunk Connect for Syslog (SC4S) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/4740/ | +| Product Manual | https://splunk-connect-for-syslog.readthedocs.io/en/master/ | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| sc4s:events | Internal events from the SC4S container and underlying syslog-ng process | +| sc4s:metrics | syslog-ng operational metrics that will be delivered directly to a metrics index in Splunk | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| sc4s_events | all | main | none | +| sc4s_metrics | all | em_metrics | none | + +### Filter type + +SC4S events and metrics are generated automatically and no specific ports or filters need to be configured for the collection of this data. + +### Setup and Configuration + +* No specific requirements are required for the collection of sc4s internal events. +* Metrics data is _not_ collected by default; it is an opt-in set by the variable `SC4S_DEST_SC4S_METRICS_HEC`. See the "Options" +section below for details. + +### Options + +| Variable | default | description | +|-----------------------------------|-----------|----------------| +| SC4S_DEST_SPLUNK_SC4S_EVENTS_HEC | no | When Splunk HEC is disabled globally set to "yes" to enable this specific source | +| SC4S_DEST_SPLUNK_SC4S_METRICS_HEC | no | Set to "yes" to send metrics via HEC to Splunk (opt-in). Metrics are _not_ enabled by default when HEC is enabled globally. | + +### Verification + +SC4S will generate versioning events at startup. 
These startup events can be used to validate HEC is set up properly on the Splunk side. + +``` +index= sourcetype=sc4s:events | stats count by host +``` +Metrics can be observed via the "Analytics-->Metrics" navigation in the Search and Reporting app in Splunk. +* NOTE: The presentation of metrics is undergoing active development; the delivery of metrics is currently considered an experimental feature. diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 1146ee7..dafc3e6 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -89,19 +89,12 @@ and navigating the syslog-ng config filesystem directly. To do this, run /usr/bin/podman exec -it SC4S /bin/bash ``` and navigate to `/opt/syslog-ng/etc/` to see the actual config files in use. If you are adept with container operations and syslog-ng -itself, you can also modify files directly and reload syslog-ng with the command `kill -1 1` in the container. This is an advanced topic -and futher help can be obtained via the github issue tracker and Slack channels. +itself, you can modify files directly and reload syslog-ng with the command `kill -1 1` in the container. +You can also run the `/entrypoint.sh` script by hand (or a subset of it, such as everything +but syslog-ng) and have complete control over the templating and underlying syslog-ng process. +This is an advanced topic and futher help can be obtained via the github issue tracker and Slack channels. -## Run the container with a null entrypoint (Advanced!) - -You can run the container without the usual entrypoint shell script by executing this command (modified to suit your environment): - -```bash -/usr/bin/podman run -p 514:514 -p 514:514/udp -p 5000-5020:5000-5020 -p 5000-5020:5000-5020/udp --entrypoint=tail --env-file=/opt/sc4s/env_file -v /opt/sc4s/local:/opt/syslog-ng/etc/conf.d/local:z --name SC4S --rm splunk/scs:latest -f /dev/null -``` -From there, you can "exec" into the container (above) and run the `/entrypoint.sh` script by hand (or a subset of it, such as everything -but syslog-ng) and have complete control over the templating and underlying syslog-ng process. Again, this is an advanced topic but can be -very useful for low-level troubleshooting. +When debugging a configuration syntax issue at startup the container must remain running. This can be enabled by adding `SC4S_DEBUG_CONTAINER=yes` to the `env_file`. ## Dealing with non RFC-5424 compliant sources diff --git a/mkdocs.yml b/mkdocs.yml index b1fd53c..d36a804 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -33,6 +33,7 @@ nav: - "pfSense": sources/Pfsense/index.md - Proofpoint: sources/Proofpoint/index.md - Schneider: sources/Schneider/index.md + - Splunk: sources/Splunk/index.md - Symantec: sources/Symantec/index.md - Ubiquiti: sources/Ubiquiti/index.md - VMware: sources/VMWare/index.md diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl index 989e4bf..56e3017 100644 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl +++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl @@ -33,15 +33,13 @@ rewrite r_set_splunk_default { }; {{- end}} }; -#used by each log-path to set index and sourcetype which may be +#used by each log-path to set source and sourcetype which may be #overridden by user defined values block rewrite r_set_splunk_dest_default( - index() source("${.splunk.source}") sourcetype() template(`splunk-template`) ) { - set("`index`", value(".splunk.index")); set("`source`", value(".splunk.source")); set("`sourcetype`", value(".splunk.sourcetype")); }; diff --git a/package/etc/conf.d/context/common_event_format_source.csv b/package/etc/conf.d/context/common_event_format_source.csv index 695314e..17947e0 100644 --- a/package/etc/conf.d/context/common_event_format_source.csv +++ b/package/etc/conf.d/context/common_event_format_source.csv @@ -1,4 +1,5 @@ ArcSight_ArcSight,source,ArcSight:ArcSight +ArcSight_ArcSight,index,main Carbon Black_Protection,sourcetype,carbonblack:protection:cef Carbon Black_Protection,index,cb:cef Cyber-Ark_Vault,sourcetype,cyberark:epv:cef diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf index 345d317..4ba8680 100644 --- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf +++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf 
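Review bot: Removing the `index()` parameter and the `set("`index`", value(".splunk.index"))` line from `r_set_splunk_dest_default` in splunkfields.conf.tmpl means any caller that still passes `index(...)` should now fail at config load rather than be ignored (an argument a syslog-ng block does not declare is a parse error, if I recall correctly). Every caller under package/ and the lp-example.conf.tmpl template are updated in this commit, but user log paths copied from the previous example are not, and the documented systemd units in this same change drop the preflight `-s` run that would have caught it before the service started. The only per-source index default visible in this chunk is the `ArcSight_ArcSight,index,main` row added to common_event_format_source.csv; unless every other key now gets its index from the `p_add_context_splunk` lookup, events are routed to whatever `.splunk.index` holds when nothing sets it. A line in the block comment, `#index is no longer set here; it must come from the per-key context lookup`, and a changelog entry for the removed parameter would make the break explicit.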
@@ -73,7 +73,7 @@ parser cisco-parser-ex{ } elif { #Cisco IOS Other filter { - message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*|\.)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Za-z]{3,3} )?)? ?((?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' + message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*|\.)?(?:20\d\d )?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Za-z]{3,3} )?)? ?((?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: (last message repeated \d* times|(\%[^\: ]+)\:? ?.*)' flags(store-matches)); }; diff --git a/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl index 918530b..5f8b1e0 100644 --- a/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl +++ b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl @@ -53,7 +53,7 @@ log { rewrite { set("local_example", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("sc4s:local_example"), index("main")); + r_set_splunk_dest_default(sourcetype("sc4s:local_example")); }; # using the key "local_example" find any customized index,source or sourcetype meta values diff --git a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl index 35366a8..6630fda 100644 
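Review bot: The new `(?:20\d\d )?` term in the Cisco IOS Other regex consumes a leading year but discards it, so the stored timestamp in match `$8` still carries no year and anything that later parses `$8` into the message time has to infer it; whether such a stage exists is outside the hunk, but if it does the year should be captured rather than dropped. The alternation `(last message repeated \d* times|(\%[^\: ]+)\:? ?.*)` keeps the existing group numbering (outer `$12`, mnemonic `$13`), but for a repeated-message line `$13` is now unset, which downstream consumers of the mnemonic should expect. `\d*` also accepts an empty count; `\d+` is the intended shape. The enclosing `filter { ... }` and the parser's other branches lie outside the hunk.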
--- a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl @@ -13,7 +13,7 @@ log { set("IETF_SYSLOG", value("fields.sc4s_vendor_product")); }; - rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), index("main"), source("${APP}:${PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), source("${APP}:${PROGRAM}")) }; parser { p_add_context_splunk(key("IETF_SYSLOG")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl index 9ddf47b..354a6c6 100644 --- a/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl @@ -27,7 +27,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("brocade:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("brocade:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("brocade_syslog")); }; diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl index 778ac9b..f08ee05 100644 --- a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl @@ -45,7 +45,7 @@ log { set("${.kv.hostname}", value("HOST")); set("${.kv.hostname}", value("fields.cp_lm")); set("checkpoint_splunk", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) + r_set_splunk_dest_default(sourcetype("cp_log")) }; if { 
@@ -89,31 +89,31 @@ log { if { filter(f_checkpoint_splunk_NetworkTraffic); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"))}; parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; } elif { filter(f_checkpoint_splunk_Web); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"))}; parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; } elif { filter(f_checkpoint_splunk_NetworkSessions); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"))}; parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; } elif { filter(f_checkpoint_splunk_IDS_Malware); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"))}; parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; } elif { filter(f_checkpoint_splunk_IDS); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"))}; parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; } elif { filter(f_checkpoint_splunk_email); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"))}; parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; } elif { filter(f_checkpoint_splunk_DLP); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"))}; parser 
{p_add_context_splunk(key("checkpoint_splunk_dlp")); }; } elif { filter(f_checkpoint_splunk_syslog); @@ -130,7 +130,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; }; @@ -163,7 +163,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl index 97b7d4c..fc1b7a7 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl @@ -86,7 +86,7 @@ log { parser(acs_event_time); rewrite { set("cisco_acs", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:acs"), index("netauth")) + r_set_splunk_dest_default(sourcetype("cisco:acs")) }; parser {p_add_context_splunk(key("cisco_acs")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl index 64c123b..a7e3331 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl 
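Review bot: With `index("netdlp")` gone, the DLP branch at the end of the checkpoint hunk is identical to the NetworkTraffic branch at its top (`sourcetype("cp_log")`, `source("firewall")`) except for the context key, so DLP events are separated from firewall events only if the `checkpoint_splunk_dlp` metadata entry carries its own index. That entry is not part of this chunk; if it is missing, DLP data silently joins whatever index the firewall branch resolves to (previously netfw), which is a data-routing change. A comment on the branch, `# index for DLP comes only from the checkpoint_splunk_dlp context entry`, would record that dependency. The `log { ... }` body starts and ends outside the hunk.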
@@ -29,14 +29,14 @@ log { }; rewrite { set("cisco_APIC_acl", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), index("netfw"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_apic_acl")); }; } elif { rewrite { set("cisco_APIC_events", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:apic:events"), index("netops"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:apic:events"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_apic_events")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl index b60f1d6..54cb420 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl @@ -28,7 +28,7 @@ log { }; rewrite { set("cisco_ftd", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog")) }; parser {p_add_context_splunk(key("cisco_ftd")); }; parser (compliance_meta_by_source); @@ -37,7 +37,7 @@ log { } else { rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:asa")) }; parser {p_add_context_splunk(key("cisco_asa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl index 27acbc8..743c94b 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl 
@@ -23,7 +23,7 @@ log { rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:asa")) }; parser {p_add_context_splunk(key("cisco_asa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl index 9722fe1..aa1210d 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl @@ -86,7 +86,7 @@ log { parser(ise_event_time); rewrite { set("cisco_ise", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:ise:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("cisco:ise:syslog")) }; parser {p_add_context_splunk(key("cisco_ise")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl index 3822ee6..630b6ed 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("cisco_meraki", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("meraki"), index("netfw")) + r_set_splunk_dest_default(sourcetype("meraki")) }; parser {p_add_context_splunk(key("cisco_meraki")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl index b490903..6cfbc47 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl 
@@ -23,7 +23,7 @@ log { rewrite { set("cisco_nxos", value("fields.sc4s_vendor_product")); guess-time-zone(); - r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:ios"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_nx_os")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl index 61d0274..6bb6021 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl @@ -44,7 +44,7 @@ log { rewrite { set("cisco_ucm", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main")) + r_set_splunk_dest_default(sourcetype("cisco:ucm")) }; parser {p_add_context_splunk(key("cisco_ucm")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl index 9403f7d..785b988 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl @@ -26,7 +26,7 @@ log{ }; rewrite { set("cisco_wsa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:l4tm"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:l4tm")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); @@ -51,7 +51,7 @@ log{ }; rewrite { set("cisco_wsa11_7", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), index("netops"),source("wsa_11.7")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), source("wsa_11.7")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); 
@@ -75,7 +75,7 @@ log{ }; rewrite { set("cisco_wsa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:squid"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:squid")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl index d7ba89c..dd3260f 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl @@ -23,7 +23,7 @@ log { rewrite { set("cisco_ios", value("fields.sc4s_vendor_product")); guess-time-zone(); - r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:ios")) }; parser { p_add_context_splunk(key("cisco_ios")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl b/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl index ed6f197..94b5005 100644 --- a/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("citrix_netscaler", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("citrix:netscaler:syslog"), index("netfw")) + r_set_splunk_dest_default(sourcetype("citrix:netscaler:syslog")) }; parser {p_add_context_splunk(key("citrix_netscaler")); }; diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl index dbbf675..54e1b77 100644 --- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl @@ -63,7 +63,7 @@ log { }; rewrite { - r_set_splunk_dest_default(sourcetype("cef"), index("main")) + r_set_splunk_dest_default(sourcetype("cef")) }; parser (p_cef_header); 
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl index 413dea2..7ca852e 100644 --- a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl @@ -44,27 +44,27 @@ log { filter{match('audit\.admin' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } elif { filter{match('system\.com\.rsa|,\s+system\.erationsconsole' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } elif { filter{match('audit\.runtime\.com\.rsa' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } else { rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; }; 
@@ -81,9 +81,9 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; - parser { p_add_context_splunk(key("nix_syslog")); }; + parser { p_add_context_splunk(key("dell_rsa_secureid")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; } else { @@ -99,9 +99,9 @@ log { }; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:trace"), index("netauth")); + r_set_splunk_dest_default(sourcetype("rsa:securid:trace")); }; - parser { p_add_context_splunk(key("nix_syslog")); }; + parser { p_add_context_splunk(key("dell_rsa_secureid")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl index a12ca6b..308d60d 100644 --- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl @@ -31,7 +31,7 @@ log { set("f5_bigip", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("f5:bigip:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("f5:bigip:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); 
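Review bot: The nix:syslog branch in the `@@ -81` hunk and the trace branch in the `@@ -99` hunk both switch their context key from `nix_syslog` to `dell_rsa_secureid` while also losing their explicit index (`osnix` and `netauth` respectively), so operating-system syslog from the SecurID appliance now takes whatever index and overrides the `dell_rsa_secureid` entry defines instead of the generic `nix_syslog` ones. That is a routing change for OS events, which no longer land with other *nix syslog, and any user customisation keyed on `nix_syslog` silently stops applying to this source; it deserves a mention in the change description. Because one key now spans the four `rsa:securid:*` sourcetypes, `nix:syslog` and `rsa:securid:trace`, a per-key sourcetype override would hit all of them, so a comment such as `# key dell_rsa_secureid is shared by every SecurID branch, including OS syslog` would set expectations. The enclosing `log { ... }` block starts before this hunk.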
@@ -42,7 +42,7 @@ log { }; rewrite { set("f5_bigip_access_json", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:access_json"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:access_json")) }; parser { p_add_context_splunk(key("f5_bigip_access_json")); }; parser (compliance_meta_by_source); @@ -56,32 +56,32 @@ log { program('^f5_irule=Splunk-iRule-HTTP') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:http:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:http:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-DNS_REQUEST') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:request:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:request:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-DNS_RESPONSE') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:response:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:response:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-LB_FAILED') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:failed:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:failed:irule")) }; } else { rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:irule")) }; }; rewrite { @@ -96,7 +96,7 @@ log { }; rewrite { set("f5_bigip_asm", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("f5:bigip:asm:syslog"), index("netwaf")) + r_set_splunk_dest_default(sourcetype("f5:bigip:asm:syslog")) }; parser { p_add_context_splunk(key("f5_bigip_asm")); }; parser (compliance_meta_by_source); 
@@ -108,7 +108,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); @@ -117,7 +117,7 @@ log { rewrite { set("f5_bigip_rogue_message", value("fields.sc4s_vendor_product")); set("rogue-f5", value("fields.sc4s_error")); - r_set_splunk_dest_default(sourcetype("f5:bigip:rogue"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:rogue")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl index 40c072f..dbf9c3c 100644 --- a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl @@ -24,7 +24,7 @@ log { rewrite { subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global")); set("forcepoint_webprotect", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("websense:cg:kv"), index("netproxy")) + r_set_splunk_dest_default(sourcetype("websense:cg:kv")) }; parser {p_add_context_splunk(key("forcepoint_webprotect")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl index 4f0351c..438a1a6 100644 --- a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl 
@@ -65,16 +65,16 @@ log { set("${.kv.devname}", value("HOST")); }; if (match("traffic" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_traffic"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_traffic")); }; } elif (match("attack" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_attack"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_attack"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_attack")); }; } elif (match("event" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_event"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_event"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_event")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_log"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_log")); }; }; #FortiOS 
@@ -84,16 +84,16 @@ log { set("${.kv.devname}", value("HOST")); }; if (match("traffic" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"))}; parser {p_add_context_splunk(key("fortinet_fortios_traffic")); }; } elif (match("utm" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"))}; parser {p_add_context_splunk(key("fortinet_fortios_utm")); }; } elif (match("event" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"))}; parser {p_add_context_splunk(key("fortinet_fortios_event")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"))}; parser {p_add_context_splunk(key("fortinet_fortios_log")); }; }; }; diff --git a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl index 086e3a5..261dbe4 100644 --- a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl @@ -27,7 +27,7 @@ log { set("infoblox_dns", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:dns"), index("netdns"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:dns"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_dns")); }; } elif { 
@@ -36,7 +36,7 @@ log { set("infoblox_dhcp", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:dhcp"), index("netipam"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:dhcp"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_dhcp")); }; } elif { @@ -45,7 +45,7 @@ log { set("infoblox_threat", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:threat"), index("netids"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:threat"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_threat")); }; } else { @@ -54,7 +54,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("nix_syslog")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl index 432c393..b5d3cf9 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl 
@@ -26,19 +26,19 @@ log { }; if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"))}; parser {p_add_context_splunk(key("juniper_idp")); }; } elif (program('RT_FLOW') or message('PFE_FW_|DFWD_')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_fw")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_ids")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_utm")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"))}; parser {p_add_context_splunk(key("juniper_legacy")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl index 8f4371b..3b3dd45 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl 
@@ -25,25 +25,25 @@ log { set("juniper_junos", value("fields.sc4s_vendor_product")); }; if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured")) }; parser {p_add_context_splunk(key("juniper_idp_structured")); }; } elif (program('RT_FLOW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_fw_structured")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_ids_structured")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_utm_structured")); }; } elif (program('RT_AAMW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured")) }; parser {p_add_context_splunk(key("juniper_junos_aamw_structured")); }; } elif (program('RT_SECINTEL')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured")) }; parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) }; + rewrite { 
r_set_splunk_dest_default(sourcetype("juniper:structured")) }; parser {p_add_context_splunk(key("juniper_structured")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl index 49cdbb9..d10b21c 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("juniper_netscreen", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("netscreen:firewall"), index("netfw")) + r_set_splunk_dest_default(sourcetype("netscreen:firewall")) }; parser { p_add_context_splunk(key("juniper_netscreen")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl index 74b590d..6c1cf8c 100644 --- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl @@ -31,11 +31,12 @@ log { r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), source("${.mcafee.product}")) }; } else { - # If the product is not provided by EPO we will just use a constant for the value - rewrite { - set("mcafee_epo", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), source("epo")) - }; + # If the product is not provided by EPO we will just use a constant for the value + rewrite { + set("mcafee_epo", value("fields.sc4s_vendor_product")); + r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), source("epo")) + }; + }; parser {p_add_context_splunk(key("mcafee_epo")); }; diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl index f07df1c..52131be 100644 --- a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl 
@@ -58,7 +58,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"))}; parser {p_add_context_splunk(key("pan_threat")); }; } elif (match('TRAFFIC', value('.pan.type'))) { parser { @@ -68,7 +68,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"))}; parser {p_add_context_splunk(key("pan_traffic")); }; } elif (match('SYSTEM', value('.pan.type'))) { parser { @@ -78,7 +78,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:system"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:system"))}; parser {p_add_context_splunk(key("pan_system")); }; } elif (match('CONFIG', value('.pan.type'))) { parser { @@ -88,7 +88,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:config"))}; parser {p_add_context_splunk(key("pan_config")); }; } elif (match('HIPMATCH', value('.pan.type'))) { parser { @@ -98,7 +98,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"))}; parser {p_add_context_splunk(key("pan_hipmatch")); }; } elif (match('CORRELATION', value('.pan.type'))) { parser { @@ -108,7 +108,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"))}; parser {p_add_context_splunk(key("pan_correlation")); }; } elif (match('USERID', value('.pan.type'))) { parser { 
@@ -118,7 +118,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"), index("netauth"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"))}; parser {p_add_context_splunk(key("pan_userid")); }; } else { parser { @@ -128,7 +128,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:log"))}; parser {p_add_context_splunk(key("pan_log")); }; }; rewrite { diff --git a/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl b/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl index 293f428..4fb3fcb 100644 --- a/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl @@ -27,7 +27,7 @@ log { set("pfsense_filterlog", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("pfsense:filterlog"), index("netfw"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("pfsense:filterlog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("pfsense_filterlog")); }; parser (compliance_meta_by_source); @@ -38,7 +38,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("pfsense:${.PROGRAM}"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("pfsense:${.PROGRAM}"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("pfsense")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl index 8881d4c..6968eda 100644 --- a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl @@ -23,12 +23,12 @@ log { if (filter(f_proofpoint_pps_filter)) { rewrite { set("proofpoint_pps_filter", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("pps_filter_log"), index("email"))}; + r_set_splunk_dest_default(sourcetype("pps_filter_log"))}; parser { p_add_context_splunk(key("proofpoint_pps_filter")); }; } else { rewrite { set("proofpoint_pps_sendmail", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("pps_mail_log"), index("email"))}; + r_set_splunk_dest_default(sourcetype("pps_mail_log"))}; parser { p_add_context_splunk(key("proofpoint_pps_sendmail")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl index f1f50aa..bb8c017 100644 --- a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl @@ -3,7 +3,7 @@ log { if (match("Log statistics; " value("MESSAGE"))) { - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:metrics"), index("em_metrics")) }; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:metrics")) }; parser {p_add_context_splunk(key("sc4s_metrics")); }; rewrite { @@ -16,11 +16,10 @@ log { ); }; - {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_METRICS_HEC" "no")) }} + {{- if eq (getenv "SC4S_DEST_SPLUNK_SC4S_METRICS_HEC" "no") "yes" }} destination(d_hecmetrics); - {{- end}} - {{- if eq (getenv "SC4S_DEBUG_STDOUT" "yes") "no"}} + {{- if eq (getenv "SC4S_DEBUG_STDOUT" "no") "yes" }} destination(d_stdout); {{- end}} 
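Review bot: In lp-sc4s_internal.conf.tmpl `@@ -16,11 +16,10 @@`, the new metrics gate `{{- if eq (getenv "SC4S_DEST_SPLUNK_SC4S_METRICS_HEC" "no") "yes" }}` is a strict string comparison, whereas the events gate later in the same file (`@@ -42,7 +42,7 @@`) still uses `conv.ToBool`, so values such as `true`, `1` or `YES` enable events but silently leave metrics disabled. Writing it as `{{- if conv.ToBool (getenv "SC4S_DEST_SPLUNK_SC4S_METRICS_HEC" "no") }}` keeps both switches parsing the same way. This hunk also removes the `{{- end}}` that closed the metrics gate, so the `SC4S_DEBUG_STDOUT` block and the alternates that follow are now nested inside it and only closed by the `{{- end }}` added in the next hunk; if that nesting is intended, a comment on the `if` line saying so would help. The log {} block begins and ends outside this hunk.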
@@ -28,13 +27,14 @@ log { {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }}); {{- end }} - {{- if (print (getenv "SC4S_DEST_INTERNAL_EVENTS_ALTERNATES")) }} + {{- if (print (getenv "SC4S_DEST_SPLUNK_SC4S_METRICS_ALTERNATES")) }} {{ getenv "SC4S_DEST_INTERNAL_EVENTS_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }}); {{- end }} + {{- end }} } else { - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"))}; parser {p_add_context_splunk(key("sc4s_events")); }; if (not match("Destination timeout has elapsed, closing connection; fd=" value("MESSAGE")) and @@ -42,7 +42,7 @@ log { not match("Syslog connection closed; fd=" value("MESSAGE")) and not match("Syslog connection accepted; fd=" value("MESSAGE"))) { - {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no")) }} + {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_SPLUNK_SC4S_EVENTS_HEC" "no")) }} destination(d_hec_internal); {{- end}} 
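Review bot: The condition is switched to `SC4S_DEST_SPLUNK_SC4S_METRICS_ALTERNATES`, but the line it guards still expands `getenv "SC4S_DEST_INTERNAL_EVENTS_ALTERNATES"`, so with only the new variable set the template renders `destination();` from an empty string and the configuration should fail to load, while with only the old variable set nothing is rendered at all. The expansion should read `{{ getenv "SC4S_DEST_SPLUNK_SC4S_METRICS_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});`, matching what `@@ -50,12 +50,12 @@` does for the events branch. The added `{{- end }}` also places the global and metrics alternates inside the `SC4S_DEST_SPLUNK_SC4S_METRICS_HEC` gate, so alternates alone can no longer receive metrics; if that is the intended opt-in, docs/configuration.md should say so. The log {} block begins and ends outside this hunk.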
@@ -50,12 +50,12 @@ log { {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }}); {{- end }} - {{- if (print (getenv "SC4S_DEST_INTERNAL_EVENTS_ALTERNATES")) }} - {{ getenv "SC4S_DEST_INTERNAL_EVENTS_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }}); + {{- if (print (getenv "SC4S_DEST_SPLUNK_SC4S_EVENTS_ALTERNATES")) }} + {{ getenv "SC4S_DEST_SPLUNK_SC4S_EVENTS_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }}); {{- end }} }; - {{- if eq (getenv "SC4S_DEBUG_STDOUT" "no") "yes"}} + {{- if eq (getenv "SC4S_DEBUG_STDOUT" "no") "yes" }} destination(d_stdout); {{- end}} }; diff --git a/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl index c0dedf6..1665e64 100644 --- a/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl @@ -3,7 +3,7 @@ log { source(s_startup_out); - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:out"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:out"))}; parser {p_add_context_splunk(key("sc4s_events")); }; {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no")) }} @@ -28,7 +28,7 @@ log { log { source(s_startup_err); - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:err"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:err"))}; parser {p_add_context_splunk(key("sc4s_events")); }; {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no")) }} 
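Review bot: Both hunks in lp-sc4s_startup.conf.tmpl leave the HEC gate reading `SC4S_DEST_INTERNAL_EVENTS_HEC`, while lp-sc4s_internal.conf.tmpl in this same diff renames that switch to `SC4S_DEST_SPLUNK_SC4S_EVENTS_HEC` (its `@@ -42,7 +42,7 @@`). An operator who sets only the new name will receive runtime events in HEC but not the startup stdout/stderr events, and the old name survives as an undocumented leftover. The gate in both startup log {} blocks should become `{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_SPLUNK_SC4S_EVENTS_HEC" "no")) }}`, or the rename should be documented as deliberately excluding startup events. Both startup log {} blocks continue past their hunks.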
diff --git a/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl b/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl index 97d28d0..8c269c3 100644 --- a/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl @@ -22,7 +22,7 @@ log { }; rewrite { set("schneider_apc", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("apc:syslog"), index("main")) + r_set_splunk_dest_default(sourcetype("apc:syslog")) }; parser { p_add_context_splunk(key("schneider_apc")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl index 66b22cc..0bd3dda 100644 --- a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl @@ -6,7 +6,7 @@ log { ); }; - rewrite { r_set_splunk_dest_default(sourcetype("snmp:trap"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("snmp:trap"))}; parser {p_add_context_splunk(key("snmp_trap")); }; rewrite { set("$(template ${.splunk.sc4s_template} $(template t_snmp_trap))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl index baa48a9..74bde79 100644 --- a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl @@ -56,7 +56,7 @@ log { rewrite { set("symantec_brightmail", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("symantec:smg:mail"), index("email"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("symantec:smg:mail"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("symantec_brightmail")); }; parser (compliance_meta_by_source); 
@@ -76,7 +76,7 @@ log { rewrite { set("symantec_brightmail", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("symantec:smg"), index("email"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("symantec:smg"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("symantec_brightmail")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl index e093563..c758541 100644 --- a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl 
@@ -24,66 +24,66 @@ log { if { filter(f_symantec_ep_proactive); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog")) }; } elif { filter(f_symantec_ep_risk); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog")) }; } elif { filter(f_symantec_ep_agt_system); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog")) }; } elif { filter(f_symantec_ep_packet); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog")) }; } elif { filter(f_symantec_ep_traffic); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog")) }; } elif { filter(f_symantec_ep_security); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog")) }; } elif { filter(f_symantec_ep_scan); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog")) }; } elif { filter(f_symantec_ep_behavior); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog")) }; } elif { filter(f_symantec_ep_policy); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog")) }; } elif { filter(f_symantec_ep_admin); rewrite { - 
r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog")) }; } elif { filter(f_symantec_ep_agent); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog")) }; } elif { filter(f_symantec_ep_scm_system); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog")) }; } else { rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:syslog")) }; }; rewrite { diff --git a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl index 1447711..30f725b 100644 --- a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("bluecoat_proxy", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"), index("netproxy")) + r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv")) subst( "([-_a-zA-Z\(\)]+=(\"-\"|-| ))", "", value(MESSAGE) diff --git a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl index bccf149..e1a643a 100644 --- a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl 
@@ -32,17 +32,17 @@ log { rewrite { set("${LEGACY_MSGHDR}${MSG}" value("MSG")); }; if (match("[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:" value("MSG"))) { - rewrite { r_set_splunk_dest_default(sourcetype("ubnt:threat"), index("netids")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ubnt:threat")) }; parser {p_add_context_splunk(key("ubiquiti_unifi_threat")); }; } elif (match("\S+\slinkcheck:" value("MSG"))) { - rewrite { r_set_splunk_dest_default(sourcetype("ubnt:link"), index("netops")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ubnt:link")) }; parser {p_add_context_splunk(key("ubiquiti_unifi_link")); }; } elif (match("\d+:\d+:\d+\s\S+\ssudo:" value("MSG"))) { - rewrite { r_set_splunk_dest_default(sourcetype("ubnt:sudo"), index("netops")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ubnt:sudo")) }; parser {p_add_context_splunk(key("ubiquiti_unifi_sudo")); }; } else { rewrite { - r_set_splunk_dest_default(sourcetype("ubnt:fw"), index("netfw")); + r_set_splunk_dest_default(sourcetype("ubnt:fw")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_fw")); }; }; 
@@ -57,21 +57,21 @@ log { if (match('hostapd:\s+ath' value("MSG"))) { rewrite { set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:hostapd"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:hostapd")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); }; } elif (match('\d+:\d+:\d+\s\S+\smcad:' value("MSG"))) { rewrite { set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:mcad"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:mcad")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); }; } else { rewrite { set("ubiquiti_unifi_switch", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:switch"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:switch")); set("${FULLHOST_FROM}",value("HOST")); set("${model}", value("fields.model")); set("${serial}", value("fields.serial")); @@ -87,7 +87,7 @@ log { }; rewrite { set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:wireless"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:wireless")); set("${FULLHOST_FROM}",value("HOST")); set("${model}", value("fields.model")); set("${serial}", value("fields.serial")); @@ -98,7 +98,7 @@ log { } elif (match("traputil.c\(696\) " value("MSG"))) { rewrite { set("ubiquiti_unifi_edge_switch", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:edgeswitch"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:edgeswitch")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_edge_switch")); }; 
@@ -106,7 +106,7 @@ log { } else { rewrite { set("ubiquiti_unifi", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi")); }; diff --git a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl index 2aeed34..a3cfc91 100644 --- a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl @@ -27,7 +27,7 @@ log { rewrite { set("vmware_nsx", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), source("program:${PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_nsx")); }; parser (compliance_meta_by_source); @@ -41,7 +41,7 @@ log { set("vmware_nsx", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${.PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), source("program:${.PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_nsx")); }; parser (compliance_meta_by_source); @@ -52,7 +52,7 @@ log { rewrite { set("vmware_vcenter", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), index("main"), source("program:${PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), source("program:${PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_vcenter")); }; parser (compliance_meta_by_source); 
@@ -65,7 +65,7 @@ log { set("vmware_vcenter", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), index("main"), source("program:${.PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), source("program:${.PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_vcenter")); }; parser (compliance_meta_by_source); @@ -78,7 +78,7 @@ log { rewrite { set("vmware_vsphere_esx", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), source("program:${PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_esx")); }; parser (compliance_meta_by_source); @@ -92,7 +92,7 @@ log { set("vmware_vsphere_esx", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${.PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), source("program:${.PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_esx")); }; parser (compliance_meta_by_source); @@ -107,7 +107,7 @@ log { subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("nix_syslog")); }; parser (compliance_meta_by_source); if { diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl index 25d655a..0c6442e 100644 --- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -45,7 +45,7 @@ log {
 and match('.' value('.json.AppGroup'))
 and match('.' value('.json.Application'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } elif {
 filter {
@@ -53,7 +53,7 @@ log {
 and match('.' value('.json.Customer'))
 and match('.' value('.json.ConnectionID'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } elif {
 filter {
@@ -61,20 +61,20 @@ log {
 and match('.' value('.json.Customer'))
 and match('.' value('.json.ConnectorGroup'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } elif {
 filter {
 match('.' value('.json.SAMLAttributes'))
 and match('.' value('.json.Customer'))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netproxy"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"))};
 parser { p_add_context_splunk(key("zscaler_lss")); };
 } else {
 rewrite {
 set("zscaler_lss_rogue_message", value("fields.sc4s_vendor_product"));
 set("rogue-zscaler_lss", value("fields.sc4s_error"));
- r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"), index("netproxy"))
+ r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"))
 };
 parser { p_add_context_splunk(key("zscaler_lss")); };
 # Rogue message needs a different template than valid LSS events. Final rewrite (further below) will be a
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
index b38adf1..836a779 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
@@ -21,7 +21,7 @@ log {
 };
 };
 if (message('^ZscalerNSS:')) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"), index("netops"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"))};
 parser { p_add_context_splunk(key("zscaler_alerts")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
@@ -37,22 +37,22 @@ log { }; if (match("dns" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"), index("netdns"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"))}; parser { p_add_context_splunk(key("zscaler_dns")); }; } elif (match("fw" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"))}; parser { p_add_context_splunk(key("zscaler_fw")); }; } elif (match("NSS" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"))}; parser { p_add_context_splunk(key("zscaler_web")); }; } elif (match("audit" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"))}; parser { p_add_context_splunk(key("zscaler_zia_audit")); }; } elif (match("sandbox" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"))}; parser { p_add_context_splunk(key("zscaler_zia_sandbox")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"))}; parser { p_add_context_splunk(key("zscaler_nss")); }; diff --git a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl index 558818d..24fd1a4 100644 --- a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl 
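Review bot: The final `else` branch of this hunk removes `index("main")` from the zscalernss-unknown destination but keys its lookup on `zscaler_nss`, and the splunk_index.csv.example rewritten in this same commit has rows for zscaler_alerts, _dns, _fw, _web, _zia_audit, _zia_sandbox and _lss only — there is no `zscaler_nss` row. Unless r_set_splunk_dest_default supplies a default index of its own (not visible here), unrecognised NSS product values no longer have a defined destination; adding `zscaler_nss,index,main` to the csv example keeps the previous behaviour. The five recognised branches above it all map to csv rows whose indexes match the values removed here. The enclosing log block starts and ends outside the hunk.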
@@ -26,7 +26,7 @@ log { subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("nix_syslog")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl index d8bbd88..7a7b16d 100644 --- a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl @@ -8,14 +8,14 @@ log { if { filter(f_is_rfc5424_strict); - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback")); }; parser { p_add_context_splunk(key("sc4s_fallback")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback")); }; parser { p_add_context_splunk(key("sc4s_fallback")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_3164))" value("MSG")); }; diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example index b740247..7b8e14e 100644 --- a/package/etc/context_templates/splunk_index.csv.example +++ b/package/etc/context_templates/splunk_index.csv.example 
@@ -1,82 +1,97 @@
-#bluecoat_proxy,index,netproxy
-#ArcSight_ArcSight,index,netwaf
-#Cyber-Ark_Vault,index,netauth
-#CyberArk_PTA,index,main
-#Incapsula_SIEMintegration,index,netwaf
-#Microsoft_Microsoft Windows,index,oswinsec
-#Microsoft_System or Application Event,index,oswin
-#checkpoint_splunk,index,netops
-#checkpoint_splunk_dlp,index,netdlp
-#checkpoint_splunk_email,index,email
-#checkpoint_splunk_firewall,index,netfw
-#checkpoint_splunk_sessions,index,netops
-#checkpoint_splunk_web,index,netproxy
-#checkpoint_splunk,index,netops
-#checkpoint_splunk,index,netops
-#cisco_apic_acl,index,netfw
-#cisco_apic_events,index,netops
-#cisco_acs,index,netauth
-#cisco_asa,index,netfw
-#cisco_ios,index,netops
-#cisco_ise,index,netauth
-#cisco_nx_os,index,netops
-#cisco_ucm,index,main
-#dell_rsa_secureid,index,netauth
-#citrix_netscaler,index,netfw
-#local_example,index,main
-#forcepoint_webprotect,index,netproxy
-#f5_bigip,index,netops
-#f5_bigip_irule,index,netops
-#f5_bigip_asm,index,netwaf
-#f5_bigip_nix,index,netops
-#fortinet_fortios_event,index,netops
-#fortinet_fortios_log,index,netops
-#fortinet_fortios_traffic,index,netfw
-#fortinet_fortios_utm,index,netids
-#fortinet_fortweb_log,index,netops
-#fortinet_fortweb_traffic,index,netfw
-#fortinet_fortweb_attack,index,netids
-#infoblox_dns,index,netdns
-#infoblox_dhcp,index,netipam
-#infoblox_threat,index,netids
-#juniper_idp,index,netids
-#juniper_structured,index,netops
-#juniper_idp_structured,index,netids
-#juniper_junos_fw_structured,index,netfw
-#juniper_junos_ids_structured,index,netids
-#juniper_junos_utm_structured,index,netfw
-#juniper_junos_aamw_structured,index,netfw
-#juniper_junos_secintel_structured,index,netfw
-#juniper_junos_fw,index,netfw
-#juniper_junos_ids,index,netids
-#juniper_junos_utm,index,netfw
-#juniper_netscreen,index,netfw
-#juniper_legacy,index,netops
-#mcafee_epo,index,epav
-#nix_syslog,index,osnix
-#pan_traffic,index,netfw
-#pan_threat,index,netproxy
-#pan_system,index,netops
-#pan_config,index,netops
-#pan_hipmatch,index,main
-#pan_correlation,index,main
-#pan_userid,index,netauth
-#pan_unknown,index,netops
-#pfsense,index,netops
-#pfsense_filterlog,index,netfw
-#proofpoint_pps_filter,index,email
-#proofpoint_pps_sendmail,index,email
-#sc4s_events,index,main
-#sc4s_fallback,index,main
-#sc4s_metrics,index,em_metrics
-#symantec_ep,index,epav
-#vmware_esx,index,main
-#vmware_nsx,index,main
-#vmware_vcenter,index,main
-#zscaler_alerts,index,main
-#zscaler_dns,index,netdns
-#zscaler_fw,index,netfw
-#zscaler_web,index,netproxy
-#zscaler_zia_audit,index,netops
-#zscaler_zia_sandbox,index,main
-#zscaler_lss,index,netproxy
\ No newline at end of file
+bluecoat_proxy,index,netproxy
+brocade_syslog,index,netops
+ArcSight_ArcSight,index,main
+Cyber-Ark_Vault,index,netauth
+CyberArk_PTA,index,main
+Incapsula_SIEMintegration,index,netwaf
+Microsoft_Microsoft Windows,index,oswinsec
+Microsoft_System or Application Event,index,oswin
+checkpoint_splunk,index,netops
+checkpoint_splunk_dlp,index,netdlp
+checkpoint_splunk_email,index,email
+checkpoint_splunk_firewall,index,netfw
+checkpoint_splunk_ids,index,netids
+checkpoint_splunk_sessions,index,netops
+checkpoint_splunk_web,index,netproxy
+checkpoint_splunk,index,netops
+checkpoint_splunk,index,netops
+cisco_apic_acl,index,netfw
+cisco_apic_events,index,netops
+cisco_acs,index,netauth
+cisco_asa,index,netfw
+cisco_ftd,index,netfw
+cisco_ios,index,netops
+cisco_ise,index,netauth
+cisco_meraki,index,netfw
+cisco_nx_os,index,netops
+cisco_ucm,index,main
+cisco_wsa,index,netproxy
+dell_rsa_secureid,index,netauth
+citrix_netscaler,index,netfw
+local_example,index,main
+forcepoint_webprotect,index,netproxy
+f5_bigip,index,netops
+f5_bigip_access_json,index,netops
+f5_bigip_irule,index,netops
+f5_bigip_asm,index,netwaf
+f5_bigip_nix,index,netops
+fortinet_fortios_event,index,netops
+fortinet_fortios_log,index,netops
+fortinet_fortios_traffic,index,netfw
+fortinet_fortios_utm,index,netids
+fortinet_fortiweb_attack,index,netids
+fortinet_fortiweb_event,index,netops
+fortinet_fortiweb_log,index,netops
+fortinet_fortiweb_traffic,index,netfw
+infoblox_dns,index,netdns
+infoblox_dhcp,index,netipam
+infoblox_threat,index,netids
+juniper_idp,index,netids
+juniper_structured,index,netops
+juniper_idp_structured,index,netids
+juniper_junos_fw_structured,index,netfw
+juniper_junos_ids_structured,index,netids
+juniper_junos_utm_structured,index,netfw
+juniper_junos_aamw_structured,index,netfw
+juniper_junos_secintel_structured,index,netfw
+juniper_junos_fw,index,netfw
+juniper_junos_ids,index,netids
+juniper_junos_utm,index,netfw
+juniper_netscreen,index,netfw
+juniper_legacy,index,netops
+mcafee_epo,index,epav
+nix_syslog,index,osnix
+pan_traffic,index,netfw
+pan_threat,index,netproxy
+pan_system,index,netops
+pan_config,index,netops
+pan_hipmatch,index,main
+pan_correlation,index,main
+pan_userid,index,netauth
+pan_unknown,index,netops
+pfsense,index,netops
+pfsense_filterlog,index,netfw
+proofpoint_pps_filter,index,email
+proofpoint_pps_sendmail,index,email
+sc4s_events,index,main
+sc4s_fallback,index,main
+sc4s_metrics,index,em_metrics
+symantec_ep,index,epav
+symantec_brightmail,index,email
+ubiquiti_unifi,index,netops
+ubiquiti_unifi_fw,index,netfw
+ubiquiti_unifi_link,index,netops
+ubiquiti_unifi_sudo,index,netops
+ubiquiti_unifi_switch,index,netops
+ubiquiti_unifi_threat,index,netidss
+ubiquiti_unifi_wireless,index,netops
+vmware_esx,index,main
+vmware_nsx,index,main
+vmware_vcenter,index,main
+zscaler_alerts,index,netops
+zscaler_dns,index,netdns
+zscaler_fw,index,netfw
+zscaler_web,index,netproxy
+zscaler_zia_audit,index,netops
+zscaler_zia_sandbox,index,main
+zscaler_lss,index,netproxy
\ No newline at end of file
diff --git a/package/etc/local_config/log_paths/lp-example.conf.tmpl b/package/etc/local_config/log_paths/lp-example.conf.tmpl
index d168cc9..3eb4b0c 100644
--- a/package/etc/local_config/log_paths/lp-example.conf.tmpl
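Review bot: `ubiquiti_unifi_threat,index,netidss` looks like a typo for `netids`, the index every other IDS/threat row in this file uses (infoblox_threat, juniper_idp, fortinet_fortiweb_attack, checkpoint_splunk_ids); no other row on this page references an index called netidss. Because the entrypoint change in this commit now uncomments and merges this file into the live splunk_index.csv, UniFi IPS/threat events would be addressed to an index that is unlikely to exist, and HEC normally rejects events for an unknown index rather than storing them, so the line should read `ubiquiti_unifi_threat,index,netids`. The three identical `checkpoint_splunk,index,netops` rows carried over from the old file become live entries rather than comments; they are harmless only if the lookup tolerates duplicate keys, and keeping one row avoids the question. `ArcSight_ArcSight` also moves from netwaf to main here with nothing in the hunk explaining the change, which is worth a line in the commit description since the file itself cannot carry a comment once the `#` prefixes are stripped.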
+++ b/package/etc/local_config/log_paths/lp-example.conf.tmpl @@ -53,7 +53,7 @@ log { rewrite { set("local_example", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("sc4s:local_example"), index("main")); + r_set_splunk_dest_default(sourcetype("sc4s:local_example")); }; # using the key "local_example" find any customized index,source or sourcetype meta values diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh index f2cedb0..c663740 100755 --- a/package/sbin/entrypoint.sh +++ b/package/sbin/entrypoint.sh 
@@ -34,13 +34,28 @@ hup_handler() { trap 'kill ${!}; hup_handler' SIGHUP trap 'kill ${!}; term_handler' SIGTERM - -gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --out=\2/') --template t=etc/go_templates/ +# Run gomplate to create config from templates if the command errors this is fatal +# Stop the container. Errors in this step should only happen with user provided +#Templates +if ! gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --out=\2/') --template t=etc/go_templates/; then + echo "Error in Gomplate template; unable to continue, exiting..." + exit 800 +fi mkdir -p /opt/syslog-ng/etc/conf.d/local/context/ mkdir -p /opt/syslog-ng/etc/conf.d/local/config/ -cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context/ +cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose -n $file ${file%.example}; done + +#splunk_indexes.csv updates +#Remove comment headers from existing config +touch /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv +sed -i 's/^#//' /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv +# Add new entries +awk '{print $0}' /opt/syslog-ng/etc/context_templates/splunk_index.csv /opt/syslog-ng/etc/context_templates/splunk_index.csv.example | sort -b -t ',' -k1,2 -u +#We don't need this file anylonger +rm -f /opt/syslog-ng/etc/context_templates/splunk_index.csv.example + cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/ mkdir -p /opt/syslog-ng/var/log 
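Review bot: The merge in the new `#splunk_indexes.csv updates` block never writes its result anywhere: `awk '{print $0}' ... | sort -b -t ',' -k1,2 -u` goes to stdout, and its first input is `/opt/syslog-ng/etc/context_templates/splunk_index.csv` rather than the `conf.d/local/context/splunk_index.csv` that the preceding `touch` and `sed` prepared, so on a container that already has an index file the example's new rows are only echoed to the log before `rm -f` deletes the example, and the live file is left unchanged. The rewrite below reads the local file and moves the sorted output over it; since `sort -u` keeps one row per key, listing the local file first should let an operator's override win, but verify that against the sort implementation in the image. `sed -i 's/^#//'` also re-activates any row an operator deliberately commented out, which silently changes where their events are routed — restricting it to the known header shape, or only running it once on first copy, would avoid that. Separately, `exit 800` is outside the 0–255 range an exit status can carry and will be reported as 32; pick a value below 256.
```shell
ctx=/opt/syslog-ng/etc/conf.d/local/context
# … unchanged: touch / sed header strip …
awk '{print $0}' "$ctx/splunk_index.csv" /opt/syslog-ng/etc/context_templates/splunk_index.csv.example \
    | sort -b -t ',' -k1,2 -u > "$ctx/splunk_index.csv.merged" \
    && mv -f "$ctx/splunk_index.csv.merged" "$ctx/splunk_index.csv"
```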
@@ -56,6 +71,19 @@ echo syslog-ng starting /opt/syslog-ng/sbin/syslog-ng $@ & pid="$!" +sleep 5 +if ! ps -p $pid > /dev/null +then + echo "syslog-ng failed to start; PID $pid is not running, exiting..." + if [ "${SC4S_DEBUG_CONTAINER}" != "yes" ] + then + exit $(wait ${pid}) + else + tail -f /dev/null + fi + # Do something knowing the pid exists, i.e. the process with $PID is running +fi + # wait forever if [[ $@ != *"-s"* ]]; then while true diff --git a/tests/docker-compose-ci.yml b/tests/docker-compose-ci.yml index 6221947..8fcb6ae 100644 --- a/tests/docker-compose-ci.yml +++ b/tests/docker-compose-ci.yml @@ -39,6 +39,7 @@ services: environment: - SPLUNK_HEC_URL=https://splunk:8088 - SPLUNK_HEC_TOKEN=70b6ae71-76b3-4c38-9597-0c5b37ad9630 + - SC4S_DEST_SPLUNK_SC4S_METRICS_HEC=yes - SC4S_SOURCE_TLS_ENABLE=no - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml index e6c4eb8..e5daca8 100644 --- a/tests/docker-compose.yml +++ b/tests/docker-compose.yml @@ -14,7 +14,7 @@ services: context: ../package hostname: sc4s #When this is enabled test_common will fail - command: -dvt + command: -det ports: - "514" - "601" @@ -29,6 +29,7 @@ services: environment: - SPLUNK_HEC_URL=https://splunk:8088 - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN} + - SC4S_DEST_SPLUNK_SC4S_METRICS_HEC=yes - SC4S_SOURCE_TLS_ENABLE=no - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py index 9e79df9..ea884cc 100644 --- a/tests/test_cisco_ios.py +++ b/tests/test_cisco_ios.py 
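Review bot: `exit $(wait ${pid})` in the added failure branch does not propagate the child's status: `wait` reports it through `$?` and prints nothing, so the substitution is empty and `exit` runs without an argument, leaving the exit code to whatever the shell last recorded; write `wait "${pid}"; exit $?` instead. The `# Do something knowing the pid exists, i.e. the process with $PID is running` comment sits in the branch that runs when the process is *not* running and should be dropped. The `sleep 5` probe is a single check, so a syslog-ng that fails after five seconds is not caught here — whether the `while true` loop below re-checks is outside the hunk — and with SC4S_DEBUG_CONTAINER=yes the `tail -f /dev/null` keeps a collector alive that accepts no syslog, so at least send the failure message to stderr (`>&2`) so it is distinguishable in the container log.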
@@ -42,6 +42,8 @@ "{{ mark }}84027: {{ bsd }}.{{ millisec }} dst: %SYS-5-CONFIG_I: Configured from console by username on vty0 ({{ host }})", "{{ mark }}{{ host }}: *spamApTask1: {{ bsd }}.{{ millisec }}: %CAPWAP-4-DISC_INTF_ERR2: [PA]capwap_ac_sm.c:2053 Ignoring Primary discovery request received on a wrong VLAN (202) on interface (8) from AP 00:b7:00:00:00:00", "{{ mark }}22191: {{ host }}: 022546: {{ bsd }}.{{ millisec }} CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:dfa_service_admin logged command:!exec: enable", + "{{ mark }}{{ host }}: {{ year }} {{ bsd }} CDT: %MODULE-2-MOD_SOMEPORTS_FAILED: Module 13 (Serial number: JAF12345678) reported failure on ports Eth13/17-20 (Ethernet) due to hardware not accessible in device DEV_CLP_FWD(device error 0xca804200)", + "{{ mark }}{{ host }}: {{ year }} {{ bsd }}.{{ millisec }} CDT: %MODULE-2-MOD_SOMEPORTS_FAILED: Module 13 (Serial number: JAF12345678) reported failure on ports Eth13/17-20 (Ethernet) due to hardware not accessible in device DEV_CLP_FWD(device error 0xca804200)", ] testdata_badtime = [ "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet", @@ -78,6 +80,7 @@ def test_cisco_ios( dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + year = dt.year # Tune time functions epoch = epoch[:-7] @@ -95,6 +98,7 @@ def test_cisco_ios( microsec=microsec, tzname=tzname, host=host, + year=year, ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) diff --git a/tests/test_cisco_wsa.py b/tests/test_cisco_wsa.py index 3a4e2de..ff3e1f8 100644 --- a/tests/test_cisco_wsa.py +++ b/tests/test_cisco_wsa.py 
@@ -50,7 +50,7 @@ def test_cisco_wsa_squid_11_7(record_property, setup_wordlist, get_host_key, set sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops sourcetype=\"cisco:wsa:squid:new\" _raw=\"{{ message }}\"") + "search index=netproxy sourcetype=\"cisco:wsa:squid:new\" _raw=\"{{ message }}\"") message1 = mt.render(mark="", bsd="", host="") search = st.render(host=host, message=message1.lstrip().replace('"','\\"')) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -77,7 +77,7 @@ def test_cisco_wsa_squid(record_property, setup_wordlist, get_host_key, setup_sp sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops sourcetype=\"cisco:wsa:squid\" _raw=\"{{ message }}\"") + "search index=netproxy sourcetype=\"cisco:wsa:squid\" _raw=\"{{ message }}\"") message1 = mt.render(mark="", bsd="", host="") search = st.render(host=host, message=message1.lstrip().replace('"','\\"')) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -103,7 +103,7 @@ def test_cisco_wsa_l4tm(record_property, setup_wordlist, get_host_key, setup_spl sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"cisco:wsa:l4tm\" _raw=\"{{ message }}\"") + "search index=netproxy _time={{ epoch }} sourcetype=\"cisco:wsa:l4tm\" _raw=\"{{ message }}\"") message1 = mt.render(mark="", bsd="", host="") search = st.render(epoch=epoch, host=host, message=message1.lstrip()) diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py index 686fb91..b27a8a1 100644 --- a/tests/test_juniper_junos_rfc3164.py +++ b/tests/test_juniper_junos_rfc3164.py 
@@ -28,7 +28,7 @@ def test_juniper_utm_standard(record_property, setup_wordlist, get_host_key, set sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"") + st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search)