Update metadata keys for Meraki and Zscaler
* Fix incorrect Meraki and Zscaler keys in docs
* Change zscaler LSS `zpa-auth` logs to use `netproxy` index (to match all other LSS events).
Mark Bonsack committed Apr 28, 2020
1 parent c0ec0c8 commit 39a19a2
Showing 4 changed files with 24 additions and 16 deletions.
2 changes: 1 addition & 1 deletion docs/sources/Cisco/index.md
@@ -291,7 +291,7 @@ Verify timestamp, and host values match as expected

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| merkai | None |
| meraki | None |

### Sourcetype and Index Configuration

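Review bot: the corrected row sits in a table whose only columns are `sourcetype` and `notes`, yet the commit message describes this as a key fix, and the Zscaler tables touched in the same commit use `key | sourcetype | index | notes`; consider giving the Meraki table the same four columns so readers can see which `splunk_index.csv` key (and default index) applies, rather than a bare `meraki` value whose role is ambiguous.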
27 changes: 14 additions & 13 deletions docs/sources/Zscaler/index.md
@@ -25,13 +25,14 @@ the IP or host name of the SC4S instance and port 514

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| zscalernss_alerts | zscalernss-alerts | main | none |
| zscalernss_dns | zscalernss-dns | netdns | none |
| zscalernss_fw | zscalernss-fw | netfw | none |
| zscalernss_web | zscalernss-web | netproxy | none |

| key | sourcetype | index | notes |
|---------------------|------------------------|----------|---------|
| zscaler_alerts | zscalernss-alerts | main | none |
| zscaler_dns | zscalernss-dns | netdns | none |
| zscaler_fw | zscalernss-fw | netfw | none |
| zscaler_web | zscalernss-web | netproxy | none |
| zscaler_zia_audit | zscalernss-zia-audit | netops | none |
| zscaler_zia_sandbox | zscalernss-zia-sandbox | main | none |

### Filter type

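Review bot: two of the rows (`zscaler_zia_audit` and `zscaler_zia_sandbox`) are new entries rather than corrected keys, which the commit message ("Fix incorrect ... keys in docs") does not mention; worth calling out so readers know these sources are documented here for the first time. Also, `zscaler_alerts` and `zscaler_zia_sandbox` both default to `main`, the same index as `sc4s_fallback` in splunk_index.csv.example, so those events are not separable from unclassified fallback traffic by index alone; a `notes` entry recommending an index override instead of `none` would help.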
@@ -87,12 +88,12 @@ the IP or host name of the SC4S instance and port 514

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| zscalernss-zpa-app | zscalerlss_zpa-app | netproxy | none |
| zscalernss-zpa-auth | zscalerlss_zpa_auth | netauth | none |
| zscalernss-zpa-bba | zscalerlss_zpa_auth | netproxy | none |
| zscalernss-zpa-connector | zscalerlss_zpa_connector | netproxy | none |
| key | sourcetype | index | notes |
|----------------|--------------------------|------------|---------|
| zscaler_lss | zscalerlss_zpa-app | netproxy | none |
| zscaler_lss | zscalerlss_zpa_auth | netproxy | none |
| zscaler_lss | zscalerlss_zpa_auth | netproxy | none |
| zscaler_lss | zscalerlss_zpa_connector | netproxy | none |


### Filter type
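Review bot: after the edit the second and third rows are identical (`zscaler_lss | zscalerlss_zpa_auth | netproxy | none`), so the row that previously described `zpa-bba` has lost its identity; either the BBA row needs its own sourcetype or it should be dropped rather than duplicated. The sourcetype spellings here also disagree with the log path changed in this commit: the table uses `zscalerlss_zpa_auth` (and the mixed `zscalerlss_zpa-app`) while lp-zscaler_lss.conf.tmpl sets `sourcetype("zscalerlss-zpa-auth")`; the docs should use the hyphenated names the config actually emits.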
2 changes: 1 addition & 1 deletion package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -74,7 +74,7 @@ log {
match('.' value('.json.SAMLAttributes'))
and match('.' value('.json.Customer'))
};
rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netauth"))};
rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netproxy"))};
parser { p_add_context_splunk(key("zscaler_lss")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
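Review bot: moving `zscalerlss-zpa-auth` from `netauth` to `netproxy` is a behaviour change for existing deployments, not only a docs fix: any saved searches, alerts or index-based access controls that relied on ZPA authentication events landing in `netauth` will stop seeing them, so this deserves a changelog line alongside the docs update. A minor style point in the same hunk: `match('.' value('.json.SAMLAttributes'))` and `match('.' value('.json.Customer'))` only test that the field is non-empty; a short comment stating that intent would save the next reader from puzzling over the single-character pattern.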
9 changes: 8 additions & 1 deletion package/etc/context_templates/splunk_index.csv.example
@@ -69,4 +69,11 @@
#sc4s_fallback,index,main
#sc4s_metrics,index,em_metrics
#symanrtec_ep,index,epav
#vmware_nsx,index,main
#vmware_nsx,index,main
#zscaler_alerts,index,main
#zscaler_dns,index,netdns
#zscaler_fw,index,netfw
#zscaler_web,index,netproxy
#zscaler_zia_audit,index,netops
#zscaler_zia_sandbox,index,main
#zscaler_lss,index,netproxy
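Review bot: the seven new `zscaler_*` entries agree with the key and index columns of the updated Zscaler docs tables in this commit (`zscaler_lss` to `netproxy`, `zscaler_zia_audit` to `netops`, and so on), so the example stays in sync with the documentation. The `#vmware_nsx,index,main` line appears as both removed and re-added with identical content, which is what a missing trailing newline looks like; harmless, but the "1 deletion" in the file summary is that newline rather than a content change. Unrelated to this hunk but visible in its context, `#symanrtec_ep,index,epav` looks misspelled; confirm whether the key used by the Symantec log path is really spelled that way before correcting it, given that this commit exists to fix exactly that kind of key typo.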
