diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md
index dc6dcf2..58e79a5 100644
--- a/docs/sources/Symantec/index.md
+++ b/docs/sources/Symantec/index.md
@@ -89,7 +89,7 @@ MSG Parse: This filter parses message content
 |----------------|----------------|----------------|
 | SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
 | SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
-| SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source |
+| SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL | no | Enable archive to disk for this specific source |
 | SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
 | SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG | yes | Email processing events generated by the bmserver process will be grouped by host+program+pid+msg ID into a single event |
 ### Verification
diff --git a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl
index 21ca1eb..6e71835 100644
--- a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl
@@ -1,3 +1,4 @@
+{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool)
 filter f_symantec_brightmail_complete{
 match("yes", value("SMG.COMPLETE") type(glob));
 };
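Review bot: The new guard at the top of the file has no comment saying why `f_symantec_brightmail_complete` and the grouping parser are defined only when GROUPMSG is enabled, and its literal default `"yes"` is repeated in the log-path guard (hunk at -35), where it must stay in agreement with the default documented in docs/sources/Symantec/index.md. A one-line syslog-ng comment above the added line would make that coupling explicit, e.g. `# Grouping filter/parser exist only when SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG is on; the log{} block below references them under the same guard, so keep the "yes" default identical in both places`. The parser definition that this conditional also covers continues outside the hunk.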
@@ -13,12 +14,12 @@ parser symantec_brightmail_grouping {
 key("${SMG.seq}")
 timeout(2)
 aggregate(
- value("MESSAGE" ";CONTEXT|${PID};${SMG.seq}|$(implode ';' $(context-values ${MESSAGE}))")
+ value("MESSAGE" "${PID}|${SMG.seq}|$(implode ';' $(context-values ${MESSAGE}))")
 value("SMG.COMPLETE" "yes")
 )
 );
 };
-
+{{- end }}
 {{ $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }}
 {{ tmpl.Exec "t/source_network.t" $context }}
@@ -35,12 +36,11 @@ log {
 {{- end }}
 {{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool)
- if {
- filter(f_symantec_brightmail_details);
+ filter(f_symantec_brightmail_details);
 parser(symantec_brightmail_grouping);
- {{- end}}
+ if {
 filter(f_symantec_brightmail_complete);
@@ -77,7 +77,8 @@ log {
 };
 } else {
-{{- end}}
+{{- end }}
+
 rewrite {
 set("symantec_brightmail", value("fields.sc4s_vendor_product"));
 };
@@ -108,9 +109,7 @@ log {
 {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }}
 destination(d_archive);
 {{- end}}
- {{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool)
- };
 {{- end}}
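Review bot: The aggregated MESSAGE layout changes from `;CONTEXT|${PID};${SMG.seq}|…` to `${PID}|${SMG.seq}|…`, which breaks any downstream extraction anchored on the old `;CONTEXT|` prefix or on the `;` between PID and sequence number, and nothing in this commit's docs hunk records the new layout. I would put a comment on the new `value("MESSAGE" …)` line, e.g. `# Aggregate layout: <pid>|<seq>|<ctx msg 1>;<ctx msg 2>;… (formerly ;CONTEXT|<pid>;<seq>|…)`, and state the same in the GROUPMSG row of docs/sources/Symantec/index.md. The grouping key visible here is `${SMG.seq}` alone while the docs describe grouping by host+program+pid+msg ID; the scope option sits above this hunk (the parser header at -13 is not shown), so it is worth confirming that the scope includes the sending host, otherwise messages from different senders that reuse a sequence number could be merged into one event.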
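Review bot: Moving `filter(f_symantec_brightmail_details);` out of the `if { … }` block makes it a path-level filter, and a failing filter statement in a syslog-ng log path discards the message from that path instead of sending it to the `else` branch as the old placement did, so messages that reach this path but do not match f_symantec_brightmail_details (defined outside this diff) are now dropped when GROUPMSG is enabled rather than rewritten and delivered. If that is intended, the moved line should say so, e.g. `# Path-level filter: messages not matching f_symantec_brightmail_details are discarded here, not routed to the else branch below`; if not, the filter belongs back inside the `if {` that now opens two lines later. The enclosing `log { … }` block starts and ends outside the hunk.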
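Review bot: The `};` that terminated the `if { … } else { … }` opened under the GROUPMSG guard (hunks at +36 and +77) is removed here and no replacement is visible anywhere in this diff; unless an unchanged line outside the shown hunks already supplies it, the rendered config carries an unterminated if/else whenever SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG is true (its documented default), syslog-ng rejects the configuration, and this source stops delivering logs at the next reload. If the closer is still needed, restore `};` under the same two-line guard pair the log path uses (`{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool)` … `{{- end }}`) so it is emitted exactly when the `} else {` is. Several context lines of this hunk are not visible, so please verify against the full file.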