diff --git a/docs/configuration.md b/docs/configuration.md
index d9c5fc0..6f707fd 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -9,6 +9,7 @@ and variables needed to properly configure SC4S for your environment.
 |----------|---------------|-------------|
 | SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list |
 | SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token |
+| SC4S_GLOBAL_DNS_USE | yes or no(default) | use reverse DNS to identify hosts when HOST is not valid in the syslog header |
 * NOTE: Do _not_ configure HEC Acknowledgement when deploying the HEC token on the Splunk side; the underlying syslog-ng http destination does not support this feature. Moreover, HEC Ack would significantly degrade performance for streaming data such as
diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md
index 7bb6ee6..b0c026d 100644
--- a/docs/gettingstarted/podman-systemd-general.md
+++ b/docs/gettingstarted/podman-systemd-general.md
@@ -19,10 +19,12 @@ to install and run it each time sc4s starts. It should be available in all RHEL
 install conntrack
 ```
-After this is done, add the following entry to the unit file (and/or use the command when starting sc4s manually):
+After this is done, add the following entry to the unit file (and/or use the command when starting sc4s manually).
+Note that the space on either side of the semicolon in the `ExecStartPost` entry is _required_ and systemd
+will error out if it is missing.
 ```
-ExecStartPost=sleep 2; conntrack -D -p udp
+ExecStartPost=sleep 2 ; conntrack -D -p udp
 ```
 This command will delete the old (stale) UDP entries two seconds after the container starts and allow the system to build a new table that
@@ -82,7 +84,7 @@ ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \
 "$SC4S_TLS_DIR" \
 --name SC4S \
 --rm $SC4S_IMAGE
-ExecStartPost=sleep 2; conntrack -D -p udp
+ExecStartPost=sleep 2 ; conntrack -D -p udp
 ```
 * Execute the following command to create a local volume that will contain the disk buffer files in the event of a communication
diff --git a/package/Dockerfile b/package/Dockerfile
index bd5e477..b461c2b 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -13,7 +13,7 @@ COPY --from=hairyhenderson/gomplate:v3.5.0 /gomplate /usr/local/bin/gomplate
 COPY goss.yaml goss.yaml
-COPY etc/syslog-ng.conf /opt/syslog-ng/etc/syslog-ng.conf
+COPY etc/syslog-ng.conf.tmpl /opt/syslog-ng/etc/syslog-ng.conf.tmpl
 COPY etc/conf.d /opt/syslog-ng/etc/conf.d
 COPY etc/go_templates /opt/syslog-ng/etc/go_templates
 COPY etc/context_templates /opt/syslog-ng/etc/context_templates
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index fc0c7a0..ce18953 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -80,6 +80,7 @@ template t_JSON_5424 {
 template('$(format-json --scope rfc5424
 --pair PRI="<$PRI>"
 --key ISODATE
+ --key RAWMSG
 --exclude DATE
 --exclude FACILITY
 --exclude PRIORITY
@@ -95,6 +96,7 @@ template t_JSON_5424_SDATA {
 template('$(format-json --scope rfc5424
 --pair PRI="<$PRI>"
 --key ISODATE
+ --key RAWMSG
 --exclude DATE
 --exclude HOST
 --exclude FACILITY
diff --git a/package/etc/syslog-ng.conf b/package/etc/syslog-ng.conf.tmpl
similarity index 91%
rename from package/etc/syslog-ng.conf
rename to package/etc/syslog-ng.conf.tmpl
index 03ba65c..98db6a2 100644
--- a/package/etc/syslog-ng.conf
+++ b/package/etc/syslog-ng.conf.tmpl
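Review bot: The new `--key RAWMSG` in t_JSON_5424 (and the identical line in t_JSON_5424_SDATA at @@ -95) only carries content when the receiving source has `store-raw-message(yes)` set; the source definitions are not in this diff, so confirm they do, otherwise the key is emitted with an empty value. When it is populated, every event is shipped twice — once as parsed fields and once as the unparsed, sender-controlled line — which roughly doubles the HEC payload per event and forwards the raw text into the index unchanged, a trade-off that deserves a comment next to the line, e.g. `# RAWMSG repeats the full event body; needs store-raw-message(yes) on the source`. Both template bodies start before and end after their hunks.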
@@ -17,12 +17,12 @@ options {
 flush_lines (100);
 time_reopen (10);
 log_fifo_size (10000);
- chain_hostnames (off);
- use_dns (no);
+ chain_hostnames (yes);
+ use_dns ({{getenv "SC4S_GLOBAL_DNS_USE" "no"}});
 use_fqdn (no);
- dns-cache(no);
+ dns-cache({{getenv "SC4S_GLOBAL_DNS_CACHE" "yes"}});
 create_dirs (no);
- keep-hostname (yes);
+ keep-hostname (no);
 create_dirs(yes);
 dir_perm(0750);
 stats-freq(30);
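Review bot: `SC4S_GLOBAL_DNS_CACHE` is introduced by the new `dns-cache({{getenv "SC4S_GLOBAL_DNS_CACHE" "yes"}})` line but the configuration.md table in this same commit documents only `SC4S_GLOBAL_DNS_USE`; add a row for it. Both `getenv` values are spliced into the config verbatim, so anything other than the values syslog-ng accepts (`yes`/`no`, and `persist_only` for use_dns) breaks config parsing at container start with no clear message — either validate the value before rendering or at least list the accepted values in the doc row. Flipping `keep-hostname` to `no` together with `chain_hostnames (yes)` changes how HOST is derived for every received event, not only when the header HOST is invalid as the doc row states; confirm that the conf.d host handling (outside this diff) still produces the intended HOST. With use_dns enabled syslog-ng performs a reverse lookup on each new sender address, so an unreachable resolver can stall intake and whoever controls the PTR records for the source range decides the HOST value; keeping dns-cache on and pointing the container at a local caching resolver is the usual mitigation and worth a sentence in the docs. The `options {` block begins before the hunk, and the step that renders the .tmpl into syslog-ng.conf is not shown in this diff.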