diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml index 0c983a3..c33122c 100644 --- a/docker-compose-ci.yml +++ b/docker-compose-ci.yml @@ -38,8 +38,8 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no - - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 + - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 splunk: image: splunk/splunk:latest hostname: splunk diff --git a/docker-compose-debug.yml b/docker-compose-debug.yml index ecb8f6a..9b885f3 100644 --- a/docker-compose-debug.yml +++ b/docker-compose-debug.yml @@ -38,7 +38,7 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no splunk: image: splunk/splunk:latest hostname: splunk diff --git a/docker-compose-demo.yml b/docker-compose-demo.yml index b696193..5e4c200 100644 --- a/docker-compose-demo.yml +++ b/docker-compose-demo.yml @@ -40,8 +40,8 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no - - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 + - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 splunk: image: splunk/splunk:latest hostname: splunk @@ -65,4 +65,4 @@ volumes: sc4s-results: external: true splunk-etc: - external: true \ No newline at end of file + external: true diff --git a/docker-compose-perf.yml b/docker-compose-perf.yml index 729f51b..9831278 100644 --- a/docker-compose-perf.yml +++ b/docker-compose-perf.yml @@ -31,8 +31,8 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no - - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 + - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 splunk: image: splunk/splunk:latest @@ -61,4 +61,3 @@ services: links: - egbundles - sc4s - diff --git a/docker-compose.yml b/docker-compose.yml index fcf5e48..c637ff6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -46,8 +46,8 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no - - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 + - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 splunk: image: splunk/splunk:latest hostname: splunk @@ -68,4 +68,4 @@ volumes: sc4s-results: external: true splunk-etc: - external: true \ No newline at end of file + external: true diff --git a/docs/Configuration.md b/docs/Configuration.md index c4f2903..c8380d1 100644 --- a/docs/Configuration.md +++ b/docs/Configuration.md @@ -3,7 +3,7 @@ |----------|---------------|-------------| | SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list | | SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token | -| SCS_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | -| SCS_DEST_SPLUNK_HEC_CIPHER_SUITE | comma separated list | Open SSL cipher suite list | -| SCS_DEST_SPLUNK_HEC_SSL_VERSION | comma separated list | Open SSL version list | -| SCS_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | +| SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | +| SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE | comma separated list | Open SSL cipher suite list | +| SC4S_DEST_SPLUNK_HEC_SSL_VERSION | comma separated list | Open SSL version list | +| SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | diff --git a/docs/gettingstarted.md b/docs/gettingstarted.md index 351786f..cfcc7ba 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted.md @@ -13,11 +13,11 @@ transmission of events between computer systems over UDP, TCP, or TLS. The proto overhead on the sender favoring performance over reliability. This fundamental choice means any instability or resource constraint will cause data to be lost in transmission. -* When practical and cost effective considering the importance of completeness as a requirement, place the scs +* When practical and cost effective considering the importance of completeness as a requirement, place the SC4s instance in the same VLAN as the source device. * Avoid crossing a Wireless network, WAN, Firewall, Load Balancer, or inline IDS. -* When High Availability of a single instance of SCS is required, implement multi node clustering of the container +* When High Availability of a single instance of SC4S is required, implement multi node clustering of the container environment. * Avoid TCP except where the source is unable to contain the event to a single UDP packet. * Avoid TLS except where the event may cross a untrusted network. @@ -27,7 +27,7 @@ environment. ## Setup indexes in Splunk -SCS is pre-configured to map each sourcetype to a typical index, for new installations best practice is to create the following +SC4S is pre-configured to map each sourcetype to a typical index, for new installations best practice is to create the following indexes in Splunk. The indexes can be customized easily if desired. If using defaults create the following indexes on Splunk: * netauth @@ -49,7 +49,7 @@ Install the following: ## Setup Splunk HTTP Event Collector - Set up the Splunk HTTP Event Collector with the HEC endpoints behind a load balancer (VIP) configured for https round robin *WITHOUT* sticky session. Alternatively, a list of HEC endpoint URLs can be configured in SC4S if no load balancer is in place. In either case, it is recommended that SC4S traffic be sent to HEC endpoints configured directly on the indexers rather than an intermediate tier of HWFs. -- Create a HEC token that will be used by SCS and ensure the token has access to place events in main, em_metrics, and all indexes used as event destinations +- Create a HEC token that will be used by SC4S and ensure the token has access to place events in main, em_metrics, and all indexes used as event destinations ### Splunk Cloud @@ -59,7 +59,7 @@ Refer to [Splunk Cloud](http://docs.splunk.com/Documentation/Splunk/7.3.1/Data/U Refer to [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) -## Implement a container run time and SCS +## Implement a container run time and sc4s | Container and Orchestration | Notes | |-----------------------------|-------| diff --git a/docs/gettingstarted/docker-swarm-general.md b/docs/gettingstarted/docker-swarm-general.md index 0bad67a..123a303 100644 --- a/docs/gettingstarted/docker-swarm-general.md +++ b/docs/gettingstarted/docker-swarm-general.md @@ -6,7 +6,7 @@ Refer to [Getting Started](https://docs.docker.com/get-started/) # Setup * Create a directory on the server for configuration. This should be available to all administrators, for example: -``/opt/scs/`` +``/opt/sc4s/`` * Create a docker-compose.yml file and place it in the directory created above based on the following template: ```yaml @@ -26,7 +26,7 @@ services: #Comment the following line out if using docker-compose mode: host env_file: - - /opt/scs/env_file + - /opt/sc4s/env_file volumes: #Uncomment the following line if overriding index destinations # - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv @@ -36,9 +36,9 @@ services: ``` -## Configure the SCS environment +## Configure the SC4S environment -Create the following file ``/opt/scs/env_file`` +Create the following file ``/opt/sc4s/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -50,11 +50,11 @@ SPLUNK_DEFAULT_INDEX=main SPLUNK_METRICS_INDEX=em_metrics ``` -## Configure index destinations for Splunk +## Configure index destinations for Splunk Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. -* Download the latest context.csv file to a subdirectory sc4s below the docker-compose.yml file created above. +* Download the latest context.csv file to a subdirectory SC4S below the docker-compose.yml file created above. ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv @@ -63,9 +63,9 @@ sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/mas ## Configure sources by source IP or host name -Legacy sources and non-standard-compliant source require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. +Legacy sources and non-standard-compliant source require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. -* Download the latest vendor_product_by_source.conf file to a subdirectory sc4s below the docker-compose.yml file created above. +* Download the latest vendor_product_by_source.conf file to a subdirectory SC4S below the docker-compose.yml file created above. ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv @@ -86,14 +86,14 @@ Additional hosts can be deployed for syslog collection from additional network z # Single Source Technology instance -For certain source technologies message categorization by content is impossible to support collection +For certain source technologies message categorization by content is impossible to support collection of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using -an alternate port. +an alternate port. Refer to the Sources documentation to identify the specific variable used to enable a specific port for the technology in use. In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate -* Modify the unit file ``/opt/scs/docker-compose.yml`` +* Modify the unit file ``/opt/sc4s/docker-compose.yml`` ```yaml version: "3.7" services: @@ -121,7 +121,7 @@ services: #Comment the following line out if using docker-compose mode: host env_file: - - /opt/scs/env_file + - /opt/sc4s/env_file volumes: #Uncomment the following line if overriding index destinations # - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv @@ -130,7 +130,7 @@ services: # - ./sc4s-juniper/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf ``` -Modify the following file ``/opt/scs/default/env_file`` +Modify the following file ``/opt/sc4s/default/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -140,9 +140,9 @@ SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 SPLUNK_CONNECT_METHOD=hec SPLUNK_DEFAULT_INDEX=main SPLUNK_METRICS_INDEX=em_metrics -SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 #Uncomment the following line if using untrusted SSL certificates -#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +#SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no ``` * Start SC4S. diff --git a/docs/gettingstarted/docker-swarm-rhel7.md b/docs/gettingstarted/docker-swarm-rhel7.md index 8575a0f..6342c71 100644 --- a/docs/gettingstarted/docker-swarm-rhel7.md +++ b/docs/gettingstarted/docker-swarm-rhel7.md @@ -34,7 +34,7 @@ sudo docker swarm init # Setup * Create a directory on the server for configuration. This should be available to all administrators, for example: -``/opt/scs/`` +``/opt/sc4s/`` * Create a docker-compose.yml file and place it in the directory created above based on the following template: ```yaml @@ -54,7 +54,7 @@ services: #Comment the following line out if using docker-compose mode: host env_file: - - /opt/scs/env_file + - /opt/sc4s/env_file volumes: #Uncomment the following line if overriding index destinations # - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv @@ -64,9 +64,9 @@ services: ``` -## Configure the SCS environment +## Configure the SC4S environment -Create the following file ``/opt/scs/env_file`` +Create the following file ``/opt/sc4s/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -79,11 +79,11 @@ SPLUNK_METRICS_INDEX=em_metrics ``` -## Configure index destinations for Splunk +## Configure index destinations for Splunk Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. -* Download the latest context.csv file to a subdirectory sc4s below the docker-compose.yml file created above. +* Download the latest context.csv file to a subdirectory SC4S below the docker-compose.yml file created above. ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv @@ -92,9 +92,9 @@ sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/mas ## Configure sources by source IP or host name -Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. +Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. -* Download the latest vendor_product_by_source.conf file to a subdirectory sc4s below the docker-compose.yml file created above +* Download the latest vendor_product_by_source.conf file to a subdirectory SC4S below the docker-compose.yml file created above ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv @@ -114,14 +114,14 @@ Additional hosts can be deployed for syslog collection from additional network z # Single Source Technology instance -For certain source technologies message categorization by content is impossible to support collection +For certain source technologies message categorization by content is impossible to support collection of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using -an alternate port. +an alternate port. Refer to the Sources documentation to identify the specific variable used to enable a specific port for the technology in use. In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate -* Modify the unit file ``/opt/scs/docker-compose.yml`` +* Modify the unit file ``/opt/sc4s/docker-compose.yml`` ```yaml version: "3.7" services: @@ -149,7 +149,7 @@ services: #Comment the following line out if using docker-compose mode: host env_file: - - /opt/scs/env_file + - /opt/sc4s/env_file volumes: #Uncomment the following line if overriding index destinations # - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv @@ -158,7 +158,7 @@ services: # - ./sc4s-juniper/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf ``` -Modify the following file ``/opt/scs/default/env_file`` +Modify the following file ``/opt/sc4s/default/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -168,9 +168,9 @@ SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 SPLUNK_CONNECT_METHOD=hec SPLUNK_DEFAULT_INDEX=main SPLUNK_METRICS_INDEX=em_metrics -SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 #Uncomment the following line if using untrusted SSL certificates -#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +#SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no ``` * Start SC4S. diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index cb11a5c..808cbf6 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md @@ -5,7 +5,7 @@ Refer to [Getting Started](https://docs.docker.com/get-started/) # Setup -* Create a systemd unit file use to start the container with the host os. ``/lib/systemd/system/scs.service`` +* Create a systemd unit file use to start the container with the host os. ``/lib/systemd/system/sc4s.service`` *NOTE*: The 3 volumes "-v" are optional and should be omited if the customization options are not used @@ -13,38 +13,38 @@ Refer to [Getting Started](https://docs.docker.com/get-started/) ```ini [Unit] -Description=SCS Container +Description=SC4S Container After=network.service Requires=network.service [Service] -Environment="SCS_IMAGE=splunk/scs:latest" +Environment="SC4S_IMAGE=splunk/sc4s:latest" #Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started -Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +Environment="SC4S_UNIT_SPLUNK_INDEX=-v /opt/sc4s/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" #Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started -#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" -#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" +#Environment="SC4S_UNIT_VP_CSV=-v /opt/sc4s/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SC4S_UNIT_VP_CONF=-v /opt/sc4s/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" TimeoutStartSec=0 Restart=always -ExecStartPre=/usr/bin/docker pull $SCS_IMAGE +ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE ExecStartPre=/usr/bin/docker run \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs_preflight --rm \ - $SCS_IMAGE -s + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S_preflight --rm \ + $SC4S_IMAGE -s ExecStart=/usr/bin/docker run -p 514:514 \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs \ + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S \ --rm \ -$SCS_IMAGE +$SC4S_IMAGE ``` -## Configure the SCS environment +## Configure the SC4S environment -Create the following file ``/opt/scs/default/env_file`` +Create the following file ``/opt/sc4s/default/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -55,14 +55,14 @@ SPLUNK_CONNECT_METHOD=hec SPLUNK_DEFAULT_INDEX=main SPLUNK_METRICS_INDEX=em_metrics #Uncomment the following line if using untrusted SSL certificates -#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +#SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no ``` -## Configure index destinations for Splunk +## Configure index destinations for Splunk Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. -* Download the latest context.csv file to a directory ``/opt/scs/default/`` +* Download the latest context.csv file to a directory ``/opt/sc4s/default/`` ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv @@ -71,9 +71,9 @@ sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/mas ## Configure sources by source IP or host name -Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. +Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. -* Download the latest vendor_product_by_source.conf file to a directory ``/opt/scs/default/`` +* Download the latest vendor_product_by_source.conf file to a directory ``/opt/sc4s/default/`` ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv @@ -84,55 +84,55 @@ sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/mas ```bash sudo systemctl daemon-reload -sudo systemctl enable scs -sudo systemctl start scs +sudo systemctl enable sc4s +sudo systemctl start sc4s ``` # Single Source Technology instance -For certain source technologies message categorization by content is impossible to support collection +For certain source technologies message categorization by content is impossible to support collection of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using -an alternate port. +an alternate port. Refer to the Sources documentation to identify the specific variable used to enable a specific port for the technology in use. In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate -* Modify the unit file ``/opt/scs/default/env_file`` +* Modify the unit file ``/opt/sc4s/default/env_file`` ```ini [Unit] -Description=SCS Container +Description=SC4S Container After=network.service Requires=network.service [Service] -Environment="SCS_IMAGE=splunk/scs:latest" +Environment="SC4S_IMAGE=splunk/scs:latest" #Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started -Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +Environment="SC4S_UNIT_SPLUNK_INDEX=-v /opt/sc4s/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" #Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started -#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" -#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" +#Environment="SC4S_UNIT_VP_CSV=-v /opt/sc4s/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SC4S_UNIT_VP_CONF=-v /opt/sc4s/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" TimeoutStartSec=0 Restart=always -ExecStartPre=/usr/bin/docker pull $SCS_IMAGE +ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE ExecStartPre=/usr/bin/docker run \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs_preflight --rm \ - $SCS_IMAGE -s + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S_preflight --rm \ + $SC4S_IMAGE -s ExecStart=/usr/bin/docker run -p 514:514 -p 5000-5020:5000-5020 \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs \ + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S \ --rm \ -$SCS_IMAGE +$SC4S_IMAGE ``` -Modify the following file ``/opt/scs/default/env_file`` +Modify the following file ``/opt/sc4s/default/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -142,13 +142,13 @@ SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 SPLUNK_CONNECT_METHOD=hec SPLUNK_DEFAULT_INDEX=main SPLUNK_METRICS_INDEX=em_metrics -SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 #Uncomment the following line if using untrusted SSL certificates -#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +#SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no ``` * Restart SC4S. ```bash -sudo systemctl restart scs +sudo systemctl restart sc4s ``` diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md index 6884d4d..e6f500c 100644 --- a/docs/gettingstarted/podman-systemd-general.md +++ b/docs/gettingstarted/podman-systemd-general.md @@ -3,11 +3,11 @@ Refer to [Installation](https://podman.io/getting-started/installation) -# Configure SCS +# Configure sc4s # Setup -* Create a systemd unit file use to start the container with the host os. ``/lib/systemd/system/scs.service`` +* Create a systemd unit file use to start the container with the host os. ``/lib/systemd/system/sc4s.service`` *NOTE*: The 3 volumes "-v" are optional and should be omited if the customization options are not used @@ -15,39 +15,39 @@ Refer to [Installation](https://podman.io/getting-started/installation) ```ini [Unit] -Description=SCS Container +Description=SC4S Container After=network.service Requires=network.service [Service] -Environment="SCS_IMAGE=splunk/scs:latest" +Environment="SC4S_IMAGE=splunk/sc4s:latest" #Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started -Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +Environment="SC4S_UNIT_SPLUNK_INDEX=-v /opt/sc4s/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" #Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started -#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" -#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" +#Environment="SC4S_UNIT_VP_CSV=-v /opt/sc4s/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SC4S_UNIT_VP_CONF=-v /opt/sc4s/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" TimeoutStartSec=0 Restart=always -ExecStartPre=/usr/bin/podman pull $SCS_IMAGE +ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE ExecStartPre=/usr/bin/podman run \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs_preflight --rm \ - $SCS_IMAGE -s + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S_preflight --rm \ + $SC4S_IMAGE -s ExecStart=/usr/bin/podman run -p 514:514 \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs \ + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S \ --rm \ -$SCS_IMAGE +$SC4S_IMAGE ``` -## Configure the SCS environment +## Configure the SC4S environment -Create the following file ``/opt/scs/default/env_file`` +Create the following file ``/opt/sc4s/default/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -58,14 +58,14 @@ SPLUNK_CONNECT_METHOD=hec SPLUNK_DEFAULT_INDEX=main SPLUNK_METRICS_INDEX=em_metrics #Uncomment the following line if using untrusted SSL certificates -#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +#SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no ``` -## Configure index destinations for Splunk +## Configure index destinations for Splunk Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. -* Download the latest context.csv file to a directory ``/opt/scs/default/`` +* Download the latest context.csv file to a directory ``/opt/sc4s/default/`` ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv @@ -74,9 +74,9 @@ sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/mas ## Configure sources by source IP or host name -Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. +Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. -* Download the latest vendor_product_by_source.conf file to a directory ``/opt/scs/default/`` +* Download the latest vendor_product_by_source.conf file to a directory ``/opt/sc4s/default/`` ```bash sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv @@ -86,14 +86,14 @@ sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/mas * Start SC4S. ```bash -sudo systemctl daemon-reload -sudo systemctl enable scs -sudo systemctl start scs +sudo systemctl daemon-reload +sudo systemctl enable sc4s +sudo systemctl start sc4s ``` # Single Source Technology instance -For certain source technologies message categorization by content is impossible to support collection +For certain source technologies message categorization by content is impossible to support collection of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using an alternate port. @@ -101,40 +101,40 @@ Refer to the Sources documentation to identify the specific variable used to ena In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate -* Modify the unit file ``/lib/systemd/system/scs.service`` +* Modify the unit file ``/lib/systemd/system/sc4s.service`` ```ini [Unit] -Description=SCS Container +Description=SC4S Container After=network.service Requires=network.service [Service] -Environment="SCS_IMAGE=splunk/scs:latest" +Environment="SC4S_IMAGE=splunk/scs:latest" #Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started -Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +Environment="SC4S_UNIT_SPLUNK_INDEX=-v /opt/sc4s/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" #Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started -#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" -#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" +#Environment="SC4S_UNIT_VP_CSV=-v /opt/sc4s/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SC4S_UNIT_VP_CONF=-v /opt/sc4s/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" TimeoutStartSec=0 Restart=always -ExecStartPre=/usr/bin/podman pull $SCS_IMAGE +ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE ExecStartPre=/usr/bin/podman run \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs_preflight --rm \ - $SCS_IMAGE -s + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S_preflight --rm \ + $SC4S_IMAGE -s ExecStart=/usr/bin/podman run -p 514:514 -p 5000-5020:5000-5020 \ - --env-file=/opt/scs/default/env_file \ - "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ - --name scs \ + --env-file=/opt/sc4s/default/env_file \ + "$SC4S_UNIT_SPLUNK_INDEX" "$SC4S_UNIT_VP_CSV" "$SC4S_UNIT_VP_CONF" \ + --name SC4S \ --rm \ -$SCS_IMAGE +$SC4S_IMAGE ``` -Modify the following file ``/opt/scs/default/env_file`` +Modify the following file ``/opt/sc4s/default/env_file`` * Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment @@ -144,13 +144,13 @@ SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 SPLUNK_CONNECT_METHOD=hec SPLUNK_DEFAULT_INDEX=main SPLUNK_METRICS_INDEX=em_metrics -SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 #Uncomment the following line if using untrusted SSL certificates -#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +#SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no ``` * Restart SC4S. ```bash -sudo systemctl restart scs +sudo systemctl restart sc4s ``` diff --git a/docs/sources.md b/docs/sources.md index 0d16a48..363bbe5 100644 --- a/docs/sources.md +++ b/docs/sources.md @@ -42,8 +42,8 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_JUNIPER_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SCS_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | +| SC4S_LISTEN_JUNIPER_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | ### Verification @@ -101,10 +101,10 @@ Verify timestamp, and host values match as expected * Protocol is TCP/IP * device-id is hostname and included * timestamp is included and milisecond accuracy selected -* ACI Logging configuration of the ACI product often varies by use case. +* ACI Logging configuration of the ACI product often varies by use case. * Ensure NTP sync is configured and active * Ensure proper host names are configured -* WLC +* WLC * Ensure NTP sync is configured and active * Ensure proper host names are configured * For security use cases per AP logging is required @@ -113,8 +113,8 @@ Verify timestamp, and host values match as expected | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SCS_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -144,7 +144,7 @@ Verify timestamp, and host values match as expected | fgt_log | The catch all sourcetype is not used | | fgt_traffic | None | | fgt_utm | None | -| fgt_event | None +| fgt_event | None ### Sourcetype and Index Configuration @@ -204,7 +204,7 @@ end | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -217,7 +217,7 @@ diag log test Verify timestamp, and host values match as expected ``` -index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm) +index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm) ``` ### UTM Message type @@ -272,8 +272,8 @@ Verify timestamp, and host values match as expected | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| -| SCS_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | +| SC4S_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| +| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | ### Verification @@ -322,8 +322,8 @@ Verify timestamp, and host values match as expected | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SCS_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -372,8 +372,8 @@ Verify timestamp, and host values match as expected | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SCS_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -420,7 +420,7 @@ Verify timestamp, and host values match as expected | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -483,7 +483,7 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_PALOALTO_PANOS_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -532,7 +532,7 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SCS_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -540,4 +540,4 @@ An active proxy will generate frequent events. Use the following search to valid ``` index= sourcetype=bluecoat:proxysg:access:kv | stats count by host -``` \ No newline at end of file +``` diff --git a/package/etc/conf.d/conflib/_common/network.conf.tmpl b/package/etc/conf.d/conflib/_common/network.conf.tmpl index 3a789e9..1592248 100644 --- a/package/etc/conf.d/conflib/_common/network.conf.tmpl +++ b/package/etc/conf.d/conflib/_common/network.conf.tmpl @@ -16,7 +16,7 @@ transport("udp") port({{getenv "confgen_udp_port"}}) ip-protocol(4) - so-rcvbuf({{getenv "SCS_SOURCE_UDP_SO_RCVBUFF" "425984"}}) + so-rcvbuf({{getenv "SC4S_SOURCE_UDP_SO_RCVBUFF" "425984"}}) keep-hostname(yes) keep-timestamp(yes) use-dns(no) @@ -30,9 +30,9 @@ transport("tcp") port({{getenv "confgen_tcp_port"}}) ip-protocol(4) - max-connections({{getenv "SCS_SOURCE_TCP_MAX_CONNECTIONS" "2000"}}) - log-iw-size({{getenv "SCS_SOURCE_TCP_IW_SIZE" "20000000"}}) - log-fetch-limit({{getenv "SCS_SOURCE_TCP_FETCH_LIMIT" "2000"}}) + max-connections({{getenv "SC4S_SOURCE_TCP_MAX_CONNECTIONS" "2000"}}) + log-iw-size({{getenv "SC4S_SOURCE_TCP_IW_SIZE" "20000000"}}) + log-fetch-limit({{getenv "SC4S_SOURCE_TCP_FETCH_LIMIT" "2000"}}) keep-hostname(yes) keep-timestamp(yes) use-dns(no) @@ -64,7 +64,7 @@ rewrite(set_metadata_vendor_product_cisco_ios); {{ else if eq (getenv "confgen_parser") "rfc3164" }} parser { - syslog-parser(time-zone({{getenv "SCS_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); + syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); }; rewrite(set_rfc3164); {{ else }} @@ -85,7 +85,7 @@ rewrite(set_metadata_vendor_product_cisco_ios); } else { parser { - syslog-parser(time-zone({{getenv "SCS_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); + syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); }; rewrite(set_rfc3164); }; diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl index 5da5234..441c5a9 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl +++ b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl @@ -1,35 +1,35 @@ http( url("{{getenv "SPLUNK_HEC_URL"}}") method("POST") - log-fifo-size({{getenv "SCS_DEST_SPLUNK_HEC_LOG_FIFO_SIZE" "180000000"}}) - workers({{getenv "SCS_DEST_SPLUNK_HEC_WORKERS" "10"}}) - batch-lines({{getenv "SCS_DEST_SPLUNK_HEC_BATCH_LINES" "1000"}}) - batch-bytes({{getenv "SCS_DEST_SPLUNK_HEC_BATCH_BYTES" "4096kb"}}) - batch-timeout({{getenv "SCS_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1"}}) - timeout({{getenv "SCS_DEST_SPLUNK_HEC_TIMEOUT" "30"}}) - user_agent("SCS/1.0 (events)") - user("scs") - headers("{{getenv "SCS_DEST_SPLUNK_DEST_SPLUNK_HEC_HEADERS" "Connection: close"}}") + log-fifo-size({{getenv "SC4S_DEST_SPLUNK_HEC_LOG_FIFO_SIZE" "180000000"}}) + workers({{getenv "SC4S_DEST_SPLUNK_HEC_WORKERS" "10"}}) + batch-lines({{getenv "SC4S_DEST_SPLUNK_HEC_BATCH_LINES" "1000"}}) + batch-bytes({{getenv "SC4S_DEST_SPLUNK_HEC_BATCH_BYTES" "4096kb"}}) + batch-timeout({{getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1"}}) + timeout({{getenv "SC4S_DEST_SPLUNK_HEC_TIMEOUT" "30"}}) + user_agent("sc4s/1.0 (events)") + user("sc4s") + headers("{{getenv "SC4S_DEST_SPLUNK_DEST_SPLUNK_HEC_HEADERS" "Connection: close"}}") password("{{getenv "SPLUNK_HEC_TOKEN"}}") persist-name("splunk_hec") -{{ if eq (getenv "SCS_DEST_SPLUNK_HEC_DISKBUFF_ENABLE" "yes") "yes" }} +{{ if eq (getenv "SC4S_DEST_SPLUNK_HEC_DISKBUFF_ENABLE" "yes") "yes" }} disk-buffer( -{{ if eq (getenv "SCS_DEST_SPLUNK_HEC_DISKBUFF_RELIABLE" "no") "yes" }} - mem-buf-size({{getenv "SCS_DEST_SPLUNK_HEC_DISKBUFF_MEMBUFSIZE" "10241024"}}) +{{ if eq (getenv "SC4S_DEST_SPLUNK_HEC_DISKBUFF_RELIABLE" "no") "yes" }} + mem-buf-size({{getenv "SC4S_DEST_SPLUNK_HEC_DISKBUFF_MEMBUFSIZE" "10241024"}}) reliable(yes) {{else}} - mem-buf-length({{getenv "SCS_DEST_SPLUNK_HEC_DISKBUFF_MEMBUFLENGTH" "15000"}}) + mem-buf-length({{getenv "SC4S_DEST_SPLUNK_HEC_DISKBUFF_MEMBUFLENGTH" "15000"}}) reliable(no) {{ end }} {{ end }} - disk-buf-size({{getenv "SCS_DEST_SPLUNK_HEC_DISKBUFF_DISKBUFSIZE" "1048576"}}) + disk-buf-size({{getenv "SC4S_DEST_SPLUNK_HEC_DISKBUFF_DISKBUFSIZE" "1048576"}}) dir("/opt/syslog-ng/var/data/disk-buffer/") ) - tls(peer-verify({{getenv "SCS_DEST_SPLUNK_HEC_TLS_VERIFY" "yes"}}) -{{if ne (getenv "SCS_DEST_SPLUNK_HEC_CIPHER_SUITE") ""}} cipher-suite("{{getenv "SCS_DEST_SPLUNK_HEC_CIPHER_SUITE"}}"){{end}} -{{if ne (getenv "SCS_DEST_SPLUNK_HEC_SSL_VERSION") ""}} ssl-version("{{getenv "SCS_DEST_SPLUNK_HEC_SSL_VERSION"}}"){{end}} - ca-file("{{getenv "SCS_DEST_SPLUNK_HEC_TLS_CA_FILE" "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}}") + tls(peer-verify({{getenv "SC4S_DEST_SPLUNK_HEC_TLS_VERIFY" "yes"}}) +{{if ne (getenv "SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE") ""}} cipher-suite("{{getenv "SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE"}}"){{end}} +{{if ne (getenv "SC4S_DEST_SPLUNK_HEC_SSL_VERSION") ""}} ssl-version("{{getenv "SC4S_DEST_SPLUNK_HEC_SSL_VERSION"}}"){{end}} + ca-file("{{getenv "SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE" "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}}") ) body('$(format-json time=$S_UNIXTIME.$S_MSEC diff --git a/package/etc/conf.d/destinations/splunk_hec_metrics.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec_metrics.conf.tmpl index 119c21b..7b8d9a1 100644 --- a/package/etc/conf.d/destinations/splunk_hec_metrics.conf.tmpl +++ b/package/etc/conf.d/destinations/splunk_hec_metrics.conf.tmpl @@ -5,16 +5,16 @@ batch-bytes(1024Kb) batch-timeout(1) timeout(15) - user_agent("SCS/1.0 (internal metrics)") - user("scs") - headers("{{getenv "SCS_DEST_SPLUNK_HEC_HEADERS" "Connection: close"}}") + user_agent("sc4s/1.0 (internal metrics)") + user("sc4s") + headers("{{getenv "SC4S_DEST_SPLUNK_HEC_HEADERS" "Connection: close"}}") password("{{getenv "SPLUNK_HEC_TOKEN"}}") persist-name("splunk_metrics") - tls(peer-verify({{getenv "SCS_DEST_SPLUNK_HEC_TLS_VERIFY" "yes"}}) -{{if ne (getenv "SCS_DEST_SPLUNK_HEC_CIPHER_SUITE") ""}} cipher-suite("{{getenv "SCS_DEST_SPLUNK_HEC_CIPHER_SUITE"}}"){{end}} -{{if ne (getenv "SCS_DEST_SPLUNK_HEC_SSL_VERSION") ""}} ssl-version("{{getenv "SCS_DEST_SPLUNK_HEC_SSL_VERSION"}}"){{end}} - ca-file("{{getenv "SCS_DEST_SPLUNK_HEC_TLS_CA_FILE" "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}}") + tls(peer-verify({{getenv "SC4S_DEST_SPLUNK_HEC_TLS_VERIFY" "yes"}}) +{{if ne (getenv "SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE") ""}} cipher-suite("{{getenv "SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE"}}"){{end}} +{{if ne (getenv "SC4S_DEST_SPLUNK_HEC_SSL_VERSION") ""}} ssl-version("{{getenv "SC4S_DEST_SPLUNK_HEC_SSL_VERSION"}}"){{end}} + ca-file("{{getenv "SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE" "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}}") ) body('$MESSAGE') ); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl index 0e34ba1..a8e9b29 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_CISCO_ASA_LEGACY_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_CISCO_ASA_LEGACY_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT" }}) ) }; {{ end }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl index 243621b..67fc196 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl @@ -8,8 +8,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_CISCO_IOS_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_CISCO_IOS_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_CISCO_IOS_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_CISCO_IOS_UDP_PORT" }}) ) }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl index 38528fd..a6c1e20 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl @@ -8,8 +8,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_CISCO_NX_OS_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_CISCO_NX_OS_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT" }}) ) }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl index fc6d446..6684b30 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_FORTINET_FORTIOS_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_FORTINET_FORTIOS_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT" }}) ) }; @@ -18,7 +18,7 @@ parser { kv-parser(prefix(".kv.") template("${MSGHDR} ${MSG}")); - date-parser(format("%Y-%m-%d:%H:%M:%S") template("${.kv.date}:${.kv.time}") time-zone({{getenv "SCS_DEFAULT_TIMEZONE" "GMT"}})); + date-parser(format("%Y-%m-%d:%H:%M:%S") template("${.kv.date}:${.kv.time}") time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}})); }; rewrite { set("${.kv.devname}", value("HOST")); }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl index 3abcd33..9589805 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_JUNIPER_IDP_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_JUNIPER_IDP_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT" }}) ); }; {{ end }} @@ -22,4 +22,4 @@ destination(d_hec); #--HEC-- - flags(flow-control); \ No newline at end of file + flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl index f49af18..3850ad4 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_JUNIPER_JUNOS_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_JUNIPER_JUNOS_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT" }}) ) }; @@ -38,4 +38,4 @@ destination(d_hec); #--HEC-- - flags(flow-control); \ No newline at end of file + flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl index 40ed78c..a800328 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl @@ -8,8 +8,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_JUNIPER_NETSCREEN_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT" }}) ) }; {{ end }} @@ -25,4 +25,4 @@ }; destination(d_hec); #--HEC-- - flags(flow-control); \ No newline at end of file + flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl index 897f6af..e637dc4 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_JUNIPER_NSM_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_JUNIPER_NSM_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT" }}) ) }; {{ end }} @@ -22,4 +22,4 @@ }; destination(d_hec); #--HEC-- - flags(flow-control); \ No newline at end of file + flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl index d1b157f..2974ff2 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_JUNIPER_NSM_IDP_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_JUNIPER_NSM_IDP_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT" }}) ) }; {{ end }} @@ -21,4 +21,4 @@ }; destination(d_hec); #--HEC-- - flags(flow-control); \ No newline at end of file + flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl index 20c5ab6..58e98e9 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_PALOALTO_PANOS_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_PALOALTO_PANOS_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT" }}) ) }; diff --git a/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf.tmpl index b5b9246..4aeacfe 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_JUNIPER_CISCO_ASA_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_JUNIPER_CISCO_ASA_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_JUNIPER_CISCO_ASA_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_JUNIPER_CISCO_ASA_UDP_PORT" }}) ) }; diff --git a/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec_proxy.conf.tmpl index 0f56343..b651236 100644 --- a/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec_proxy.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_SYMANTEC_PROXY_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_SYMANTEC_PROXY_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT" }}) ) }; diff --git a/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper_junos.conf.tmpl index 5142c73..bfa3fad 100644 --- a/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper_junos.conf.tmpl @@ -9,8 +9,8 @@ {{ if eq (getenv "confgen_sourcedefault") "no" }} source { dedicated_port( - tcp_port({{ getenv "SCS_LISTEN_JUNIPER_JUNOS_TCP_PORT" }}) - udp_port({{ getenv "SCS_LISTEN_JUNIPER_JUNOS_UDP_PORT" }}) + tcp_port({{ getenv "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT" }}) + udp_port({{ getenv "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT" }}) ) }; {{ end }} @@ -41,4 +41,3 @@ }; destination(d_hec); #--HEC-- - diff --git a/package/etc/conf.d/sources/network.conf.tmpl b/package/etc/conf.d/sources/network.conf.tmpl index 07a9b8f..0cb943d 100644 --- a/package/etc/conf.d/sources/network.conf.tmpl +++ b/package/etc/conf.d/sources/network.conf.tmpl @@ -15,7 +15,7 @@ transport("udp") port(514) ip-protocol(4) - so-rcvbuf({{getenv "SCS_SOURCE_UDP_SO_RCVBUFF" "425984"}}) + so-rcvbuf({{getenv "SC4S_SOURCE_UDP_SO_RCVBUFF" "425984"}}) keep-hostname(yes) keep-timestamp(yes) use-dns(no) @@ -28,9 +28,9 @@ transport("tcp") port(514) ip-protocol(4) - max-connections({{getenv "SCS_SOURCE_TCP_MAX_CONNECTIONS" "2000"}}) - log-iw-size({{getenv "SCS_SOURCE_TCP_IW_SIZE" "20000000"}}) - log-fetch-limit({{getenv "SCS_SOURCE_TCP_FETCH_LIMIT" "2000"}}) + max-connections({{getenv "SC4S_SOURCE_TCP_MAX_CONNECTIONS" "2000"}}) + log-iw-size({{getenv "SC4S_SOURCE_TCP_IW_SIZE" "20000000"}}) + log-fetch-limit({{getenv "SC4S_SOURCE_TCP_FETCH_LIMIT" "2000"}}) keep-hostname(yes) keep-timestamp(yes) use-dns(no) @@ -61,7 +61,7 @@ rewrite(set_metadata_vendor_product_cisco_ios); } else { parser { - syslog-parser(time-zone({{getenv "SCS_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); + syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); }; rewrite(set_rfc3164); };