Merge branch 'develop' into mcafee/add_context
Ryan Faircloth authored and GitHub committed May 4, 2020
2 parents 82c0de2 + d2fd253 commit 52f5cfa
Showing 1 changed file with 4 additions and 10 deletions.
14 changes: 4 additions & 10 deletions package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
Expand Up @@ -47,8 +47,6 @@ log {
};
rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"), index("netproxy"))};
parser { p_add_context_splunk(key("zscaler_lss")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
} elif {
filter {
match('.' value('.json.Exporter'))
Expand All @@ -57,8 +55,6 @@ log {
};
rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"), index("netproxy"))};
parser { p_add_context_splunk(key("zscaler_lss")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
} elif {
filter {
match('.' value('.json.Connector'))
Expand All @@ -67,29 +63,27 @@ log {
};
rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"), index("netproxy"))};
parser { p_add_context_splunk(key("zscaler_lss")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
} elif {
filter {
match('.' value('.json.SAMLAttributes'))
and match('.' value('.json.Customer'))
};
rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netauth"))};
parser { p_add_context_splunk(key("zscaler_lss")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
} else {
rewrite {
set("zscaler_lss_rogue_message", value("fields.sc4s_vendor_product"));
set("Possible rogue message on zscaler_lss unique port", value("fields.sc4s_error"));
r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"), index("netproxy"))
};
parser { p_add_context_splunk(key("zscaler_lss")); };
parser (compliance_meta_by_source);
# Rogue message needs a different template than valid LSS events. Final rewrite (further below) will be a
# no-op in this case.
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
};


# Parser for all valid LSS events. Rogue events, having previously loaded $MSG with the entire payload,
# will be unaffected by the rewrite here.
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };

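Review bot: The comment introduced at the end of the hunk says "Parser for all valid LSS events", but the `parser (compliance_meta_by_source);` that follows sits after the closing `};` of the if/elif/else chain, so it now runs for the rogue branch too, whereas before the change each branch (rogue included) carried its own copy inside the conditional. The second sentence of the comment only covers the rewrite, so a reader is left to work out whether tagging rogue traffic with compliance metadata is intended; if it is, the comment should say so, e.g. `# Compliance metadata and final MSG rewrite for every event on this path, rogue ones included. Rogue events, having previously loaded $MSG with the entire payload, are unaffected by the rewrite here.` If it is not intended, the parser line belongs back inside the four valid-event branches or the rogue branch needs an explicit exclusion. The `log {` block this sits in opens before the first hunk and, judging by the "Expand Down" marker, closes after this one, so the placement relative to the block's end cannot be confirmed from the page.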