diff --git a/.circleci/config.yml b/.circleci/config.yml
index a455417..d13a074 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -8,7 +8,7 @@
#work. If not, see .
version: 2.1
orbs:
- docker: circleci/docker@0.5.13
+ docker: circleci/docker@0.5.20
go: circleci/go@0.2.0
snyk: snyk/snyk@0.0.8
versioning: kollex/versioning@1.0.0
@@ -94,7 +94,7 @@ jobs:
- run: git submodule sync
- run: git submodule update --init --recursive
- - docker/install-docker-tools
+ #- docker/install-docker-tools
- docker/check:
registry: $REGISTRY
docker-username: GITHUB_USER
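Review bot: The `#- docker/install-docker-tools` line leaves a commented-out step in the job with no record of why it was disabled, which is the kind of dead config that gets silently re-enabled or cargo-culted later. If the `docker/check` step works without it under the bumped orb (0.5.20, first hunk), delete the line; if it is a temporary workaround, replace it with a comment that says so, e.g. `# docker/install-docker-tools disabled: <reason / tracking issue>`. The job definition continues past the hunk, so whether a later step still relies on the tools cannot be confirmed here.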
@@ -418,4 +418,4 @@ workflows:
tags:
only: /^\d*\.\d*\.\d*.*$/
branches:
- ignore: /.*/
\ No newline at end of file
+ ignore: /.*/
diff --git a/docker-compose.yml b/docker-compose.yml
index 3e3bc3d..3d936bc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -48,8 +48,11 @@ services:
# - SC4S_LISTEN_DEFAULT_UDP_PORT=514
# - SC4S_LISTEN_DEFAULT_TLS_PORT=6514
- SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000
- - SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT=6000
-# - SC4S_ARCHIVE_CHECKPOINT=yes
+ - SC4S_LISTEN_CISCO_ASA_TCP_PORT=5001
+ - SC4S_LISTEN_CISCO_IOS_TCP_PORT=5002
+ - SC4S_LISTEN_CISCO_MERAKI_TCP_PORT=5003
+ - SC4S_LISTEN_JUNIPER_IDP_TCP_PORT=5004
+ - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005
- SC4S_ARCHIVE_GLOBAL=yes
volumes:
- ./tls:/opt/syslog-ng/tls
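Review bot: The five new `SC4S_LISTEN_*_TCP_PORT` values (5001–5005) only tell the container to open listeners; the compose `ports:` section is outside this hunk, so if it was not updated in step the listeners exist inside the container but are unreachable from the host, which is easy to miss because nothing fails. Each of these ports classifies traffic by port number alone (the lp-* templates in this diff apply no filter on the dedicated-port channel), so a trailing comment per line naming the intended sender and the owning template would help operators, e.g. `- SC4S_LISTEN_CISCO_ASA_TCP_PORT=5001  # dedicated listener, see lp-cisco_asa.conf.tmpl`. Dropping `SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT=6000` is presumably deliberate since lp-checkpoint_splunk now falls back to the default port when the variable is unset; a short note in the file about that fallback would avoid a support question later.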
diff --git a/package/etc/conf.d/conflib/_common/syslog_format.conf b/package/etc/conf.d/conflib/_common/syslog_format.conf
index b8802a7..b461e0e 100644
--- a/package/etc/conf.d/conflib/_common/syslog_format.conf
+++ b/package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -4,15 +4,9 @@ filter f_rfc5424_strict{
filter f_rfc5424_noversion{
message('^(?(?(?<\d{1,3}>) ?(?(?(?\d{4})-(?\d\d)-(?\d\d))T(?(?(?[0-2]\d):(?[0-5]\d):(?[0-5]\d)(?:.(?\d{1,6}))?)(?Z|(?[+\-][0-2]\d:[0-5]\d))))))');
};
-filter f_rfc5424_epochtime{
- message('^(?(?(?<\d{1,3}>)(?[1-9][0-9]?) (?(?\d{10})(?:.(?\d{1,9})?)) (?[^ ]+) ))');
-};
filter f_rfc3164_version{
message('^(?(?(?<\d{1,3}>)(?[1-9][0-9]?) (?[A-Za-z]{3} \d\d \d\d:\d\d:\d\d) (?[^ ]+) ))');
};
-rewrite set_rfcnonconformant{
- set("rfc5424_nonconform" value("fields.sc4s_syslog_format"));
-};
rewrite set_rfc5424_strict{
set("rfc5424_strict" value("fields.sc4s_syslog_format"));
};
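Review bot: Removing `f_rfc5424_epochtime` and `set_rfcnonconformant` here, and `f_is_rfc5424_epochtime` in the following hunk (-28,9), leaves `rewrite set_rfc5424_epochtime` (first line after that hunk header) as an orphan: nothing in this file now detects the epoch-time form, so either that rewrite should go too or a comment should say which parser now sets `rfc5424_epochtime`, e.g. `# rfc5424_epochtime is now tagged by the vendor-specific parser; see the lp-* templates`. Any configuration outside this diff that still calls `filter(f_is_rfc5424_epochtime)` or `rewrite(set_rfcnonconformant)` will make syslog-ng fail config parsing at startup, which for a log collector means a silent outage of the whole pipeline rather than one path; a grep across conf.d before merge is worth confirming in the commit message. Whether the removed names are referenced elsewhere cannot be seen from this diff.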
@@ -28,9 +22,6 @@ filter f_is_rfc5424_noversion{
rewrite set_rfc5424_epochtime{
set("rfc5424_epochtime" value("fields.sc4s_syslog_format"));
};
-filter f_is_rfc5424_epochtime{
- match("rfc5424_epochtime" value("fields.sc4s_syslog_format"))
-};
rewrite set_rfc3164_version{
set("rfc3164_version" value("fields.sc4s_syslog_format"));
};
diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl
index 90dc794..eb19250 100644
--- a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl
+++ b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl
@@ -6,7 +6,7 @@ destination d_hec {
workers({{- getenv "SC4S_DEST_SPLUNK_HEC_WORKERS" "10"}})
batch-lines({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_LINES" "1000"}})
batch-bytes({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_BYTES" "4096kb"}})
- batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1"}})
+ batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "3000"}})
timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_TIMEOUT" "30"}})
user_agent("sc4s/1.0 (events)")
user("sc4s")
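Review bot: The new default `"3000"` for batch-timeout raises the flush delay from effectively immediate to 3 s, and the hunk does not record the unit, so a reader has to know that syslog-ng's batch-timeout() is in milliseconds while the neighbouring `timeout(... "30")` is not the same scale. For a detection pipeline a 3 s batching delay is a deliberate latency/throughput trade-off that operators tuning `SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT` should see stated, so add a template comment above the line: `{{- /* batch-timeout is in milliseconds: a partial batch is flushed after 3 s */}}`. The `destination d_hec` block continues outside the hunk.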
@@ -45,4 +45,4 @@ destination d_hec {
event="$MSG"
fields.*)')
);
-};
\ No newline at end of file
+};
diff --git a/package/etc/conf.d/filters/VMware/vsphere.conf b/package/etc/conf.d/filters/VMware/vsphere.conf
index 624c6e0..a2378aa 100644
--- a/package/etc/conf.d/filters/VMware/vsphere.conf
+++ b/package/etc/conf.d/filters/VMware/vsphere.conf
@@ -23,7 +23,8 @@ filter f_vmware_all {
or program("NSX", flags(ignore-case))
or program("NSXV", flags(ignore-case))
or program("dfwpktlogs", flags(ignore-case))
- or program("nsx-.*", flags(ignore-case))};
+ or program("nsx-.*", flags(ignore-case))
+};
filter f_vmware_vsphere {
program("cimslp", flags(ignore-case))
diff --git a/package/etc/conf.d/local/config/log_paths/example.conf.tmpl b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl
similarity index 81%
rename from package/etc/conf.d/local/config/log_paths/example.conf.tmpl
rename to package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl
index 516f954..708bc7c 100644
--- a/package/etc/conf.d/local/config/log_paths/example.conf.tmpl
+++ b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl
@@ -29,24 +29,23 @@
{{- $context := dict "port_id" "LOCAL_EXAMPLE" "parser" "common" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-
-{{- /* The first time this template is used the log_path will be linked to the default port */}}
-
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_local_example);
-{{- end}}
-
-{{- /* In the second pass through the template a link to the dedicated port is used. This */}}
-{{- /* normally does not require additional filters */}}
-
-{{- if eq (.) "no"}}
- source (s_LOCAL_EXAMPLE);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic
+ source (s_LOCAL_EXAMPLE);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_local_example);
+ flags(final);
+ };
+ };
# Set a default sourcetype and index, as well as an appropriate value for the field
# "sc4s_vendor_product". This field is sent as an indexed field to Splunk,
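Review bot: The dedicated-port channel (`source (s_LOCAL_EXAMPLE); flags (final);`) accepts whatever arrives on that port with no content filter, so the port number is the sole discriminator for how the traffic is classified and indexed; the comment above it should say so, e.g. `# Anything received on the dedicated port is classified as LOCAL_EXAMPLE without content filtering`. The condition line can use Go template's variadic `or` and drop the no-op `print`: `{{- if or (getenv "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT") (getenv "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT") (getenv "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT") }}`. Whether that condition matches the one `t/source_network.t` uses to emit `s_LOCAL_EXAMPLE` cannot be verified here; if they ever diverge the channel references an undefined source and syslog-ng refuses the whole config. Spacing inside the channels is inconsistent (`source (s_LOCAL_EXAMPLE);`/`flags (final);` versus `source(s_DEFAULT);`/`flags(final);`). The `log {` block opened in this hunk closes in the next one, and the same junction shape with the same remarks recurs in lp-checkpoint_splunk, lp-cisco_acs, lp-cisco_asa, lp-cisco_asa_legacy, lp-cisco_ios, lp-cisco_ise, lp-cisco_meraki, lp-cisco_nxos, lp-forcepoint_webprotect, lp-fortinet_fortios, lp-infoblox, lp-juniper_idp and lp-juniper_junos in this diff.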
@@ -86,16 +85,4 @@ log {
# All passes through any matching log path will be final
flags(flow-control,final);
-};
-{{- end}}
-
-{{- /* Prepare to run two passes through this template, one for default traffic and another for */}}
-{{- /* "unique ports" if they are configured. */}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end }}
-
-# Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic
-{{ tmpl.Exec "log_path" "yes" }}
\ No newline at end of file
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
similarity index 86%
rename from package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
index 0fd2808..bddcbd3 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
@@ -1,19 +1,25 @@
# Checkpoint
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
+{{- $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_checkpoint_splunk);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_CHECKPOINT_SPLUNK);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT")) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic
+ source (s_CHECKPOINT_SPLUNK);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic
+ source(s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_checkpoint_splunk);
+ flags(final);
+ };
+ };
if {
filter(f_nix_syslog);
@@ -83,12 +89,4 @@ log {
{{- end}}
flags(flow-control,final);
-};
-{{- end}}
-{{- if or (or (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT")) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic
-{{ tmpl.Exec "log_path" "yes" }}
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
similarity index 81%
rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
index 0e3c4c1..817df0a 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
@@ -1,6 +1,6 @@
# Cisco ACS
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- $context := dict "port_id" "CISCO_ACS" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
# This filter uses a field we set to prevent the original messages before aggregation from being
@@ -46,17 +46,24 @@ parser acs_event_time {
template("${ACS.DATE} ${ACS.TIME} ${ACS.TZ}")
);
};
-{{- /* The following is an inline template to generate the actual log path */}}
-{{ define "log_path" }}
+
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_cisco_acs);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_CISCO_ACS);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ACS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ACS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ACS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_ACS traffic
+ source (s_CISCO_ACS);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_ACS traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_cisco_acs);
+ flags(final);
+ };
+ };
parser(acs_grouping);
@@ -83,15 +90,4 @@ log {
flags(flow-control,final);
};
-
-};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ACS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ACS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ACS_TLS_PORT")) }}
-
-# Listen on the specified dedicated port(s) for CISCO_ACS traffic
- {{tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CISCO_ACS traffic
-{{tmpl.Exec "log_path" "yes" }}
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl
similarity index 65%
rename from package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl
index 59e9c50..9045821 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl
@@ -1,19 +1,25 @@
# Cisco ASA RFC5424
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_ASA" "parser" "common" }}
+{{- $context := dict "port_id" "CISCO_ASA" "parser" "rfc5424_noversion" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc5424_noversion);
- filter(f_cisco_asa);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_CISCO_ASA);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_ASA traffic
+ source (s_CISCO_ASA);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_ASA traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc5424_noversion);
+ filter(f_cisco_asa);
+ flags(final);
+ };
+ };
rewrite {
set("cisco_asa", value("fields.sc4s_vendor_product"));
@@ -33,12 +39,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for CISCO_ASA traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CISCO_ASA traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
similarity index 65%
rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
index b794ad8..0749e68 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
@@ -1,19 +1,25 @@
# Cisco ASA
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "common" }}
+{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_cisco_asa);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_CISCO_ASA_LEGACY);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_ASA_LEGACY traffic
+ source (s_CISCO_ASA_LEGACY);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_ASA_LEGACY traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_cisco_asa);
+ flags(final);
+ };
+ };
rewrite {
set("cisco_asa", value("fields.sc4s_vendor_product"));
@@ -31,16 +37,5 @@ log {
destination(d_archive);
{{- end}}
-
flags(flow-control,final);
-
};
-{{- end}}
-{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT")) }}
-
-# Listen on the specified dedicated port(s) for CISCO_ASA_LEGACY traffic
- {{tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CISCO_ASA_LEGACY traffic
-{{tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
similarity index 67%
rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
index 2749bc8..80aae01 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
@@ -1,18 +1,24 @@
# Cisco IOS
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_IOS" "parser" "common" }}
+{{- $context := dict "port_id" "CISCO_IOS" "parser" "cisco_parser" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes" }}
- source(s_DEFAULT);
- filter(f_is_cisco_ios);
-{{- end }}
-{{- if eq (.) "no" }}
- source (s_CISCO_IOS);
-{{- end }}
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_IOS traffic
+ source (s_CISCO_IOS);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_IOS traffic
+ source (s_DEFAULT);
+ filter(f_is_cisco_ios);
+ flags(final);
+ };
+ };
rewrite {
set("cisco_ios", value("fields.sc4s_vendor_product"));
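Review bot: The `parser` value `cisco_parser` in the `$context` line (and `cisco_meraki_parser` in the first hunk of lp-cisco_meraki.conf.tmpl) departs from the syslog-format names (`rfc3164`, `rfc5424_strict`, `rfc5424_noversion`) every other lp-* file in this diff passes to `t/source_network.t`; that template is not in the diff, so whether it recognises these product-specific names cannot be confirmed here, and an unrecognised value would presumably surface only as a broken or silently default-parsed dedicated listener. A one-line comment next to `$context` naming where the parser lives would make the coupling visible: `{{- /* "cisco_parser" must match a parser block provided by t/source_network.t */}}`. The `log {` block continues past this hunk.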
@@ -33,12 +39,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for CISCO_IOS traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CISCO_IOS traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
similarity index 81%
rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
index b56dae5..9a5bf0f 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
@@ -1,6 +1,6 @@
# Cisco ISE
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- $context := dict "port_id" "CISCO_ISE" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
# This filter uses a field we set to prevent the original messages before aggregation from being
@@ -48,17 +48,24 @@ parser ise_event_time {
template("${ISE.DATE} ${ISE.TIME} ${ISE.TZ}")
);
};
-{{- /* The following is an inline template to generate the actual log path */}}
-{{ define "log_path" }}
+
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_cisco_ise);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_CISCO_ISE);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ISE_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ISE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ISE_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_ISE traffic
+ source (s_CISCO_ISE);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_ISE traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_cisco_ise);
+ flags(final);
+ };
+ };
parser(ise_grouping);
@@ -86,13 +93,3 @@ log {
};
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ISE_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ISE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ISE_TLS_PORT")) }}
-
-# Listen on the specified dedicated port(s) for CISCO_ISE traffic
- {{tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CISCO_ISE traffic
-{{tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl
similarity index 66%
rename from package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl
index 4c2ba45..c0f37ce 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl
@@ -1,18 +1,24 @@
# Cisco Meraki
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_MERAKI" "parser" "common" }}
+{{- $context := dict "port_id" "CISCO_MERAKI" "parser" "cisco_meraki_parser" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_cisco_meraki);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_CISCO_MERAKI);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_MERAKI traffic
+ source (s_CISCO_MERAKI);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_MERAKI traffic
+ source (s_DEFAULT);
+ filter(f_cisco_meraki);
+ flags(final);
+ };
+ };
rewrite {
set("cisco_meraki", value("fields.sc4s_vendor_product"));
@@ -33,12 +39,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for CISCO_MERAKI traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CISCO_MERAKI traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl
similarity index 67%
rename from package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl
index 683dc1f..8bf2d2b 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl
@@ -1,18 +1,24 @@
# Cisco NX_OS
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes" }}
- source(s_DEFAULT);
- filter(f_cisco_nx_os);
-{{- end }}
-{{- if eq (.) "no" }}
- source (s_CISCO_NX_OS);
-{{- end }}
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_NX_OS traffic
+ source (s_CISCO_NX_OS);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_NX_OS traffic
+ source (s_DEFAULT);
+ filter(f_cisco_nx_os);
+ flags(final);
+ };
+ };
rewrite {
set("cisco_nxos", value("fields.sc4s_vendor_product"));
@@ -32,15 +38,5 @@ log {
destination(d_archive);
{{- end}}
-
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for CISCO_NX_OS traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for CISCO_NX_OS traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl
similarity index 70%
rename from package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl
index a3346bd..3b55bfa 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl
@@ -1,19 +1,25 @@
# Forcepoint Webprotect
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }}
+{{- $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_forcepoint_webprotect_kv);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_FORCEPOINT_WEBPROTECT);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic
+ source (s_FORCEPOINT_WEBPROTECT);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for FORCEPOINT_WEBPROTECT traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_forcepoint_webprotect_kv);
+ flags(final);
+ };
+ };
rewrite {
subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global"));
@@ -34,12 +40,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for FORCEPOINT_WEBPROTECT traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl
similarity index 78%
rename from package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl
index 837ce58..aba6936 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-fortinet_fortios.conf.tmpl
@@ -1,19 +1,25 @@
# Fortinet Fortios
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "FORTINET_FORTIOS" "parser" "common" }}
+{{- $context := dict "port_id" "FORTINET_FORTIOS" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_fortinet_fortios);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_FORTINET_FORTIOS);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for FORTINET_FORTIOS traffic
+ source (s_FORTINET_FORTIOS);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for FORTINET_FORTIOS traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_fortinet_fortios);
+ flags(final);
+ };
+ };
parser {
kv-parser(prefix(".kv.") template("${MSGHDR} ${MSG}"));
@@ -53,12 +59,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for FORTINET_FORTIOS traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for FORTINET_FORTIOS traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl
similarity index 83%
rename from package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl
index a84ecaa..8b40188 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl
@@ -1,20 +1,25 @@
# Infoblox
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "INFOBLOX" "parser" "common" }}
+{{- $context := dict "port_id" "INFOBLOX" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_infoblox);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_INFOBLOX);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_INFOBLOX_TCP_PORT")) (getenv (print "SC4S_LISTEN_INFOBLOX_UDP_PORT"))) (getenv (print "SC4S_LISTEN_INFOBLOX_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for INFOBLOX traffic
+ source (s_INFOBLOX);
+ flags (final);
+ };
{{- end}}
-
+ channel {
+ # Listen on the default port (typically 514) for INFOBLOX traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_infoblox);
+ flags(final);
+ };
+ };
if {
filter{program("named")};
@@ -67,12 +72,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_INFOBLOX_TCP_PORT")) (getenv (print "SC4S_LISTEN_INFOBLOX_UDP_PORT"))) (getenv (print "SC4S_LISTEN_INFOBLOX_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for INFOBLOX traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for INFOBLOX traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl
similarity index 65%
rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl
index 162996d..436963a 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl
@@ -1,19 +1,25 @@
# Juniper IDP
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_IDP" "parser" "common" }}
+{{- $context := dict "port_id" "JUNIPER_IDP" "parser" "rfc5424_strict" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc5424_strict);
- filter(f_juniper_idp);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_JUNIPER_IDP);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for JUNIPER_IDP traffic
+ source (s_JUNIPER_IDP);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for JUNIPER_IDP traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc5424_strict);
+ filter(f_juniper_idp);
+ flags(final);
+ };
+ };
rewrite {
set("juniper_idp", value("fields.sc4s_vendor_product"));
@@ -33,12 +39,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for JUNIPER_IDP traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for JUNIPER_IDP traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
similarity index 78%
rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
index facaf1c..05d7e5d 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
@@ -1,19 +1,25 @@
# Juniper JunOS
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_JUNOS" "parser" "common" }}
+{{- $context := dict "port_id" "JUNIPER_JUNOS" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_juniper_junos_standard);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_JUNIPER_JUNOS);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for JUNIPER_JUNOS traffic
+ source (s_JUNIPER_JUNOS);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for JUNIPER_JUNOS traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_juniper_junos_standard);
+ flags(final);
+ };
+ };
rewrite {
set("juniper_junos", value("fields.sc4s_vendor_product"));
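Review bot: Call spacing is mixed inside the new junction: the dedicated-port channel writes `source (s_JUNIPER_JUNOS);` and `flags (final);` while the default channel writes `flags(final);`, and the removed code wrote `source(s_DEFAULT);`; the same mix appears in every rewritten log path in this commit (juniper_junos_structured, juniper_netscreen, juniper_nsm, juniper_nsm_idp, microfocus_arcsight, paloalto_panos, proofpoint_pps, symantec_brightmail, symantec_proxy, ubiquiti_unifi, vmware_vsphere, zscaler_nss, nix_syslog). Normalizing to `source(s_JUNIPER_JUNOS);` / `flags(final);` keeps the rendered .conf greppable. The `(print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")` wrappers in the channel condition only format a string literal; `getenv "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT"` reads the same variable. The dedicated-port channel appears to deliberately carry no `f_is_rfc3164` / `f_juniper_junos_standard` filter, so a comment such as `# No format filter: everything received on the dedicated port is treated as JUNIPER_JUNOS` would make that trust decision explicit to operators reading the generated config.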
@@ -52,12 +58,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for JUNIPER_JUNOS traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for JUNIPER_JUNOS traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
similarity index 82%
rename from package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index f5ac665..d5ae714 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -1,19 +1,25 @@
# Juniper JunOS (Structured, RFC5424-compliant)
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_JUNOS_STRUCTURED" "parser" "common" }}
+{{- $context := dict "port_id" "JUNIPER_JUNOS_STRUCTURED" "parser" "rfc5424_strict" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc5424_strict);
- filter(f_juniper_junos_structured);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_JUNIPER_JUNOS_STRUCTURED);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for JUNIPER_JUNOS_STRUCTURED traffic
+ source (s_JUNIPER_JUNOS_STRUCTURED);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for JUNIPER_JUNOS_STRUCTURED traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc5424_strict);
+ filter(f_juniper_junos_structured);
+ flags(final);
+ };
+ };
rewrite {
set("juniper_junos", value("fields.sc4s_vendor_product"));
@@ -60,12 +66,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for JUNIPER_JUNOS_STRUCTURED traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for JUNIPER_JUNOS_STRUCTURED traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl
similarity index 66%
rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl
index 6fca3d1..74c40b0 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl
@@ -1,18 +1,24 @@
# Juniper Netscreen
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "common" }}
+{{- $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_juniper_netscreen);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_JUNIPER_NETSCREEN);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic
+ source (s_JUNIPER_NETSCREEN);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for JUNIPER_NETSCREEN traffic
+ source (s_DEFAULT);
+ filter(f_juniper_netscreen);
+ flags(final);
+ };
+ };
rewrite {
set("juniper_netscreen", value("fields.sc4s_vendor_product"));
@@ -31,13 +37,4 @@ log {
{{- end}}
flags(flow-control,final);
-};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end }}
-
-# Listen on the default port (typically 514) for JUNIPER_NETSCREEN traffic
-{{ tmpl.Exec "log_path" "yes" }}
\ No newline at end of file
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl
similarity index 65%
rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl
index 668f287..650b7c9 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl
@@ -1,19 +1,25 @@
# Juniper NSM
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_NSM" "parser" "common" }}
+{{- $context := dict "port_id" "JUNIPER_NSM" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_juniper_nsm);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_JUNIPER_NSM);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for JUNIPER_NSM traffic
+ source (s_JUNIPER_NSM);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for JUNIPER_NSM traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_juniper_nsm);
+ flags(final);
+ };
+ };
rewrite {
set("juniper_nsm", value("fields.sc4s_vendor_product"));
@@ -33,12 +39,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for JUNIPER_NSM traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for JUNIPER_NSM traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl
similarity index 64%
rename from package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl
index 2ac5fa0..e76fb0a 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl
@@ -1,19 +1,25 @@
# Juniper NSM IDP
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "common" }}
+{{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_juniper_nsm_idp);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_JUNIPER_NSM_IDP);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic
+ source (s_JUNIPER_NSM_IDP);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for JUNIPER_NSM_IDP traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_juniper_nsm_idp);
+ flags(final);
+ };
+ };
rewrite {
set("juniper_nsm_idp", value("fields.sc4s_vendor_product"));
@@ -32,12 +38,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for JUNIPER_NSM_IDP traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl
similarity index 82%
rename from package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl
index 8a5a386..ae04a47 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl
@@ -1,6 +1,6 @@
# Microfocus ArcSight
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "MICROFOCUS_ARCSIGHT" "parser" "common" }}
+{{- $context := dict "port_id" "MICROFOCUS_ARCSIGHT" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
parser p_microfocus_arcsight_header {
@@ -33,17 +33,24 @@ parser p_microfocus_arcsight_source {
default-selector("unknown")
);
};
-{{- /* The following is an inline template to generate the actual log path */}}
-{{ define "log_path" }}
+
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_microfocus_arcsight);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_MICROFOCUS_ARCSIGHT);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT")) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for MICROFOCUS_ARCSIGHT traffic
+ source (s_MICROFOCUS_ARCSIGHT);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for MICROFOCUS_ARCSIGHT traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_microfocus_arcsight);
+ flags(final);
+ };
+ };
rewrite {
set("microfocus_arcsight", value("fields.sc4s_vendor_product"));
@@ -82,14 +89,4 @@ log {
{{- end}}
flags(flow-control,final);
-
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT")) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for MICROFOCUS_ARCSIGHT traffic
- {{tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for MICROFOCUS_ARCSIGHT traffic
-{{tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
similarity index 86%
rename from package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
index 6f5cb7f..f115db2 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
@@ -1,19 +1,25 @@
# PaloAlto PanOS
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "PALOALTO_PANOS" "parser" "common" }}
+{{- $context := dict "port_id" "PALOALTO_PANOS" "parser" "rfc3164_version" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_palalto_format);
- filter(f_paloalto_panos);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_PALOALTO_PANOS);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for PALOALTO_PANOS traffic
+ source (s_PALOALTO_PANOS);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for PALOALTO_PANOS traffic
+ source (s_DEFAULT);
+ filter(f_is_palalto_format);
+ filter(f_paloalto_panos);
+ flags(final);
+ };
+ };
# The palo message does not include a program value in the header, unfortunately.
# The use of colon in the message tricks the RFC3164 parser; We will re-write the message
@@ -89,12 +95,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for PALOALTO_PANOS traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for PALOALTO_PANOS traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl
similarity index 70%
rename from package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl
index d17a226..dc911ec 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl
@@ -1,18 +1,24 @@
# Proofpoint Protection Server
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "PROOFPOINT_PPS" "parser" "common" }}
+{{- $context := dict "port_id" "PROOFPOINT_PPS" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes" }}
- source(s_DEFAULT);
- filter { filter(f_proofpoint_pps_filter) or filter(f_proofpoint_pps_sendmail) };
-{{- end }}
-{{- if eq (.) "no" }}
- source (s_PROOFPOINT_PPS);
-{{- end }}
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for PROOFPOINT_PPS traffic
+ source (s_PROOFPOINT_PPS);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for PROOFPOINT_PPS traffic
+ source (s_DEFAULT);
+ filter { filter(f_proofpoint_pps_filter) or filter(f_proofpoint_pps_sendmail) };
+ flags(final);
+ };
+ };
if (filter(f_proofpoint_pps_filter)) {
rewrite {
@@ -40,12 +46,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for PROOFPOINT_PPS traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for PROOFPOINT_PPS traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
similarity index 96%
rename from package/etc/conf.d/log_paths/internal.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
index 15ea441..0756b20 100644
--- a/package/etc/conf.d/log_paths/internal.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
@@ -1,4 +1,3 @@
-{{- define "log_path"}}
log {
source(s_internal);
@@ -36,6 +35,4 @@ log {
};
flags(flow-control,final);
- };
-{{- end}}
-{{- tmpl.Exec "log_path" "yes" }}
+};
diff --git a/package/etc/conf.d/log_paths/startup.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl
similarity index 93%
rename from package/etc/conf.d/log_paths/startup.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl
index 8153c55..c6607be 100644
--- a/package/etc/conf.d/log_paths/startup.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl
@@ -1,6 +1,5 @@
# Startup events
-{{- define "log_path"}}
log {
source(s_startup_out);
@@ -32,6 +31,4 @@ log {
{{- end}}
flags(flow-control,final);
- };
-{{- end}}
-{{- tmpl.Exec "log_path" "yes" }}
+};
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl
similarity index 81%
rename from package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl
index 04ab7d1..8ae5329 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-symantec_brightmail.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl
@@ -24,20 +24,26 @@ parser symantec_brightmail_grouping {
{{- end }}
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }}
+{{- $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes" }}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_symantec_brightmail);
-{{- end }}
-{{- if eq (.) "no" }}
- source (s_SYMANTEC_BRIGHTMAIL);
-{{- end }}
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for SYMANTEC_BRIGHTMAIL traffic
+ source (s_SYMANTEC_BRIGHTMAIL);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for SYMANTEC_BRIGHTMAIL traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_symantec_brightmail);
+ flags(final);
+ };
+ };
{{- if (conv.ToBool (getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes")) }}
if {
@@ -89,12 +95,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT"))) (getenv (print "SC4S_SYMANTEC_BRIGHTMAIL_NSS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for SYMANTEC_BRIGHTMAIL traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for SYMANTEC_BRIGHTMAIL traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl
similarity index 65%
rename from package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl
index 64584fd..cc3524d 100644
--- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl
@@ -1,19 +1,25 @@
# Symantec Proxy (Bluecoat)
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "SYMANTEC_PROXY" "parser" "common" }}
+{{- $context := dict "port_id" "SYMANTEC_PROXY" "parser" "rfc5424_noversion" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc5424_noversion);
- filter(f_symantec_bluecoat_proxy);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_SYMANTEC_PROXY);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for SYMANTEC_PROXY traffic
+ source (s_SYMANTEC_PROXY);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for SYMANTEC_PROXY traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc5424_noversion);
+ filter(f_symantec_bluecoat_proxy);
+ flags(final);
+ };
+ };
rewrite {
set("bluecoat_proxy", value("fields.sc4s_vendor_product"));
@@ -34,12 +40,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for SYMANTEC_PROXY traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for SYMANTEC_PROXY traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl
similarity index 89%
rename from package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl
index a8b891b..cee88ad 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl
@@ -1,19 +1,25 @@
# Ubiquiti unifi
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "common" }}
+{{- $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_ubiquiti_unifi);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_UBIQUITI_UNIFI);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT")) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for UBIQUITI_UNIFI traffic
+ source (s_UBIQUITI_UNIFI);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for UBIQUITI_UNIFI traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_ubiquiti_unifi);
+ flags(final);
+ };
+ };
parser {p_add_context_splunk(key("ubiquiti_unifi")); };
@@ -119,14 +125,4 @@ log {
{{- end}}
flags(flow-control,final);
-
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT")) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for UBIQUITI_UNIFI traffic
-{{tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for UBIQUITI_UNIFI traffic
-{{tmpl.Exec "log_path" "yes" }}
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
similarity index 81%
rename from package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
index 171fccc..877eb18 100644
--- a/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
@@ -1,18 +1,24 @@
# VMware ESXi and NSX
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "VMWARE" "parser" "common" }}
+{{- $context := dict "port_id" "VMWARE_VSPHERE" "parser" "common" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_vmware_all);
-{{- end}}
-{{- if eq (.) "no"}}
- source (s_VMWARE);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT")) (getenv (print "SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for VMWARE_VSPHERE traffic
+ source (s_VMWARE_VSPHERE);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for VMWARE_VSPHERE traffic
+ source (s_DEFAULT);
+ filter(f_vmware_all);
+ flags(final);
+ };
+ };
#NSX first because its the cheapest check
if {
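Review bot: The rename of port_id from `VMWARE` to `VMWARE_VSPHERE` silently changes the operator-facing variables: the channel condition now reads `SC4S_LISTEN_VMWARE_VSPHERE_{TCP,UDP,TLS}_PORT` where the removed code read `SC4S_LISTEN_VMWARE_*`, and the next hunk (@@ -83,21 +89,13 @@) likewise replaces `SC4S_DEST_VMWARE_HEC` and `SC4S_ARCHIVE_VMWARE`. A deployment that still sets the old names would presumably render and start cleanly but lose its dedicated vSphere listener and its HEC/archive override, with nothing in the generated config to say why. Since `s_VMWARE_VSPHERE` is produced by `t/source_network.t` from `.port_id`, a compatibility fallback cannot be added in this file alone; at minimum add `{{- /* Renamed from VMWARE: SC4S_LISTEN_VMWARE_*, SC4S_DEST_VMWARE_HEC and SC4S_ARCHIVE_VMWARE are no longer read */}}` next to the `$context` line and call the rename out in the release notes, which this chunk does not show. This file also keeps `"parser" "common"` while every other log path in the commit moved to a specific parser; if that is deliberate for the mixed ESXi/NSX formats handled by `f_vmware_all`, a one-line comment saying so would save the next reader a check.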
@@ -83,21 +89,13 @@ log {
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
};
-{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_VMWARE_HEC" "no")) }}
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_VMWARE_VSPHERE_HEC" "no")) }}
destination(d_hec);
{{- end}}
-{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_VMWARE" "no")) }}
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_VMWARE_VSPHERE" "no")) }}
destination(d_archive);
{{- end}}
flags(flow-control,final);
};
-{{- end}}
-{{- if or (or (getenv (print "SC4S_LISTEN_VMWARE_TCP_PORT")) (getenv (print "SC4S_LISTEN_VMWARE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_VMWARE_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for VMWARE traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for VMWARE traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
similarity index 86%
rename from package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
index 27f682e..17782bf 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
@@ -1,18 +1,24 @@
# Zscaler
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "ZSCALER_NSS" "parser" "common" }}
+{{- $context := dict "port_id" "ZSCALER_NSS" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes" }}
- source(s_DEFAULT);
- filter(f_zscaler_nss);
-{{- end }}
-{{- if eq (.) "no" }}
- source (s_ZSCALER_NSS);
-{{- end }}
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TCP_PORT")) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for ZSCALER_NSS traffic
+ source (s_ZSCALER_NSS);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for ZSCALER_NSS traffic
+ source (s_DEFAULT);
+ filter(f_zscaler_nss);
+ flags(final);
+ };
+ };
parser { date-parser(format("%Y-%m-%d %H:%M:%S") template('$(substr "$LEGACY_MSGHDR$MSG" "0" "19")')); };
rewrite {
@@ -74,12 +80,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TCP_PORT")) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for ZSCALER_NSS traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for ZSCALER_NSS traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
similarity index 68%
rename from package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
index e1911f7..be65104 100644
--- a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
@@ -1,18 +1,24 @@
# Linux/Unix OS system logs
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "NIX_SYSLOG" "parser" "common" }}
+{{- $context := dict "port_id" "NIX_SYSLOG" "parser" "rfc3164" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-{{- if eq (.) "yes" }}
- source(s_DEFAULT);
- filter(f_nix_syslog);
-{{- end }}
-{{- if eq (.) "no" }}
- source (s_NIX_SYSLOG);
-{{- end }}
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_NIX_SYSLOG_TCP_PORT")) (getenv (print "SC4S_LISTEN_NIX_SYSLOG_UDP_PORT"))) (getenv (print "SC4S_LISTEN_NIX_SYSLOG_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for NIX_SYSLOG traffic
+ source (s_NIX_SYSLOG);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for NIX_SYSLOG traffic
+ source (s_DEFAULT);
+ filter(f_nix_syslog);
+ flags(final);
+ };
+ };
rewrite {
set("nix_syslog", value("fields.sc4s_vendor_product"));
@@ -36,12 +42,3 @@ log {
flags(flow-control,final);
};
-{{- end}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_NIX_SYSLOG_TCP_PORT")) (getenv (print "SC4S_LISTEN_NIX_SYSLOG_UDP_PORT"))) (getenv (print "SC4S_NIX_SYSLOG_NSS_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for NIX_SYSLOG traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end}}
-
-# Listen on the default port (typically 514) for NIX_SYSLOG traffic
-{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
similarity index 99%
rename from package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
index d2057c2..1298c67 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl
@@ -29,5 +29,4 @@ log {
{{- end}}
flags(flow-control,fallback);
-
};
\ No newline at end of file
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index eef481a..480130a 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
@@ -58,35 +58,48 @@ source s_{{ .port_id }} {
);
{{- end}}
};
- #TODO: #60 Remove this function with enhancement
- rewrite(set_rfcnonconformant);
-{{- if eq .parser "rfc5424_strict" }}
- filter(f_rfc5424_strict);
+{{ if eq .parser "rfc3164" }}
+ parser {
+ syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
+ };
+ rewrite(set_rfc3164);
+{{ else if eq .parser "rfc3164_version" }}
+# filter(f_rfc3164_version);
+ rewrite(set_rfc3164_no_version_string);
+ parser {
+ syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
+ };
+ rewrite(set_rfc3164_version);
+{{ else if eq .parser "rfc5424_strict" }}
+# filter(f_rfc5424_strict);
parser {
syslog-parser(flags(syslog-protocol));
};
rewrite(set_rfc5424_strict);
-{{- else if eq .parser "rfc5424_noversion" }}
- filter(f_rfc5424_noversion);
+{{ else if eq .parser "rfc5424_noversion" }}
+# filter(f_rfc5424_noversion);
parser {
syslog-parser(flags(syslog-protocol));
};
rewrite(set_rfc5424_noversion);
-{{- else if eq .parser "cisco_parser" }}
+{{ else if eq .parser "cisco_parser" }}
parser {cisco-parser()};
rewrite(set_cisco_ios);
-{{- else if eq .parser "cisco_meraki_parser" }}
+{{ else if eq .parser "cisco_meraki_parser" }}
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
-{{- else if eq .parser "rfc3164" }}
- parser {
- syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) );
- };
- rewrite(set_rfc3164);
-{{- else if eq .parser "no_parse" }}
+{{ else if eq .parser "no_parse" }}
rewrite(set_no_parse);
-{{- else }}
- if {filter(f_rfc5424_strict);
+{{ else }}
+ if {
+ filter(f_rfc3164_version);
+ rewrite(set_rfc3164_no_version_string);
+ parser {
+ syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
+ };
+ rewrite(set_rfc3164_version);
+ } elif {
+ filter(f_rfc5424_strict);
parser {
syslog-parser(flags(syslog-protocol));
};
@@ -100,13 +113,6 @@ source s_{{ .port_id }} {
} elif {
parser {cisco-parser()};
rewrite(set_cisco_ios);
- } elif {
- filter(f_rfc3164_version);
- rewrite(set_rfc3164_no_version_string);
- parser {
- syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
- };
- rewrite(set_rfc3164_version);
} elif {
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
@@ -116,9 +122,8 @@ source s_{{ .port_id }} {
};
rewrite(set_rfc3164);
};
-{{- end }}
+{{ end }}
rewrite(r_set_splunk_default);
-
parser {
vendor_product_by_source();
};
diff --git a/package/etc/local_config/log_paths/example.conf.tmpl b/package/etc/local_config/log_paths/lp-example.conf.tmpl
similarity index 81%
rename from package/etc/local_config/log_paths/example.conf.tmpl
rename to package/etc/local_config/log_paths/lp-example.conf.tmpl
index 516f954..708bc7c 100644
--- a/package/etc/local_config/log_paths/example.conf.tmpl
+++ b/package/etc/local_config/log_paths/lp-example.conf.tmpl
@@ -29,24 +29,23 @@
{{- $context := dict "port_id" "LOCAL_EXAMPLE" "parser" "common" }}
{{- tmpl.Exec "t/source_network.t" $context }}
-{{- /* The following is an inline template to generate the actual log path */}}
-{{- define "log_path"}}
log {
-
-{{- /* The first time this template is used the log_path will be linked to the default port */}}
-
-{{- if eq (.) "yes"}}
- source(s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_local_example);
-{{- end}}
-
-{{- /* In the second pass through the template a link to the dedicated port is used. This */}}
-{{- /* normally does not require additional filters */}}
-
-{{- if eq (.) "no"}}
- source (s_LOCAL_EXAMPLE);
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic
+ source (s_LOCAL_EXAMPLE);
+ flags (final);
+ };
{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_local_example);
+ flags(final);
+ };
+ };
# Set a default sourcetype and index, as well as an appropriate value for the field
# "sc4s_vendor_product". This field is sent as an indexed field to Splunk,
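Review bot: This file is the user-facing example for custom log paths under local_config, and the hunk removes the comments that explained the old two-pass `log_path` mechanism without replacing them with an explanation of the new junction/channel layout. A short comment above `junction {` would restore that, for example `# The first channel exists only when a dedicated SC4S_LISTEN_LOCAL_EXAMPLE_*_PORT is set;` followed by `# flags(final) stops the junction there so the message does not fall through to the default-port channel.` The `log {` block continues past the end of this hunk.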
@@ -86,16 +85,4 @@ log {
# All passes through any matching log path will be final
flags(flow-control,final);
-};
-{{- end}}
-
-{{- /* Prepare to run two passes through this template, one for default traffic and another for */}}
-{{- /* "unique ports" if they are configured. */}}
-
-{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }}
-# Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic
-{{ tmpl.Exec "log_path" "no" }}
-{{- end }}
-
-# Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic
-{{ tmpl.Exec "log_path" "yes" }}
\ No newline at end of file
+};
\ No newline at end of file