From 82c0de2ecdafad85dd7df0ccdb7af055411c6ab3 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Thu, 23 Apr 2020 16:13:12 -0700
Subject: [PATCH] Add context entry for mcafee

* Add mcafee entry to `splunk_index.csv`
* Clean up log path
---
 package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl | 8 +-------
 package/etc/context_templates/splunk_index.csv.example | 1 +
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
index 671fc5e..36419fb 100644
--- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
@@ -24,17 +24,11 @@ log {
     rewrite {
         set("mcafee_epo", value("fields.sc4s_vendor_product"));
+        r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav"))
     };
-    rewrite { r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav")) };
     parser {p_add_context_splunk(key("mcafee_epo")); };
-    parser (compliance_meta_by_source);
-
-
-    #We want to unset the fields we won't need, as this is copied into the
-    #disk queue for network destinations. This can be very disk expensive
-    #if we don't
     rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_MCAFEE_EPO_STRUCTURED_HEC" "no")) }}
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 8a77f3d..6339988 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -52,6 +52,7 @@
 #juniper_nsm,index,netfw
 #juniper_nsm_idp,index,netids
 #juniper_legacy,index,netops
+#mcafee_epo,index,epav
 #nix_syslog,index,osnix
 #pan_traffic,index,netfw
 #pan_threat,index,netproxy
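Review bot: The why-comment for the surviving `rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };` line was deleted together with the dead lines above it, so the one non-obvious rewrite in this log path is now unexplained; restore a one-line version directly above it, e.g. `# Rewrite MSG to the rendered template so unneeded fields are not copied into the disk queue for network destinations`. The added `r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav"))` line is the only statement in the rewrite block without a terminating `;`, unlike the `set(...)` line before it; ending it with `;` keeps the block consistent and avoids relying on the parser tolerating a missing terminator before `};`. Dropping `parser (compliance_meta_by_source);` presumably changes which compliance metadata is attached to these events, which goes beyond the "clean up" the description states, so if it is intentional it is worth naming in the commit message. The enclosing `log {` block starts before the hunk and ends after it.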