Merge pull request #262 from splunk/fix/default_ports

Gomplate update/cleanup for "soup" port defaults
CSVD · Jan 13, 2020 · 6354a58 · 6354a58
2 parents f860d79 + b583b67
commit 6354a58
Show file tree

Hide file tree

Showing 32 changed files with 205 additions and 172 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -44,12 +44,12 @@ services:
       - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN}
       - SC4S_SOURCE_TLS_ENABLE=no
       - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no
-      - SC4S_LISTEN_DEFAULT_TCP_PORT=514
-      - SC4S_LISTEN_DEFAULT_UDP_PORT=514
-#      - SC4S_LISTEN_DEFAULT_TLS_PORT=6514
+#     - SC4S_LISTEN_DEFAULT_TCP_PORT=514
+#     - SC4S_LISTEN_DEFAULT_UDP_PORT=514
+#     - SC4S_LISTEN_DEFAULT_TLS_PORT=6514
       - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000
       - SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT=6000
-#      - SC4S_ARCHIVE_CHECKPOINT=yes
+#     - SC4S_ARCHIVE_CHECKPOINT=yes
       - SC4S_ARCHIVE_GLOBAL=yes
     volumes:
       - ./tls:/opt/syslog-ng/tls

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
@@ -1,10 +1,10 @@
 # Checkpoint
-# Generate the custom port if defined
-{{ $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -87,7 +87,7 @@ log {
 {{- end}}
 {{- if or (or (getenv  (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl
@@ -1,9 +1,11 @@
 # Cisco ACS
-{{ $context := dict "port_id" "CISCO_ACS" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+# This filter uses a field we set to prevent the original messages before aggregation from being
+# sent to Splunk
 
-#This filter uses a field we set to prevent the original messages before aggregation from being
-#sent to Splunk
 filter f_cisco_acs_complete{
     match("yes", value("ACS.COMPLETE") type(glob));
 };
@@ -29,8 +31,8 @@ parser acs_grouping {
     );
 };
 
-#The syslog message includes a date with nano seconds and TZ which is not in the header
-#So must reparse the date
+# The syslog message includes a date with nano seconds and TZ which is not in the header
+# So must reparse the date
 parser acs_event_time {
     csv-parser(
         columns(ACS.DATE, ACS.TIME, ACS.TZ, MESSAGE)
@@ -44,7 +46,7 @@ parser acs_event_time {
             template("${ACS.DATE} ${ACS.TIME} ${ACS.TZ}")
     );
 };
-# The following is an inline template; we will use this to generate the actual log path
+{{- /* The following is an inline template to generate the actual log path */}}
 {{ define "log_path" }}
 log {
 {{- if eq (.) "yes"}}

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl
@@ -1,9 +1,10 @@
 # Cisco ASA
-{{ $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
@@ -1,9 +1,10 @@
 # Cisco IOS
-{{ $context := dict "port_id" "CISCO_IOS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_IOS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes" }}
     source(s_DEFAULT);
@@ -36,7 +37,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for CISCO_IOS traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for CISCO_IOS traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl
@@ -1,15 +1,18 @@
 # Cisco ISE
-{{ $context := dict "port_id" "CISCO_ISE" "parser" "common"}}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+# This filter uses a field we set to prevent the original messages before aggregation from being
+# sent to Splunk
 
-#This filter uses a field we set to prevent the original messages before aggregation from being
-#sent to Splunk
 filter f_cisco_ise_complete{
     match("yes", value("ISE.COMPLETE") type(glob));
 };
 
 #This parser adds messages from ISE to a context without sending them
 #forward to Splunk
+
 parser ise_grouping {
     csv-parser(
         columns(PID, ISE.num, ISE.seq, MESSAGE)
@@ -31,6 +34,7 @@ parser ise_grouping {
 
 #The syslog message includes a date with nano seconds and TZ which is not in the header
 #So must reparse the date
+
 parser ise_event_time {
     csv-parser(
         columns(ISE.DATE, ISE.TIME, ISE.TZ, MESSAGE)
@@ -44,7 +48,7 @@ parser ise_event_time {
             template("${ISE.DATE} ${ISE.TIME} ${ISE.TZ}")
     );
 };
-# The following is an inline template; we will use this to generate the actual log path
+{{- /* The following is an inline template to generate the actual log path */}}
 {{ define "log_path" }}
 log {
 {{- if eq (.) "yes"}}
@@ -81,7 +85,6 @@ log {
         flags(flow-control,final);
     };
 
-
 };
 {{- end}}
 

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl
@@ -1,9 +1,10 @@
 # Cisco NX_OS
-{{ $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_NX_OS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes" }}
     source(s_DEFAULT);
@@ -38,7 +39,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for CISCO_NX_OS traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for CISCO_NX_OS traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl
@@ -1,9 +1,10 @@
 # Forcepoint Webprotect
-{{ $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -37,7 +38,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT")) (getenv  (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for FORCEPOINT_WEBPROTECT traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl
@@ -1,9 +1,10 @@
 # Fortinet Fortios
-{{ $context := dict "port_id" "FORTINET_FORTIOS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "FORTINET_FORTIOS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -56,7 +57,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT")) (getenv  (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for FORTINET_FORTIOS traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for FORTINET_FORTIOS traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl
@@ -1,9 +1,10 @@
 # Infoblox
-{{ $context := dict "port_id" "INFOBLOX" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "INFOBLOX" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -70,7 +71,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_INFOBLOX_TCP_PORT")) (getenv  (print "SC4S_LISTEN_INFOBLOX_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_INFOBLOX_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for INFOBLOX traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for INFOBLOX traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl
@@ -1,9 +1,10 @@
 # Juniper IDP
-{{ $context := dict "port_id" "JUNIPER_IDP" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_IDP" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -36,7 +37,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv  (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for JUNIPER_IDP traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for JUNIPER_IDP traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl
@@ -1,9 +1,10 @@
 # Juniper JunOS
-{{ $context := dict "port_id" "JUNIPER_JUNOS" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_JUNOS" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -55,7 +56,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")) (getenv  (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for JUNIPER_JUNOS traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for JUNIPER_JUNOS traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl
@@ -1,9 +1,10 @@
 # Juniper Netscreen
-{{ $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_NETSCREEN" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -35,8 +36,8 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv  (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic
-    {{ tmpl.Exec "log_path" "no" }}
-{{- end}}
+{{ tmpl.Exec "log_path" "no" }}
+{{- end }}
 
 # Listen on the default port (typically 514) for JUNIPER_NETSCREEN traffic
-{{ tmpl.Exec "log_path" "yes" }}
+{{ tmpl.Exec "log_path" "yes" }}
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl
@@ -1,9 +1,10 @@
 # Juniper NSM
-{{ $context := dict "port_id" "JUNIPER_NSM" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_NSM" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -36,7 +37,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv  (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for JUNIPER_NSM traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for JUNIPER_NSM traffic

diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl
@@ -1,9 +1,10 @@
 # Juniper NSM IDP
-{{ $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "common" }}
-{{ tmpl.Exec "t/source_network.t" $context }}
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
 
-# The following is an inline template; we will use this to generate the actual log path
-{{ define "log_path" }}
+{{- /* The following is an inline template to generate the actual log path */}}
+{{- define "log_path"}}
 log {
 {{- if eq (.) "yes"}}
     source(s_DEFAULT);
@@ -35,7 +36,7 @@ log {
 
 {{- if or (or (getenv  (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv  (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }}
 # Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic
-    {{ tmpl.Exec "log_path" "no" }}
+{{ tmpl.Exec "log_path" "no" }}
 {{- end}}
 
 # Listen on the default port (typically 514) for JUNIPER_NSM_IDP traffic