diff --git a/package/etc/conf.d/filters/cisco/ucm.conf b/package/etc/conf.d/filters/cisco/ucm.conf
index 811ae0d..afe0bff 100644
--- a/package/etc/conf.d/filters/cisco/ucm.conf
+++ b/package/etc/conf.d/filters/cisco/ucm.conf
@@ -21,8 +21,8 @@ parser p_cisco_ucm_date {
 if {
 parser {
 date-parser(format(
- '%b %d %Y %l:%M:%S %p.%f',
- '%b %d %H:%M:%S.%f'
+ '%b %d %H:%M:%S.%f',
+ '%b %d %Y %I:%M:%S %p.%f'
 )
 template("$3") flags(guess-timezone)
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
index a20bbd8..61d0274 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
@@ -44,7 +44,6 @@ log {
 rewrite {
 set("cisco_ucm", value("fields.sc4s_vendor_product"));
- set("$S_UNIXTIME.$S_MSEC", value("fields.sc4s_time"));
 r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main"))
 };
 parser {p_add_context_splunk(key("cisco_ucm")); };
diff --git a/tests/test_cisco_ise.py b/tests/test_cisco_ise.py
index bee913c..a644218 100644
--- a/tests/test_cisco_ise.py
+++ b/tests/test_cisco_ise.py
@@ -49,7 +49,7 @@ def test_cisco_ise_multi(record_property, setup_wordlist, setup_splunk, setup_sc
 message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\"")
+ st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\" LicenseTypes=1")
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_cisco_ucm.py b/tests/test_cisco_ucm.py
index 99c09bd..6fc8a22 100644
--- a/tests/test_cisco_ucm.py
+++ b/tests/test_cisco_ucm.py
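Review bot: The reordered format list and the `%l` → `%I` change in `date-parser(format(...))` carry no explanation, and the order is load-bearing: as far as I know date-parser tries the formats in the order given and stops at the first that parses, so putting the year-less `'%b %d %H:%M:%S.%f'` first means a UCM timestamp without a year is assigned the current year, and `%I` presumably replaces `%l` because the space-padded hour is not accepted by this parser. A comment above `format(` such as `# formats are tried in order: year-less 24h form first, then the 12h form with year (%I, not %l)` would stop the next editor from "tidying" the order back. With the receive-time override of `fields.sc4s_time` dropped in lp-cisco_ucm.conf.tmpl in the same commit, the parsed value presumably becomes the event's `_time`, so a miss on both formats now moves the event to whatever fallback timestamp applies rather than merely losing precision; for a SIEM feed that shifts correlation windows, so it is worth confirming against the template that sets `fields.sc4s_time`. The `parser p_cisco_ucm_date {` block continues outside the hunk.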
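Review bot: The added `LicenseTypes=1` term in the search string turns the test into an assertion about search-time field extraction, but nothing in the hunk shows where that field comes from — the ISE message template is above the hunk and not visible here, so a reader cannot tell whether the rendered event carries `LicenseTypes=1` or the term happens to match some other token. A comment on the changed line, `# LicenseTypes=1 must be auto-extracted from the rendered ISE message body`, would make the intent explicit. Note also that this is the only ISE change in a commit otherwise about UCM timestamp handling; if it is unrelated it belongs in its own commit. `test_cisco_ise_multi` starts and ends outside the hunk.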
@@ -31,7 +31,7 @@ def test_cisco_ucm_nohost_auditlog(record_property, setup_wordlist, setup_splunk
 mt = env.from_string(
 "{{ mark }}8103: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.168.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
- message = mt.render(mark="<189>", tzname=tzname, ucm_time=ucm_time, host=host, epoch=epoch)
+ message = mt.render(mark="<189>", tzname=tzname, ucm_time=ucm_time, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
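Review bot: With `{{ epoch }}` no longer rendered into the message body (here, and in the hunks at `@@ -60,8` and `@@ -122,8` where it is also stripped from the template), the event text carries no epoch marker, yet `epoch` is still computed in those functions (`epoch = epoch[:-3]` remains as context); if the search template that follows `st = env.from_string(` — outside the hunk — still selects on `_time={{ epoch }}`, the test now passes only when `p_cisco_ucm_date` parses `ucm_time` to exactly that second, which is the behaviour under test but is stated nowhere. A comment at the render call, `# no epoch marker in the body: _time must come from the parsed UCM timestamp`, would record that, and a direct check of the returned `_time` would fail more informatively than an empty search. In this hunk the template line is unchanged and never referenced `epoch`, so dropping `epoch=epoch` from `render` is pure cleanup. The enclosing test function starts and ends outside the hunk.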
@@ -60,8 +60,8 @@ def test_cisco_ucm_nohost_rtmt(record_property, setup_wordlist, setup_splunk, se
 epoch = epoch[:-3]
 mt = env.from_string(
- "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application {{ ucm_time }} {{ epoch }}\n")
- message = mt.render(mark="<189>", ucm_time=ucm_time, tzname=tzname, host=host, epoch=epoch)
+ "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
+ message = mt.render(mark="<189>", ucm_time=ucm_time, tzname=tzname, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
@@ -122,8 +122,8 @@ def test_cisco_ucm_nohost_alert(record_property, setup_wordlist, setup_splunk, s
 epoch = epoch[:-3]
 mt = env.from_string(
- "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node {{ host }}, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:{{host}} {{ ucm_time }} {{ epoch }}\n")
- message = mt.render(mark="<189>", epoch=epoch, ucm_time=ucm_time, host=host)
+ "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node {{ host }}, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:{{host}}\n")
+ message = mt.render(mark="<189>", ucm_time=ucm_time, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
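Review bot: The rewritten `message = mt.render(mark="<189>", ucm_time=ucm_time, host=host)` still omits `tzname`, although the new template line directly above interpolates `{{ tzname }}`; with Jinja's default `Undefined` that renders as an empty string, so the sent message reads `17: <ucm_time>  : %CCM_RTMT-…` with no timezone token and a double space, and the date parser is exercised on an input the fixture does not appear to intend. The other two hunks in this file pass `tzname=tzname`, so this looks like an oversight carried over from the old line; the fix is `message = mt.render(mark="<189>", tzname=tzname, ucm_time=ucm_time, host=host)`, provided `test_cisco_ucm_nohost_alert` defines `tzname` above the hunk, which is not visible here. If the missing zone is deliberate, to exercise the parser's `flags(guess-timezone)` path, a comment on the render line should say so. The enclosing function starts and ends outside the hunk.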