From 741438622d60edaca232d242621e32d2e298d188 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Tue, 21 Apr 2020 10:49:41 -0700
Subject: [PATCH] Add "else" catchall clause to zscaler-lss
* Add "else" catchall clause to `lp-zscaler_lss.conf.tmpl`
---
 package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
index 1fb6b8c..b614728 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -78,6 +78,15 @@ log {
 parser { p_add_context_splunk(key("zscaler_lss")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ } else {
+ rewrite {
+ set("zscaler_lss_rogue_message", value("fields.sc4s_vendor_product"));
+ set("Possible rogue message on zscaler_lss unique port", value("fields.sc4s_error"));
+ r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"), index("netproxy"))
+ };
+ parser { p_add_context_splunk(key("zscaler_lss")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 };
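Review bot: The new `else` branch looks up Splunk context with the same key as the parsed branch above it, `p_add_context_splunk(key("zscaler_lss"))`, so messages that matched none of the filters on this port are indexed in `netproxy` beside the validated proxy logs and presumably follow any index override an operator sets for that key. Only the sourcetype `zscalerlss:rogue` and the `fields.sc4s_error` value separate this unvalidated sender content from real events, and searches or detections scoped by index alone will not see that distinction. Consider a distinct key, e.g. `parser { p_add_context_splunk(key("zscaler_lss_rogue")); };`, so the catch-all traffic can be routed and retained separately, and add a comment above the branch such as `# catch-all: nothing matched on the dedicated port; content is unvalidated`. How the key is resolved is not visible here, and the `log` block begins and ends outside the hunk.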