From 644a29d1a0145d5d1711b8cbad35c1595854f01f Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 27 Mar 2020 07:37:34 -0400
Subject: [PATCH] Correct log path
---
 package/etc/conf.d/filters/f5/bigip.conf.tmpl | 7 ++++++-
 package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/package/etc/conf.d/filters/f5/bigip.conf.tmpl b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
index 7d509a2..de35dec 100644
--- a/package/etc/conf.d/filters/f5/bigip.conf.tmpl
+++ b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
@@ -1,5 +1,10 @@
 filter f_f5_bigip {
- match("^f5_bigip", value("fields.sc4s_vendor_product"));
+ match("^f5_bigip", value("fields.sc4s_vendor_product"))
+ or
+ program("tmsh")
+ or program("mcpd")
+ or program("tmm\d?")
+ or program('^,f5_irule');
 };
 filter f_f5_bigip_message {
 message(
diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
index 90fb26a..537de44 100644
--- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
@@ -15,6 +15,7 @@ log {
 channel {
 # Listen on the default port (typically 514) for F5_BIGIP traffic
 source (s_DEFAULT);
+ filter(f_f5_bigip);
 flags(final);
 };
 };
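Review bot: The added `program("tmsh")`, `program("mcpd")` and `program("tmm\d?")` alternatives in `f_f5_bigip` are unanchored regular-expression matches, so any message whose program name merely contains one of those strings satisfies the filter. The program field is supplied by the sender, so an unrelated or mislabelled source on the shared default port can end up classified as F5 BIG-IP data. Anchoring narrows that: `or program('^tmsh$')`, `or program('^mcpd$')`, `or program('^tmm\d?$')` (confirm the digit range against real output from multi-TMM systems before tightening the last one). Single quotes are also the safer form, since syslog-ng treats the backslash as an escape character inside double-quoted strings and `\d` may not reach the regex engine as written; the `'^,f5_irule'` alternative already uses them.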
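Review bot: The comment above `source (s_DEFAULT);` in lp-f5_bigip.conf.tmpl is now incomplete, because `filter(f_f5_bigip);` sits between the source and `flags(final);`. This channel takes only the messages that match the filter from the shared default source, and `final` then keeps them out of any later log path. I would reword it to something like `# Default port (typically 514): take only messages matching f_f5_bigip; final keeps them out of later log paths`. The enclosing `log { … }` block starts outside this hunk, so how its other channels are filtered cannot be seen here.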