diff --git a/docs/configuration.md b/docs/configuration.md index 38bca4b..a30ec11 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -10,6 +10,7 @@ and variables needed to properly configure SC4S for your environment. | SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list | | SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token | | SC4S_GLOBAL_DNS_USE | yes or no(default) | use reverse DNS to identify hosts when HOST is not valid in the syslog header | +| SC4S_CONTAINER_HOST | string | variable passed to the container to identify the actual log host for container implementations | * NOTE: Do _not_ configure HEC Acknowledgement when deploying the HEC token on the Splunk side; the underlying syslog-ng http destination does not support this feature. Moreover, HEC Ack would significantly degrade performance for streaming data such as @@ -26,6 +27,7 @@ syslog. | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | +| SC4S_DEST_SPLUNK_INDEX_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) ) ## Alternate Destination Configuration diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index f7fde28..5614607 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md 
@@ -59,6 +59,7 @@ ExecStartPre=/usr/bin/docker run \
 --name SC4S_preflight \
 --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \
+ -e "SC4S_CONTAINER_HOST=$(hostname -s)" \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_PERSIST_VOLUME" \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md
index b0c026d..2b2269a 100644
--- a/docs/gettingstarted/podman-systemd-general.md
+++ b/docs/gettingstarted/podman-systemd-general.md
@@ -77,6 +77,7 @@ ExecStartPre=/usr/bin/podman run \
 --name SC4S_preflight \
 --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \
+ -e "SC4S_CONTAINER_HOST=$(hostname -s)" \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_PERSIST_VOLUME" \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
deleted file mode 100644
index bf911a6..0000000
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-#Used to set indexed fields we will always use to global defaults
-rewrite r_set_splunk_default {
- set("SC4S:$SOURCE", value(".splunk.source"));
- set($FACILITY, value("fields.sc4s_syslog_facility"));
- set($LEVEL, value("fields.sc4s_syslog_severity"));
- set($LOGHOST, value("fields.sc4s_log_host"));
- set($SOURCEIP, value("fields.sc4s_fromhostip"));
-};
-#used by each log-path to set index and sourcetype which may be
-#overridden by user defined values
-block rewrite r_set_splunk_dest_default(
- index()
- source("${.splunk.source}")
- sourcetype()
- template(`splunk-template`)
- ) {
- set("`index`", value(".splunk.index"));
- set("`source`", value(".splunk.source"));
- set("`sourcetype`", value(".splunk.sourcetype"));
-};
-
-
-
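Review bot: `$(hostname -s)` in the added `-e "SC4S_CONTAINER_HOST=$(hostname -s)"` line is not expanded by systemd — ExecStart= performs only `$VAR`/`${VAR}` environment substitution, never command substitution — so the container receives the literal string `$(hostname -s)` as its log host; the podman hunk in this same commit adds the identical line and has the same problem. Use a unit specifier instead, e.g. `-e SC4S_CONTAINER_HOST=%H` (the host name; newer systemd versions also provide a short-host-name specifier), or set the variable in /opt/sc4s/env_file, which is already loaded on the next line. Since the variable's value is later embedded verbatim in generated syslog-ng configuration, the docs should also state that it must be a plain hostname. The ExecStart command continues past the end of the hunk.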
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
new file mode 100644
index 0000000..9f43664
--- /dev/null
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -0,0 +1,41 @@
+#Used to set indexed fields we will always use to global defaults
+rewrite r_set_splunk_default {
+ set("SC4S:$SOURCE", value(".splunk.source"));
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
+ set($FACILITY, value("fields.sc4s_syslog_facility"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
+ set($LEVEL, value("fields.sc4s_syslog_severity"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
+{{- if (getenv "SC4S_CONTAINER_HOST") }}
+ set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
+ set($LOGHOST, value("fields.sc4s_container"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
+ set($SOURCEIP, value("fields.sc4s_fromhostip"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "destport" }}
+ set($DESTPORT, value("fields.sc4s_destport"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }}
+ set($PROTO, value("fields.sc4s_proto"));
+{{- end}}
+};
+#used by each log-path to set index and sourcetype which may be
+#overridden by user defined values
+block rewrite r_set_splunk_dest_default(
+ index()
+ source("${.splunk.source}")
+ sourcetype()
+ template(`splunk-template`)
+ ) {
+ set("`index`", value(".splunk.index"));
+ set("`source`", value(".splunk.source"));
+ set("`sourcetype`", value(".splunk.sourcetype"));
+};
+
+
+
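Review bot: The `has "log_host"` conditional is never closed — only the nested `getenv "SC4S_CONTAINER_HOST"` test gets an `{{- end}}` — so the template has eight `if`s and seven `end`s and should fail to render; with the structure fixed, an unset SC4S_CONTAINER_HOST still leaves `fields.sc4s_log_host` empty even though `log_host` is in the default list, so add `{{- else }}` / `    set($LOGHOST, value("fields.sc4s_log_host"));` before the inner `{{- end}}` and a second `{{- end}}` after it (the deleted splunkfields.conf set `$LOGHOST` there, which is presumably the intended fallback). The `container` branch then copying `$LOGHOST` into `fields.sc4s_container` looks crossed with the log_host branch; worth confirming which macro each field is meant to carry. The last two conditionals default to and test for `destport` while the docs hunk and the earlier defaults in this file spell it `dport`, so a user who sets the documented value `container,log_host,dport,fromhostip,proto` never gets `$DESTPORT`; use one spelling throughout. Finally, the SC4S_CONTAINER_HOST value is spliced verbatim inside a double-quoted syslog-ng string, so a value containing `"` or `\` yields unparsable configuration; a comment such as `#SC4S_CONTAINER_HOST must be a bare hostname (no quotes or backslashes): it is embedded unescaped below` would document that constraint next to the existing header comment.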