From 7585981eb42372846b3990b3f41f6ca9b3a323aa Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Fri, 8 May 2020 08:07:15 -0400 Subject: [PATCH 1/6] Fixes #273 make indexed fields optional The fields sc4s_syslog_product and sc4s_syslog_format are not made optional in this change as the current use is intergral to the logic tree a future change could change the internal field name and conditional include the field in the json payload. This change also adds new optional indexed fields for dest port when and container host. --- docs/configuration.md | 2 + docs/gettingstarted/docker-systemd-general.md | 1 + docs/gettingstarted/podman-systemd-general.md | 1 + .../conf.d/conflib/_splunk/splunkfields.conf | 23 ----------- .../conflib/_splunk/splunkfields.conf.tmpl | 41 +++++++++++++++++++ 5 files changed, 45 insertions(+), 23 deletions(-) delete mode 100644 package/etc/conf.d/conflib/_splunk/splunkfields.conf create mode 100644 package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl diff --git a/docs/configuration.md b/docs/configuration.md index 38bca4b..a30ec11 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -10,6 +10,7 @@ and variables needed to properly configure SC4S for your environment. | SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list | | SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token | | SC4S_GLOBAL_DNS_USE | yes or no(default) | use reverse DNS to identify hosts when HOST is not valid in the syslog header | +| SC4S_CONTAINER_HOST | string | variable passed to the container to identify the actual log host for container implementations | * NOTE: Do _not_ configure HEC Acknowledgement when deploying the HEC token on the Splunk side; the underlying syslog-ng http destination does not support this feature. Moreover, HEC Ack would significantly degrade performance for streaming data such as 
@@ -26,6 +27,7 @@ syslog. | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | +| SC4S_DEST_SPLUNK_INDEX_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) ) ## Alternate Destination Configuration diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index f7fde28..5614607 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md @@ -59,6 +59,7 @@ ExecStartPre=/usr/bin/docker run \ --name SC4S_preflight \ --rm $SC4S_IMAGE -s ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \ + -e "SC4S_CONTAINER_HOST=$(hostname -s)" \ --env-file=/opt/sc4s/env_file \ "$SC4S_PERSIST_VOLUME" \ "$SC4S_LOCAL_CONFIG_MOUNT" \ diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md index b0c026d..2b2269a 100644 --- a/docs/gettingstarted/podman-systemd-general.md +++ b/docs/gettingstarted/podman-systemd-general.md @@ -77,6 +77,7 @@ ExecStartPre=/usr/bin/podman run \ --name SC4S_preflight \ --rm $SC4S_IMAGE -s ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \ + -e "SC4S_CONTAINER_HOST=$(hostname -s)" \ --env-file=/opt/sc4s/env_file \ "$SC4S_PERSIST_VOLUME" \ "$SC4S_LOCAL_CONFIG_MOUNT" \ diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf b/package/etc/conf.d/conflib/_splunk/splunkfields.conf deleted file mode 100644 index bf911a6..0000000 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf +++ /dev/null 
@@ -1,23 +0,0 @@
-#Used to set indexed fields we will always use to global defaults
-rewrite r_set_splunk_default {
- set("SC4S:$SOURCE", value(".splunk.source"));
- set($FACILITY, value("fields.sc4s_syslog_facility"));
- set($LEVEL, value("fields.sc4s_syslog_severity"));
- set($LOGHOST, value("fields.sc4s_log_host"));
- set($SOURCEIP, value("fields.sc4s_fromhostip"));
-};
-#used by each log-path to set index and sourcetype which may be
-#overridden by user defined values
-block rewrite r_set_splunk_dest_default(
- index()
- source("${.splunk.source}")
- sourcetype()
- template(`splunk-template`)
- ) {
- set("`index`", value(".splunk.index"));
- set("`source`", value(".splunk.source"));
- set("`sourcetype`", value(".splunk.sourcetype"));
-};
-
-
-
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
new file mode 100644
index 0000000..9f43664
--- /dev/null
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -0,0 +1,41 @@
+#Used to set indexed fields we will always use to global defaults
+rewrite r_set_splunk_default {
+ set("SC4S:$SOURCE", value(".splunk.source"));
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
+ set($FACILITY, value("fields.sc4s_syslog_facility"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
+ set($LEVEL, value("fields.sc4s_syslog_severity"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
+{{- if (getenv "SC4S_CONTAINER_HOST") }}
+ set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
+ set($LOGHOST, value("fields.sc4s_container"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
+ set($SOURCEIP, value("fields.sc4s_fromhostip"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "destport" }}
+ set($DESTPORT, value("fields.sc4s_destport"));
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }}
+ set($PROTO, value("fields.sc4s_proto"));
+{{- end}}
+};
+#used by each log-path to set index and sourcetype which may be
+#overridden by user defined values
+block rewrite r_set_splunk_dest_default(
+ index()
+ source("${.splunk.source}")
+ sourcetype()
+ template(`splunk-template`)
+ ) {
+ set("`index`", value(".splunk.index"));
+ set("`source`", value(".splunk.source"));
+ set("`sourcetype`", value(".splunk.sourcetype"));
+};
+
+
+
From e873be4b9d55a7f15873a42aa6f5d7e09c21abf5 Mon Sep 17 00:00:00 2001
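Review bot: The two trailing branches of r_set_splunk_default test `has "destport"` and default to a list spelled `...,destport,...`, while the docs row added in this series and the five preceding branches use `dport`, so the documented value `container,log_host,dport,fromhostip,proto` can never enable `sc4s_destport`, and an operator who trims the list per the docs silently loses the destination-port field; the same inconsistency survives in the later revisions of this block in patches 2, 3 and 6. Pick one token and use it in both places, e.g. `{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "dport" }}`, and assign the split list to a single template variable at the top of the block so the seven copied default strings cannot drift. Separately, `set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));` pastes the environment value into a quoted syslog-ng string literal without escaping, so a value containing `"` or a closing parenthesis breaks the rendered config; the value comes from the operator's own unit file (`$(hostname -s)`), so this is a robustness rather than an injection concern, but the template should escape it or the startup check should refuse such values.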
From: rfaircloth-splunk Date: Fri, 8 May 2020 12:54:57 -0400 Subject: [PATCH 2/6] INDEXED not INDEX and fix missing end --- docs/configuration.md | 2 +- .../conf.d/conflib/_splunk/splunkfields.conf.tmpl | 15 ++++++++------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index a30ec11..eeffb1e 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -27,7 +27,7 @@ syslog. | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | -| SC4S_DEST_SPLUNK_INDEX_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) ) +| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) ) ## Alternate Destination Configuration diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl index 9f43664..1d838f9 100644 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl +++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl 
@@ -1,26 +1,27 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
 set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
 set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
 set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
 set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
 set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
 set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "destport" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" 
"container,log_host,destport,fromhostip,proto") ",") has "destport" }} set($DESTPORT, value("fields.sc4s_destport")); {{- end}} -{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }} +{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }} set($PROTO, value("fields.sc4s_proto")); {{- end}} }; From 832da7a1d23d31aa451ae6aac83b2cbac7495bda Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Fri, 8 May 2020 12:59:41 -0400 Subject: [PATCH 3/6] include all fields in default --- docs/configuration.md | 2 +- .../conf.d/conflib/_splunk/splunkfields.conf.tmpl | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index eeffb1e..7d77fd9 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -27,7 +27,7 @@ syslog. | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | -| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) ) +| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is all fields ) ## Alternate Destination Configuration diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl index 1d838f9..62bfca7 100644 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl 
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl 
@@ -1,27 +1,27 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
 set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "facility" }}
 set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "severity" }}
 set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
 set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));
 {{- end}}
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "container" }}
 set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
 set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has 
"destport" }} +{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,destport,fromhostip,proto") ",") has "destport" }} set($DESTPORT, value("fields.sc4s_destport")); {{- end}} -{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }} +{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,destport,fromhostip,proto") ",") has "proto" }} set($PROTO, value("fields.sc4s_proto")); {{- end}} }; From 01fbe9fec602bf18cd1486267ddf4ee08fcd8eb8 Mon Sep 17 00:00:00 2001 From: mbonsack Date: Fri, 8 May 2020 11:04:54 -0700 Subject: [PATCH 4/6] Update splunkfields.conf.tmpl --- package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl index 62bfca7..f340bb3 100644 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl +++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl @@ -9,7 +9,7 @@ rewrite r_set_splunk_default { {{- end}} {{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "log_host" }} {{- if (getenv "SC4S_CONTAINER_HOST") }} - set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host")); + set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost")); {{- end}} {{- end}} {{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "container" }} From 0e9e17c30438d0cef5f69f772654643c4761acdf Mon Sep 17 00:00:00 2001 
From: rfaircloth-splunk Date: Fri, 8 May 2020 14:05:53 -0400 Subject: [PATCH 5/6] change sc4s_log_host to sc4s_loghost --- docs/troubleshooting.md | 2 +- package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 03c4d48..fdf331c 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -75,7 +75,7 @@ don't expect, check to see that the index is created in Splunk, or that a `lastC cause for almost _all_ `400` errors. * If you continue to the individual log entries in these directories, you will see entries of the form ```bash -curl -k -u "sc4s HEC debug:a778f63a-5dff-4e3c-a72c-a03183659e94" "https://splunk.smg.aws:8088/services/collector/event" -d '{"time":"1584556114.271","sourcetype":"sc4s:events","source":"SC4S:s_internal","index":"main","host":"e3563b0ea5d8","fields":{"sc4s_syslog_severity":"notice","sc4s_syslog_facility":"syslog","sc4s_log_host":"e3563b0ea5d8","sc4s_fromhostip":"127.0.0.1"},"event":"syslog-ng starting up; version='3.26.1'"}' +curl -k -u "sc4s HEC debug:a778f63a-5dff-4e3c-a72c-a03183659e94" "https://splunk.smg.aws:8088/services/collector/event" -d '{"time":"1584556114.271","sourcetype":"sc4s:events","source":"SC4S:s_internal","index":"main","host":"e3563b0ea5d8","fields":{"sc4s_syslog_severity":"notice","sc4s_syslog_facility":"syslog","sc4s_loghost":"e3563b0ea5d8","sc4s_fromhostip":"127.0.0.1"},"event":"syslog-ng starting up; version='3.26.1'"}' ``` * These commands, with minimal modifications (e.g. multiple URLs specified or elements that needs shell escapes) can be run directly on the command line to determine what, exactly, the HEC endpoint is returning. This can be used to refine th index or other parameter to correct the diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl index 62bfca7..f340bb3 100644 
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl +++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl @@ -9,7 +9,7 @@ rewrite r_set_splunk_default { {{- end}} {{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "log_host" }} {{- if (getenv "SC4S_CONTAINER_HOST") }} - set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host")); + set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost")); {{- end}} {{- end}} {{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "container" }} From 0f6081415eea1e4cb53ec3a5bfb82d014ac76de4 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Fri, 8 May 2020 14:11:34 -0400 Subject: [PATCH 6/6] loghost --- docs/configuration.md | 2 +- .../conf.d/conflib/_splunk/splunkfields.conf.tmpl | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 7d77fd9..f8f3920 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -27,7 +27,7 @@ syslog. | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | -| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is all fields ) +| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,loghost,dport,fromhostip,proto | list of sc4s indexed fields default list is all fields ) ## Alternate Destination Configuration 
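Review bot: This hunk is byte-identical to the one in PATCH 4/6, down to the blob ids `index 62bfca7..f340bb3`, so once patch 4 is applied the preimage line `set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));` no longer exists and applying the series in order should fail, or be reported as already applied, at this patch. The series should be rebased so that patch 5 carries only the docs/troubleshooting.md change, or patch 4 should be dropped. The enclosing rewrite block starts before this hunk.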
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
index f340bb3..320acf8 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -1,27 +1,27 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
 set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "facility" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "facility" }}
 set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "severity" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "severity" }}
 set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "loghost" }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
 set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
 {{- end}}
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "container" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "container" }}
 set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "fromhostip" }}
 set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}
-{{- if (split (getenv 
"SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,destport,fromhostip,proto") ",") has "destport" }} +{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,destport,fromhostip,proto") ",") has "destport" }} set($DESTPORT, value("fields.sc4s_destport")); {{- end}} -{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,destport,fromhostip,proto") ",") has "proto" }} +{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,destport,fromhostip,proto") ",") has "proto" }} set($PROTO, value("fields.sc4s_proto")); {{- end}} };