Fix host parsing in RSA log path (#652)

* Fix host parsing in RSA log path to take into account the new `.splunk.host` macro for host output in Splunk `/event` JSON blob
CSVD · Aug 20, 2020 · 7d519c2 · 7d519c2
1 parent c4d0f57
commit 7d519c2
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
@@ -29,7 +29,7 @@ log {
 
             #we need to actual even time from the field GeneratedTime. Use csv-parser to extract it.
             csv-parser(
-                columns("time","ms","HOST","type")
+                columns("time","ms","host","type")
                 prefix(".rsa.")
                 delimiters(',')
                 );
@@ -40,6 +40,13 @@ log {
                     template("${LEGACY_MSGHDR} ${.rsa.time},${.rsa.ms}")
             );
         };
+        rewrite {
+            #Set both HOST and .splunk.host to allow compliance override
+            set("${.rsa.host}" value(".splunk.host")
+                condition( match('^.' value('.rsa.host') )) );
+            set("${.rsa.host}" value("HOST")
+                condition( match('^.' value('.rsa.host') )) );
+        };
         if {
             filter{match('audit\.admin' value('.rsa.type'))};
             rewrite {