From 2065d7980f985005d2351fc681e9dc667bc6ba9e Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 25 Mar 2020 15:15:12 -0400
Subject: [PATCH 1/3] Initial support
---
 package/Dockerfile | 2 ++
 .../etc/conf.d/conflib/_common/templates.conf | 5 +++
 .../conf.d/log_paths/lp-snmp_traps.conf.tmpl | 31 +++++++++++++++++++
 package/sbin/entrypoint.sh | 3 ++
 package/snmp/snmptrapd.conf | 3 ++
 5 files changed, 44 insertions(+)
 create mode 100644 package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
 create mode 100644 package/snmp/snmptrapd.conf
diff --git a/package/Dockerfile b/package/Dockerfile
index 75af89c..bd5e477 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -21,6 +21,8 @@ COPY etc/local_config /opt/syslog-ng/etc/local_config
 COPY reset_persist /opt/syslog-ng/etc/
 COPY sbin/entrypoint.sh /
+RUN mkdir -p /opt/syslog-ng/var/log/
+COPY snmp/snmptrapd.conf /opt/net-snmp/etc/snmp/
 COPY VERSION /
 RUN /opt/syslog-ng/sbin/syslog-ng -V
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index bf8a218..a7f8139 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -85,3 +85,8 @@ template t_JSON_5424 {
 --exclude PRIORITY
 )');
 };
+
+
+template t_snmp_traps {
+ template('$(format-json .snmp.*)');
+ };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
new file mode 100644
index 0000000..6e74397
--- /dev/null
+++ b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
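Review bot: This hunk adds the snmptrapd configuration to the image but does not declare the network listener that comes with it — the `snmptrapd` the entrypoint now starts is given no listening address, so it binds net-snmp's default UDP/162 on all interfaces — and an `EXPOSE 162/udp` next to the new `COPY` would make that surface visible to anyone running or auditing the image. Port 162 is privileged, so the daemon only comes up if the container runs as root or holds CAP_NET_BIND_SERVICE; the base image's user is not visible here and is worth confirming. The `RUN mkdir -p /opt/syslog-ng/var/log/` duplicates the `mkdir -p /opt/syslog-ng/var/log` the entrypoint already performs at start-up, so one of the two can go.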
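Review bot: The new `t_snmp_traps` block closes with an indented `};` while the neighbouring `t_JSON_5424` closes at column 0, and the file now ends without a trailing newline, which every later edit to this file will drag along as `\ No newline at end of file` noise. Close the block at column 0 and end the file with a newline. The template also deserves a one-line header, e.g. `# Emit every .snmp.* name-value pair as a JSON object (populated by the snmptrap() source in lp-snmp_traps.conf.tmpl)`, so readers know where those pairs originate; that origin is inferred from the log path in this series and should be confirmed against the syslog-ng snmptrap() documentation.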
@@ -0,0 +1,31 @@
+# Startup events
+
+log {
+ source {snmptrap(
+ filename("/opt/syslog-ng/var/log/snmptrapd.log")
+ );
+ };
+
+ rewrite { r_set_splunk_dest_default(sourcetype("snmp:traps"), index("main"))};
+ parser {p_add_context_splunk(key("snmp_traps")); };
+
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_snmp_traps))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_SNMP_TRAPS_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if eq (getenv "SC4S_DEBUG_STDOUT" "yes") "no"}}
+ destination(d_stdout);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_SNMP_TRAPS_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_SNMP_TRAPS_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+ flags(flow-control,final);
+ };
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 3494307..caaa3aa 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -21,6 +21,9 @@ cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/contex
 for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose -n $file ${file%.example}; done
 cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/
 mkdir -p /opt/syslog-ng/var/log
+
+/opt/net-snmp/sbin/snmptrapd -Lf /opt/syslog-ng/var/log/snmptrapd.log
+
 echo syslog-ng checking config
 echo sc4s version=$(cat /VERSION)
 echo sc4s version=$(cat /VERSION) >/opt/syslog-ng/var/log/syslog-ng.out
diff --git a/package/snmp/snmptrapd.conf b/package/snmp/snmptrapd.conf
new file mode 100644
index 0000000..c14e9a6
--- /dev/null
+++ b/package/snmp/snmptrapd.conf
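Review bot: The stdout condition `{{- if eq (getenv "SC4S_DEBUG_STDOUT" "yes") "no"}}` reads inverted — `d_stdout` is only added when the variable is explicitly set to "no", while the default "yes" yields no stdout destination; if this mirrors the other log-path templates it is a shared quirk that deserves a comment, otherwise the comparison should be against "yes". The header comment `# Startup events` does not describe this log path and looks carried over from another template; `# SNMP traps: read the file snmptrapd writes and forward each trap as JSON` would be accurate. The path `/opt/syslog-ng/var/log/snmptrapd.log` is hard-coded both here and in the snmptrapd invocation in sbin/entrypoint.sh, so a `# Must match the -Lf path snmptrapd is started with in sbin/entrypoint.sh` on the `filename(...)` line would keep the two from drifting apart.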
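Review bot: `snmptrapd` is launched unconditionally and, because net-snmp daemonises it by default, the script continues whether or not it came up — a failed bind on UDP/162 is silent — and there is no way to keep the listener closed on deployments that do not collect traps. At minimum report a start-up failure, `/opt/net-snmp/sbin/snmptrapd -Lf /opt/syslog-ng/var/log/snmptrapd.log || echo "snmptrapd failed to start" >&2`, and gate the line behind an SC4S_* environment toggle like the ones the log-path template already reads so the port is only opened when wanted. Nothing in this change truncates or rotates snmptrapd.log, and `-Lf` appends to it, so anyone who can reach the trap port with the configured community can grow the file without bound; a size cap or rotation is worth adding before this ships. The enclosing script continues outside the hunk.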
@@ -0,0 +1,3 @@
+authCommunity log,execute,net public
+format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%b]:\n%v\n
+outputOption s
\ No newline at end of file
From 6bb753aa1d1520bde1f776361b72faa0c774435b Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 25 Mar 2020 16:23:20 -0400
Subject: [PATCH 2/3] Update templates.conf
---
 package/etc/conf.d/conflib/_common/templates.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index a7f8139..d428a86 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -88,5 +88,5 @@ template t_JSON_5424 {
 template t_snmp_traps {
- template('$(format-json .snmp.*)');
+ template('$(format-json .snmp.* --rekey .snmp.* --shift-levels 2)');
 };
\ No newline at end of file
From 1c2b63638b84ddd610500822e93cdde6bb027a41 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 25 Mar 2020 17:01:23 -0400
Subject: [PATCH 3/3] trap not traps
---
 package/etc/conf.d/conflib/_common/templates.conf | 2 +-
 package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index d428a86..1c4259a 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -87,6 +87,6 @@ template t_JSON_5424 {
 };
-template t_snmp_traps {
+template t_snmp_trap {
 template('$(format-json .snmp.* --rekey .snmp.* --shift-levels 2)');
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
index 6e74397..66b22cc 100644
--- a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl
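Review bot: `authCommunity log,execute,net public` grants the well-known default community `public` all three privileges, yet this receiver only needs to write traps to the log file syslog-ng tails — `execute` lets a trap carrying that community run traphandle scripts and `net` lets it be forwarded, and nothing in this configuration uses either. Reduce it to `authCommunity log public`, and consider substituting the community string from an environment variable at start-up instead of baking `public` into the image, since anyone who can reach UDP/162 with it can inject arbitrary events into the Splunk index. `format2` only shapes v2c/v3 traps; v1 traps fall back to net-snmp's default `format1` layout, so if v1 senders are expected either set `format1` to the same layout or make sure the syslog-ng snmptrap() source copes with both.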
@@ -6,10 +6,10 @@ log {
 );
 };
- rewrite { r_set_splunk_dest_default(sourcetype("snmp:traps"), index("main"))};
- parser {p_add_context_splunk(key("snmp_traps")); };
+ rewrite { r_set_splunk_dest_default(sourcetype("snmp:trap"), index("main"))};
+ parser {p_add_context_splunk(key("snmp_trap")); };
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_snmp_traps))" value("MSG")); };
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_snmp_trap))" value("MSG")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_SNMP_TRAPS_HEC" "no")) }}
 destination(d_hec);