

Mergeback proofpoint (#101)
* Feature/proofpoint (#97)
* Add Proofpoint PPS filter support
* Fix parser/metadata/IOS filter
Ryan Faircloth authored and GitHub committed Sep 28, 2019
1 parent 991b77e commit 8a12f67
Showing 10 changed files with 42 additions and 34 deletions.
2 changes: 1 addition & 1 deletion docker-compose.yml
Expand Up @@ -47,7 +47,7 @@ services:
- SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD}
- SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX}
- SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX}
- SC4S_SOURCE_TLS_ENABLE=yes
- SC4S_SOURCE_TLS_ENABLE=no
- SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no
- SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000
volumes:
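Review bot: The compose stack now ships with source TLS disabled, and the unchanged `SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no` on the next line means it also accepts any certificate from the HEC endpoint, so syslog arrives in plaintext and the Splunk side is unverified, with nothing on the page saying this is a local test configuration. Which of `=yes`/`=no` is the new value is inferred from print order only, so that needs confirming. A YAML comment above these two variables, `# local testing only: plaintext syslog ingest and unverified HEC TLS; enable both before reusing this file anywhere shared`, would keep the file from being copied as-is into a real deployment.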
Empty file.
Expand Up @@ -24,4 +24,16 @@ rewrite set_rfc3164{
};
filter f_is_rfc3164{
match("rfc3164" value("fields.sc4s_syslog_format"))
};
rewrite set_cisco_ios{
set("cisco_ios" value("fields.sc4s_syslog_format"));
};
filter f_is_cisco_ios{
match("cisco_ios" value("fields.sc4s_syslog_format"))
};
rewrite set_no_parse{
set("no_parse" value("fields.sc4s_syslog_format"));
};
filter f_is_no_parse{
match("no_parse" value("fields.sc4s_syslog_format"))
};
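Review bot: The new `f_is_cisco_ios` (matching `fields.sc4s_syslog_format`) sits next to the pre-existing `f_cisco_ios` in package/etc/conf.d/filters/cisco/ios.conf (matching `fields.sc4s_vendor_product`), and the two names are close enough that the wrong one will get picked; p_rfc3164-cisco_ios.conf.tmpl in this same commit switches from one to the other. A one-line comment on each pair here, e.g. `# f_is_<fmt> tests how the message was parsed (fields.sc4s_syslog_format), not which vendor sent it`, would make the distinction explicit. The three set/match pairs repeat the same literal in two places, so listing the valid values (`rfc3164`, `cisco_ios`, `no_parse`) once in a header comment would keep additions in sync. The file path for this section is not shown on the page, and `rewrite set_rfc3164{` begins outside the hunk.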
4 changes: 0 additions & 4 deletions package/etc/conf.d/conflib/_common/utility.conf

This file was deleted.

6 changes: 2 additions & 4 deletions package/etc/conf.d/filters/cisco/ios.conf
@@ -1,8 +1,6 @@
rewrite set_metadata_vendor_product_cisco_ios{
set("cisco_ios" value(".metadata.vendor_product"));
};
# In general this will not be used; parser setting will override the need for this

filter f_cisco_ios{
match("cisco_ios", value(".metadata.vendor_product") type(glob));
match("cisco_ios", value("fields.sc4s_vendor_product") type(glob));
};
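Review bot: The replacement comment `# In general this will not be used; parser setting will override the need for this` does not say what "this" refers to or what now sets the vendor/product for IOS traffic, so a reader of ios.conf cannot tell whether `f_cisco_ios` is still wired anywhere. If the rest of the commit is read correctly, something like `# f_cisco_ios only applies when sc4s_vendor_product is supplied by a dedicated port or context; the cisco parser path selects on f_is_cisco_ios instead` states the intent, but that is inferred and should be confirmed. On the new match line, `type(glob)` with the literal `cisco_ios` and no wildcard is a plain equality, so either drop `type(glob)` or write the prefix pattern actually intended. Which of the two match lines is old and which is new is inferred from print order only.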

2 changes: 1 addition & 1 deletion package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
Expand Up @@ -7,7 +7,7 @@
log {
{{- if eq (.) "yes" }}
source(s_default-ports);
filter(f_cisco_ios);
filter(f_is_cisco_ios);
{{- end }}
{{- if eq (.) "no" }}
source (s_dedicated_port_CISCO_IOS);
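Review bot: With `filter(f_is_cisco_ios)` the default-ports branch of this log path now keys on how the message was parsed rather than on the vendor filter, while the sibling p_rfc3164-cisco_nx-os.conf.tmpl in this commit keeps `filter(f_cisco_nx_os)` in the same branch, so the two templates classify on different fields and nothing documents why. A comment above the `yes` branch, `# default ports: select by parser result (sc4s_syslog_format); dedicated port: select by port`, would record the intent. The nx-os sibling also still carries `sourcetype("cisco:ios")` in its rewrite, which looks like a copy-paste leftover worth checking while here. The `log {` block continues outside the hunk.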
10 changes: 5 additions & 5 deletions package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl
Expand Up @@ -5,17 +5,17 @@
{{- end -}}
{{ define "log_path" }}
log {
{{- if eq (.) "yes"}}
{{- if eq (.) "yes" }}
source(s_default-ports);
filter(f_cisco_nx_os);
{{- end}}
{{- if eq (.) "no"}}
{{- end }}
{{- if eq (.) "no" }}
source (s_dedicated_port_CISCO_NX_OS);
{{- end}}
{{- end }}

rewrite { r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_hdr_msg"))};
parser {
p_add_context_splunk(key("cisco_nx_os"));
p_add_context_splunk(key("cisco_nx_os"));
};

destination(d_hec); #--HEC--
4 changes: 2 additions & 2 deletions package/etc/conf.d/sources/network.conf.tmpl
Expand Up @@ -81,7 +81,7 @@ source s_default-ports {
rewrite(set_rfc5424_noversion);
} elif {
parser {cisco-parser()};
rewrite(set_metadata_vendor_product_cisco_ios);
rewrite(set_cisco_ios);
} else {
parser {
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
Expand All @@ -94,5 +94,5 @@ source s_default-ports {
parser {
vendor_product_by_source();
};
};
};
};
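Review bot: In the cisco-parser branch `rewrite(set_cisco_ios)` replaces `rewrite(set_metadata_vendor_product_cisco_ios)` (which line is new is inferred from print order), and since `set_cisco_ios` only sets `fields.sc4s_syslog_format` per the filter definitions earlier on this page, nothing visible in this branch sets a vendor/product for IOS messages any more. Unless `vendor_product_by_source()` in the second hunk or something outside the hunk fills `fields.sc4s_vendor_product`, the rewritten `f_cisco_ios` in ios.conf will not match them, so that path should be confirmed. If the field is set elsewhere, a comment next to the rewrite, `# vendor_product for this branch comes from vendor_product_by_source() or dedicated-port context`, would save the next reader the same search. The same substitution appears twice in package/etc/templates/source_network.t, where the same question applies; the enclosing `source s_default-ports {` block starts and ends outside both hunks.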
30 changes: 15 additions & 15 deletions package/etc/context-local/vendor_product_by_source.conf
Expand Up @@ -4,34 +4,34 @@
#filter {match("f5_test" template("$(env PRESUME_SYSLOG)")); };

filter f_test_test {
host("testvp-*" type(glob))
or match("test_test" value("fields.sc4s_presume"))
host("testvp-*" type(glob)) or
netmask(192.168.100.1/24)
};
filter f_juniper_nsm {
host("jnpnsm-*" type(glob))
or match("juniper_nsm" value("fields.sc4s_presume"))
host("jnpnsm-*" type(glob)) or
netmask(192.168.1.0/24)
};
filter f_juniper_nsm_idp {
host("jnpnsmidp-*" type(glob))
or match("juniper_nsm_idp" value("fields.sc4s_presume"))
host("jnpnsmidp-*" type(glob)) or
netmask(192.168.2.0/24)
};
filter f_juniper_idp {
host("jnpidp-*" type(glob))
or match("juniper_idp" value("fields.sc4s_presume"))
host("jnpidp-*" type(glob)) or
netmask(192.168.3.0/24)
};
filter f_juniper_netscreen {
host("jnpns-*" type(glob) )
or match("juniper_netscreen" value("fields.sc4s_presume"))
host("jnpns-*" type(glob)) or
netmask(192.168.4.0/24)
};
filter f_cisco_nx_os {
host("csconx-*" type(glob) )
or match("cisco_nx_os" value("fields.sc4s_presume"))
};
host("csconx-*" type(glob)) or
netmask(192.168.5.0/24)
};
filter f_proofpoint_pps_sendmail {
host("pps-*" type(glob)) or
netmask(192.168.1.0/24)
netmask(192.168.6.0/24)
};
filter f_proofpoint_pps_filter {
host("pps-*" type(glob)) or
netmask(192.168.1.0/24)
netmask(192.168.7.0/24)
};
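Review bot: `f_test_test` uses `netmask(192.168.100.1/24)` while every other filter in the hunk uses the network address with a zero host part; syslog-ng's netmask() masks the address so this likely still works, but for consistency and to avoid a reader assuming a /32 was intended I'd write `netmask(192.168.100.0/24)`. Every filter also drops its `match(... value("fields.sc4s_presume"))` alternative, which removes the ability to force a classification from a field, and the commented `PRESUME_SYSLOG` line above the hunk becomes stale if that is deliberate. `f_proofpoint_pps_sendmail` and `f_proofpoint_pps_filter` both keep `host("pps-*" type(glob))`, so any host matching that pattern satisfies both filters regardless of the two netmasks; if the subnet is meant to be the discriminator the host clause should differ or be dropped. Which lines are old and which are new is inferred from print order only.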
6 changes: 4 additions & 2 deletions package/etc/templates/source_network.t
Expand Up @@ -73,12 +73,14 @@ source s_dedicated_port_{{ .port_id}} {
rewrite(set_rfc5424_noversion);
{{- else if eq .parser "cisco_parser" }}
parser {cisco-parser()};
rewrite(set_metadata_vendor_product_cisco_ios);
rewrite(set_cisco_ios);
{{- else if eq .parser "rfc3164" }}
parser {
syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
};
rewrite(set_rfc3164);
{{- else if eq .parser "no_parse" }}
rewrite(set_no_parse);
{{- else }}
if {filter(f_rfc5424_strict);
parser {
Expand All @@ -93,7 +95,7 @@ source s_dedicated_port_{{ .port_id}} {
rewrite(set_rfc5424_noversion);
} elif {
parser {cisco-parser()};
rewrite(set_metadata_vendor_product_cisco_ios);
rewrite(set_cisco_ios);
} else {
parser {
syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
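Review bot: The new `no_parse` branch runs no parser and only `rewrite(set_no_parse)`, but nothing in the hunk shows whether the `s_dedicated_port_{{ .port_id}}` source driver itself still parses the message (syslog-ng sources do unless given `flags(no-parse)`), so a reader cannot tell whether `no_parse` means "leave the raw line untouched" or only "skip the RFC3164/cisco parser stage"; the source definition is outside the hunk. A comment above the branch, `# no_parse: no parser stage here; the source driver's flags decide whether MSG holds the raw line`, or whichever statement is actually true, would resolve that. Unlike the rfc3164 branch this one also never sets `flags(store-raw-message)`, so anything downstream that relies on the raw message may behave differently for these ports — worth confirming.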
