Merge pull request #388 from splunk/feature/updatedropfeaturename

Change f_catch_first to f_null_queue

docs/configuration.md

@@ -228,7 +228,7 @@ docker stack deploy --compose-file docker-compose.yml sc4s
 ## Dropping all data by ip or subnet
 
 In some cases rogue or port-probing data can be sent to SC4S from misconfigured devices or vulnerability scanners. Update
-the `vendor_product_by_source.conf` filter `f_catch_first` with one or more ip/subnet masks to drop events without
+the `vendor_product_by_source.conf` filter `f_null_queue` with one or more ip/subnet masks to drop events without
 logging. Note that drop metrics will be recorded.
 
 

package/etc/conf.d/filters/misc/null_queue.conf

@@ -0,0 +1,5 @@
+#f_null_queue
+filter f_null_queue {
+    match("^null_queue", value("fields.sc4s_vendor_product"));
+
+};

package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl → package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl

@@ -2,7 +2,7 @@
 # vulnerability scanners to be ignored
 log {
 
-    filter(f_catch_first);
+    filter(f_null_queue);
 
     flags(catchall,final);
 

package/etc/context_templates/vendor_product_by_source.conf.example

@@ -2,7 +2,7 @@ filter f_test_test {
     host("testvp-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_catch_first {
+filter f_null_queue {
    netmask(169.254.100.0/24)
 };
 

package/etc/context_templates/vendor_product_by_source.csv.example

@@ -1,6 +1,6 @@
 f_test_test,sc4s_vendor_product,"test_test"
 f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
-f_catch_first,sc4s_vendor_product,"catch_first"
+f_null_queue,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"