From 084d9364471a44681b836fd2c769d4b16f1e6c8b Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 7 May 2020 14:45:07 -0400
Subject: [PATCH 1/3] Support reverse DNS
---
 docs/configuration.md | 1 +
 package/Dockerfile | 2 +-
 package/etc/{syslog-ng.conf => syslog-ng.conf.tmpl} | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename package/etc/{syslog-ng.conf => syslog-ng.conf.tmpl} (94%)
diff --git a/docs/configuration.md b/docs/configuration.md
index 6fdf940..4105d17 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -9,6 +9,7 @@ and variables needed to properly configure SC4S for your environment.
 |----------|---------------|-------------|
 | SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list |
 | SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token |
+| SC4S_GLOBAL_DNS_USE | yes/no (default) | use reverse DNS to identify hosts when HOST is not valid in the syslog header |
 * NOTE: Do _not_ configure HEC Acknowledgement when deploying the HEC token on the Splunk side; the underlying syslog-ng http destination does not support this feature. Moreover, HEC Ack would significantly degrade performance for streaming data such as
diff --git a/package/Dockerfile b/package/Dockerfile
index bd5e477..b461c2b 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -13,7 +13,7 @@ COPY --from=hairyhenderson/gomplate:v3.5.0 /gomplate /usr/local/bin/gomplate
 COPY goss.yaml goss.yaml
-COPY etc/syslog-ng.conf /opt/syslog-ng/etc/syslog-ng.conf
+COPY etc/syslog-ng.conf.tmpl /opt/syslog-ng/etc/syslog-ng.conf.tmpl
 COPY etc/conf.d /opt/syslog-ng/etc/conf.d
 COPY etc/go_templates /opt/syslog-ng/etc/go_templates
 COPY etc/context_templates /opt/syslog-ng/etc/context_templates
diff --git a/package/etc/syslog-ng.conf b/package/etc/syslog-ng.conf.tmpl
similarity index 94%
rename from package/etc/syslog-ng.conf
rename to package/etc/syslog-ng.conf.tmpl
index 03ba65c..8730725 100644
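Review bot: The new COPY installs only `/opt/syslog-ng/etc/syslog-ng.conf.tmpl`, and nothing in this three-patch series renders it to `/opt/syslog-ng/etc/syslog-ng.conf`, so unless the container entrypoint (outside this hunk) already runs gomplate over `*.tmpl` files, syslog-ng starts without its main configuration. gomplate is already copied in at the hunk's context line, so the render step presumably exists; the Dockerfile should point at it, e.g. a comment above the COPY: `# rendered to syslog-ng.conf by the entrypoint via gomplate; SC4S_GLOBAL_DNS_* are read at that point`. If `goss.yaml` asserts on the old path it needs the rendered file too, but that file is not visible here.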
--- a/package/etc/syslog-ng.conf
+++ b/package/etc/syslog-ng.conf.tmpl
@@ -18,9 +18,9 @@ options {
 time_reopen (10);
 log_fifo_size (10000);
 chain_hostnames (off);
- use_dns (no);
+ use_dns ({{getenv "SC4S_GLOBAL_DNS_USE" "no"}});
 use_fqdn (no);
- dns-cache(no);
+ dns-cache({{getenv "SC4S_GLOBAL_DNS_CACHE" "yes"}});
 create_dirs (no);
 keep-hostname (yes);
 create_dirs(yes);
From 28b41d99ce3c0206a72e14b4f093132cf7354a41 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 7 May 2020 14:56:56 -0400
Subject: [PATCH 2/3] Update syslog-ng.conf.tmpl
---
 package/etc/syslog-ng.conf.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/etc/syslog-ng.conf.tmpl b/package/etc/syslog-ng.conf.tmpl
index 8730725..98db6a2 100644
--- a/package/etc/syslog-ng.conf.tmpl
+++ b/package/etc/syslog-ng.conf.tmpl
@@ -17,12 +17,12 @@ options {
 flush_lines (100);
 time_reopen (10);
 log_fifo_size (10000);
- chain_hostnames (off);
+ chain_hostnames (yes);
 use_dns ({{getenv "SC4S_GLOBAL_DNS_USE" "no"}});
 use_fqdn (no);
 dns-cache({{getenv "SC4S_GLOBAL_DNS_CACHE" "yes"}});
 create_dirs (no);
- keep-hostname (yes);
+ keep-hostname (no);
 create_dirs(yes);
 dir_perm(0750);
 stats-freq(30);
From 9eaebb30bf16d5991cde9cf592a236ce0e679aba Mon Sep 17 00:00:00 2001
From: mbonsack
Date: Thu, 7 May 2020 13:01:24 -0700
Subject: [PATCH 3/3] Update configuration.md
---
 docs/configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 4105d17..38bca4b 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
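Review bot: The values of `SC4S_GLOBAL_DNS_USE` and `SC4S_GLOBAL_DNS_CACHE` are interpolated into `use_dns()` and `dns-cache()` without validation, so any value other than the tokens syslog-ng accepts there (`yes`/`no`, plus `persist_only` for `use_dns`) yields a rendered config that fails to parse at startup, with an error naming the rendered file rather than the variable. A check in the entrypoint that rejects other values before rendering, or at least a template comment such as `# SC4S_GLOBAL_DNS_USE / SC4S_GLOBAL_DNS_CACHE must be yes or no; syslog-ng rejects anything else`, would make that failure mode obvious. `SC4S_GLOBAL_DNS_CACHE` is also missing from the table this patch adds to docs/configuration.md. Operators enabling reverse DNS should be told in that docs row that HOST then derives from the PTR record for the sender address, which the sender's network controls, and that each uncached lookup adds latency on the receive path. The `options { … }` block starts and ends outside the hunk.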
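Review bot: `keep-hostname (no)` together with `chain_hostnames (yes)` changes the HOST value for every message unconditionally, not only when the header host is invalid and not only when `SC4S_GLOBAL_DNS_USE` is `yes`: as I read syslog-ng's options, keep-hostname(no) discards the hostname carried in the syslog header and substitutes the sender address (its reverse-DNS name only when use_dns is enabled), and chain_hostnames(yes) appends the receiving host to it. That contradicts the documentation row ("use reverse DNS to identify hosts when HOST is not valid in the syslog header") added in patch 1 and reworded in patch 3, and with the default use_dns(no) it makes the source IP the host identity for all events. If the unconditional behaviour is intended, the commit message ("Update syslog-ng.conf.tmpl") and the docs row should say so; otherwise keep `keep-hostname (yes);` and gate the new behaviour behind its own variable (constructed name for illustration: `SC4S_GLOBAL_KEEP_HOSTNAME`). The `options { … }` block starts and ends outside the hunk.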
@@ -9,7 +9,7 @@ and variables needed to properly configure SC4S for your environment.
 |----------|---------------|-------------|
 | SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list |
 | SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token |
-| SC4S_GLOBAL_DNS_USE | yes/no (default) | use reverse DNS to identify hosts when HOST is not valid in the syslog header |
+| SC4S_GLOBAL_DNS_USE | yes or no(default) | use reverse DNS to identify hosts when HOST is not valid in the syslog header |
 * NOTE: Do _not_ configure HEC Acknowledgement when deploying the HEC token on the Splunk side; the underlying syslog-ng http destination does not support this feature. Moreover, HEC Ack would significantly degrade performance for streaming data such as