From aff2520114eb7531bd48f7325249af94eb0d33cd Mon Sep 17 00:00:00 2001
From: Jay Shah
Date: Fri, 13 Mar 2020 14:49:16 +0530
Subject: [PATCH 1/3] Changed sourcetype of RT_IDS events of Juniper to juniper:junos:firewall
---
 package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl | 2 +-
 .../etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl | 2 +-
 tests/test_juniper_junos_rfc3164.py | 2 +-
 tests/test_juniper_junos_rfc5124.py | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
index 05d7e5d..826e3c7 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
@@ -32,7 +32,7 @@ log {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
 parser {p_add_context_splunk(key("juniper_junos_fw")); };
 } elif (program('RT_IDS')) {
- rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
 parser {p_add_context_splunk(key("juniper_junos_ids")); };
 } elif (program('RT_UTM')) {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index d5ae714..2c7e5d8 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
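Review bot: After this change the RT_IDS branch carries a firewall sourcetype and index (`sourcetype("juniper:junos:firewall"), index("netfw")`) but the context line right below it still tags the events with the IDS key, `parser {p_add_context_splunk(key("juniper_junos_ids")); };`, so IDP attack events end up classified under two different schemes. Moving them out of `netids` also moves them out of whatever index-scoped role permissions, retention and intrusion-detection searches are presumably pointed at that index; a routing change of this kind needs a sentence of rationale in the commit message, and none is given. The tests in this same commit still search `sourcetype="juniper:junos:idp"`, and PATCH 3/3 of this series reverts this hunk outright, so the series as a whole is a no-op and would leave a cleaner history if the change and its revert were both dropped. The enclosing `log { }` block starts and ends outside the hunk.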
@@ -31,7 +31,7 @@ log {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
 parser {p_add_context_splunk(key("juniper_junos_fw_structured")); };
 } elif (program('RT_IDS')) {
- rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
 parser {p_add_context_splunk(key("juniper_junos_ids_structured")); };
 } elif (program('RT_UTM')) {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py
index b127814..429b8b1 100644
--- a/tests/test_juniper_junos_rfc3164.py
+++ b/tests/test_juniper_junos_rfc3164.py
@@ -61,7 +61,7 @@ def test_juniper_idp_standard(record_property, setup_wordlist, get_host_key, set
 sendsingle(message)
- st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
+ st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
 search = st.render(host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py
index 2e0b4e1..3e15a70 100644
--- a/tests/test_juniper_junos_rfc5124.py
+++ b/tests/test_juniper_junos_rfc5124.py
@@ -44,7 +44,7 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_
 sendsingle(message)
- st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
+ st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
 search = st.render(host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
From e4c53c084eeb93546c619b91de8b8ff03cbe05f8 Mon Sep 17 00:00:00 2001
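Review bot: The changed search in `test_juniper_idp_standard` now filters `index=netfw` but still `sourcetype=\"juniper:junos:idp\"`, while the template hunks in this same commit assign `juniper:junos:firewall` to RT_IDS events, so the search can match nothing and whatever check follows on `resultCount`/`eventCount` (outside the hunk) would see zero events. If the routing change is intended, both fields have to move together: `st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\" | head 2")`. The `test_juniper_junos_idp_structured` hunk that follows has the same mismatch (`juniper:junos:idp:structured` searched, `juniper:junos:firewall:structured` assigned), and both test names would then no longer describe what they assert. Both test functions start before and end after their hunks.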
From: Jay Shah
Date: Fri, 13 Mar 2020 15:17:22 +0530
Subject: [PATCH 2/3] reverted changes of test file
---
 tests/test_juniper_junos_rfc3164.py | 2 +-
 tests/test_juniper_junos_rfc5124.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py
index 429b8b1..b127814 100644
--- a/tests/test_juniper_junos_rfc3164.py
+++ b/tests/test_juniper_junos_rfc3164.py
@@ -61,7 +61,7 @@ def test_juniper_idp_standard(record_property, setup_wordlist, get_host_key, set
 sendsingle(message)
- st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
+ st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
 search = st.render(host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py
index 3e15a70..2e0b4e1 100644
--- a/tests/test_juniper_junos_rfc5124.py
+++ b/tests/test_juniper_junos_rfc5124.py
@@ -44,7 +44,7 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_
 sendsingle(message)
- st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
+ st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
 search = st.render(host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
From be51dd1943c5eb1b305eefb383e5fbd127368b91 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 13 Mar 2020 09:53:10 -0400
Subject: [PATCH 3/3] Revert "Changed sourcetype of RT_IDS events of Juniper to juniper:junos:firewall"
---
 package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl | 2 +-
 .../etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
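Review bot: Restoring only the test side leaves this commit internally inconsistent: the templates changed in PATCH 1/3 still route RT_IDS events to `juniper:junos:firewall`/`netfw` at this point in the series, while the restored search again looks for `index=netids` and `sourcetype=\"juniper:junos:idp\"`, so `test_juniper_idp_standard` (and the structured test in the next hunk) cannot pass until PATCH 3/3 lands and bisecting across the series is unreliable. A template change and the test that pins it should be reverted in one commit rather than in two steps. Both test functions start before and end after their hunks.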
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
index f2a7120..c5a2786 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
@@ -32,7 +32,7 @@ log {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
 parser {p_add_context_splunk(key("juniper_junos_fw")); };
 } elif (program('RT_IDS')) {
- rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
+ rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))};
 parser {p_add_context_splunk(key("juniper_junos_ids")); };
 } elif (program('RT_UTM')) {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index 7b743cb..e42756a 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -31,7 +31,7 @@ log {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
 parser {p_add_context_splunk(key("juniper_junos_fw_structured")); };
 } elif (program('RT_IDS')) {
- rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) };
 parser {p_add_context_splunk(key("juniper_junos_ids_structured")); };
 } elif (program('RT_UTM')) {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
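Review bot: The RT_UTM branch that sits as context just below the restored RT_IDS line routes `sourcetype("juniper:junos:firewall")` to `index("netids")`, while the structured template's RT_UTM branch in the next hunk routes `juniper:junos:firewall:structured` to `index("netfw")`, so the two templates disagree on where UTM events land. Unless that asymmetry is deliberate, the unstructured line should become `rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};`, because UTM events carrying the firewall sourcetype but stored in the IDS index are invisible to searches scoped to `netfw` and fall under the wrong index permissions and retention. The revert itself is correct and restores agreement with the tests, which search `index=netids` and `sourcetype="juniper:junos:idp"`. The enclosing `log { }` block starts and ends outside the hunk.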