diff --git a/docs/sources/Brocade/index.md b/docs/sources/Brocade/index.md index 90173e9..a9ef70d 100644 --- a/docs/sources/Brocade/index.md +++ b/docs/sources/Brocade/index.md @@ -33,8 +33,8 @@ Device setup unknown | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_BROCADE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_BROCADE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_BROCADE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_BROCADE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_BROCADE | no | Enable archive to disk for this specific source | | SC4S_DEST_BROCADE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md index 0c21d8e..1222800 100644 --- a/docs/sources/Cisco/index.md +++ b/docs/sources/Cisco/index.md 
@@ -33,8 +33,8 @@ PATTERN MATCH | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ACS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_ACS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_ACS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CISCO_ACS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CISCO_ACS | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_ACS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | @@ -82,8 +82,8 @@ PATTERN MATCH | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_APIC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_APIC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_APIC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CISCO_APIC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CISCO_APIC | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_APIC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
@@ -140,12 +140,12 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_ASA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CISCO_ASA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CISCO_ASA | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_ASA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | -| SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC3164 format | +| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers expecting RFC3164 format | +| SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers expecting RFC3164 format | | SC4S_ARCHIVE_CISCO_ASA_LEGACY | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_ASA_LEGACY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
@@ -227,8 +227,8 @@ Cisco Network Products of multiple types share common logging characteristics th | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_IOS_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_IOS_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CISCO_IOS | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_IOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | @@ -273,8 +273,8 @@ PATTERN MATCH | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | +| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | | SC4S_ARCHIVE_CISCO_ISE | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_ISE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
@@ -323,8 +323,8 @@ IP, Netmask, Host or Port | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | +| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | | SC4S_ARCHIVE_CISCO_MERAKI | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_MERAKI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | @@ -371,8 +371,8 @@ PATTERN MATCH | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_UCM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_UCM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_UCM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CISCO_UCM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CISCO_UCM | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_UCM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
@@ -424,8 +424,8 @@ IP, Netmask or Host | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_WSA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_WSA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_WSA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CISCO_WSA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CISCO_WSA | no | Enable archive to disk for this specific source | | SC4S_DEST_CISCO_WSA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | @@ -437,4 +437,4 @@ Use the following search to validate events are present index=netops sourcetype=cisco:wsa:* ``` -Verify timestamp, and host values match as expected \ No newline at end of file +Verify timestamp, and host values match as expected diff --git a/docs/sources/CommonEventFormat/index.md b/docs/sources/CommonEventFormat/index.md index 5688d47..c291333 100644 --- a/docs/sources/CommonEventFormat/index.md +++ b/docs/sources/CommonEventFormat/index.md 
@@ -10,31 +10,8 @@ Imperva, and Cyberark. Therefore, the CEF environment variables for unique port should be set only _once_. If your deployment has multiple CEF devices that send to more than one port, -set the CEF unique port variable(s) to just one of the ports in use. Then, map the others with -container networking to the port chosen, similar to the way default ports are configured (see the -"Getting Started" runtime documents for more details). - -Example: If you have three CEF devices, -sending on TCP ports 2000,2001, and 2002, set `SC4S_LISTEN_CEF_TCP_PORT=2000`. Then, change the -unit/compose files to route the three external ports to the single port 2000 on the container. -Here is the example for podman/systemd: - -``` -ExecStart=/usr/bin/podman -p 514:514 -p 514:514/udp -p 6514:6514 -p 2000-2002:2000 \ -``` - -or this, for docker-compose/swarm installations: - -``` -# Comment the following line out if using docker-compose - mode: host - - target: 2000 - published: 2000-2002 - protocol: tcp -``` - -These changes will route all three ports to TCP port 2000 inside the container, and the single CEF log -path will properly process data from all three devices. +set the CEF unique port variable(s) as a comma-separated list. See [Unique Listening Ports](https://splunk-connect-for-syslog.readthedocs.io/en/develop/sources/#unique-listening-ports) +for details. The source documentation included below is a reference baseline for any product that sends data using the CEF log path. 
@@ -46,19 +23,45 @@ using the CEF log path. | Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | -### Sourcetypes +### Splunk Metadata with CEF events + +The keys (first column) in `splunk_metadata.csv` for CEF data sources have a slightly different meaning than those for non-CEF ones. +The typical `vendor_product` syntax is instead replaced by checks against specific columns of the CEF event -- namely the first, +second, and fourth columns following the leading `CEF:0` ("column 0"). These specific columns refer to the CEF `device_vendor`, +`device_product`, and `device_event_class`, respectively. The third column, `device_version`, is not used for metadata assignment. + +SC4S sets metadata based on the first two columns, and (optionally) the fourth. While the key (first column) in the +`splunk_metadata` file for non-CEF sources uses a "vendor_product" syntax that is arbitrary, the syntax for this key for CEF +events is based on the actual contents of columns 1,2 and 4 from the CEF event, namely: + +`device_vendor`\_`device_product`\_`device_class` + +The final `device_class` portion is optional. Therefore, CEF entries in `splunk_metadata` can have a key representing the vendor and +product, and others representing a vendor and product coupled with one or more additional classes. This allows for more granular +metadata assignment (or overrides). 
+ +Here is a snippet of a sample Imperva CEF event that includes a CEF device class entry (which is "Firewall"): +``` +Apr 19 10:29:53 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium| +``` +and the corresponding match in `splunk_metadata.csv`: +``` +Imperva Inc._SecureSphere_Firewall,sourcetype,imperva:waf:firewall:cef +``` + +### Default Sourcetype | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | cef | Common sourcetype | -### Typical Source +### Default Source | source | notes | |----------------|---------------------------------------------------------------------------------------------------------| | Varies | Varies | -### Typical Index Configuration +### Default Index Configuration | key | source | index | notes | |----------------|----------------|----------------|----------------| 
@@ -72,9 +75,9 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CEF_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CEF_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/CyberArk/index.md b/docs/sources/CyberArk/index.md index 40aee14..dfe0bf0 100644 --- a/docs/sources/CyberArk/index.md +++ b/docs/sources/CyberArk/index.md @@ -28,7 +28,7 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | * NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the "Common Event Format" source 
@@ -72,7 +72,7 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | * NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the "Common Event Format" source diff --git a/docs/sources/Dell_RSA/index.md b/docs/sources/Dell_RSA/index.md index 0070e8f..e89e1fb 100644 --- a/docs/sources/Dell_RSA/index.md +++ b/docs/sources/Dell_RSA/index.md @@ -41,8 +41,8 @@ NOTE: Java trace and exception will default to sc4s:fallback if the host/ip filt | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_DELL_RSA_SECUREID_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_DELL_RSA_SECUREID_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_DELL_RSA_SECUREID_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_DELL_RSA_SECUREID_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_DELL_RSA_SECUREID | no | Enable archive to disk for this specific source | | SC4S_DEST_DELL_RSA_SECUREID_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/F5/index.md b/docs/sources/F5/index.md index 7e70536..fc964ae 100644 --- a/docs/sources/F5/index.md +++ b/docs/sources/F5/index.md 
@@ -49,8 +49,8 @@ When F5 blades are identified as part of the host name the blade will be indicat | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_F5_BIGIP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_F5_BIGIP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_F5_BIGIP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_F5_BIGIP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_F5_BIGIP | no | Enable archive to disk for this specific source | | SC4S_DEST_F5_BIGIP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/Forcepoint/index.md b/docs/sources/Forcepoint/index.md index 61c4bcd..19ae9d6 100644 --- a/docs/sources/Forcepoint/index.md +++ b/docs/sources/Forcepoint/index.md 
@@ -36,8 +36,8 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT | no | Enable archive to disk for this specific source | | SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/Fortinet/FortiGate_event.png b/docs/sources/Fortinet/FortiGate_event.png index 9a0113d..291a494 100644 Binary files a/docs/sources/Fortinet/FortiGate_event.png and b/docs/sources/Fortinet/FortiGate_event.png differ diff --git a/docs/sources/Fortinet/FortiGate_traffic.png b/docs/sources/Fortinet/FortiGate_traffic.png index 5bf2971..5d4ebb9 100644 Binary files a/docs/sources/Fortinet/FortiGate_traffic.png and b/docs/sources/Fortinet/FortiGate_traffic.png differ diff --git a/docs/sources/Fortinet/FortiGate_utm.png b/docs/sources/Fortinet/FortiGate_utm.png index dc36625..3f859d8 100644 Binary files a/docs/sources/Fortinet/FortiGate_utm.png and b/docs/sources/Fortinet/FortiGate_utm.png differ diff --git a/docs/sources/Fortinet/index.md b/docs/sources/Fortinet/index.md index 2b3d1c8..bc7c607 100644 --- a/docs/sources/Fortinet/index.md +++ b/docs/sources/Fortinet/index.md 
@@ -114,8 +114,8 @@ are in use. See the introductory note above for more details. | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_FORTINET_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | -| SC4S_LISTEN_FORTINET_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_FORTINET_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_FORTINET_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_FORTINET | no | Enable archive to disk for this specific source | | SC4S_DEST_FORTINET_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | @@ -218,8 +218,8 @@ are in use. See the introductory note above for more details. | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_FORTINET_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | -| SC4S_LISTEN_FORTINET_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_FORTINET_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_FORTINET_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_FORTINET | no | Enable archive to disk for this specific source | | SC4S_DEST_FORTINET_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md index 083fe1c..c84f571 100644 --- a/docs/sources/Imperva/index.md 
+++ b/docs/sources/Imperva/index.md @@ -37,8 +37,8 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | @@ -87,8 +87,8 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/InfoBlox/index.md b/docs/sources/InfoBlox/index.md index 61b52ba..4ffe6ec 100644 --- a/docs/sources/InfoBlox/index.md +++ b/docs/sources/InfoBlox/index.md 
@@ -42,8 +42,8 @@ Must be identified by host or ip assignment. Update the filter `f_infoblox` or c | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_INFOBLOX_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_INFOBLOX_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_INFOBLOX_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_INFOBLOX_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_INFOBLOX | no | Enable archive to disk for this specific source | | SC4S_DEST_INFOBLOX_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md index 8110f6b..ac86e49 100644 --- a/docs/sources/Juniper/index.md +++ b/docs/sources/Juniper/index.md 
@@ -41,11 +41,11 @@ | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | -| SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined using 5424 format || SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source | +| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| +| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| +| SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| +| SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers using 5424 format | +| SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers using 5424 format || SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source | | SC4S_DEST_JUNIPER_JUNOS_HEC 
| no | When Splunk HEC is disabled globally set to yes to enable this specific source | ### Verification @@ -93,9 +93,9 @@ Verify timestamp, and host values match as expected | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_JUNIPER_NETSCREEN | no | Enable archive to disk for this specific source | | SC4S_DEST_JUNIPER_NETSCREEN_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/Loggen/index.md b/docs/sources/Loggen/index.md index 16047b8..44c1623 100644 --- a/docs/sources/Loggen/index.md +++ b/docs/sources/Loggen/index.md 
@@ -28,8 +28,8 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_SYSLOGNG_LOGGEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_SYSLOGNG_LOGGEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_SYSLOGNG_LOGGEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_SYSLOGNG_LOGGEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_SYSLOGNG_LOGGEN | no | Enable archive to disk for this specific source | | SC4S_DEST_SYSLOGNG_LOGGEN_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/McAfee/index.md b/docs/sources/McAfee/index.md index 9759e13..0ebec61 100644 --- a/docs/sources/McAfee/index.md +++ b/docs/sources/McAfee/index.md 
@@ -36,8 +36,8 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_MCAFEE_EPO_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_MCAFEE_EPO_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_MCAFEE_EPO_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_MCAFEE_EPO_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_MCAFEE_EPO | no | Enable archive to disk for this specific source | | SC4S_DEST_MCAFEE_EPO_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/Microfocus/index.md b/docs/sources/Microfocus/index.md index 953f3e6..475df7f 100644 --- a/docs/sources/Microfocus/index.md +++ b/docs/sources/Microfocus/index.md @@ -34,7 +34,7 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Deprecated equivalent of above variable. This is included for backward compatibility and will be removed in a future version. _Do not use_ in new installations. | * NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how 
@@ -88,8 +88,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
 | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
 | SC4S_WWW_XXX_MICROFOCUS_ARCSIGHT_YYY_ZZZ | no | Deprecated equivalents of the above variables. These are included for backward compatibility, and will be removed in a future version. _Do not use_ in new installations. |
diff --git a/docs/sources/Microsoft/index.md b/docs/sources/Microsoft/index.md
index 6a1c2e7..fd562b6 100644
--- a/docs/sources/Microsoft/index.md
+++ b/docs/sources/Microsoft/index.md
@@ -37,8 +37,8 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
 | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md
index 71297ce..f57e6c6 100644
--- a/docs/sources/PaloaltoNetworks/index.md
+++ b/docs/sources/PaloaltoNetworks/index.md
@@ -49,8 +49,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_PALOALTO_PANOS | no | Enable archive to disk for this specific source |
 | SC4S_DEST_PALOALTO_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
diff --git a/docs/sources/Pfsense/index.md b/docs/sources/Pfsense/index.md
index 09e3fcb..e363d7b 100644
--- a/docs/sources/Pfsense/index.md
+++ b/docs/sources/Pfsense/index.md
@@ -43,8 +43,8 @@ Source does not provide a hostname, port or IP based filter is required
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_PFSENSE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_PFSENSE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_PFSENSE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_PFSENSE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_PFSENSE | no | Enable archive to disk for this specific source |
 | SC4S_DEST_PFSENSE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
diff --git a/docs/sources/Proofpoint/index.md b/docs/sources/Proofpoint/index.md
index f06407b..1008578 100644
--- a/docs/sources/Proofpoint/index.md
+++ b/docs/sources/Proofpoint/index.md
@@ -39,8 +39,8 @@ messages to create meaningful final output. This will require follow-on process
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. |
-| SC4S_PROOFPOINT_PPS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined. |
+| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers. |
+| SC4S_PROOFPOINT_PPS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers. |
 | SC4S_ARCHIVE_PROOFPOINT_PPS | no | Enable archive to disk for this specific source |
 | SC4S_DEST_PROOFPOINT_PPS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
@@ -50,4 +50,4 @@ One or two sourcetypes are included in Proofpoint PPS logs. The search below wi
 ```
 index= sourcetype=pps_*_log
 | stats count by host
-```
\ No newline at end of file
+```
diff --git a/docs/sources/Schneider/index.md b/docs/sources/Schneider/index.md
index 9b0f481..a4585b0 100644
--- a/docs/sources/Schneider/index.md
+++ b/docs/sources/Schneider/index.md
@@ -34,8 +34,8 @@ Port or IP based filter is required
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_SCHNEIDER_APC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_SCHNEIDER_APC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_SCHNEIDER_APC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_SCHNEIDER_APC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_SCHNEIDER_APC | no | Enable archive to disk for this specific source |
 | SC4S_DEST_SCHNEIDER_APC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md
index 47ec0f1..3403330 100644
--- a/docs/sources/Symantec/index.md
+++ b/docs/sources/Symantec/index.md
@@ -42,8 +42,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_SYMANTEC_EP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_SYMANTEC_EP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_SYMANTEC_EP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_SYMANTEC_EP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_SYMANTEC_EP | no | Enable archive to disk for this specific source |
 | SC4S_DEST_SYMANTEC_EP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
@@ -97,8 +97,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source |
 | SC4S_DEST_SYMANTEC_PROXY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
@@ -147,8 +147,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL | no | Enable archive to disk for this specific source |
 | SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
 | SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG | yes | Email processing events generated by the bmserver process will be grouped by host+program+pid+msg ID into a single event |
diff --git a/docs/sources/Ubiquiti/index.md b/docs/sources/Ubiquiti/index.md
index e671337..996a56e 100644
--- a/docs/sources/Ubiquiti/index.md
+++ b/docs/sources/Ubiquiti/index.md
@@ -61,8 +61,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_UBIQUITI_UNIFI | no | Enable archive to disk for this specific source |
 | SC4S_DEST_UBIQUITI_UNIFI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
diff --git a/docs/sources/VMWare/index.md b/docs/sources/VMWare/index.md
index 7c06973..42a7dc0 100644
--- a/docs/sources/VMWare/index.md
+++ b/docs/sources/VMWare/index.md
@@ -40,9 +40,9 @@ MSG Parse: This filter parses message content when using the default configurati
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined |
+| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_VMWARE_VSPHERE | no | Enable archive to disk for this specific source |
 | SC4S_DEST_VMWARE_VSPHERE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
@@ -92,9 +92,9 @@ MSG Parse: This filter parses message content when using the default configurati
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined |
+| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_VMWARE_VSPHERE | no | Enable archive to disk for this specific source |
 | SC4S_DEST_VMWARE_VSPHERE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md
index 504a531..24dcebe 100644
--- a/docs/sources/Zscaler/index.md
+++ b/docs/sources/Zscaler/index.md
@@ -50,8 +50,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_ZSCALER_NSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_ZSCALER_NSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_ZSCALER_NSS | no | Enable archive to disk for this specific source |
 | SC4S_DEST_ZSCALER_NSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
@@ -112,8 +112,8 @@ MSG Parse: This filter parses message content
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_ZSCALER_LSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_ZSCALER_LSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_ZSCALER_LSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_ZSCALER_LSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
 | SC4S_ARCHIVE_ZSCALER_LSS | no | Enable archive to disk for this specific source |
 | SC4S_DEST_ZSCALER_LSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
diff --git a/package/etc/conf.d/context/common_event_format_class.csv b/package/etc/conf.d/context/common_event_format_class.csv
deleted file mode 100644
index 46fffcf..0000000
--- a/package/etc/conf.d/context/common_event_format_class.csv
+++ /dev/null
@@ -1,4 +0,0 @@
-Imperva Inc._SecureSphere_Firewall,sourcetype,imperva:waf:firewall:cef
-Imperva Inc._SecureSphere_Signature,sourcetype,imperva:waf:security:cef
-Imperva Inc._SecureSphere_Protocol,sourcetype,imperva:waf:security:cef
-Imperva Inc._SecureSphere_Worm,sourcetype,imperva:waf:security:cef
diff --git a/package/etc/conf.d/context/common_event_format_source.csv b/package/etc/conf.d/context/common_event_format_source.csv
deleted file mode 100644
index 17947e0..0000000
--- a/package/etc/conf.d/context/common_event_format_source.csv
+++ /dev/null
@@ -1,19 +0,0 @@
-ArcSight_ArcSight,source,ArcSight:ArcSight
-ArcSight_ArcSight,index,main
-Carbon Black_Protection,sourcetype,carbonblack:protection:cef
-Carbon Black_Protection,index,cb:cef
-Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
-Cyber-Ark_Vault,index,netauth
-CyberArk_PTA,sourcetype,cyberark:pta:cef
-CyberArk_PTA,index,main
-MCAS_SIEM_Agent,index,main
-MCAS_SIEM_Agent,source,microsoft:cas
-Microsoft_System or Application Event,source,CEFEventLog:System or Application Event
-Microsoft_System or Application Event,index,oswin
-Microsoft_Microsoft Windows,source,CEFEventLog:Microsoft Windows
-Microsoft_Microsoft Windows,index,oswinsec
-Incapsula_SIEMintegration,source,Imperva:Incapsula
-Incapsula_SIEMintegration,index,netwaf
-Imperva Inc._SecureSphere,sourcetype,imperva:waf
-Imperva Inc._SecureSphere,index,netwaf
-unknown,source,CEF:unknown
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index 54e1b77..2dac3d6 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -26,20 +26,10 @@ parser p_cef_ts_end {
 );
 };
-parser p_cef_source {
- add-contextual-data(
- selector("${fields.cef_device_vendor}_${fields.cef_device_product}"),
- database("conf.d/context/common_event_format_source.csv")
- ignore-case(yes)
- prefix(".splunk.")
- default-selector("unknown")
- );
-};
-
 parser p_cef_class {
 add-contextual-data(
 selector("${fields.cef_device_vendor}_${fields.cef_device_product}_${fields.cef_device_event_class}"),
- database("conf.d/context/common_event_format_class.csv")
+ database("conf.d/local/context/splunk_metadata.csv")
 ignore-case(yes)
 prefix(".splunk.")
 );
@@ -82,32 +72,17 @@ log {
 } else { };
 #Do nothing this is allows for both rt and end to be missing and still pass with the message ts
- #CEF TAs use the source as their bounds in props.conf
- if {
- parser(p_cef_source);
- };
- if {
- parser(p_cef_class);
- };
+ # CEF TAs use the source as their bounds in props.conf
+ # CEF source entries in splunk_metadata.csv should reflect the proper source as well as sourcetype
+ parser { p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}")); };
+ parser(p_cef_class);
 parser (compliance_meta_by_source);
- #We want to unset the fields we won't need, as this is copied into the
- #disk queue for network destinations. This can be very disk expensive
- #if we don't
-
- if {
- filter {
- match('^Imperva\sInc\._SecureSphere$', value("fields.sc4s_vendor_product"))
- };
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_cef_hdr_msg))" value("MSG")); };
- }
- else{
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
- };
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CEF_HEC" "no")) }}
 destination(d_hec);
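Review bot: The second hunk removes `p_cef_source` together with its `default-selector("unknown")`, and the replacement `parser { p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}")); };` is defined outside this diff, so it cannot be seen here whether an unmatched vendor/product pair still falls back to the `unknown` rows (the `unknown,source,...` entries added to the example CSV only take effect if it does); please confirm that, or keep an explicit default in this log path. The Imperva CEF header is now kept only when a `sc4s_template,t_cef_hdr_msg` row exists in the operator's `conf.d/local/context/splunk_metadata.csv`, whereas the removed branch matched `^Imperva\sInc\._SecureSphere$` unconditionally, so a local file that predates this change would presumably fall through to the `t_msg_only` default in the surviving `rewrite`; the new comment should say so, e.g. `# sc4s_template must be set per vendor_product (e.g. t_cef_hdr_msg) or the CEF header is dropped`. The first hunk has the same dependency: `p_cef_class` now reads the operator-maintained file instead of the shipped `common_event_format_class.csv`, so the event-class sourcetypes need the same migration. The enclosing `log { }` block starts and ends outside the hunk.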
diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example
index 03413e0..3bc7e0e 100644
--- a/package/etc/context_templates/splunk_metadata.csv.example
+++ b/package/etc/context_templates/splunk_metadata.csv.example
@@ -1,11 +1,30 @@
 bluecoat_proxy,index,netproxy
 brocade_syslog,index,netops
 ArcSight_ArcSight,index,main
+ArcSight_ArcSight,source,ArcSight:ArcSight
+Carbon Black_Protection,sourcetype,carbonblack:protection:cef
+Carbon Black_Protection,index,cb:cef
 Cyber-Ark_Vault,index,netauth
+Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
 CyberArk_PTA,index,main
+CyberArk_PTA,sourcetype,cyberark:pta:cef
 Incapsula_SIEMintegration,index,netwaf
+Incapsula_SIEMintegration,source,Imperva:Incapsula
+Incapsula_SIEMintegration,sourcetype,cef
+Incapsula_SIEMintegration,sc4s_template,t_cef_hdr_msg
+Imperva Inc._SecureSphere,index,netwaf
+Imperva Inc._SecureSphere,sourcetype,imperva:waf
+Imperva Inc._SecureSphere,sc4s_template,t_cef_hdr_msg
+Imperva Inc._SecureSphere_Firewall,sourcetype,imperva:waf:firewall:cef
+Imperva Inc._SecureSphere_Signature,sourcetype,imperva:waf:security:cef
+Imperva Inc._SecureSphere_Protocol,sourcetype,imperva:waf:security:cef
+Imperva Inc._SecureSphere_Worm,sourcetype,imperva:waf:security:cef
 Microsoft_Microsoft Windows,index,oswinsec
 Microsoft_System or Application Event,index,oswin
+Microsoft_System or Application Event,source,CEFEventLog:System or Application Event
+Microsoft_Microsoft Windows,source,CEFEventLog:Microsoft Windows
+MCAS_SIEM_Agent,index,main
+MCAS_SIEM_Agent,source,microsoft:cas
 checkpoint_splunk,index,netops
 checkpoint_splunk_dlp,index,netdlp
 checkpoint_splunk_email,index,email
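Review bot: The rows added here carry the source, sourcetype and `sc4s_template` assignments that the deleted `common_event_format_source.csv` and `common_event_format_class.csv` used to ship, but this is only the `.example` file under `context_templates`, while the log path now reads the operator's `conf.d/local/context/splunk_metadata.csv`; an existing deployment whose local file predates this change would lose those assignments unless the rows are copied over. Unless it is covered elsewhere in this change, a short migration note in the changelog or the CEF docs listing the new keys (`source`, `sourcetype`, `sc4s_template`) would prevent that. One value worth a second look: `Incapsula_SIEMintegration,sourcetype,cef` introduces a bare `cef` sourcetype that no other row uses, and the removed source file set no sourcetype for Incapsula at all, so please confirm it is the intended value rather than a placeholder.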
@@ -97,4 +116,7 @@ zscaler_fw,index,netfw
 zscaler_web,index,netproxy
 zscaler_zia_audit,index,netops
 zscaler_zia_sandbox,index,main
-zscaler_lss,index,netproxy
\ No newline at end of file
+zscaler_lss,index,netproxy
+unknown,index,main
+unknown,source,SC4S:unknown
+unknown,sourcetype,SC4S:unknown
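Review bot: The fallback source for unmatched CEF events changes from `CEF:unknown` (the row removed from `common_event_format_source.csv` in this same commit) to `SC4S:unknown`, which silently changes the `source` value that existing searches and props.conf stanzas keyed on `CEF:unknown` would match. If the rename is intended, a changelog or docs note naming the old and new values would help operators; otherwise keep `unknown,source,CEF:unknown`. These `unknown` rows are also only consulted if the parser that reads this file falls back to the `unknown` key, which is not visible in this diff.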