From 9f1b31eada0950f80a7bcee02e92bcf3e737d9d2 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sat, 13 Jun 2020 20:50:42 -0400
Subject: [PATCH] Correct hidden bugs not using splunk_index correctly
---
 package/etc/conf.d/context/common_event_format_source.csv | 1 +
 package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl | 4 ++--
 .../conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl | 4 ++--
 package/etc/context_templates/splunk_index.csv.example | 4 ++--
 tests/test_juniper_junos_rfc3164.py | 2 +-
 5 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/package/etc/conf.d/context/common_event_format_source.csv b/package/etc/conf.d/context/common_event_format_source.csv
index 695314e..17947e0 100644
--- a/package/etc/conf.d/context/common_event_format_source.csv
+++ b/package/etc/conf.d/context/common_event_format_source.csv
@@ -1,4 +1,5 @@
 ArcSight_ArcSight,source,ArcSight:ArcSight
+ArcSight_ArcSight,index,main
 Carbon Black_Protection,sourcetype,carbonblack:protection:cef
 Carbon Black_Protection,index,cb:cef
 Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
index 413dea2..9e23d49 100644
--- a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
@@ -83,7 +83,7 @@ log {
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
 r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}"))
 };
- parser { p_add_context_splunk(key("nix_syslog")); };
+ parser { p_add_context_splunk(key("dell_rsa_secureid")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
 } else {
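Review bot: The @@ -83 hunk of lp-dell_rsa_secureid.conf.tmpl keys the fallback branch, which tags events as `nix:syslog` in index `osnix`, with the context key `dell_rsa_secureid`, which is presumably the same key the rsa:securid:trace branch is meant to use, so a single splunk_index.csv row for that key would relocate both the trace events and the plain-syslog fallback events. If that is intended, a comment on the parser line such as `# shares the dell_rsa_secureid index override with the rsa:securid:trace path` would make it explicit; if not, a distinct key for the fallback keeps the override scoped to the trace events. The enclosing log block starts and ends outside the hunk.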
@@ -101,7 +101,7 @@ log {
 set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
 r_set_splunk_dest_default(sourcetype("rsa:securid:trace"), index("netauth"));
 };
- parser { p_add_context_splunk(key("nix_syslog")); };
+ parser { p_add_context_splunk(key("p_add_context_splunk")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index 8f4371b..91707cf 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -25,7 +25,7 @@ log {
 set("juniper_junos", value("fields.sc4s_vendor_product"));
 };
 if (program('RT_IDP')) {
- rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netfw")) };
 parser {p_add_context_splunk(key("juniper_idp_structured")); };
 } elif (program('RT_FLOW')) {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
@@ -43,7 +43,7 @@ log {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) };
 parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); };
 } else {
- rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) };
+ rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netfw")) };
 parser {p_add_context_splunk(key("juniper_structured")); };
 };
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 3f3cf64..1222873 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
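Review bot: The new key in the +parser line of the @@ -101 hunk of lp-dell_rsa_secureid.conf.tmpl is `p_add_context_splunk`, the name of the parser itself, rather than the vendor_product set two lines above (`set("dell_rsa_secureid", value("fields.sc4s_vendor_product"))`) and used as the key in the @@ -83 hunk of the same file. With that key no splunk_index.csv row would presumably ever match, so the rsa:securid:trace branch keeps its hard-coded `netauth` index regardless of the operator's override, which is exactly the class of bug the commit title says it corrects. Suggested line: `parser { p_add_context_splunk(key("dell_rsa_secureid")); };`. The enclosing log block starts and ends outside the hunk.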
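Review bot: Both hunks of lp-juniper_junos_structured.conf.tmpl change a hard-coded default index (RT_IDP from `netids` to `netfw` in the @@ -25 hunk, the catch-all `juniper:structured` branch from `netops` to `netfw` in the @@ -43 hunk), which is a routing change for IDS and unclassified JunOS events rather than a splunk_index.csv lookup fix, and the commit message does not say why. If the intent is that every structured JunOS path defaults to the firewall index, a one-line comment above the RT_IDP branch such as `# all structured JunOS paths default to netfw; override per key in splunk_index.csv` would make the choice explicit for whoever maintains detection content on those indexes. The only test touched in this commit asserts `index=netfw` for sourcetype juniper:junos:firewall, so neither the IDP nor the default-branch change here is exercised. The enclosing log block starts and ends outside both hunks.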
@@ -1,5 +1,5 @@
 bluecoat_proxy,index,netproxy
-ArcSight_ArcSight,index,netwaf
+ArcSight_ArcSight,index,main
 Cyber-Ark_Vault,index,netauth
 CyberArk_PTA,index,main
 Incapsula_SIEMintegration,index,netwaf
@@ -73,7 +73,7 @@ symantec_ep,index,epav
 vmware_esx,index,main
 vmware_nsx,index,main
 vmware_vcenter,index,main
-zscaler_alerts,index,main
+zscaler_alerts,index,netops
 zscaler_dns,index,netdns
 zscaler_fw,index,netfw
 zscaler_web,index,netproxy
diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py
index 686fb91..b27a8a1 100644
--- a/tests/test_juniper_junos_rfc3164.py
+++ b/tests/test_juniper_junos_rfc3164.py
@@ -28,7 +28,7 @@ def test_juniper_utm_standard(record_property, setup_wordlist, get_host_key, set
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"")
+ st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"")
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
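Review bot: The updated search string in tests/test_juniper_junos_rfc3164.py still hard-codes the expected index (`index=netfw`) for sourcetype juniper:junos:firewall, so the test pins one shipped default and says nothing about the splunk_index.csv override path the commit is about. Nothing in this diff touches the rfc3164 juniper template, so the old `netids` expectation was presumably already failing or the default moved in an earlier commit; a short comment on the changed line, such as `# shipped default index for juniper:junos:firewall is netfw unless overridden via splunk_index.csv`, would record why the expectation changed. test_juniper_utm_standard starts before and ends after the hunk.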