From a1014178b13b1f1af6bb4d3a2d66a5b3cc972023 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 10 Feb 2020 11:06:16 -0500
Subject: [PATCH] updates for dedicated port
---
 .../etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl | 2 +-
 .../context_templates/splunk_index.csv.example | 1 +
 package/etc/go_templates/source_network.t | 17 +++++++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
index cde238a..e0823cf 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
@@ -1,6 +1,6 @@
 # Cisco UCM
 {{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_UCM" "parser" "rfc3164" }}
+{{- $context := dict "port_id" "CISCO_UCM" "parser" "cisco_ucm" }}
 {{- tmpl.Exec "t/source_network.t" $context }}
 log {
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 6d36fa8..f3975d7 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -18,6 +18,7 @@
 #cisco_ios,index,netops
 #cisco_ise,index,netauth
 #cisco_nx_os,index,netops
+#cisco_ucm,index,main
 #local_example,index,main
 #forcepoint_webprotect,index,netproxy
 #fortinet_fortios_event,index,netops
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index 236247e..6eea6df 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
@@ -88,6 +88,23 @@ source s_{{ .port_id }} {
 {{ else if eq .parser "cisco_meraki_parser" }}
 parser (p_cisco_meraki);
 rewrite(set_rfc5424_epochtime);
+{{ else if eq .parser "cisco_ucm" }}
+ parser {
+ #Oct 14 2015 05:50:19 AM.484 UTC
+ #Apr 21 19:01:35.638 UTC
+ date-parser(format(
+ '%b %d %Y %I:%M:%S %p.%f %Z',
+ '%b %d %H:%M:%S.%f %Z'
+ )
+ template("$3"));
+ };
+ rewrite {
+ set("cisco_ucm" value("fields.sc4s_syslog_format"));
+ set("cisco_ucm" value("fields.sc4s_vendor_product"));
+ set("$HOST_FROM" value("HOST") );
+ set("$2" value("HOST") condition(match("^..." template("${2}"))) );
+ set("$4" value("MESSAGE"));
+ };
 {{ else if eq .parser "no_parse" }}
 rewrite(set_no_parse);
 {{ else }}
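Review bot: The line `set("$2" value("HOST") condition(match("^..." template("${2}"))) );` first resets HOST from HOST_FROM and then overwrites it with a token taken from the message body, but the only guard is `^...`, which accepts any value of at least three characters, so a malformed or unexpected payload can leave HOST set to arbitrary text from the message rather than the transport-derived sender. A pattern limited to hostname characters, for example `condition(match("^[A-Za-z0-9._-]+$" template("${2}")))` (a constructed example, adjust to the field's real format), would make the intent explicit and reject stray punctuation. The parser and rewrite blocks also rely on positional columns `$2`, `$3` and `$4` without saying what splits the message into them; a comment such as `# $2 = device host, $3 = timestamp, $4 = message body (set by a preceding tokenizer not shown here — confirm)` above the rewrite would help the next maintainer. The enclosing `source s_{{ .port_id }}` block starts before the hunk and continues past it.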