[filtermod] Fix vendor_product lookup for LEEF (#666)
Ryan Faircloth authored and GitHub committed Aug 26, 2020
1 parent 18a0497 commit a1d07ed
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -83,7 +83,7 @@ class leef_kv(object):
else:
log_message['.splunk.sourcetype'] = f"LEEF:{lv}:{hex_sep}"
log_message['.splunk.source'] = f"{structure[1]}:{structure[2]}"
log_message['fields.sc4s_vendor_product'] = f"{structure[1]}:{structure[2]}"
log_message['fields.sc4s_vendor_product'] = f"{structure[1]}_{structure[2]}"

pairs = event.split(separator)
for p in pairs:
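Review bot: the vendor/product pair is now joined two different ways on adjacent lines: `.splunk.source` keeps `f"{structure[1]}:{structure[2]}"` while `fields.sc4s_vendor_product` switches to `f"{structure[1]}_{structure[2]}"`. Since the underscore form exists to match the `${vendor}_${product}` lookup key used in the syslog-ng parser block, consider binding the pair once (e.g. `vendor, product = structure[1], structure[2]`) and adding a one-line comment stating that `source` is colon-separated for display while `sc4s_vendor_product` is underscore-joined to match the `splunk_metadata.csv` key; without that comment the next reader is likely to "fix" one separator back to match the other. A vendor or product string that itself contains an underscore would also make the joined key ambiguous against the CSV, so it is worth confirming the inputs are constrained.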
Expand Down Expand Up @@ -155,7 +155,7 @@ log {
# leef source entries in splunk_metadata.csv should reflect the proper source as well as sourcetype

parser {
p_add_context_splunk(key("${fields.leef_device_vendor}_${fields.leef_device_product}"));
p_add_context_splunk(key("${fields.leef_vendor}_${fields.leef_product}"));
};

parser (compliance_meta_by_source);
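Review bot: renaming the lookup key from `${fields.leef_device_vendor}_${fields.leef_device_product}` to `${fields.leef_vendor}_${fields.leef_product}` changes the key that `splunk_metadata.csv` entries are matched on, but neither the commit message nor the comment above the parser block says so, and any existing overrides keyed on the old names will silently stop matching. Please state the new key format in the comment (it currently only says entries "should reflect the proper source as well as sourcetype") or in the commit message, and confirm that `fields.leef_vendor` and `fields.leef_product` are actually populated by the parser: the Python hunk above sets `fields.sc4s_vendor_product`, not these two names, and nothing in this diff shows where they are assigned.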

0 comments on commit a1d07ed
