Merge pull request #426 from splunk/zscaler/lss_rewrite

Zscaler/lss rewrite
CSVD · Apr 21, 2020 · c0ec0c8 · c0ec0c8
2 parents f7e143f + ed10930
commit c0ec0c8
Showing 1 changed file with 28 additions and 8 deletions.
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -10,24 +10,35 @@ log {
         channel {
         # Listen on the specified dedicated port(s) for ZSCALER_LSS traffic
             source (s_ZSCALER_LSS);
+            parser {
+                #.jsonLog.Timestamp Mar 04 20:37:53 2020
+                date-parser-nofilter(
+                format('%a %b %d %H:%M:%S %Y',
+                       '%a %b %d %k:%M:%S %Y')
+                template("${.json.LogTimestamp}")
+                );
+            };
             flags (final);
 	    };
 {{- end}}
         channel {
         # Listen on the default port (typically 514) for ZSCALER_LSS traffic
             source (s_DEFAULT);
             filter(f_msg_is_tcp_json);
+            parser {
+                #.jsonLog.Timestamp Mar 04 20:37:53 2020
+                date-parser(
+                format('%a %b %d %H:%M:%S %Y',
+                       '%a %b %d %k:%M:%S %Y')
+                template("${.json.LogTimestamp}")
+                time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}})
+                flags(guess-timezone)
+                );
+            };
             flags(final);
         };
     };
-    parser {
-        #.jsonLog.Timestamp Mar 04 20:37:53 2020
-        date-parser-nofilter(
-        format('%a %b %d %H:%M:%S %Y',
-               '%a %b %d %k:%M:%S %Y')
-               template("${.json.LogTimestamp}")
-               );
-    };
+
     if {
         filter {
             match('.' value('.json.ClientZEN'))
@@ -67,6 +78,15 @@ log {
         parser { p_add_context_splunk(key("zscaler_lss")); };
         parser (compliance_meta_by_source);
         rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };    
+    } else {
+        rewrite {
+            set("zscaler_lss_rogue_message", value("fields.sc4s_vendor_product"));
+            set("Possible rogue message on zscaler_lss unique port", value("fields.sc4s_error"));
+            r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"), index("netproxy"))
+        };
+        parser { p_add_context_splunk(key("zscaler_lss")); };
+        parser (compliance_meta_by_source);
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
     };