From c7142e07c63f50cadb8567941f3e9b7a47682f45 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 2 Apr 2020 07:33:12 -0400
Subject: [PATCH] Update lp-checkpoint_splunk.conf.tmpl
---
 .../log_paths/lp-checkpoint_splunk.conf.tmpl | 88 +++++++++----------
 1 file changed, 43 insertions(+), 45 deletions(-)
diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
index 07f0aff..2a15a21 100644
--- a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
@@ -22,9 +22,51 @@ log { }; if { + parser { + kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}")); + date-parser-nofilter(format("%s") template("${.kv.time}")); + }; + rewrite { + set("${.kv.hostname}", value("HOST")); + set("checkpoint_splunk", value("fields.sc4s_vendor_product")); + r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) + }; + + parser {p_add_context_splunk(key("checkpoint_splunk")); }; + + if { + filter(f_checkpoint_splunk_NetworkTraffic); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; + } elif { + filter(f_checkpoint_splunk_Web); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; + } elif { + filter(f_checkpoint_splunk_NetworkSessions); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; + } elif { + filter(f_checkpoint_splunk_IDS_Malware); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; + } elif { + filter(f_checkpoint_splunk_IDS); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; + } elif { + filter(f_checkpoint_splunk_email); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; + } elif { + filter(f_checkpoint_splunk_DLP); + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; + parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); }; + }; + } else { filter(f_nix_syslog); rewrite { - 
set("checkpoint_splunk", value("fields.sc4s_vendor_product")); + set("checkpoint_splunk", value("fields.sc4s_vendor_product")); subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); 
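Review bot: The new first branch of the `if` has no `filter(...)`, so whether a message is handled as `cp_log` now depends entirely on `kv-parser`/`date-parser-nofilter` rejecting it, and the hunk does not show that they do (the `-nofilter` name suggests the date parser may not). If they accept every message, the `else` branch with `filter(f_nix_syslog)` is never reached, and OS syslog would have `HOST` overwritten with an empty value by `set("${.kv.hostname}", value("HOST"))` and be indexed as `cp_log`. I would make the condition explicit right after the `parser` block, e.g. `filter { "${.kv.hostname}" ne "" };`, which also stops a payload without that key from blanking `HOST`. Because `HOST` is taken from message content, a comment such as `# HOST comes from the sender-supplied hostname key, not the transport peer` would help anyone relying on it for attribution. The `else` branch closes outside this hunk.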
@@ -32,51 +74,7 @@ log { rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; - } else { - parser { - kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}")); - date-parser-nofilter(format("%s") template("${.kv.time}")); - }; - }; - - rewrite { - set("${.kv.hostname}", value("HOST")); - set("checkpoint_splunk", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) }; - - parser {p_add_context_splunk(key("checkpoint_splunk")); }; - - if { - filter(f_checkpoint_splunk_NetworkTraffic); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; - } elif { - filter(f_checkpoint_splunk_Web); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; - } elif { - filter(f_checkpoint_splunk_NetworkSessions); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; - } elif { - filter(f_checkpoint_splunk_IDS_Malware); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; - } elif { - filter(f_checkpoint_splunk_IDS); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; - } elif { - filter(f_checkpoint_splunk_email); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; - } elif { - filter(f_checkpoint_splunk_DLP); - rewrite { 
r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); }; - }; - parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); };