From 744021d93054e409df2a2b9824e6e320aa0b0da2 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 18 Dec 2019 11:48:17 -0500
Subject: [PATCH 1/3] Update p_multi-vmware_nsx.conf.tmpl
---
 package/etc/conf.d/log_paths/p_multi-vmware_nsx.conf.tmpl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/etc/conf.d/log_paths/p_multi-vmware_nsx.conf.tmpl b/package/etc/conf.d/log_paths/p_multi-vmware_nsx.conf.tmpl
index f5c1fa0..5396355 100644
--- a/package/etc/conf.d/log_paths/p_multi-vmware_nsx.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_multi-vmware_nsx.conf.tmpl
@@ -21,7 +21,7 @@ log {
 filter(f_vmware_nsx);
 rewrite {
- r_set_splunk_dest_default(sourcetype("vmware:nsx:vsphere:syslog"), index("main"), source("program:${PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${PROGRAM}"));
 set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG"));
 };
 parser {
@@ -34,7 +34,7 @@ log {
 rewrite {
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
- r_set_splunk_dest_default(sourcetype("vmware:nsx:vsphere:syslog"), index("main"), source("program:${.PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${.PROGRAM}"));
 set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG"));
 };
 parser {
@@ -46,7 +46,7 @@ log {
 filter(f_vmware_vsphere);
 rewrite {
- r_set_splunk_dest_default(sourcetype("vmware:esx:vsphere:syslog"), index("main"), source("program:${PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${PROGRAM}"));
 set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG"));
 };
 parser {
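Review bot: Changing the sourcetype string inside the four `r_set_splunk_dest_default(...)` calls (hunks at -21, -34, -46 and -59) is a silent breaking change for every consumer keyed on the old names: props/transforms, CIM field extractions, data-model constraints and saved or alerting searches written against `vmware:nsx:vsphere:syslog` and `vmware:esx:vsphere:syslog` stop matching the moment this template is deployed, and neither syslog-ng nor Splunk reports anything. The commit message gives no rationale and the series carries no upgrade note, so the template should at least say so above the first rewrite block, e.g. `# sourcetypes renamed from vmware:{nsx,esx}:vsphere:syslog to vmware:vsphere:{nsx,esx} — downstream props/searches must be updated on upgrade`, and the rename should be flagged as breaking in the release notes. The same literal is also repeated in all four rewrites; if the template mechanism supports it, one definition per sourcetype would avoid the next rename missing a copy. The `log { ... }` blocks these rewrites belong to start and end outside the hunks.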
@@ -59,7 +59,7 @@ log {
 rewrite {
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
- r_set_splunk_dest_default(sourcetype("vmware:esx:vsphere:syslog"), index("main"), source("program:${.PROGRAM}"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${.PROGRAM}"));
 set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG"));
 };
 parser {
From eb73ca161c9a196cdb6a7dc76f8ceb88526d1bd5 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 18 Dec 2019 11:48:55 -0500
Subject: [PATCH 2/3] Update index.md
---
 docs/sources/VMWare/index.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/sources/VMWare/index.md b/docs/sources/VMWare/index.md
index 3b9205e..7a9e54f 100644
--- a/docs/sources/VMWare/index.md
+++ b/docs/sources/VMWare/index.md
@@ -12,16 +12,16 @@
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| vmware:nsx:vsphere:syslog | None |
-| vmware:esx:vsphere:syslog | None |
+| vmware:vsphere:nsx | None |
+| vmware:vsphere:esx | None |
 | nix:syslog | When used with a default port this will follow the generic NIX configuration when using a dedicated port, IP or host rules events will follow the index configuration for vmware nsx |
 ### Sourcetype and Index Configuration
 | key | sourcetype | index | notes |
 |----------------|----------------|----------------|----------------|
-| vmware_nsx | vmware:nsx:vsphere:syslog | main | none |
-| vmware_esx | vmware:esx:vsphere:syslog | main | none |
+| vmware_nsx | vmware:vsphere:nsx | main | none |
+| vmware_esx | vmware:vsphere:esx | main | none |
 ### Filter type
From 704a40cc150fd278bac80f75dcbd9566f2edfcef Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 18 Dec 2019 15:08:44 -0500
Subject: [PATCH 3/3] fix test case
---
 ...ulti-vmware_nsx.conf.tmpl => p_vmware_vsphere.conf.tmpl} | 0
 tests/test_vmware.py | 6 +++---
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename package/etc/conf.d/log_paths/{p_multi-vmware_nsx.conf.tmpl => p_vmware_vsphere.conf.tmpl} (100%)
diff --git a/package/etc/conf.d/log_paths/p_multi-vmware_nsx.conf.tmpl b/package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl
similarity index 100%
rename from package/etc/conf.d/log_paths/p_multi-vmware_nsx.conf.tmpl
rename to package/etc/conf.d/log_paths/p_vmware_vsphere.conf.tmpl
diff --git a/tests/test_vmware.py b/tests/test_vmware.py
index e406ee8..4ed57ca 100644
--- a/tests/test_vmware.py
+++ b/tests/test_vmware.py
@@ -25,7 +25,7 @@ def test_linux_vmware(record_property, setup_wordlist, setup_splunk):
 sendsingle(message)
- st = env.from_string("search index=main {{ pid }} sourcetype=\"vmware:esx:vsphere:syslog\" | head 2")
+ st = env.from_string("search index=main {{ pid }} sourcetype=\"vmware:vsphere:esx\" | head 2")
 search = st.render(host=host, pid=pid)
 resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -46,7 +46,7 @@ def test_linux_vmware_nsx_ietf(record_property, setup_wordlist, setup_splunk):
 sendsingle(message)
- st = env.from_string("search index=main host={{ host }} PID={{ pid }} sourcetype=\"vmware:nsx:vsphere:syslog\" | head 2")
+ st = env.from_string("search index=main host={{ host }} PID={{ pid }} sourcetype=\"vmware:vsphere:nsx\" | head 2")
 search = st.render(host=host, pid=pid)
 resultCount, eventCount = splunk_single(setup_splunk, search)
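Review bot: The new sourcetype literals are pasted verbatim into three separate search templates (hunks at -25, -46 and -67) and again into the config template, so this rename had to be applied by hand in seven places and nothing ties the tests to the value the config actually emits; two module-level constants such as `SOURCETYPE_ESX = "vmware:vsphere:esx"` and `SOURCETYPE_NSX = "vmware:vsphere:nsx"` interpolated into the templates would leave one place to change next time. Writing those templates with single quotes, e.g. `env.from_string('search index=main {{ pid }} sourcetype="vmware:vsphere:esx" | head 2')`, would also drop the `\"` escapes that make the SPL hard to read. Less importantly, the search at -25 filters on `{{ pid }}` alone while the other two also constrain `host={{ host }}`, so it could match an event from a different host carrying the same value; adding `host={{ host }}` there would make the three searches consistent, though whether pid is already unique enough in this harness is not visible here. The bodies of all three test functions start and continue outside the hunks.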
@@ -67,7 +67,7 @@ def test_linux_vmware_nsx_fw(record_property, setup_wordlist, setup_splunk):
 sendsingle(message)
- st = env.from_string("search index=main host={{ host }} {{ pid }} sourcetype=\"vmware:nsx:vsphere:syslog\" | head 2")
+ st = env.from_string("search index=main host={{ host }} {{ pid }} sourcetype=\"vmware:vsphere:nsx\" | head 2")
 search = st.render(host=host, pid=pid)
 resultCount, eventCount = splunk_single(setup_splunk, search)