From d29bd31a5e7d49c1fd47ffada6e21ab75d94ef65 Mon Sep 17 00:00:00 2001
From: nkaleiya
Date: Wed, 13 May 2020 16:43:02 +0530
Subject: [PATCH] Updated timestamp extraction and Updated example conf as per alphabatical order

---
 .../conf.d/log_paths/lp-cisco_wsa.conf.tmpl | 26 +++++++++++++++++++
 .../vendor_product_by_source.conf.example | 12 ++++-----
 .../vendor_product_by_source.csv.example | 6 ++---
 3 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl
index 7722dd4..e9c3704 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl
@@ -34,6 +34,19 @@ log{
 }
 elif {
 filter(f_cisco_wsa11_7);
+ parser {
+ filter {
+ program(
+ '(?:(?\d{10})(?:.(?\d{1,9}))?)'
+ flags(store-matches)
+ );
+ };
+ parser {
+ date-parser-nofilter(format('%s.%f')
+ template("${EPOCH}.${TIMESECFRAC}")
+ );
+ };
+ };
 rewrite {
 set("cisco_wsa11_7", value("fields.sc4s_vendor_product"));
 r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), index("netops"),source("wsa_11.7"))
@@ -43,6 +56,19 @@ log{
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
 }
 else {
+ parser {
+ filter {
+ program(
+ '(?:(?\d{10})(?:.(?\d{1,9}))?)'
+ flags(store-matches)
+ );
+ };
+ parser {
+ date-parser-nofilter(format('%s.%f')
+ template("${EPOCH}.${TIMESECFRAC}")
+ );
+ };
+ };
 rewrite {
 set("cisco_wsa", value("fields.sc4s_vendor_product"));
 r_set_splunk_dest_default(sourcetype("cisco:wsa:squid"), index("netops"))
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
index da7d7aa..8e27762 100644
--- a/package/etc/context_templates/vendor_product_by_source.conf.example
+++ b/package/etc/context_templates/vendor_product_by_source.conf.example
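Review bot: The `program()` pattern added in the first hunk, `'(?:(?\d{10})(?:.(?\d{1,9}))?)'`, has an unescaped `.` between the seconds and the fraction, so any single character (not only a literal dot) is accepted as the separator, and as rendered here the two capture groups carry no names although the template two lines below reads `${EPOCH}` and `${TIMESECFRAC}`. Unless the `<…>` group names were simply lost in this rendering, the line should read `'^(?:(?<EPOCH>\d{10})(?:\.(?<TIMESECFRAC>\d{1,9}))?)'`; the `^` anchor also stops a 10-digit run later in the field from being taken as the event time, which matters for timeline accuracy downstream. When the optional fraction is absent the template renders as `${EPOCH}.` with nothing after the dot, so confirm that `date-parser-nofilter(format('%s.%f'))` accepts an empty fraction or give `TIMESECFRAC` a default before the parser runs. The same thirteen lines are repeated verbatim in the `else` branch in the second hunk; a single named parser block used from both branches would keep the two copies from drifting apart. The enclosing `log{` expression begins and ends outside both hunks.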
@@ -39,6 +39,12 @@ filter f_cisco_meraki {
 host("testcm-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
 };
+filter f_cisco_wsa{
+ host("cisco_wsa" type(glob))
+};
+filter f_cisco_wsa11_7{
+ host("cisco_wsa11_7" type(glob))
+};
 filter f_cisco_nx_os {
 host("csconx-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
@@ -80,9 +86,3 @@ filter f_tzfixny {
 host("tzfny-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_cisco_wsa{
- host("cisco_wsa" type(glob))
-};
-filter f_cisco_wsa11_7{
- host("cisco_wsa11_7" type(glob))
-};
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
index 8a69fea..d1e29bd 100644
--- a/package/etc/context_templates/vendor_product_by_source.csv.example
+++ b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -2,6 +2,8 @@ f_test_test,sc4s_vendor_product,"test_test"
 f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
 f_null_queue,sc4s_vendor_product,"null_queue"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
+f_cisco_wsa,sc4s_vendor_product,"cisco_wsa"
+f_cisco_wsa11_7,sc4s_vendor_product,"cisco_wsa11_7"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
 f_f5_bigip,sc4s_vendor_product,"f5_bigip"
@@ -17,6 +19,4 @@ f_proofpoint_pps_filter,sc4s_vendor_product,"proofpoint_pps_filter"
 f_schneider_apc,sc4s_vendor_product,"schneider_apc"
 f_ubiquiti_unifi_fw,sc4s_vendor_product,"ubiquiti_unifi_fw"
 f_tzfixhst,sc4s_time_zone,"Pacific/Honolulu"
-f_tzfixny,sc4s_time_zone,"America/New_York"
-f_cisco_wsa,sc4s_vendor_product,"cisco_wsa"
-f_cisco_wsa11_7,sc4s_vendor_product,"cisco_wsa11_7"
\ No newline at end of file
+f_tzfixny,sc4s_time_zone,"America/New_York"
\ No newline at end of file