Skip to content

Commit

Permalink
Merge branch 'release/1.8.1'
Browse files Browse the repository at this point in the history 
Fix order of add-context calls for cef
  • Loading branch information
rfaircloth-splunk committed Jan 27, 2020
2 parents c788fd6 + 69efd34 commit d2a582f
Show file tree
Hide file tree
Showing 5 changed files with 4 additions and 4 deletions.
0 ...c/conf.d/filters/fortinet/webprotect.conf → ...conf.d/filters/forcepoint/webprotect.conf
View file
File renamed without changes.
0 .../etc/conf.d/filters/infoblox/pfsense.conf → package/etc/conf.d/filters/infoblox/ddi.conf
View file
File renamed without changes.
0 package/etc/conf.d/filters/nix/syslog.conf → package/etc/conf.d/filters/nix/os.conf
View file
File renamed without changes.
0 ...ge/etc/conf.d/filters/pfsense/syslog.conf → ...e/etc/conf.d/filters/pfsense/pfsense.conf
View file
File renamed without changes.
8 changes: 4 additions & 4 deletions package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,6 @@ log {
set("${fields.cef_device_vendor}_${fields.cef_device_product}", value("fields.sc4s_vendor_product"));
};

parser {
p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
};

# We already have the syslog msg time stamp however that may not be the best one
# If we have an rt or end field that is best we use the If trick here so if this parser fails
# We don't get sent to fallback.
Expand All @@ -78,6 +74,10 @@ log {
#CEF TAs use the source as their bounds in props.conf
parser(p_cef_source);

parser {
p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
};

parser (compliance_meta_by_source);

#We want to unset the fields we won't need, as this is copied into the
Expand Down

0 comments on commit d2a582f

Please sign in to comment.