From e47a3adf032702801c6ed26e8cf62ae996969236 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 5 Mar 2020 13:08:02 -0500 Subject: [PATCH 1/2] Seperate zscaler LSS and NSS provide proper LSS support --- docs/sources/Zscaler/index.md | 70 ++++++++- .../conf.d/conflib/_common/syslog_format.conf | 19 +++ package/etc/conf.d/filters/zscaler/nss.conf | 7 +- .../conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 98 ++++++++++++ .../conf.d/log_paths/lp-zscaler_nss.conf.tmpl | 83 +++++----- package/etc/go_templates/source_network.t | 39 +++++ tests/test_zscaler_proxy.py | 144 +++++++++++++++++- 7 files changed, 404 insertions(+), 56 deletions(-) create mode 100644 package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md index 67b70e1..d922ef7 100644 --- a/docs/sources/Zscaler/index.md +++ b/docs/sources/Zscaler/index.md @@ -1,6 +1,6 @@ # Vendor - Zscaler -## Product - All Products +## Product - ZIA The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page 26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize 
@@ -20,9 +20,6 @@ the IP or host name of the SC4S instance and port 514 | zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. | | zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | | zscalernss-web | None | -| zscalernss-zpa-app | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-auth | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-connector | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth_connector`` immediately prior to the ``\n`` in the LSS Connector format. See Zscaler manual for more info. | | zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | @@ -34,9 +31,6 @@ the IP or host name of the SC4S instance and port 514 | zscalernss_dns | zscalernss-dns | netdns | none | | zscalernss_fw | zscalernss-fw | netfw | none | | zscalernss_web | zscalernss-web | netproxy | none | -| zscalernss-zpa-app | zscalernss_zpa-app | netids | none | -| zscalernss-zpa-auth | zscalernss_zpa_auth | netauth | none | -| zscalernss-zpa-connector | zscalernss_zpa_connector | netops | none | ### Filter type 
@@ -67,3 +61,65 @@ An active proxy will generate frequent events. Use the following search to valid ``` index= sourcetype=zscalernss-* | stats count by host ``` + +## Product - LSS + +The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page +26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the LSS to utilize +the IP or host name of the SC4S instance and port 514 + + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ | +| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| zscalerlss-zpa-app | None | +| zscalerlss-zpa-auth | None | +| zscalerlss-zpa-bba | None | +| zscalerlss-zpa-connector | None | + + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| zscalernss-zpa-app | zscalerlss_zpa-app | netproxy | none | +| zscalernss-zpa-auth | zscalerlss_zpa_auth | netauth | none | +| zscalernss-zpa-bba | zscalerlss_zpa_auth | netproxy | none | +| zscalernss-zpa-connector | zscalerlss_zpa_connector | netproxy | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_ZSCALER_LSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_ZSCALER_LSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_ZSCALER_LSS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_ZSCALER_LSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=zscalernss-* | stats count by host
+```
diff --git a/package/etc/conf.d/conflib/_common/syslog_format.conf b/package/etc/conf.d/conflib/_common/syslog_format.conf
index 96ab5dc..1a8ed16 100644
--- a/package/etc/conf.d/conflib/_common/syslog_format.conf
+++ b/package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -49,4 +49,23 @@ filter f_is_no_parse{
 rewrite set_rfc3164_no_version_string{
 subst('(^<\d+>)\d', $1, value("MESSAGE"));
+};
+filter f_is_rfc3164_json{
+ match("rfc3164_json" value("fields.sc4s_syslog_format"))
+};
+rewrite set_rfc3164_json{
+ set("rfc3164_json" value("fields.sc4s_syslog_format"));
+};
+
+filter f_is_tcp_json{
+ match("tcp_json" value("fields.sc4s_syslog_format"))
+};
+rewrite set_tcp_json{
+ set("tcp_json" value("fields.sc4s_syslog_format"));
+};
+
+filter f_msg_is_tcp_json{
+ match("rfc3164_json" value("fields.sc4s_syslog_format"))
+ or
+ match("tcp_json" value("fields.sc4s_syslog_format"))
 };
\ No newline at end of file
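Review bot: `f_msg_is_tcp_json` at the end of the hunk matches `rfc3164_json` as well as `tcp_json`, so its name undersells what it selects; any log path that uses it on the shared port will take every JSON payload regardless of how it was framed. Renaming it `f_msg_is_json`, or at least adding `# true for any JSON payload, whether framed as rfc3164 or sent bare over TCP` above it, would make that intent visible at the call site. `f_is_rfc3164_json` and `f_is_tcp_json` are defined here but no hunk in this patch references them; if they are reserved for later use, a one-line comment saying so avoids them being read as dead code.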
diff --git a/package/etc/conf.d/filters/zscaler/nss.conf b/package/etc/conf.d/filters/zscaler/nss.conf
index 9ee4e1a..543e1ad 100644
--- a/package/etc/conf.d/filters/zscaler/nss.conf
+++ b/package/etc/conf.d/filters/zscaler/nss.conf
@@ -1,3 +1,8 @@
 filter f_zscaler_nss {
 message('\tvendor=Zscaler\t');
-};
\ No newline at end of file
+ or message('^ZscalerNSS:');
+};
+# filter f_zscaler_lss {
+# match()
+
+# };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
new file mode 100644
index 0000000..ca822aa
--- /dev/null
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
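Review bot: The commented-out `f_zscaler_lss` stub with an empty `match()` is dead text in a shipped filter file, and the new LSS log path in this patch selects on `f_msg_is_tcp_json` instead; either remove the four lines or replace them with a single `# LSS selection lives in lp-zscaler_lss.conf.tmpl via f_msg_is_tcp_json` so the next reader knows where to look. Whether `message('^ZscalerNSS:')` still matches once the rfc3164 parser has split the program name out of `... [10.0.0.143] ZscalerNSS: The NSS free memory ...` (the sample used by `test_zscaler_nss_alerts` in this patch) is worth confirming; if the program token is consumed before the filter runs, `program('^ZscalerNSS$')` would be the more reliable test.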
@@ -0,0 +1,98 @@
+# Zscaler
+
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "ZSCALER_LSS" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_ZSCALER_LSS_TCP_PORT")) (getenv (print "SC4S_LISTEN_ZSCALER_LSS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_ZSCALER_LSS_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for ZSCALER_LSS traffic
+ source (s_ZSCALER_LSS);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for ZSCALER_LSS traffic
+ source (s_DEFAULT);
+ filter(f_msg_is_tcp_json);
+ flags(final);
+ };
+ };
+ parser {
+ #.jsonLog.Timestamp Mar 04 20:37:53 2020
+ date-parser(
+ format("%b %d %H:%M:%S %Y",
+ "%h %d %H:%M:%S %Y",
+ "%b %d %k:%M:%S %Y",
+ "%h %d %k:%M:%S %Y")
+ template("${.json.LogTimestamp}")
+ time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}})
+ flags(guess-timezone)
+ );
+
+ };
+ if {
+ filter {
+ match('.' value('.json.ClientZEN'))
+ and match('.' value('.json.AppGroup'))
+ and match('.' value('.json.Application'))
+ };
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"), index("netproxy"))};
+ parser { p_add_context_splunk(key("zscaler_lss")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ } elif {
+ filter {
+ match('.' value('.json.Exporter'))
+ and match('.' value('.json.Customer'))
+ and match('.' value('.json.ConnectionID'))
+ };
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"), index("netproxy"))};
+ parser { p_add_context_splunk(key("zscaler_lss")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ } elif {
+ filter {
+ match('.' value('.json.Connector'))
+ and match('.' value('.json.Customer'))
+ and match('.' value('.json.ConnectorGroup'))
+ };
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"), index("netproxy"))};
+ parser { p_add_context_splunk(key("zscaler_lss")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ } elif {
+ filter {
+ match('.' value('.json.SAMLAttributes'))
+ and match('.' value('.json.Customer'))
+ };
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netauth"))};
+ parser { p_add_context_splunk(key("zscaler_lss")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ };
+
+
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_ZSCALER_LSS_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_ZSCALER_LSS" "no")) }}
+ destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_ZSCALER_LSS_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_ZSCALER_LSS_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+ flags(flow-control,final);
+};
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
index 3e26753..cc14627 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
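Review bot: The `s_DEFAULT` channel takes every event that passes `f_msg_is_tcp_json` and marks it `flags(final)`, so any JSON-bodied syslog from a non-Zscaler sender on the default port is claimed by this log path, and an event that then matches none of the four field-signature branches is still forwarded with only whatever `r_set_splunk_default` in source_network.t assigned, since the `if`/`elif` chain has no `else`. Narrowing the default channel to something LSS-specific, e.g. `filter { filter(f_msg_is_tcp_json) and match('.' value('.json.LogTimestamp')) };`, and adding an `else` branch that routes to an explicit fallback such as `zscalerlss-unknown` would make both cases visible instead of silent. The trailing `parser (compliance_meta_by_source);` and MSG rewrite after the chain repeat what every branch already did, so the `t_msg_only` template is applied to an already-rewritten MSG; drop either the per-branch copies or the trailing pair. The `date-parser` formats cover the `Mar 04 20:37:53 2020` shape in the comment but not the `Mon Mar 2 02:57:01 2020` shape shown in the sample records of tests/test_zscaler_proxy.py, which has a leading weekday; if syslog-ng discards a message when a parser fails (as I believe it does), real LSS events in that shape would never reach the routing, so this is worth confirming against a production sample.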
@@ -20,57 +20,48 @@ log {
 flags(final);
 };
 };
-
- parser { date-parser(format("%Y-%m-%d %H:%M:%S") template('$(substr "$LEGACY_MSGHDR$MSG" "0" "19")') flags(guess-timezone)); };
- rewrite {
- set("zscaler_nss", value("fields.sc4s_vendor_product"));
- subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
- };
- parser {
- #basic parsing
- kv-parser(prefix(".kv.") pair-separator("\t") template("${MSG}"));
- };
-
- if (match("alerts" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"), index("main"))};
- parser { p_add_context_splunk(key("zscaler_alerts")); };
- } elif (match("dns" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"), index("netdns"))};
- parser { p_add_context_splunk(key("zscaler_dns")); };
- } elif (match("fw" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"), index("netfw"))};
- parser { p_add_context_splunk(key("zscaler_fw")); };
- } elif (match("NSS" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"), index("netproxy"))};
- parser { p_add_context_splunk(key("zscaler_web")); };
- } elif (match("audit" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"), index("netops"))};
- parser { p_add_context_splunk(key("zscaler_zia_audit")); };
- } elif (match("sandbox" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"), index("main"))};
- parser { p_add_context_splunk(key("zscaler_zia_sandbox")); };
- } elif (match("zpa" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zpa-app"), index("netids"))};
- parser { p_add_context_splunk(key("zscaler_zpa")); };
- } elif (match("zpa_auth" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zpaauth"), index("netauth"))};
- parser { p_add_context_splunk(key("zscaler_zpa_auth")); };
- } elif (match("zpa_auth_connector" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zpa-connector"), index("netops"))};
- parser { p_add_context_splunk(key("zscaler_zpa_connector")); };
- } elif (match("zpa_bba" value(".kv.product"))) {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-bba"), index("main"))};
- parser { p_add_context_splunk(key("zscaler_zpa_bba")); };
+ if (message('^ZscalerNSS:')) {
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"), index("netops"))};
+ parser { p_add_context_splunk(key("zscaler_alerts")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 } else {
- rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"), index("main"))};
+ parser { date-parser(format("%Y-%m-%d %H:%M:%S") template('$(substr "$LEGACY_MSGHDR$MSG" "0" "19")') flags(guess-timezone)); };
+ rewrite {
+ set("zscaler_nss", value("fields.sc4s_vendor_product"));
+ subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+ };
 parser {
- p_add_context_splunk(key("zscaler_nss"));
+ #basic parsing
+ kv-parser(prefix(".kv.") pair-separator("\t") template("${MSG}"));
 };
- };
- parser (compliance_meta_by_source);
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+ if (match("dns" value(".kv.product"))) {
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"), index("netdns"))};
+ parser { p_add_context_splunk(key("zscaler_dns")); };
+ } elif (match("fw" value(".kv.product"))) {
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"), index("netfw"))};
+ parser { p_add_context_splunk(key("zscaler_fw")); };
+ } elif (match("NSS" value(".kv.product"))) {
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"), index("netproxy"))};
+ parser { p_add_context_splunk(key("zscaler_web")); };
+ } elif (match("audit" value(".kv.product"))) {
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"), index("netops"))};
+ parser { p_add_context_splunk(key("zscaler_zia_audit")); };
+ } elif (match("sandbox" value(".kv.product"))) {
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"), index("main"))};
+ parser { p_add_context_splunk(key("zscaler_zia_sandbox")); };
+ } else {
+ rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"), index("main"))};
+ parser {
+ p_add_context_splunk(key("zscaler_nss"));
+ };
+ };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_ZSCALER_NSS_HEC" "no")) }}
 destination(d_hec);
 {{- end}}
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index ea83f05..8ef31fb 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
@@ -96,11 +96,28 @@ source s_{{ .port_id }} {
 rewrite (r_cisco_ucm_message);
 {{ else if eq .parser "no_parse" }}
 rewrite(set_no_parse);
+{{ else if eq .parser "tcp_json" }}
+ filter { message('^{') and message('}$') };
+ parser {
+ json-parser(
+ prefix('.json.')
+ );
+ };
+ rewrite(set_tcp_json);
 {{ else }}
 if {
 filter(f_citrix_netscaler_message);
 parser(p_citrix_netscaler_date);
 rewrite(r_citrix_netscaler_message);
+ } elif {
+ #JSON over IP its not syslog but it can work
+ filter { message('^{') and message('}$') };
+ parser {
+ json-parser(
+ prefix('.json.')
+ );
+ };
+ rewrite(set_tcp_json);
 } elif {
 filter(f_rfc5424_strict);
 parser {
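Review bot: NSS events whose `product` is `zpa`, `zpa_auth`, `zpa_auth_connector` or `zpa_bba` now fall through to the `else` branch and land in `zscalernss-unknown`/`main`, because their branches were removed from the chain; a deployment that still carries the old `\tproduct=zpa` format customization loses its routing silently rather than failing visibly. Either keep those branches as deprecated aliases that set the new `zscalerlss-*` sourcetypes, or document the migration together with the `zscalernss-alerts` index change from `main` to `netops` (the docs hunk in this patch only deletes the old table rows). The `match("dns" ...)`/`match("fw" ...)` tests are unanchored regexes, pre-existing but now the sole routing keys, so a product value that merely contains `fw` (constructed example: `product=zpa_fw`) would be classed as firewall; anchoring them as `match("^fw$" value(".kv.product"))` makes the dispatch exact. Whether `message('^ZscalerNSS:')` still matches after syslog-parser has consumed `ZscalerNSS` as the program name in the `... [10.0.0.143] ZscalerNSS: ...` sample is worth confirming with the new `test_zscaler_nss_alerts`.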
@@ -135,6 +152,28 @@ source s_{{ .port_id }} {
 syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}}));
 };
 rewrite(set_rfc3164);
+ if {
+ filter { message('^{') and message('}$') };
+ parser {
+ json-parser(
+ prefix('.json.')
+ );
+ };
+ rewrite(set_rfc3164_json);
+ } elif {
+ filter { match('^{' value('LEGACY_MSGHDR')) and message('}$') };
+ parser {
+ json-parser(
+ prefix('.json.')
+ template('${LEGACY_MSGHDR}${MSG}')
+ );
+ };
+ rewrite {
+ set('${LEGACY_MSGHDR}${MSG}' value('MSG'));
+ unset(value('LEGACY_MSGHDR'));
+ };
+ rewrite(set_rfc3164_json);
+ };
 };
 {{ end }}
 rewrite(r_set_splunk_default);
diff --git a/tests/test_zscaler_proxy.py b/tests/test_zscaler_proxy.py
index 595eb08..3873592 100644
--- a/tests/test_zscaler_proxy.py
+++ b/tests/test_zscaler_proxy.py
@@ -4,7 +4,7 @@
 # license that can be found in the LICENSE-BSD2 file or at
 # https://opensource.org/licenses/BSD-2-Clause
 import random
-
+import pytest
 from jinja2 import Environment
 from .sendmessage import *
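Review bot: The JSON detection-and-parse block (`filter { message('^{') and message('}$') };` followed by `json-parser(prefix('.json.'))`) is written out three times in this patch — twice in the `@@ -96,11 +96,28 @@` hunk and once more in this `@@ -135,6 +152,28 @@` hunk — with only the trailing rewrite differing; defining `filter f_json_msg { message('^{') and message('}$') };` and `parser p_json_msg { json-parser(prefix('.json.')); };` once in conflib and referencing them keeps the detection regex and prefix in one place. The first-and-last-character check is only a heuristic: a payload that starts with `{` and ends with `}` but is not valid JSON will fail `json-parser`, and since neither `elif` chain has a fallback branch such a message would, if syslog-ng discards on parser failure as I believe it does, be dropped here rather than continuing to the `f_rfc5424_strict` branch; a comment stating that expectation, or an `else` that leaves the message untouched, would make the behaviour explicit. The `LEGACY_MSGHDR` reassembly branch in this hunk appears to handle the rfc3164 parser having consumed the leading `{"LogTimestamp"` text as the program name; a one-line comment saying so would save the next reader the inference.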
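Review bot: `import pytest` is added in place of the blank line after `import random`, but none of the new test functions in this patch use the `pytest` name (no markers, `pytest.fixture` or `pytest.raises`); if the rest of the file does not either, the import is unused and should be dropped. If it is needed, keep the blank line so the stdlib (`random`) and third-party (`pytest`, `jinja2`) groups stay separated as before.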
@@ -32,6 +32,26 @@ def test_zscaler_proxy(record_property, setup_wordlist, setup_splunk, setup_sc4s
 assert resultCount == 1
+#2020-03-02 02:51:56 reason=Allowed event_id=6799437957281873922 protocol=HTTP action=Allowed transactionsize=623 responsesize=512 requestsize=111 urlcategory=Internet Services serverip=13.107.4.52 clienttranstime=3 requestmethod=GET refererURL="None" useragent=Microsoft NCSI product=NSS location=Road Warrior ClientIP=136.35.16.85 status=200 user=mdutta@acme.com url="www.msftconnecttest.com/connecttest.txt" vendor=Zscaler hostname=www.msftconnecttest.com clientpublicIP=136.35.16.85 threatcategory=None threatname=None filetype=None appname=generalbrowsing pagerisk=0 department=Default Department urlsupercategory=Internet Communication appclass=General Browsing dlpengine=None urlclass=Business Use threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=3 md5=None contenttype=text/plain trafficredirectmethod=Z_APP rulelabel=None ruletype=None mobappname=None mobappcat=None mobdevtype=None bwclassname=General Surfing bwrulename=No Bandwidth Control throttlereqsize=0 throttlerespsize=0 deviceappversion=1.5.1.8 devicemodel=20QF000CUS devicemodel=20QF000CUS devicename=mdutta devicename=mdutta deviceostype=Windows OS deviceostype=Windows OS deviceosversion=Windows 10 Enterprise deviceplatform= clientsslcipher=None clientsslsessreuse=UNKNOWN clienttlsversion=None serversslsessreuse=UNKNOWN servertranstime=3 srvcertchainvalpass=UNKNOWN srvcertvalidationtype=None srvcertvalidityperiod=None srvocspresult=None srvsslcipher=None srvtlsversion=None srvwildcardcert=UNKNOWN serversslsessreuse="UNKNOWN" dlpidentifier="0" dlpmd5="None" epochtime="1583117516" filename="None" filesubtype="None" module="General Browsing" productversion="5.7r.78.218665_84" reqdatasize="0" reqhdrsize="111" respdatasize="22" resphdrsize="490" respsize="512" respversion="1.1" tz="GMT"
+def test_zscaler_proxy_new(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{% now 'local', '%Y-%m-%d %H:%M:%S' %}"+ ' reason=Allowed event_id=6799437957281873922 protocol=HTTP action=Allowed transactionsize=623 responsesize=512 requestsize=111 urlcategory=Internet Services serverip=13.107.4.52 clienttranstime=3 requestmethod=GET refererURL="None" useragent=Microsoft NCSI product=NSS location=Road Warrior ClientIP=136.35.16.85 status=200 user=mdutta@acme.com url="www.msftconnecttest.com/connecttest.txt" vendor=Zscaler hostname={{host}}.fls.doubleclick.net clientpublicIP=136.35.16.85 threatcategory=None threatname=None filetype=None appname=generalbrowsing pagerisk=0 department=Default Department urlsupercategory=Internet Communication appclass=General Browsing dlpengine=None urlclass=Business Use threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=3 md5=None contenttype=text/plain trafficredirectmethod=Z_APP rulelabel=None ruletype=None mobappname=None mobappcat=None mobdevtype=None bwclassname=General Surfing bwrulename=No Bandwidth Control throttlereqsize=0 throttlerespsize=0 deviceappversion=1.5.1.8 devicemodel=20QF000CUS devicemodel=20QF000CUS devicename=mdutta devicename=mdutta deviceostype=Windows OS deviceostype=Windows OS deviceosversion=Windows 10 Enterprise deviceplatform= clientsslcipher=None clientsslsessreuse=UNKNOWN clienttlsversion=None serversslsessreuse=UNKNOWN servertranstime=3 srvcertchainvalpass=UNKNOWN srvcertvalidationtype=None srvcertvalidityperiod=None srvocspresult=None srvsslcipher=None srvtlsversion=None srvwildcardcert=UNKNOWN serversslsessreuse="UNKNOWN" dlpidentifier="0" dlpmd5="None" epochtime="1583117516" filename="None" filesubtype="None" module="General Browsing" productversion="5.7r.78.218665_84" reqdatasize="0" reqhdrsize="111" respdatasize="22" resphdrsize="490" respsize="512" respversion="1.1" tz="GMT"')
+ message = mt.render(mark="<134>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net | head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
 #
 def test_zscaler_proxy_pri(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
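Review bot: `test_zscaler_proxy_new` passes `mark="<134>"` to `mt.render` but its template never references `{{mark}}`, so unlike the sibling tests the event is sent without a PRI header; either prepend `{{mark}}` to the template or drop the argument so the framing under test is deliberate. The comment sample and the template both carry values that look lifted from a live environment (`user=mdutta@acme.com`, client IP `136.35.16.85`, `devicename=mdutta`); swapping in RFC 5737 documentation addresses (constructed example: `192.0.2.10`) and obviously synthetic identifiers keeps anything traceable out of the repository. The suffix `_new` says nothing about what this case adds over `test_zscaler_proxy` — from the body it appears to be the web-log variant with device fields — so a name such as `test_zscaler_proxy_web_device_fields` would make the intent clear.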
@@ -52,4 +72,124 @@ def test_zscaler_proxy_pri(record_property, setup_wordlist, setup_splunk, setup_ assert resultCount == 1 -# +#<118>Mar 1 22:05:35 [10.225.64.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}} +def test_zscaler_nss_alerts(record_property, setup_wordlist, setup_splunk, setup_sc4s): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + + mt = env.from_string( + "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} [10.0.0.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}}") + message = mt.render(mark="<134>", host=host) + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=\"zscalernss-alerts\" \"{{host}}\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + +#{"LogTimestamp": "Mon Mar 2 02:57:01 2020","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "10.26.1.19","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 
47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"} +def test_zscaler_lss_zpa_app(record_property, setup_wordlist, setup_splunk, setup_sc4s): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + + mt = env.from_string( + "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": 
"2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}') + message = mt.render(mark="<134>", host=host) + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + +#<111>{"LogTimestamp": "Mon Mar 2 02:57:01 2020","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "10.26.1.19","ServerPort": 
8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"} +def test_zscaler_lss_zpa_app_pri(record_property, setup_wordlist, setup_splunk, setup_sc4s): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + + mt = env.from_string( + "{{mark}}{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 
46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}') + message = mt.render(mark="<134>", host=host) + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + +#{"LogTimestamp": "Mon Mar 2 02:57:05 2020","Customer": "Acme, Inc.","Username": "chuffma@acme.com","SessionID": "lCINpOrrZl3pGQCVYP+E","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "1.5.1.8.191135","ZEN": "US-IL-8706","CertificateCN": "WJJ26L69Y6bmncPqV/YRQXe17aDzRf6Z0M1n7CU7UaQ=@acme.com","PrivateIP": "","PublicIP": "174.97.166.11","Latitude": 44.000000,"Longitude": -88.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T13:04:55.000Z","TimestampUnAuthentication": "","TotalBytesRx": 46997613,"TotalBytesTx": 2232391,"Idp": "IDP Config","Hostname": "","Platform": "","ClientType": "zpn_client_type_zapp","TrustedNetworks": ,"TrustedNetworksNames": 
,"SAMLAttributes": "{\"FirstName\":[\"Christopher\"],\"LastName\":[\"Huffman\"],\"Email\":[\"chuffma@acme.com\"],\"GroupName\":[\"zScaler_ZPA\"]}","PosturesHit": ,"PosturesMiss": ,"ZENLatitude": 41.000000,"ZENLongitude": -88.000000,"ZENCountryCode": "US"}
+def test_zscaler_lss_zpa_bba(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","ConnectionID":"6N9BHIHZrwGXJXG7q4sn,dUPdoZAgr6vJKlv588GG","Exporter":"unset","TimestampRequestReceiveStart":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveHeaderFinish":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveFinish":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitStart":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitFinish":"2020-03-02T02:28:53.277Z","TimestampResponseReceiveStart":"2020-03-01T22:39:30.707Z","TimestampResponseReceiveFinish":"2020-03-02T02:28:53.309Z","TimestampResponseTransmitStart":"2020-03-01T22:39:30.707Z","TimestampResponseTransmitFinish":"2020-03-02T02:28:51.762Z","TotalTimeRequestReceive":1193,"TotalTimeRequestTransmit":13762597414,"TotalTimeResponseReceive":13762601379,"TotalTimeResponseTransmit":13761054628,"TotalTimeConnectionSetup":1037,"TotalTimeServerResponse":-13762570100,"Method":"GET","Protocol":"HTTPS","Host":"accountman.dfamilk.com","URL":"/remoteDesktopGateway","UserAgent":"","XFF":"","NameID":"carlos.garcia.11@acme.com","StatusCode":101,"RequestSize":2246,"ResponseSize":3823185,"ApplicationPort":443,"ClientPublicIp":"162.205.86.162","ClientPublicPort":49330,"ClientPrivateIp":"","Customer":"{{host}}","ConnectionStatus":"zfce_mt_remote_disconnect","ConnectionReason":"BRK_MT_CLOSED_FROM_ASSISTANT"}')
+ message = mt.render(mark="<134>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy 
sourcetype=\"zscalerlss-zpa-bba\" \"{{host}}\" | head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+#{"LogTimestamp": "Mon Mar 2 02:51:53 2020","Customer": "Acme, Inc.","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": -73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": "1579500006","NumOfInterfaces": 2,"BytesRxInterface": 63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494}
+def test_zscaler_lss_zpa_connector(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "{{host}}","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": 
-73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": "1579500006","NumOfInterfaces": 2,"BytesRxInterface": 63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494}')
+ message = mt.render(mark="<134>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalerlss-zpa-connector\" \"{{host}}\" | head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+#{"LogTimestamp": "Fri May 31 17:34:48 2019","Customer": "ANZ Team/zdemo in beta","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": "sm-posture1,sm-posture2","PosturesMisses": 
"sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": -122.000000,"ZENCountryCode": ""}
+def test_zscaler_lss_zpa_auth(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "{{host}}","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": "sm-posture1,sm-posture2","PosturesMisses": "sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": -122.000000,"ZENCountryCode": ""}')
+ message = mt.render(mark="<134>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search earliest=-1m@m latest=+1m@m index=netauth sourcetype=\"zscalerlss-zpa-auth\" \"{{host}}\" | head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
From 6aadb8b391866623942155b1de77be8776202ffa Mon Sep 17 00:00:00 2001 
From: rfaircloth-splunk
Date: Thu, 5 Mar 2020 15:53:45 -0500
Subject: [PATCH 2/2] Update lp-zscaler_lss.conf.tmpl
---
package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
index ca822aa..3df79f6 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -1,7 +1,7 @@
 # Zscaler
 {{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "ZSCALER_LSS" "parser" "rfc3164" }}
+{{- $context := dict "port_id" "ZSCALER_LSS" "parser" "common" }}
 {{- tmpl.Exec "t/source_network.t" $context }}
 log {