From e275d43c8275af6d661e4c463072009e019c16d4 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Sat, 13 Jun 2020 18:53:19 -0400 Subject: [PATCH 1/8] Remove comment from splunk_indexes.csv --- .../splunk_index.csv.example | 164 +++++++++--------- package/sbin/entrypoint.sh | 2 + 2 files changed, 84 insertions(+), 82 deletions(-) diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example index b740247..3f3cf64 100644 --- a/package/etc/context_templates/splunk_index.csv.example +++ b/package/etc/context_templates/splunk_index.csv.example 
@@ -1,82 +1,82 @@ -#bluecoat_proxy,index,netproxy -#ArcSight_ArcSight,index,netwaf -#Cyber-Ark_Vault,index,netauth -#CyberArk_PTA,index,main -#Incapsula_SIEMintegration,index,netwaf -#Microsoft_Microsoft Windows,index,oswinsec -#Microsoft_System or Application Event,index,oswin -#checkpoint_splunk,index,netops -#checkpoint_splunk_dlp,index,netdlp -#checkpoint_splunk_email,index,email -#checkpoint_splunk_firewall,index,netfw -#checkpoint_splunk_sessions,index,netops -#checkpoint_splunk_web,index,netproxy -#checkpoint_splunk,index,netops -#checkpoint_splunk,index,netops -#cisco_apic_acl,index,netfw -#cisco_apic_events,index,netops -#cisco_acs,index,netauth -#cisco_asa,index,netfw -#cisco_ios,index,netops -#cisco_ise,index,netauth -#cisco_nx_os,index,netops -#cisco_ucm,index,main -#dell_rsa_secureid,index,netauth -#citrix_netscaler,index,netfw -#local_example,index,main -#forcepoint_webprotect,index,netproxy -#f5_bigip,index,netops -#f5_bigip_irule,index,netops -#f5_bigip_asm,index,netwaf -#f5_bigip_nix,index,netops -#fortinet_fortios_event,index,netops -#fortinet_fortios_log,index,netops -#fortinet_fortios_traffic,index,netfw -#fortinet_fortios_utm,index,netids -#fortinet_fortweb_log,index,netops -#fortinet_fortweb_traffic,index,netfw -#fortinet_fortweb_attack,index,netids -#infoblox_dns,index,netdns -#infoblox_dhcp,index,netipam -#infoblox_threat,index,netids -#juniper_idp,index,netids -#juniper_structured,index,netops -#juniper_idp_structured,index,netids -#juniper_junos_fw_structured,index,netfw -#juniper_junos_ids_structured,index,netids -#juniper_junos_utm_structured,index,netfw -#juniper_junos_aamw_structured,index,netfw -#juniper_junos_secintel_structured,index,netfw -#juniper_junos_fw,index,netfw -#juniper_junos_ids,index,netids -#juniper_junos_utm,index,netfw -#juniper_netscreen,index,netfw -#juniper_legacy,index,netops -#mcafee_epo,index,epav -#nix_syslog,index,osnix -#pan_traffic,index,netfw -#pan_threat,index,netproxy -#pan_system,index,netops 
-#pan_config,index,netops -#pan_hipmatch,index,main -#pan_correlation,index,main -#pan_userid,index,netauth -#pan_unknown,index,netops -#pfsense,index,netops -#pfsense_filterlog,index,netfw -#proofpoint_pps_filter,index,email -#proofpoint_pps_sendmail,index,email -#sc4s_events,index,main -#sc4s_fallback,index,main -#sc4s_metrics,index,em_metrics -#symantec_ep,index,epav -#vmware_esx,index,main -#vmware_nsx,index,main -#vmware_vcenter,index,main -#zscaler_alerts,index,main -#zscaler_dns,index,netdns -#zscaler_fw,index,netfw -#zscaler_web,index,netproxy -#zscaler_zia_audit,index,netops -#zscaler_zia_sandbox,index,main -#zscaler_lss,index,netproxy \ No newline at end of file +bluecoat_proxy,index,netproxy +ArcSight_ArcSight,index,netwaf +Cyber-Ark_Vault,index,netauth +CyberArk_PTA,index,main +Incapsula_SIEMintegration,index,netwaf +Microsoft_Microsoft Windows,index,oswinsec +Microsoft_System or Application Event,index,oswin +checkpoint_splunk,index,netops +checkpoint_splunk_dlp,index,netdlp +checkpoint_splunk_email,index,email +checkpoint_splunk_firewall,index,netfw +checkpoint_splunk_sessions,index,netops +checkpoint_splunk_web,index,netproxy +checkpoint_splunk,index,netops +checkpoint_splunk,index,netops +cisco_apic_acl,index,netfw +cisco_apic_events,index,netops +cisco_acs,index,netauth +cisco_asa,index,netfw +cisco_ios,index,netops +cisco_ise,index,netauth +cisco_nx_os,index,netops +cisco_ucm,index,main +dell_rsa_secureid,index,netauth +citrix_netscaler,index,netfw +local_example,index,main +forcepoint_webprotect,index,netproxy +f5_bigip,index,netops +f5_bigip_irule,index,netops +f5_bigip_asm,index,netwaf +f5_bigip_nix,index,netops +fortinet_fortios_event,index,netops +fortinet_fortios_log,index,netops +fortinet_fortios_traffic,index,netfw +fortinet_fortios_utm,index,netids +fortinet_fortweb_log,index,netops +fortinet_fortweb_traffic,index,netfw +fortinet_fortweb_attack,index,netids +infoblox_dns,index,netdns +infoblox_dhcp,index,netipam 
+infoblox_threat,index,netids +juniper_idp,index,netids +juniper_structured,index,netops +juniper_idp_structured,index,netids +juniper_junos_fw_structured,index,netfw +juniper_junos_ids_structured,index,netids +juniper_junos_utm_structured,index,netfw +juniper_junos_aamw_structured,index,netfw +juniper_junos_secintel_structured,index,netfw +juniper_junos_fw,index,netfw +juniper_junos_ids,index,netids +juniper_junos_utm,index,netfw +juniper_netscreen,index,netfw +juniper_legacy,index,netops +mcafee_epo,index,epav +nix_syslog,index,osnix +pan_traffic,index,netfw +pan_threat,index,netproxy +pan_system,index,netops +pan_config,index,netops +pan_hipmatch,index,main +pan_correlation,index,main +pan_userid,index,netauth +pan_unknown,index,netops +pfsense,index,netops +pfsense_filterlog,index,netfw +proofpoint_pps_filter,index,email +proofpoint_pps_sendmail,index,email +sc4s_events,index,main +sc4s_fallback,index,main +sc4s_metrics,index,em_metrics +symantec_ep,index,epav +vmware_esx,index,main +vmware_nsx,index,main +vmware_vcenter,index,main +zscaler_alerts,index,main +zscaler_dns,index,netdns +zscaler_fw,index,netfw +zscaler_web,index,netproxy +zscaler_zia_audit,index,netops +zscaler_zia_sandbox,index,main +zscaler_lss,index,netproxy \ No newline at end of file diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh index 58eef70..49bfa5f 100755 --- a/package/sbin/entrypoint.sh +++ b/package/sbin/entrypoint.sh @@ -41,6 +41,8 @@ mkdir -p /opt/syslog-ng/etc/conf.d/local/context/ mkdir -p /opt/syslog-ng/etc/conf.d/local/config/ cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context/ for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose -n $file ${file%.example}; done +sed -i 's/^#//' /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv + cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/ mkdir -p /opt/syslog-ng/var/log 
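Review bot: The new side keeps three identical rows `checkpoint_splunk,index,netops` (the 8th, 14th and 15th lines of the file), so one key maps to the same index three times; if the context loader treats repeated selectors as additive this is merely noise, but if it treats them as a conflict the outcome depends on load order. Keeping the row once, `checkpoint_splunk,index,netops`, makes the example unambiguous. The file also still ends without a trailing newline on both sides of the hunk, which is worth fixing while the whole file is being rewritten, since line-oriented tools such as the new `sed` pass in entrypoint.sh treat an unterminated last line inconsistently.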
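Review bot: The added `sed -i 's/^#//' .../local/context/splunk_index.csv` rewrites the operator's persisted copy of the CSV in place on every container start, not the template, so any row an operator deliberately disables with a leading `#` is silently re-enabled at the next restart. For a fresh install the new example already has no `#` and the command is a no-op, so this appears to exist only to migrate copies made from the old fully-commented example; limiting it to that case, e.g. `f=/opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv; grep -q '^[^#]' "$f" || sed -i 's/^#//' "$f"`, preserves operator edits. A comment such as `# one-time migration: earlier example shipped every row commented out` would record why the line exists.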
From 9f1b31eada0950f80a7bcee02e92bcf3e737d9d2 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Sat, 13 Jun 2020 20:50:42 -0400 Subject: [PATCH 2/8] Correct hidden bugs not using splunk_index correctly --- package/etc/conf.d/context/common_event_format_source.csv | 1 + package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl | 4 ++-- .../conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl | 4 ++-- package/etc/context_templates/splunk_index.csv.example | 4 ++-- tests/test_juniper_junos_rfc3164.py | 2 +- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/package/etc/conf.d/context/common_event_format_source.csv b/package/etc/conf.d/context/common_event_format_source.csv index 695314e..17947e0 100644 --- a/package/etc/conf.d/context/common_event_format_source.csv +++ b/package/etc/conf.d/context/common_event_format_source.csv @@ -1,4 +1,5 @@ ArcSight_ArcSight,source,ArcSight:ArcSight +ArcSight_ArcSight,index,main Carbon Black_Protection,sourcetype,carbonblack:protection:cef Carbon Black_Protection,index,cb:cef Cyber-Ark_Vault,sourcetype,cyberark:epv:cef diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl index 413dea2..9e23d49 100644 --- a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl @@ -83,7 +83,7 @@ log { subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) }; - parser { p_add_context_splunk(key("nix_syslog")); }; + parser { p_add_context_splunk(key("dell_rsa_secureid")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; } else { 
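Review bot: Switching this key from `nix_syslog` to `dell_rsa_secureid` means the row `dell_rsa_secureid,index,netauth` from patch 1 will presumably override the `index("osnix")` default set immediately above for the appliance's plain `nix:syslog` events, so OS-level syslog from the RSA host moves from osnix to netauth once the lookup matches. If that is intended, a comment such as `# keyed by vendor so the appliance's OS syslog follows the RSA index mapping` makes it explicit; if not, a distinct key such as `dell_rsa_secureid_nix` with its own CSV row keeps the authentication and OS streams separable. The enclosing log path starts and ends outside this hunk.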
@@ -101,7 +101,7 @@ log { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); r_set_splunk_dest_default(sourcetype("rsa:securid:trace"), index("netauth")); }; - parser { p_add_context_splunk(key("nix_syslog")); }; + parser { p_add_context_splunk(key("p_add_context_splunk")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl index 8f4371b..91707cf 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl @@ -25,7 +25,7 @@ log { set("juniper_junos", value("fields.sc4s_vendor_product")); }; if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netfw")) }; parser {p_add_context_splunk(key("juniper_idp_structured")); }; } elif (program('RT_FLOW')) { rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; @@ -43,7 +43,7 @@ log { rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) }; parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netfw")) }; parser {p_add_context_splunk(key("juniper_structured")); }; }; diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example index 3f3cf64..1222873 100644 --- a/package/etc/context_templates/splunk_index.csv.example +++ b/package/etc/context_templates/splunk_index.csv.example 
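Review bot: The new key `p_add_context_splunk(key("p_add_context_splunk"))` uses the parser's own name as the lookup key, which looks like a copy-and-paste slip; no row in `splunk_index.csv` is keyed `p_add_context_splunk`, so the `rsa:securid:trace` branch can never pick up a configured index and the fix this commit describes does not reach it. It should read `parser { p_add_context_splunk(key("dell_rsa_secureid")); };` like the other RSA branches changed in this series. A test against the trace sourcetype would catch this, since the existing juniper test changed below would not.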
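Review bot: The RT_IDP default becomes `index("netfw")` here while patch 1's `splunk_index.csv.example` still maps `juniper_idp_structured,index,netids`, so the in-code fallback and the shipped mapping now disagree for the same events; the `else` branch in the next hunk drifts the same way, `netfw` against `juniper_structured,index,netops`. IDS/IDP events are normally searched apart from firewall traffic, so if the CSV is meant to be authoritative the fallback should stay `index("netids")` or be dropped, rather than point at netfw. The surrounding log path starts and ends outside this hunk.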
@@ -1,5 +1,5 @@ bluecoat_proxy,index,netproxy -ArcSight_ArcSight,index,netwaf +ArcSight_ArcSight,index,main Cyber-Ark_Vault,index,netauth CyberArk_PTA,index,main Incapsula_SIEMintegration,index,netwaf @@ -73,7 +73,7 @@ symantec_ep,index,epav vmware_esx,index,main vmware_nsx,index,main vmware_vcenter,index,main -zscaler_alerts,index,main +zscaler_alerts,index,netops zscaler_dns,index,netdns zscaler_fw,index,netfw zscaler_web,index,netproxy diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py index 686fb91..b27a8a1 100644 --- a/tests/test_juniper_junos_rfc3164.py +++ b/tests/test_juniper_junos_rfc3164.py @@ -28,7 +28,7 @@ def test_juniper_utm_standard(record_property, setup_wordlist, get_host_key, set sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"") + st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) From 0cfc3c9288d40f1569649bbcb23bf03ff81d5df6 Mon Sep 17 00:00:00 2001 
From: rfaircloth-splunk Date: Sat, 13 Jun 2020 21:05:04 -0400 Subject: [PATCH 3/8] Remove set of index in code in favor of configutation only --- .../conflib/_splunk/splunkfields.conf.tmpl | 2 -- .../config/log_paths/lp-example.conf.tmpl | 2 +- .../log_paths/lp-bbb-ietf_syslog.conf.tmpl | 2 +- .../etc/conf.d/log_paths/lp-brocade.conf.tmpl | 2 +- .../log_paths/lp-checkpoint_splunk.conf.tmpl | 20 +++++++------- .../conf.d/log_paths/lp-cisco_acs.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_apic.conf.tmpl | 4 +-- .../conf.d/log_paths/lp-cisco_asa.conf.tmpl | 4 +-- .../log_paths/lp-cisco_asa_legacy.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_ise.conf.tmpl | 2 +- .../log_paths/lp-cisco_meraki.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_nxos.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_ucm.conf.tmpl | 2 +- .../conf.d/log_paths/lp-cisco_wsa.conf.tmpl | 6 ++--- .../conf.d/log_paths/lp-cisco_z_ios.conf.tmpl | 2 +- .../log_paths/lp-citrix-netscaler.conf.tmpl | 2 +- .../lp-common_event_format.conf.tmpl | 2 +- .../log_paths/lp-dell_rsa_secureid.conf.tmpl | 12 ++++----- .../conf.d/log_paths/lp-f5_bigip.conf.tmpl | 20 +++++++------- .../lp-forcepoint_webprotect.conf.tmpl | 2 +- .../conf.d/log_paths/lp-fortinet.conf.tmpl | 16 ++++++------ .../conf.d/log_paths/lp-infoblox.conf.tmpl | 8 +++--- .../log_paths/lp-juniper_junos.conf.tmpl | 10 +++---- .../lp-juniper_junos_structured.conf.tmpl | 14 +++++----- .../log_paths/lp-juniper_netscreen.conf.tmpl | 2 +- .../conf.d/log_paths/lp-mcafee_epo.conf.tmpl | 2 +- .../log_paths/lp-paloalto_panos.conf.tmpl | 16 ++++++------ .../etc/conf.d/log_paths/lp-pfsense.conf.tmpl | 4 +-- .../log_paths/lp-proofpoint_pps.conf.tmpl | 4 +-- .../log_paths/lp-sc4s_internal.conf.tmpl | 6 ++--- .../log_paths/lp-sc4s_startup.conf.tmpl | 4 +-- .../log_paths/lp-schneider_apc.conf.tmpl | 2 +- .../conf.d/log_paths/lp-snmp_traps.conf.tmpl | 2 +- .../lp-symantec_brightmail.conf.tmpl | 4 +-- .../conf.d/log_paths/lp-symantec_ep.conf.tmpl | 26 
+++++++++---------- .../log_paths/lp-symantec_proxy.conf.tmpl | 2 +- .../log_paths/lp-ubiquiti_unifi.conf.tmpl | 20 +++++++------- .../log_paths/lp-vmware_vsphere.conf.tmpl | 14 +++++----- .../conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 10 +++---- .../conf.d/log_paths/lp-zscaler_nss.conf.tmpl | 14 +++++----- .../log_paths/lp-zzy-nix_syslog.conf.tmpl | 2 +- .../log_paths/lp-zzz-fallback.conf.tmpl | 4 +-- .../log_paths/lp-example.conf.tmpl | 2 +- 43 files changed, 140 insertions(+), 142 deletions(-) diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl index 989e4bf..0e85478 100644 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl +++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl @@ -36,12 +36,10 @@ rewrite r_set_splunk_default { #used by each log-path to set index and sourcetype which may be #overridden by user defined values block rewrite r_set_splunk_dest_default( - index() source("${.splunk.source}") sourcetype() template(`splunk-template`) ) { - set("`index`", value(".splunk.index")); set("`source`", value(".splunk.source")); set("`sourcetype`", value(".splunk.sourcetype")); }; diff --git a/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl index 918530b..5f8b1e0 100644 --- a/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl +++ b/package/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl @@ -53,7 +53,7 @@ log { rewrite { set("local_example", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("sc4s:local_example"), index("main")); + r_set_splunk_dest_default(sourcetype("sc4s:local_example")); }; # using the key "local_example" find any customized index,source or sourcetype meta values 
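Review bot: Removing the `index()` argument and the `set(... value(".splunk.index"))` line means every log path now depends on a matching row in `splunk_index.csv` to receive an index at all, yet several keys used elsewhere in this same patch have no row in the example shipped by patch 1: `IETF_SYSLOG`, `brocade_syslog`, `checkpoint_splunk_ids`, `checkpoint_os`, `cisco_ftd`, `cisco_meraki`, `cisco_wsa`, `f5_bigip_access_json`, plus the mistyped `p_add_context_splunk`. Unless `r_set_splunk_default`, which begins above this hunk and is not shown, seeds `.splunk.index` with a fallback, events on those paths would presumably be forwarded with no index and fall to the HEC token's default or be dropped. Add the missing rows to `splunk_index.csv.example` in the same change, or keep an explicit default here. The retained header comment is now stale and should read `#used by each log-path to set source and sourcetype; the index comes from splunk_index.csv via p_add_context_splunk`.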
diff --git a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl index 35366a8..6630fda 100644 --- a/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-bbb-ietf_syslog.conf.tmpl @@ -13,7 +13,7 @@ log { set("IETF_SYSLOG", value("fields.sc4s_vendor_product")); }; - rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), index("main"), source("${APP}:${PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ietf:syslog"), source("${APP}:${PROGRAM}")) }; parser { p_add_context_splunk(key("IETF_SYSLOG")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl index 9ddf47b..354a6c6 100644 --- a/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl @@ -27,7 +27,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("brocade:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("brocade:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("brocade_syslog")); }; diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl index 778ac9b..f08ee05 100644 --- a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl 
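Review bot: Dropping `index("main")` leaves this path keyed on `IETF_SYSLOG`, which has no row in the `splunk_index.csv.example` introduced in patch 1, so the RFC 5424 catch-all now has no index of its own. As the generic path for structured syslog it should keep a configured default; add `IETF_SYSLOG,index,main` to the example CSV in the same change, or restore the argument. The log path continues outside this hunk.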
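Review bot: `brocade_syslog` is not among the keys in patch 1's `splunk_index.csv.example`, so removing `index("netops")` here leaves Brocade events with no configured index unless an operator adds a row by hand. A `brocade_syslog,index,netops` row in the example would preserve the previous default. The enclosing `rewrite` block begins outside this hunk.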
@@ -45,7 +45,7 @@ log { set("${.kv.hostname}", value("HOST")); set("${.kv.hostname}", value("fields.cp_lm")); set("checkpoint_splunk", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) + r_set_splunk_dest_default(sourcetype("cp_log")) }; if { 
@@ -89,31 +89,31 @@ log { if { filter(f_checkpoint_splunk_NetworkTraffic); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"))}; parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; } elif { filter(f_checkpoint_splunk_Web); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"))}; parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; } elif { filter(f_checkpoint_splunk_NetworkSessions); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"))}; parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; } elif { filter(f_checkpoint_splunk_IDS_Malware); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"))}; parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; } elif { filter(f_checkpoint_splunk_IDS); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"))}; parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; } elif { filter(f_checkpoint_splunk_email); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"))}; parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; } elif { filter(f_checkpoint_splunk_DLP); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"))}; parser 
{p_add_context_splunk(key("checkpoint_splunk_dlp")); }; } elif { filter(f_checkpoint_splunk_syslog); @@ -130,7 +130,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; }; @@ -163,7 +163,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl index 97b7d4c..fc1b7a7 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl @@ -86,7 +86,7 @@ log { parser(acs_event_time); rewrite { set("cisco_acs", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:acs"), index("netauth")) + r_set_splunk_dest_default(sourcetype("cisco:acs")) }; parser {p_add_context_splunk(key("cisco_acs")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl index 64c123b..a7e3331 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl 
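Review bot: Both IDS branches still use `p_add_context_splunk(key("checkpoint_splunk_ids"))`, but the example CSV from patch 1 carries `checkpoint_splunk_firewall`, `_web`, `_sessions`, `_email` and `_dlp` rows and no `checkpoint_splunk_ids`, so removing `index("netids")` leaves Check Point IDS and malware events with no configured index. Add `checkpoint_splunk_ids,index,netids` next to the other Check Point rows in `splunk_index.csv.example`. The `if`/`elif` chain begins and continues outside this hunk.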
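Review bot: The `checkpoint_os` key used here, and again in the hunk immediately below, has no row in patch 1's `splunk_index.csv.example`, so dropping `index("netops")` from the `nix:syslog` rewrite leaves the Check Point host OS syslog without a configured index. A `checkpoint_os,index,netops` row in the example keeps the previous routing. The enclosing branch begins outside this hunk.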
@@ -29,14 +29,14 @@ log { }; rewrite { set("cisco_APIC_acl", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), index("netfw"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_apic_acl")); }; } elif { rewrite { set("cisco_APIC_events", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:apic:events"), index("netops"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:apic:events"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_apic_events")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl index b60f1d6..54cb420 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl @@ -28,7 +28,7 @@ log { }; rewrite { set("cisco_ftd", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog")) }; parser {p_add_context_splunk(key("cisco_ftd")); }; parser (compliance_meta_by_source); @@ -37,7 +37,7 @@ log { } else { rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:asa")) }; parser {p_add_context_splunk(key("cisco_asa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl index 27acbc8..743c94b 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl 
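Review bot: The Firepower branch keys its lookup on `cisco_ftd`, which does not appear in patch 1's `splunk_index.csv.example` (only `cisco_asa` does), so removing `index("netfw")` leaves `cisco:firepower:syslog` firewall events with no configured index while the ASA branch below keeps working through its CSV row. Add `cisco_ftd,index,netfw` to the example CSV in the same change. The `if` that selects this branch begins outside the hunk.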
@@ -23,7 +23,7 @@ log { rewrite { set("cisco_asa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw")) + r_set_splunk_dest_default(sourcetype("cisco:asa")) }; parser {p_add_context_splunk(key("cisco_asa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl index 9722fe1..aa1210d 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl @@ -86,7 +86,7 @@ log { parser(ise_event_time); rewrite { set("cisco_ise", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:ise:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("cisco:ise:syslog")) }; parser {p_add_context_splunk(key("cisco_ise")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl index 3822ee6..630b6ed 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_meraki.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("cisco_meraki", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("meraki"), index("netfw")) + r_set_splunk_dest_default(sourcetype("meraki")) }; parser {p_add_context_splunk(key("cisco_meraki")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl index b490903..6cfbc47 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_nxos.conf.tmpl 
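Review bot: `cisco_meraki` has no row in the `splunk_index.csv.example` from patch 1, so removing `index("netfw")` leaves Meraki events with no configured index even though the other Cisco paths changed in this patch (`cisco_asa`, `cisco_ise`, `cisco_acs`) all have rows. Add `cisco_meraki,index,netfw` to the example CSV alongside them. The enclosing log path starts and ends outside this hunk.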
@@ -23,7 +23,7 @@ log { rewrite { set("cisco_nxos", value("fields.sc4s_vendor_product")); guess-time-zone(); - r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_hdr_msg")) + r_set_splunk_dest_default(sourcetype("cisco:ios"), template("t_hdr_msg")) }; parser { p_add_context_splunk(key("cisco_nx_os")); }; diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl index 61d0274..6bb6021 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl @@ -44,7 +44,7 @@ log { rewrite { set("cisco_ucm", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main")) + r_set_splunk_dest_default(sourcetype("cisco:ucm")) }; parser {p_add_context_splunk(key("cisco_ucm")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl index 9403f7d..785b988 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl @@ -26,7 +26,7 @@ log{ }; rewrite { set("cisco_wsa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:l4tm"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:l4tm")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); @@ -51,7 +51,7 @@ log{ }; rewrite { set("cisco_wsa11_7", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), index("netops"),source("wsa_11.7")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), source("wsa_11.7")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); 
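Review bot: All three WSA branches in this file look up `cisco_wsa`, including the `cisco_wsa11_7` vendor_product branch in the next hunk, and that key is absent from patch 1's `splunk_index.csv.example`, so removing `index("netops")` leaves every WSA sourcetype with no configured index. A single `cisco_wsa,index,netops` row in the example restores the previous default for all three. Each branch begins outside its hunk.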
@@ -75,7 +75,7 @@ log{ }; rewrite { set("cisco_wsa", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cisco:wsa:squid"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:wsa:squid")) }; parser { p_add_context_splunk(key("cisco_wsa")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl index d7ba89c..dd3260f 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_z_ios.conf.tmpl @@ -23,7 +23,7 @@ log { rewrite { set("cisco_ios", value("fields.sc4s_vendor_product")); guess-time-zone(); - r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops")) + r_set_splunk_dest_default(sourcetype("cisco:ios")) }; parser { p_add_context_splunk(key("cisco_ios")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl b/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl index ed6f197..94b5005 100644 --- a/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-citrix-netscaler.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("citrix_netscaler", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("citrix:netscaler:syslog"), index("netfw")) + r_set_splunk_dest_default(sourcetype("citrix:netscaler:syslog")) }; parser {p_add_context_splunk(key("citrix_netscaler")); }; diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl index dbbf675..54e1b77 100644 --- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl @@ -63,7 +63,7 @@ log { }; rewrite { - r_set_splunk_dest_default(sourcetype("cef"), index("main")) + r_set_splunk_dest_default(sourcetype("cef")) }; parser (p_cef_header); 
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl index 9e23d49..2758af4 100644 --- a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl @@ -44,27 +44,27 @@ log { filter{match('audit\.admin' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } elif { filter{match('system\.com\.rsa|,\s+system\.erationsconsole' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } elif { filter{match('audit\.runtime\.com\.rsa' value('.rsa.type'))}; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; } else { rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:syslog"), index("netauth")) + r_set_splunk_dest_default(sourcetype("rsa:securid:syslog")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; }; 
@@ -81,7 +81,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("dell_rsa_secureid")); }; parser (compliance_meta_by_source); @@ -99,7 +99,7 @@ log { }; rewrite { set("dell_rsa_secureid", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("rsa:securid:trace"), index("netauth")); + r_set_splunk_dest_default(sourcetype("rsa:securid:trace")); }; parser { p_add_context_splunk(key("p_add_context_splunk")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl index a12ca6b..308d60d 100644 --- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl @@ -31,7 +31,7 @@ log { set("f5_bigip", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("f5:bigip:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("f5:bigip:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); @@ -42,7 +42,7 @@ log { }; rewrite { set("f5_bigip_access_json", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:access_json"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:access_json")) }; parser { p_add_context_splunk(key("f5_bigip_access_json")); }; parser (compliance_meta_by_source); 
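Review bot: Removing `index("netauth")` here compounds the key error left in place on the context line `parser { p_add_context_splunk(key("p_add_context_splunk")); };`: with no in-code default and a lookup key that matches no CSV row, the `rsa:securid:trace` branch ends up with no index at all. Fix the key to `dell_rsa_secureid` in the same change, otherwise this patch silently drops a default that was masking the earlier bug. The enclosing branch begins outside this hunk.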
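Review bot: `f5_bigip_access_json` is not in patch 1's `splunk_index.csv.example`, which only has `f5_bigip`, `f5_bigip_irule`, `f5_bigip_asm` and `f5_bigip_nix`, so dropping `index("netops")` leaves the `f5:bigip:ltm:access_json` path without a configured index. Add `f5_bigip_access_json,index,netops` to the example CSV, or key this branch on `f5_bigip` like the adjacent syslog branch. The branch begins outside this hunk.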
@@ -56,32 +56,32 @@ log { program('^f5_irule=Splunk-iRule-HTTP') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:http:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:http:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-DNS_REQUEST') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:request:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:request:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-DNS_RESPONSE') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:response:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:response:irule")) }; } elif { filter { program('^f5_irule=Splunk-iRule-LB_FAILED') }; rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:failed:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:failed:irule")) }; } else { rewrite { - r_set_splunk_dest_default(sourcetype("f5:bigip:irule"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:irule")) }; }; rewrite { @@ -96,7 +96,7 @@ log { }; rewrite { set("f5_bigip_asm", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("f5:bigip:asm:syslog"), index("netwaf")) + r_set_splunk_dest_default(sourcetype("f5:bigip:asm:syslog")) }; parser { p_add_context_splunk(key("f5_bigip_asm")); }; parser (compliance_meta_by_source); @@ -108,7 +108,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); 
@@ -117,7 +117,7 @@ log { rewrite { set("f5_bigip_rogue_message", value("fields.sc4s_vendor_product")); set("rogue-f5", value("fields.sc4s_error")); - r_set_splunk_dest_default(sourcetype("f5:bigip:rogue"), index("netops")) + r_set_splunk_dest_default(sourcetype("f5:bigip:rogue")) }; parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl index 40c072f..dbf9c3c 100644 --- a/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-forcepoint_webprotect.conf.tmpl @@ -24,7 +24,7 @@ log { rewrite { subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global")); set("forcepoint_webprotect", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("websense:cg:kv"), index("netproxy")) + r_set_splunk_dest_default(sourcetype("websense:cg:kv")) }; parser {p_add_context_splunk(key("forcepoint_webprotect")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl index 4f0351c..438a1a6 100644 --- a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl 
@@ -65,16 +65,16 @@ log { set("${.kv.devname}", value("HOST")); }; if (match("traffic" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_traffic"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_traffic")); }; } elif (match("attack" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_attack"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_attack"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_attack")); }; } elif (match("event" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_event"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_event"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_event")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("fwb_log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fwb_log"))}; parser {p_add_context_splunk(key("fortinet_fortiweb_log")); }; }; #FortiOS 
@@ -84,16 +84,16 @@ log { set("${.kv.devname}", value("HOST")); }; if (match("traffic" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"))}; parser {p_add_context_splunk(key("fortinet_fortios_traffic")); }; } elif (match("utm" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"))}; parser {p_add_context_splunk(key("fortinet_fortios_utm")); }; } elif (match("event" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"))}; parser {p_add_context_splunk(key("fortinet_fortios_event")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"))}; parser {p_add_context_splunk(key("fortinet_fortios_log")); }; }; }; diff --git a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl index 086e3a5..261dbe4 100644 --- a/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-infoblox.conf.tmpl @@ -27,7 +27,7 @@ log { set("infoblox_dns", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:dns"), index("netdns"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:dns"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_dns")); }; } elif { 
@@ -36,7 +36,7 @@ log { set("infoblox_dhcp", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:dhcp"), index("netipam"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:dhcp"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_dhcp")); }; } elif { @@ -45,7 +45,7 @@ log { set("infoblox_threat", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("infoblox:threat"), index("netids"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("infoblox:threat"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("infoblox_threat")); }; } else { @@ -54,7 +54,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("nix_syslog")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl index 432c393..b5d3cf9 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl 
@@ -26,19 +26,19 @@ log { }; if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"))}; parser {p_add_context_splunk(key("juniper_idp")); }; } elif (program('RT_FLOW') or message('PFE_FW_|DFWD_')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_fw")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_ids")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"))}; parser {p_add_context_splunk(key("juniper_junos_utm")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"))}; parser {p_add_context_splunk(key("juniper_legacy")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl index 91707cf..3b3dd45 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl 
@@ -25,25 +25,25 @@ log { set("juniper_junos", value("fields.sc4s_vendor_product")); }; if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured")) }; parser {p_add_context_splunk(key("juniper_idp_structured")); }; } elif (program('RT_FLOW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_fw_structured")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_ids_structured")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured")) }; parser {p_add_context_splunk(key("juniper_junos_utm_structured")); }; } elif (program('RT_AAMW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured")) }; parser {p_add_context_splunk(key("juniper_junos_aamw_structured")); }; } elif (program('RT_SECINTEL')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured")) }; parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netfw")) }; + rewrite { 
r_set_splunk_dest_default(sourcetype("juniper:structured")) }; parser {p_add_context_splunk(key("juniper_structured")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl index 49cdbb9..d10b21c 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_netscreen.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("juniper_netscreen", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("netscreen:firewall"), index("netfw")) + r_set_splunk_dest_default(sourcetype("netscreen:firewall")) }; parser { p_add_context_splunk(key("juniper_netscreen")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl index 36419fb..f484bf6 100644 --- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl @@ -24,7 +24,7 @@ log { rewrite { set("mcafee_epo", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog")) }; parser {p_add_context_splunk(key("mcafee_epo")); }; diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl index f07df1c..52131be 100644 --- a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl @@ -58,7 +58,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"))}; parser {p_add_context_splunk(key("pan_threat")); }; } elif (match('TRAFFIC', value('.pan.type'))) { parser { 
@@ -68,7 +68,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"))}; parser {p_add_context_splunk(key("pan_traffic")); }; } elif (match('SYSTEM', value('.pan.type'))) { parser { @@ -78,7 +78,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:system"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:system"))}; parser {p_add_context_splunk(key("pan_system")); }; } elif (match('CONFIG', value('.pan.type'))) { parser { @@ -88,7 +88,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:config"))}; parser {p_add_context_splunk(key("pan_config")); }; } elif (match('HIPMATCH', value('.pan.type'))) { parser { @@ -98,7 +98,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:hipmatch"))}; parser {p_add_context_splunk(key("pan_hipmatch")); }; } elif (match('CORRELATION', value('.pan.type'))) { parser { @@ -108,7 +108,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"))}; parser {p_add_context_splunk(key("pan_correlation")); }; } elif (match('USERID', value('.pan.type'))) { parser { @@ -118,7 +118,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"), index("netauth"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"))}; parser {p_add_context_splunk(key("pan_userid")); }; } else { parser { 
@@ -128,7 +128,7 @@ log { delimiters(',') ); }; - rewrite { r_set_splunk_dest_default(sourcetype("pan:log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:log"))}; parser {p_add_context_splunk(key("pan_log")); }; }; rewrite { diff --git a/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl b/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl index 293f428..4fb3fcb 100644 --- a/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-pfsense.conf.tmpl @@ -27,7 +27,7 @@ log { set("pfsense_filterlog", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("pfsense:filterlog"), index("netfw"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("pfsense:filterlog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("pfsense_filterlog")); }; parser (compliance_meta_by_source); @@ -38,7 +38,7 @@ log { subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("pfsense:${.PROGRAM}"), index("netops"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("pfsense:${.PROGRAM}"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("pfsense")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl index 8881d4c..6968eda 100644 --- a/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-proofpoint_pps.conf.tmpl 
@@ -23,12 +23,12 @@ log { if (filter(f_proofpoint_pps_filter)) { rewrite { set("proofpoint_pps_filter", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("pps_filter_log"), index("email"))}; + r_set_splunk_dest_default(sourcetype("pps_filter_log"))}; parser { p_add_context_splunk(key("proofpoint_pps_filter")); }; } else { rewrite { set("proofpoint_pps_sendmail", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("pps_mail_log"), index("email"))}; + r_set_splunk_dest_default(sourcetype("pps_mail_log"))}; parser { p_add_context_splunk(key("proofpoint_pps_sendmail")); }; }; diff --git a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl index 91214a2..01e5993 100644 --- a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl @@ -3,12 +3,12 @@ log { if (match("Log statistics; " value("MESSAGE"))) { - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:metrics"), index("em_metrics")) }; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:metrics")) }; parser {p_add_context_splunk(key("sc4s_metrics")); }; rewrite { subst('.*Log statistics; ', '', value("MESSAGE"), flags("utf8" "global")); - subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:, )?)', '', value("MESSAGE"), flags("utf8" "global")); + subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:)?)', '', value("MESSAGE"), flags("utf8" "global")); subst('(?[^= ]+)=\x27(?[^\(]+)\((?\S+(?=\)[=,]))(?:,(?[^,]+),(?[^\)]+))?\)\=(?\d+)\x27,? ?', '{"time": "$S_UNIXTIME","event": "metric","host": "$HOST","index": "${.splunk.index}","source": "internal","sourcetype": "${.splunk.sourcetype}","fields": {"source_name": "${SourceName}","source_instance": "${SourceInstance}","state": "${State}","type": "${Type}","_value": ${Number},"metric_name": "syslogng.${SourceId}"}} ', 
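Review bot: In the `lp-sc4s_internal` hunk the second `subst` changes its trailing group from `(?:, )?` to `(?:)?`, which can only match the empty string, so the stripped `#anon` statistics entries now leave their `, ` separator behind in MESSAGE; this is unrelated to the index cleanup and looks accidental. If it is deliberate, the following subst's trailing `,? ?` may absorb the orphaned separator, but the rest of that rewrite is not shown in this hunk, so I would either restore `(?:, )?` or add `# separator after anonymous entries is left for the next subst to consume` above the line. Separately, `index("em_metrics")` is removed from the `sc4s:metrics` rewrite while the JSON template still emits `"index": "${.splunk.index}"` into a metric-format payload; if the `sc4s_metrics` context key has no index row that payload is addressed to the default events index, which I believe HEC will reject for metric events, so confirm the csv row exists.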
@@ -34,7 +34,7 @@ log { } else { - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"))}; parser {p_add_context_splunk(key("sc4s_events")); }; if (not match("Destination timeout has elapsed, closing connection; fd=" value("MESSAGE")) and diff --git a/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl index c0dedf6..1665e64 100644 --- a/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-sc4s_startup.conf.tmpl @@ -3,7 +3,7 @@ log { source(s_startup_out); - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:out"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:out"))}; parser {p_add_context_splunk(key("sc4s_events")); }; {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no")) }} @@ -28,7 +28,7 @@ log { log { source(s_startup_err); - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:err"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events:startup:err"))}; parser {p_add_context_splunk(key("sc4s_events")); }; {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no")) }} diff --git a/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl b/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl index 97d28d0..8c269c3 100644 --- a/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-schneider_apc.conf.tmpl 
@@ -22,7 +22,7 @@ log { }; rewrite { set("schneider_apc", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("apc:syslog"), index("main")) + r_set_splunk_dest_default(sourcetype("apc:syslog")) }; parser { p_add_context_splunk(key("schneider_apc")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl index 66b22cc..0bd3dda 100644 --- a/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-snmp_traps.conf.tmpl @@ -6,7 +6,7 @@ log { ); }; - rewrite { r_set_splunk_dest_default(sourcetype("snmp:trap"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("snmp:trap"))}; parser {p_add_context_splunk(key("snmp_trap")); }; rewrite { set("$(template ${.splunk.sc4s_template} $(template t_snmp_trap))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl index baa48a9..74bde79 100644 --- a/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_brightmail.conf.tmpl @@ -56,7 +56,7 @@ log { rewrite { set("symantec_brightmail", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("symantec:smg:mail"), index("email"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("symantec:smg:mail"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("symantec_brightmail")); }; parser (compliance_meta_by_source); @@ -76,7 +76,7 @@ log { rewrite { set("symantec_brightmail", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("symantec:smg"), index("email"), source("program:${.PROGRAM}")) + r_set_splunk_dest_default(sourcetype("symantec:smg"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("symantec_brightmail")); }; parser (compliance_meta_by_source); 
diff --git a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
index e093563..c758541 100644
--- a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
@@ -24,66 +24,66 @@ log { if { filter(f_symantec_ep_proactive); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog")) }; } elif { filter(f_symantec_ep_risk); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog")) }; } elif { filter(f_symantec_ep_agt_system); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog")) }; } elif { filter(f_symantec_ep_packet); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog")) }; } elif { filter(f_symantec_ep_traffic); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog")) }; } elif { filter(f_symantec_ep_security); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog")) }; } elif { filter(f_symantec_ep_scan); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog")) }; } elif { filter(f_symantec_ep_behavior); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog")) }; } elif { filter(f_symantec_ep_policy); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog")) }; } elif { filter(f_symantec_ep_admin); rewrite { - 
r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog")) }; } elif { filter(f_symantec_ep_agent); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog")) }; } elif { filter(f_symantec_ep_scm_system); rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog")) }; } else { rewrite { - r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav")) + r_set_splunk_dest_default(sourcetype("symantec:ep:syslog")) }; }; rewrite { diff --git a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl index 1447711..30f725b 100644 --- a/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-symantec_proxy.conf.tmpl @@ -22,7 +22,7 @@ log { rewrite { set("bluecoat_proxy", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"), index("netproxy")) + r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv")) subst( "([-_a-zA-Z\(\)]+=(\"-\"|-| ))", "", value(MESSAGE) diff --git a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl index bccf149..e1a643a 100644 --- a/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-ubiquiti_unifi.conf.tmpl 
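Review bot: In the `lp-symantec_proxy` hunk the rewritten `r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"))` is still followed directly by `subst(` with no `;` between them, unlike the `ubnt:*` rewrites later on this page, which terminate the call with `;` before the next statement. The removed line had the same shape, so it presumably parses today (perhaps the block expansion supplies the terminator), but it reads as a missing separator; writing `r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"));` makes it explicit and consistent. The enclosing `rewrite {` block continues past the end of the hunk.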
@@ -32,17 +32,17 @@ log { rewrite { set("${LEGACY_MSGHDR}${MSG}" value("MSG")); }; if (match("[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:" value("MSG"))) { - rewrite { r_set_splunk_dest_default(sourcetype("ubnt:threat"), index("netids")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ubnt:threat")) }; parser {p_add_context_splunk(key("ubiquiti_unifi_threat")); }; } elif (match("\S+\slinkcheck:" value("MSG"))) { - rewrite { r_set_splunk_dest_default(sourcetype("ubnt:link"), index("netops")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ubnt:link")) }; parser {p_add_context_splunk(key("ubiquiti_unifi_link")); }; } elif (match("\d+:\d+:\d+\s\S+\ssudo:" value("MSG"))) { - rewrite { r_set_splunk_dest_default(sourcetype("ubnt:sudo"), index("netops")) }; + rewrite { r_set_splunk_dest_default(sourcetype("ubnt:sudo")) }; parser {p_add_context_splunk(key("ubiquiti_unifi_sudo")); }; } else { rewrite { - r_set_splunk_dest_default(sourcetype("ubnt:fw"), index("netfw")); + r_set_splunk_dest_default(sourcetype("ubnt:fw")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_fw")); }; }; 
@@ -57,21 +57,21 @@ log { if (match('hostapd:\s+ath' value("MSG"))) { rewrite { set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:hostapd"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:hostapd")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); }; } elif (match('\d+:\d+:\d+\s\S+\smcad:' value("MSG"))) { rewrite { set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:mcad"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:mcad")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); }; } else { rewrite { set("ubiquiti_unifi_switch", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:switch"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:switch")); set("${FULLHOST_FROM}",value("HOST")); set("${model}", value("fields.model")); set("${serial}", value("fields.serial")); @@ -87,7 +87,7 @@ log { }; rewrite { set("ubiquiti_unifi_wireless", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:wireless"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:wireless")); set("${FULLHOST_FROM}",value("HOST")); set("${model}", value("fields.model")); set("${serial}", value("fields.serial")); @@ -98,7 +98,7 @@ log { } elif (match("traputil.c\(696\) " value("MSG"))) { rewrite { set("ubiquiti_unifi_edge_switch", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt:edgeswitch"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt:edgeswitch")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi_edge_switch")); }; 
@@ -106,7 +106,7 @@ log { } else { rewrite { set("ubiquiti_unifi", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("ubnt"), index("netops")); + r_set_splunk_dest_default(sourcetype("ubnt")); set("${FULLHOST_FROM}", value("HOST")); }; parser {p_add_context_splunk(key("ubiquiti_unifi")); }; diff --git a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl index 2aeed34..a3cfc91 100644 --- a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl @@ -27,7 +27,7 @@ log { rewrite { set("vmware_nsx", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), source("program:${PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_nsx")); }; parser (compliance_meta_by_source); @@ -41,7 +41,7 @@ log { set("vmware_nsx", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), index("main"), source("program:${.PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:nsx"), source("program:${.PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_nsx")); }; parser (compliance_meta_by_source); @@ -52,7 +52,7 @@ log { rewrite { set("vmware_vcenter", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), index("main"), source("program:${PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), source("program:${PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_vcenter")); }; parser (compliance_meta_by_source); 
@@ -65,7 +65,7 @@ log { set("vmware_vcenter", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), index("main"), source("program:${.PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), source("program:${.PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_vcenter")); }; parser (compliance_meta_by_source); @@ -78,7 +78,7 @@ log { rewrite { set("vmware_vsphere_esx", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), source("program:${PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_esx")); }; parser (compliance_meta_by_source); @@ -92,7 +92,7 @@ log { set("vmware_vsphere_esx", value("fields.sc4s_vendor_product")); set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), index("main"), source("program:${.PROGRAM}")); + r_set_splunk_dest_default(sourcetype("vmware:vsphere:esx"), source("program:${.PROGRAM}")); }; parser { p_add_context_splunk(key("vmware_esx")); }; parser (compliance_meta_by_source); @@ -107,7 +107,7 @@ log { subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("nix_syslog")); }; parser (compliance_meta_by_source); if { diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl index 25d655a..0c6442e 100644 --- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl @@ -45,7 +45,7 @@ log { and match('.' value('.json.AppGroup')) and match('.' value('.json.Application')) }; - rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-app"))}; parser { p_add_context_splunk(key("zscaler_lss")); }; } elif { filter { @@ -53,7 +53,7 @@ log { and match('.' value('.json.Customer')) and match('.' value('.json.ConnectionID')) }; - rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-bba"))}; parser { p_add_context_splunk(key("zscaler_lss")); }; } elif { filter { @@ -61,20 +61,20 @@ log { and match('.' value('.json.Customer')) and match('.' value('.json.ConnectorGroup')) }; - rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-connector"))}; parser { p_add_context_splunk(key("zscaler_lss")); }; } elif { filter { match('.' value('.json.SAMLAttributes')) and match('.' value('.json.Customer')) }; - rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"))}; parser { p_add_context_splunk(key("zscaler_lss")); }; } else { rewrite { set("zscaler_lss_rogue_message", value("fields.sc4s_vendor_product")); set("rogue-zscaler_lss", value("fields.sc4s_error")); - r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"), index("netproxy")) + r_set_splunk_dest_default(sourcetype("zscalerlss:rogue")) }; parser { p_add_context_splunk(key("zscaler_lss")); }; # Rogue message needs a different template than valid LSS events. Final rewrite (further below) will be a 
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl index b38adf1..836a779 100644 --- a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl @@ -21,7 +21,7 @@ log { }; }; if (message('^ZscalerNSS:')) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-alerts"))}; parser { p_add_context_splunk(key("zscaler_alerts")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); }; 
@@ -37,22 +37,22 @@ log { }; if (match("dns" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"), index("netdns"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"))}; parser { p_add_context_splunk(key("zscaler_dns")); }; } elif (match("fw" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-fw"))}; parser { p_add_context_splunk(key("zscaler_fw")); }; } elif (match("NSS" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-web"))}; parser { p_add_context_splunk(key("zscaler_web")); }; } elif (match("audit" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-audit"))}; parser { p_add_context_splunk(key("zscaler_zia_audit")); }; } elif (match("sandbox" value(".kv.product"))) { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-zia-sandbox"))}; parser { p_add_context_splunk(key("zscaler_zia_sandbox")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-unknown"))}; parser { p_add_context_splunk(key("zscaler_nss")); }; diff --git a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl index 558818d..24fd1a4 100644 --- a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl 
@@ -26,7 +26,7 @@ log { subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); }; - rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) }; + rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("nix_syslog")); }; parser (compliance_meta_by_source); diff --git a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl index d8bbd88..7a7b16d 100644 --- a/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zzz-fallback.conf.tmpl @@ -8,14 +8,14 @@ log { if { filter(f_is_rfc5424_strict); - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback")); }; parser { p_add_context_splunk(key("sc4s_fallback")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback")); }; parser { p_add_context_splunk(key("sc4s_fallback")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_3164))" value("MSG")); }; diff --git a/package/etc/local_config/log_paths/lp-example.conf.tmpl b/package/etc/local_config/log_paths/lp-example.conf.tmpl index d168cc9..3eb4b0c 100644 --- a/package/etc/local_config/log_paths/lp-example.conf.tmpl +++ b/package/etc/local_config/log_paths/lp-example.conf.tmpl 
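Review bot: In lp-zzz-fallback.conf.tmpl both branches of `if { filter(f_is_rfc5424_strict); … } else { … }` carry the same three statements (`rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback")); };`, `parser { p_add_context_splunk(key("sc4s_fallback")); };`, `parser (compliance_meta_by_source);`) and differ only in the final template rewrite; hoisting the shared statements above the `if` would leave one place to maintain the fallback destination. The enclosing `log { }` block and the `else` branch continue outside the hunk.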
@@ -53,7 +53,7 @@ log {
 rewrite {
 set("local_example", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("sc4s:local_example"), index("main"));
+ r_set_splunk_dest_default(sourcetype("sc4s:local_example"));
 };
 # using the key "local_example" find any customized index,source or sourcetype meta values
From ddfe2afb3cf9290d973b1089cb7e19e8a1454a24 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sat, 13 Jun 2020 21:33:29 -0400
Subject: [PATCH 4/8] Bug squashing
---
 docs/sources/Cisco/index.md | 6 +++---
 .../log_paths/lp-dell_rsa_secureid.conf.tmpl | 2 +-
 .../splunk_index.csv.example | 21 ++++++++++++++++---
 tests/test_cisco_wsa.py | 6 +++---
 4 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index 185e0c8..187f28d 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -405,9 +405,9 @@ Verify timestamp, and host values match as expected
 | key | sourcetype | index | notes |
 |----------------|----------------|----------------|----------------|
-| cisco_wsa_l4tm | cisco:wsa:l4tm | netops | None |
-| cisco_wsa_squid | cisco:wsa:squid | netops | None |
-| cisco_wsa_squid_new | cisco:wsa:squid:new | netops | None |
+| cisco_wsa | cisco:wsa:l4tm | netproxy | None |
+| cisco_wsa | cisco:wsa:squid | netproxy | None |
+| cisco_wsa | cisco:wsa:squid:new | netproxy | None |
 ### Filter type
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
index 2758af4..7ca852e 100644
--- a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
@@ -101,7 +101,7 @@ log {
 set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
 r_set_splunk_dest_default(sourcetype("rsa:securid:trace"));
 };
- parser { p_add_context_splunk(key("p_add_context_splunk")); };
+ parser { p_add_context_splunk(key("dell_rsa_secureid")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 1222873..7b8e14e 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -1,4 +1,5 @@
 bluecoat_proxy,index,netproxy
+brocade_syslog,index,netops
 ArcSight_ArcSight,index,main
 Cyber-Ark_Vault,index,netauth
 CyberArk_PTA,index,main
@@ -9,6 +10,7 @@ checkpoint_splunk,index,netops
 checkpoint_splunk_dlp,index,netdlp
 checkpoint_splunk_email,index,email
 checkpoint_splunk_firewall,index,netfw
+checkpoint_splunk_ids,index,netids
 checkpoint_splunk_sessions,index,netops
 checkpoint_splunk_web,index,netproxy
 checkpoint_splunk,index,netops
@@ -17,15 +19,19 @@ cisco_apic_acl,index,netfw
 cisco_apic_events,index,netops
 cisco_acs,index,netauth
 cisco_asa,index,netfw
+cisco_ftd,index,netfw
 cisco_ios,index,netops
 cisco_ise,index,netauth
+cisco_meraki,index,netfw
 cisco_nx_os,index,netops
 cisco_ucm,index,main
+cisco_wsa,index,netproxy
 dell_rsa_secureid,index,netauth
 citrix_netscaler,index,netfw
 local_example,index,main
 forcepoint_webprotect,index,netproxy
 f5_bigip,index,netops
+f5_bigip_access_json,index,netops
 f5_bigip_irule,index,netops
 f5_bigip_asm,index,netwaf
 f5_bigip_nix,index,netops
@@ -33,9 +39,10 @@ fortinet_fortios_event,index,netops
 fortinet_fortios_log,index,netops
 fortinet_fortios_traffic,index,netfw
 fortinet_fortios_utm,index,netids
-fortinet_fortweb_log,index,netops
-fortinet_fortweb_traffic,index,netfw
-fortinet_fortweb_attack,index,netids
+fortinet_fortiweb_attack,index,netids
+fortinet_fortiweb_event,index,netops
+fortinet_fortiweb_log,index,netops
+fortinet_fortiweb_traffic,index,netfw
 infoblox_dns,index,netdns
 infoblox_dhcp,index,netipam
 infoblox_threat,index,netids
@@ -70,6 +77,14 @@ sc4s_events,index,main
 sc4s_fallback,index,main
 sc4s_metrics,index,em_metrics
 symantec_ep,index,epav
+symantec_brightmail,index,email
+ubiquiti_unifi,index,netops
+ubiquiti_unifi_fw,index,netfw
+ubiquiti_unifi_link,index,netops
+ubiquiti_unifi_sudo,index,netops
+ubiquiti_unifi_switch,index,netops
+ubiquiti_unifi_threat,index,netidss
+ubiquiti_unifi_wireless,index,netops
 vmware_esx,index,main
 vmware_nsx,index,main
 vmware_vcenter,index,main
diff --git a/tests/test_cisco_wsa.py b/tests/test_cisco_wsa.py
index 3a4e2de..ff3e1f8 100644
--- a/tests/test_cisco_wsa.py
+++ b/tests/test_cisco_wsa.py
@@ -50,7 +50,7 @@ def test_cisco_wsa_squid_11_7(record_property, setup_wordlist, get_host_key, set
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
- "search index=netops sourcetype=\"cisco:wsa:squid:new\" _raw=\"{{ message }}\"")
+ "search index=netproxy sourcetype=\"cisco:wsa:squid:new\" _raw=\"{{ message }}\"")
 message1 = mt.render(mark="", bsd="", host="")
 search = st.render(host=host, message=message1.lstrip().replace('"','\\"'))
 resultCount, eventCount = splunk_single(setup_splunk, search)
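Review bot: `ubiquiti_unifi_threat,index,netidss` in the `@@ -70,6 +77,14 @@` hunk looks like a typo for `netids`, the index every other IDS-class row in this file uses (`checkpoint_splunk_ids`, `fortinet_fortios_utm`, `infoblox_threat`); an event addressed to an index that does not exist on the indexer is typically rejected at ingestion, so threat events from this source would be lost rather than merely misfiled, which is the worst outcome for an IDS feed. Suggested row: `ubiquiti_unifi_threat,index,netids`.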
@@ -77,7 +77,7 @@ def test_cisco_wsa_squid(record_property, setup_wordlist, get_host_key, setup_sp
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
- "search index=netops sourcetype=\"cisco:wsa:squid\" _raw=\"{{ message }}\"")
+ "search index=netproxy sourcetype=\"cisco:wsa:squid\" _raw=\"{{ message }}\"")
 message1 = mt.render(mark="", bsd="", host="")
 search = st.render(host=host, message=message1.lstrip().replace('"','\\"'))
 resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -103,7 +103,7 @@ def test_cisco_wsa_l4tm(record_property, setup_wordlist, get_host_key, setup_spl
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
- "search index=netops _time={{ epoch }} sourcetype=\"cisco:wsa:l4tm\" _raw=\"{{ message }}\"")
+ "search index=netproxy _time={{ epoch }} sourcetype=\"cisco:wsa:l4tm\" _raw=\"{{ message }}\"")
 message1 = mt.render(mark="", bsd="", host="")
 search = st.render(epoch=epoch, host=host, message=message1.lstrip())
From 04772fea9e3c14168667e1bd432bcb7ae73108e8 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sun, 14 Jun 2020 09:47:59 -0400
Subject: [PATCH 5/8] Update the splunk_indexes.csv file to add new entries
---
 package/sbin/entrypoint.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 49bfa5f..56f9c20 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -39,9 +39,17 @@ gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --
 mkdir -p /opt/syslog-ng/etc/conf.d/local/context/
 mkdir -p /opt/syslog-ng/etc/conf.d/local/config/
-cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context/
+cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/context_templates/
 for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose -n $file ${file%.example}; done
+
+#splunk_indexes.csv updates
+#Remove comment headers from existing config
+touch /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv
 sed -i 's/^#//' /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv
+# Add new entries
+awk '{print $0}' /opt/syslog-ng/etc/context_templates/splunk_index.csv /opt/syslog-ng/etc/context_templates/splunk_index.csv.example | sort -b -t ',' -k1,2 -u
+#We don't need this file anylonger
+rm -f /opt/syslog-ng/etc/context_templates/splunk_index.csv.example
 cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/
 mkdir -p /opt/syslog-ng/var/log
From cbaedfda3b6d61ac5cebfd367cf67e9e27bf803c Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sun, 14 Jun 2020 09:58:26 -0400
Subject: [PATCH 6/8] Update entrypoint.sh
---
 package/sbin/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 56f9c20..94f70f6 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
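Review bot: The merge pipeline on the `awk '{print $0}' … | sort -b -t ',' -k1,2 -u` line only prints to stdout, so the "Add new entries" step never changes `splunk_index.csv`; its output has to go to a temporary file and then be moved over the target, since redirecting straight into a file that is also one of the inputs truncates it before it is read. The first path given to awk is `/opt/syslog-ng/etc/context_templates/splunk_index.csv`, which is not the file `touch`ed and `sed`-stripped two lines above (`/opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv`), so the operator's customized rows would not take part in the merge even once the output is captured. Because `sort -u` emits the first line of each run of equal keys, the operator's file must be listed first (and `-s` makes that ordering explicit) for a customized index value to win over the shipped example; for instance `awk '{print $0}' /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv /opt/syslog-ng/etc/context_templates/splunk_index.csv.example | sort -b -s -t ',' -k1,2 -u > /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv.new` followed by `mv /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv.new /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv`. A comment noting that the preceding `sed -i 's/^#//'` uncomments every `#` line in the operator-maintained file, not just the template rows, would also help whoever next edits this block.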
@@ -39,7 +39,7 @@ gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --
 mkdir -p /opt/syslog-ng/etc/conf.d/local/context/
 mkdir -p /opt/syslog-ng/etc/conf.d/local/config/
-cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/context_templates/
+cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context
 for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose -n $file ${file%.example}; done
 #splunk_indexes.csv updates
From c119281e9817d81b15fbd3c0e5b7b0b6e0ea15ef Mon Sep 17 00:00:00 2001
From: mbonsack
Date: Sun, 14 Jun 2020 08:47:28 -0700
Subject: [PATCH 7/8] Fix comment in `splunkfields.conf.tmpl`
* Fix comment referring to default index in `splunkfields.conf.tmpl`
---
 package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
index 0e85478..56e3017 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -33,7 +33,7 @@ rewrite r_set_splunk_default {
 };
 {{- end}}
 };
-#used by each log-path to set index and sourcetype which may be
+#used by each log-path to set source and sourcetype which may be
 #overridden by user defined values
 block rewrite r_set_splunk_dest_default(
 source("${.splunk.source}")
From 9812901830e99711880527a9c76cceebd8e23b4e Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Sun, 14 Jun 2020 11:57:04 -0400
Subject: [PATCH 8/8] Update lp-sc4s_internal.conf.tmpl
---
 package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
index 01e5993..bb8c017 100644
--- a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl @@ -8,7 +8,7 @@ log { parser {p_add_context_splunk(key("sc4s_metrics")); }; rewrite { subst('.*Log statistics; ', '', value("MESSAGE"), flags("utf8" "global")); - subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:)?)', '', value("MESSAGE"), flags("utf8" "global")); + subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:, )?)', '', value("MESSAGE"), flags("utf8" "global")); subst('(?[^= ]+)=\x27(?[^\(]+)\((?\S+(?=\)[=,]))(?:,(?[^,]+),(?[^\)]+))?\)\=(?\d+)\x27,? ?', '{"time": "$S_UNIXTIME","event": "metric","host": "$HOST","index": "${.splunk.index}","source": "internal","sourcetype": "${.splunk.sourcetype}","fields": {"source_name": "${SourceName}","source_instance": "${SourceInstance}","state": "${State}","type": "${Type}","_value": ${Number},"metric_name": "syslogng.${SourceId}"}} ',