From bb92e3b63e6ff6bf5346de80f5194ca74cec4fdf Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Wed, 13 May 2020 15:47:15 -0700
Subject: [PATCH 1/2] Reformat indexed fields list for proper rendering

* Reformat indexed fields env var list so that single line renders properly as multiple lines

---
 docs/configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuration.md b/docs/configuration.md
index 60b9800..79fbb94 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -27,7 +27,7 @@ syslog.
 | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file |
 | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate |
 | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. |
-| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,loghost,destport,fromhostip,proto, or none | List of sc4s indexed fields (default is the entire list except "none"). If this veriable is not set, the default indexed fields `sc4s_vendor_product` and `sc4d_syslog_format` _will_ appear. If no indexed fields are desired (including the two defaults mentioned), set the value to the single value of "none". This list maps to the following indexed fields that will appear in all Splunk events:
facility: sc4s_syslog_facility
severity: sc4s_syslog_severity
container: sc4s_container
loghost: sc4s_loghost
dport: sc4s_destport
fromhostip: sc4s_fromhostip
proto: sc4s_proto
+| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,
severity,
container,
loghost,
destport,
fromhostip,
proto

none | List of sc4s indexed fields that will be included with each event in Splunk (default is the entire list except "none"). Two other indexed fields, `sc4s_vendor_product` and `sc4s_syslog_format`, will also appear along with the fields selected via the list and cannot be turned on or off individually. If no indexed fields are desired (including the two internal ones), set the value to the single value of "none". When setting this variable, separate multiple entries with commas and do not include extra spaces.

This list maps to the following indexed fields that will appear in all Splunk events:
facility: sc4s_syslog_facility
severity: sc4s_syslog_severity
container: sc4s_container
loghost: sc4s_loghost
dport: sc4s_destport
fromhostip: sc4s_fromhostip
proto: sc4s_proto
 ## Alternate Destination Configuration
From 8b79d9a68696921231aaee19e675f77e27dbd6fd Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Wed, 13 May 2020 21:02:23 -0700
Subject: [PATCH 2/2] Update splunkfields gomplate template logic

* Update `splunkfields.conf.tmpl` gomplate logic to fix typo in desthost field

---
 docs/gettingstarted/docker-systemd-general.md | 3 ++-
 docs/gettingstarted/podman-systemd-general.md | 3 ++-
 .../conf.d/conflib/_splunk/splunkfields.conf.tmpl | 14 +++++++-------
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md
index f18cb08..f23926c 100644
--- a/docs/gettingstarted/docker-systemd-general.md
+++ b/docs/gettingstarted/docker-systemd-general.md
@@ -53,13 +53,14 @@ TimeoutStartSec=0
 Restart=always
 ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE
+ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 ExecStartPre=/usr/bin/docker run \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
 --name SC4S_preflight \
 --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \
- -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
+ -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_PERSIST_VOLUME" \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md
index afbcefd..f033343 100644
--- a/docs/gettingstarted/podman-systemd-general.md
+++ b/docs/gettingstarted/podman-systemd-general.md
@@ -71,13 +71,14 @@ TimeoutStartSec=0
 Restart=always
 ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
+ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 ExecStartPre=/usr/bin/podman run \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
 --name SC4S_preflight \
 --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \
- -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
+ -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_PERSIST_VOLUME" \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
index fea713b..989e4bf 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -1,27 +1,27 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
 set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "facility") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility") ",") "facility") }}
 set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "severity") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "severity") ",") "severity") }}
 set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "loghost") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "loghost") ",") "loghost") }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
 set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
 {{- end}}
 {{- end}}
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "container") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container") ",") "container") }}
 set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "fromhostip") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "fromhostip") ",") "fromhostip") }}
 set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "destport") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "destport") ",") "destport") }}
 set($DESTPORT, 
value("fields.sc4s_destport"));
 {{- end}}
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "proto") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "proto") ",") "proto") }}
 channel {
 if (match("6" value("PROTO"))) {
 rewrite { set("TCP", value("fields.sc4s_proto")); };
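Review bot: The rewritten guards depend on a non-obvious convention — with `SC4S_DEST_SPLUNK_INDEXED_FIELDS` unset, each `getenv` falls back to its own field name, so every field is emitted by default and only an explicit list (or `none`) narrows it — but nothing in the template records this, and the old single default list that made the intent visible (and whose `dport` entry never matched the `destport` guard, the defect this commit removes) is gone. Add a template comment after the `#Used to set indexed fields` line, e.g. `{{/* Each guard defaults getenv to its own field name: variable unset = all fields on; "none" = all off. */}}`, and align the `dport: sc4s_destport` entry in the `configuration.md` mapping list of the first patch with the accepted value `destport`. Separately, the unchanged `loghost` block pastes `{{ getenv "SC4S_CONTAINER_HOST" }}` verbatim into a quoted syslog-ng string literal, so a value containing a double quote or `$` would break or alter the rendered config; the systemd units now derive it from `hostname -s`, which makes this unlikely, but validating the value at render time would make the template robust against an env_file override. The `rewrite r_set_splunk_default {` block and the `channel` it contains close outside the hunk.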