From 4c0790e1188946f5ea19595e95359f49c22b3c0f Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 12 Mar 2020 14:39:18 -0400
Subject: [PATCH 1/7] Update test_common.py

---
 tests/test_common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_common.py b/tests/test_common.py
index 012e294..4520212 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -259,4 +259,4 @@ def test_check_sc4s_version(record_property, setup_wordlist, setup_splunk, setup
     record_property("resultCount", resultCount)
-    assert resultCount == 0
+    assert resultCount == 1
From aff2520114eb7531bd48f7325249af94eb0d33cd Mon Sep 17 00:00:00 2001
From: Jay Shah
Date: Fri, 13 Mar 2020 14:49:16 +0530
Subject: [PATCH 2/7] Changed sourcetype of RT_IDS events of Juniper to juniper:junos:firewall

---
 package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl | 2 +-
 .../etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl | 2 +-
 tests/test_juniper_junos_rfc3164.py | 2 +-
 tests/test_juniper_junos_rfc5124.py | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
index 05d7e5d..826e3c7 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
@@ -32,7 +32,7 @@ log {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
         parser {p_add_context_splunk(key("juniper_junos_fw")); };
     } elif (program('RT_IDS')) {
-        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))};
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
         parser {p_add_context_splunk(key("juniper_junos_ids")); };
     } elif (program('RT_UTM')) {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
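Review bot: The new expectation `assert resultCount == 1` is a bare magic number with no explanation of why exactly one row is now correct where zero was before, so a future failure gives no hint whether the search or the count drifted. A short comment on the assert would fix that, e.g. `# exactly one sc4s version event is expected per run; 0 meant it never arrived — confirm against the search above`. The enclosing `test_check_sc4s_version` starts outside the hunk, so the search that produces `resultCount` is not visible here.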
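Review bot: The new RT_IDS line emits `sourcetype("juniper:junos:firewall")` into `index("netfw")`, yet the test changes in this same commit (later in the series) search `index=netfw` with `sourcetype="juniper:junos:idp"`, so those tests cannot match what this routing produces. The context key on the following line also remains `juniper_junos_ids`, which suggests IDS-specific parsing is still applied to events now labelled as firewall data; a comment stating that this is intended would help, e.g. `# RT_IDS attack events are deliberately indexed alongside firewall traffic; consumers of juniper:junos:idp must be migrated`. The adjacent RT_UTM context line sends the firewall sourcetype to `index("netids")` while the structured template sends it to `netfw`, which looks like a pre-existing inconsistency worth settling in the same change. The enclosing `log { ... }` block starts outside the hunk.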
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index d5ae714..2c7e5d8 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -31,7 +31,7 @@ log {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
         parser {p_add_context_splunk(key("juniper_junos_fw_structured")); };
     } elif (program('RT_IDS')) {
-        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) };
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
         parser {p_add_context_splunk(key("juniper_junos_ids_structured")); };
     } elif (program('RT_UTM')) {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py
index b127814..429b8b1 100644
--- a/tests/test_juniper_junos_rfc3164.py
+++ b/tests/test_juniper_junos_rfc3164.py
@@ -61,7 +61,7 @@ def test_juniper_idp_standard(record_property, setup_wordlist, get_host_key, set
     sendsingle(message)
-    st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
+    st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
     search = st.render(host=host)
     resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py
index 2e0b4e1..3e15a70 100644
--- a/tests/test_juniper_junos_rfc5124.py
+++ b/tests/test_juniper_junos_rfc5124.py
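Review bot: The updated search changes only the index and leaves `sourcetype=\"juniper:junos:idp\"` in place, while the config hunk in this same commit now assigns `juniper:junos:firewall` to RT_IDS events, so this search should return no rows. If the routing change is intended, the line needs `sourcetype=\"juniper:junos:firewall\"` as well, and the test name `test_juniper_idp_standard` then becomes misleading. The next patch in the series reverts this line again, which leaves the test and the config contradicting each other. `test_juniper_idp_standard` starts outside the hunk.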
@@ -44,7 +44,7 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_
     sendsingle(message)
-    st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
+    st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
     search = st.render(host=host)
     resultCount, eventCount = splunk_single(setup_splunk, search)
From e4c53c084eeb93546c619b91de8b8ff03cbe05f8 Mon Sep 17 00:00:00 2001
From: Jay Shah
Date: Fri, 13 Mar 2020 15:17:22 +0530
Subject: [PATCH 3/7] reverted changes of test file

---
 tests/test_juniper_junos_rfc3164.py | 2 +-
 tests/test_juniper_junos_rfc5124.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py
index 429b8b1..b127814 100644
--- a/tests/test_juniper_junos_rfc3164.py
+++ b/tests/test_juniper_junos_rfc3164.py
@@ -61,7 +61,7 @@ def test_juniper_idp_standard(record_property, setup_wordlist, get_host_key, set
     sendsingle(message)
-    st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
+    st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
     search = st.render(host=host)
     resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py
index 3e15a70..2e0b4e1 100644
--- a/tests/test_juniper_junos_rfc5124.py
+++ b/tests/test_juniper_junos_rfc5124.py
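Review bot: Same mismatch as in the rfc3164 test: the search now uses `index=netfw` but still `sourcetype=\"juniper:junos:idp:structured\"`, whereas the structured log path in this commit now emits `juniper:junos:firewall:structured`, so `| head 2` will find nothing. Either the sourcetype in the search changes to match, or the routing change is dropped; the series later reverts this line, which leaves the question open rather than answering it. `test_juniper_junos_idp_structured` begins outside the hunk.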
@@ -44,7 +44,7 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_
     sendsingle(message)
-    st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
+    st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
     search = st.render(host=host)
     resultCount, eventCount = splunk_single(setup_splunk, search)
From be51dd1943c5eb1b305eefb383e5fbd127368b91 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 13 Mar 2020 09:53:10 -0400
Subject: [PATCH 4/7] Revert "Changed sourcetype of RT_IDS events of Juniper to juniper:junos:firewall"

---
 package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl | 2 +-
 .../etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
index f2a7120..c5a2786 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
@@ -32,7 +32,7 @@ log {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
         parser {p_add_context_splunk(key("juniper_junos_fw")); };
     } elif (program('RT_IDS')) {
-        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))};
         parser {p_add_context_splunk(key("juniper_junos_ids")); };
     } elif (program('RT_UTM')) {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index 7b743cb..e42756a 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -31,7 +31,7 @@ log {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
         parser {p_add_context_splunk(key("juniper_junos_fw_structured")); };
     } elif (program('RT_IDS')) {
-        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) };
         parser {p_add_context_splunk(key("juniper_junos_ids_structured")); };
     } elif (program('RT_UTM')) {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
From 317453b19dc1094737b3101370642096cf5481b0 Mon Sep 17 00:00:00 2001
From: Jay Shah
Date: Fri, 13 Mar 2020 19:38:34 +0530
Subject: [PATCH 5/7] Changed sourcetype of RT_IDS events of Juniper to juniper:junos:firewall

---
 package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl | 2 +-
 .../etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
index c5a2786..f2a7120 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
@@ -32,7 +32,7 @@ log {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
         parser {p_add_context_splunk(key("juniper_junos_fw")); };
     } elif (program('RT_IDS')) {
-        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))};
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
         parser {p_add_context_splunk(key("juniper_junos_ids")); };
     } elif (program('RT_UTM')) {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index e42756a..7b743cb 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -31,7 +31,7 @@ log {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
         parser {p_add_context_splunk(key("juniper_junos_fw_structured")); };
     } elif (program('RT_IDS')) {
-        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) };
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
         parser {p_add_context_splunk(key("juniper_junos_ids_structured")); };
     } elif (program('RT_UTM')) {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
From 35d66a9f90f459f49fb65e9362a50fde0be58eec Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Fri, 13 Mar 2020 13:26:10 -0700
Subject: [PATCH 6/7] Add `d_hec_debug` destination

* Add `d_hec_debug` destination to output "curl" commands that can be directly run to debug HEC/token issues

---
 .../etc/conf.d/destinations/splunk_hec_debug.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 package/etc/conf.d/destinations/splunk_hec_debug.conf
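Review bot: With this hunk the RT_IDS branch again routes to `juniper:junos:firewall` / `netfw`, but the test searches were restored in patch 3 to `index=netids sourcetype="juniper:junos:idp"`, so the series as a whole leaves the Juniper IDP tests contradicting the shipped config unless those tests send a program other than RT_IDS (not visible here). From a detection standpoint this is a silent breaking change: any saved search, correlation rule or index ACL keyed on the `juniper:junos:idp` sourcetype or the `netids` index stops seeing attack events, with no error anywhere. Record the decision next to the line, e.g. `# RT_IDS intentionally shares the firewall sourcetype/index; juniper:junos:idp is no longer produced`, and update or remove the tests in the same change. The enclosing `log { ... }` block starts outside the hunk.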
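Review bot: The structured RT_IDS branch keeps the parser key `juniper_junos_ids_structured` on the line after the new rewrite, so events that now carry the firewall sourcetype are still run through the IDS context; whether the `p_add_context_splunk` lookup tolerates that mismatch is not visible here and deserves either a comment or a matching key rename. This change also removes the only producer of `juniper:junos:idp:structured` visible in the series, while the `netids` index is still used by the non-structured RT_UTM branch in the sibling template; a short comment stating the intended sourcetype/index matrix for RT_FLOW, RT_IDS and RT_UTM in both templates would prevent the next drift. The enclosing `log` block starts outside the hunk.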
diff --git a/package/etc/conf.d/destinations/splunk_hec_debug.conf b/package/etc/conf.d/destinations/splunk_hec_debug.conf
new file mode 100644
index 0000000..e5e6714
--- /dev/null
+++ b/package/etc/conf.d/destinations/splunk_hec_debug.conf
@@ -0,0 +1,14 @@
+destination d_hec_debug {
+    file("/opt/syslog-ng/var/archive/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+        template("curl -k -u \"sc4s HEC debug:$(env SPLUNK_HEC_TOKEN)\" \"$(env SPLUNK_HEC_URL)\" -d '$(format-json
+            time=$S_UNIXTIME.$S_MSEC
+            host=${HOST}
+            source=${.splunk.source}
+            sourcetype=${.splunk.sourcetype}
+            index=${.splunk.index}
+            event=$MSG
+            fields.*)'\n")
+#        file("/var/log/messages_syslog"
+        create_dirs(yes)
+    );
+};
From fab5b46e8c93d8162590e3ee2d8f5f213f512667 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Fri, 13 Mar 2020 13:28:03 -0700
Subject: [PATCH 7/7] Update splunk_hec_debug.conf

---
 package/etc/conf.d/destinations/splunk_hec_debug.conf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/package/etc/conf.d/destinations/splunk_hec_debug.conf b/package/etc/conf.d/destinations/splunk_hec_debug.conf
index e5e6714..795757b 100644
--- a/package/etc/conf.d/destinations/splunk_hec_debug.conf
+++ b/package/etc/conf.d/destinations/splunk_hec_debug.conf
@@ -1,5 +1,5 @@
 destination d_hec_debug {
-    file("/opt/syslog-ng/var/archive/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+    file("/opt/syslog-ng/var/archive/debug/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
         template("curl -k -u \"sc4s HEC debug:$(env SPLUNK_HEC_TOKEN)\" \"$(env SPLUNK_HEC_URL)\" -d '$(format-json
             time=$S_UNIXTIME.$S_MSEC
             host=${HOST}
@@ -8,7 +8,6 @@ destination d_hec_debug {
             index=${.splunk.index}
             event=$MSG
             fields.*)'\n")
-#        file("/var/log/messages_syslog"
         create_dirs(yes)
     );
 };
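Review bot: The template writes the live credential to disk: `$(env SPLUNK_HEC_TOKEN)` is expanded into every line of `.../${HOST}/$YEAR-$MONTH-$DAY-message.log`, so anyone able to read or back up that tree obtains a token that can inject arbitrary events into Splunk, and the `curl -k` on the same line trains operators to skip HEC certificate verification. The generated command is also a shell-injection hazard: `$MSG` and `${HOST}` sit inside a single-quoted argument, and `format-json` escapes `"` and `\` for JSON but has no reason to escape `'`, so a message containing a single quote — chosen by whoever can send syslog to this host — breaks out of the quoting when the line is pasted into a shell. Safer to write only the payload, i.e. change the two outer template lines to `template("$(format-json` and `fields.*)\n")`, and document the replay in a comment above `file(`, e.g. `curl --cacert <ca> -H "Authorization: Splunk $SPLUNK_HEC_TOKEN" "$SPLUNK_HEC_URL" --data-binary @<file>`, so no secret touches disk and no sender-controlled text is ever shell-parsed. If the one-liner must stay, at least substitute a literal placeholder such as `REPLACE_WITH_HEC_TOKEN` for the token and state in the commit that the debug archive is sensitive.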
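Review bot: The new path still builds directory names from `${.splunk.sourcetype}` and `${HOST}`, and `${HOST}` comes from the received message unless something upstream overrides it, so a sender presenting a hostname containing `/` or `..` could steer the debug file outside `archive/debug/` unless syslog-ng's hostname validation (`check-hostname(yes)` in the global options, not visible in this series) is in effect; a comment naming the guard that applies would settle it. Nothing in the series attaches `d_hec_debug` to a log path or puts it behind a flag, and the context line `template("curl -k -u \"sc4s HEC debug:$(env SPLUNK_HEC_TOKEN)\"` still places the HEC token on every archived line, so a header such as `# DEBUG ONLY: output contains the HEC token in clear text; attach to a log path temporarily and delete the archive afterwards` belongs at the top of the destination. `destination d_hec_debug` spans both hunks of this file; the lines between them are outside this hunk.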