From ed10930032e64944810e9da313d52b2f8b8e0bc1 Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Tue, 21 Apr 2020 12:09:47 -0700
Subject: [PATCH] Use `t_legacy_hdr_msg` for rogue lss messages

* Update sc4s template to `t_legacy_hdr_msg` for rogue lss messages
---
 package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
index b614728..ff95eea 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -86,7 +86,7 @@ log {
         };
         parser { p_add_context_splunk(key("zscaler_lss")); };
         parser (compliance_meta_by_source);
-        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
     };