From d03095b439546de406882b0bb13322b0b1886881 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 20 Dec 2019 12:30:31 -0500
Subject: [PATCH 1/6] Update p_zz_fallback.conf.tmpl
resolve unexpected behaior with syslog-ng out of order processing of directives impactin g the hec format for json fallback due to archive support.
---
.../conf.d/log_paths/p_zz_fallback.conf.tmpl | 24 +++++++++----------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index cb9ed87..465e2ae 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
@@ -26,31 +26,29 @@ log {
 {{- end}}
 } else {
+ rewrite {
 r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") );
 set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
+ unset(value("RAWMSG"));
+ unset(value("PROGRAM"));
+ unset(value("LEGACY_MSGHDR"));
+ groupunset(values(".kv.*"));
 };
 parser {
 p_add_context_splunk(key("sc4s_fallback"));
 };
- {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
- destination(d_hec);
- {{- end}}
+ {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
+ destination(d_hec);
+ {{- end}}
 #in fallback archive only write rawmsg as msg
- rewrite {
- set("$RAWMSG" value("MSG"));
- unset(value("RAWMSG"));
- unset(value("PROGRAM"));
- unset(value("LEGACY_MSGHDR"));
- groupunset(values(".kv.*"));
- };
- {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
- destination(d_archive);
- {{- end}}
+ {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
+ destination(d_archive);
+ {{- end}}
 };
From 87df5d1a60fee8c2115d60f4497dcd0a1b755586 Mon Sep 17 00:00:00 2001
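Review bot: The two template guards added on the new side, `{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (...) }}` and `{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}`, use `or` as an infix operator, but Go's text/template (which gomplate renders) takes `or` as a prefix function, so with a parenthesised first operand the trailing `or (...)` is either silently ignored or rejected as an argument to a non-function depending on the Go version, and the second variable in each guard likely has no effect. The archive guard also tests the raw string rather than a boolean, so any non-empty value, including `SC4S_ARCHIVE_GLOBAL=no`, enables `d_archive`. Patch 3 in this series rewrites both guards in the working form, e.g. `{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}`, but patch 4 reverts that, so the final state of the series still carries the infix form. Separately, the `#in fallback archive only write rawmsg as msg` comment is kept while the rewrite it described is deleted: `d_archive` now receives the JSON-rendered MSG with RAWMSG, PROGRAM and LEGACY_MSGHDR already unset, which matters if the archive is relied on as a faithful copy of what was received, so the comment should state that instead. The enclosing `log { ... };` block starts outside the hunk.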
From: rfaircloth-splunk
Date: Fri, 20 Dec 2019 12:40:14 -0500
Subject: [PATCH 2/6] Update test_common.py
Update test case to ensure we fallback to json
---
tests/test_common.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_common.py b/tests/test_common.py
index 9855cc9..f17c304 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -22,7 +22,7 @@ def test_defaultroute(record_property, setup_wordlist, setup_splunk):
 sendsingle(message)
- st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" | head 2")
+ st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" PROGRAM=\"test\" | head 2")
 search = st.render(host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
From 2706617b8647e4a9535bc36ef3c3a97ed25b51a4 Mon Sep 17 00:00:00 2001
From: mbonsack
Date: Fri, 20 Dec 2019 11:43:12 -0800
Subject: [PATCH 3/6] Update p_zz_fallback.conf.tmpl
---
.../conf.d/log_paths/p_zz_fallback.conf.tmpl | 49 +++++++++----------
1 file changed, 22 insertions(+), 27 deletions(-)
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index 465e2ae..5b7f404 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
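Review bot: The new `PROGRAM=\"test\"` term in the search string depends on Splunk extracting `PROGRAM` as a field from the JSON event body: patch 1 in this series unsets the syslog-ng `PROGRAM` macro only after `t_JSON` has been rendered into MSG, so the value is presumably present only inside that JSON, and the assertion therefore also relies on the `sc4s:fallback` sourcetype having JSON field extraction configured (inferred; not visible here). A short comment above the changed line, e.g. `# PROGRAM is only available as a JSON field inside the rendered MSG; the sourcetype must extract it`, would keep a future extraction change from being mistaken for a routing regression. `test_defaultroute` starts outside the hunk.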
@@ -3,55 +3,50 @@ log {
 if {
 filter(f_is_rfc5424_strict);
- rewrite {
- r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"));
- set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
- };
- parser {
- p_add_context_splunk(key("sc4s_fallback"));
- };
- {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
+ parser { p_add_context_splunk(key("sc4s_fallback")); };
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
+ {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }}
 destination(d_hec);
 {{- end}}
- #in fallback archive only write rawmsg as msg
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}
+
+ #in fallback archive write rawmsg as msg
 rewrite {
+ set("$RAWMSG" value("MSG"));
 unset(value("RAWMSG"));
 groupunset(values(".kv.*"));
 };
-
- {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
 destination(d_archive);
 {{- end}}
 } else {
+ rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
+ parser { p_add_context_splunk(key("sc4s_fallback")); };
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); };
+
+ {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }}
+ destination(d_hec);
+ {{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}
+
+ #in fallback archive write rawmsg as msg
 rewrite {
- r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") );
- set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
+ set("$RAWMSG" value("MSG"));
 unset(value("RAWMSG"));
 unset(value("PROGRAM"));
 unset(value("LEGACY_MSGHDR"));
 groupunset(values(".kv.*"));
 };
- parser {
- p_add_context_splunk(key("sc4s_fallback"));
- };
-
- {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
- destination(d_hec);
- {{- end}}
-
+ destination(d_archive);
- #in fallback archive only write rawmsg as msg
+ {{- end}}
- {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
- destination(d_archive);
- {{- end}}
 };
-
- flags(flow-control,fallback);
 };
From 3a632955e19dbb21a26b1c73d7428344c23152c0 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 20 Dec 2019 15:22:39 -0500
Subject: [PATCH 4/6] Update p_zz_fallback.conf.tmpl
revert changes from mbsonsack
---
.../conf.d/log_paths/p_zz_fallback.conf.tmpl | 51 ++++++++++---------
1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index 5b7f404..1dd62cd 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
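Review bot: The tail of the hunk removes `flags(flow-control,fallback);` from the log statement without a replacement and the commit message does not explain it; as I understand syslog-ng, without the `fallback` flag this path stops being restricted to messages that matched no other log path, and without `flow-control` the destinations lose back-pressure towards the sources. Patch 4 in this series restores the line, but it does so by reverting the whole hunk, including the corrected prefix-form guards `{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}` and the `"no"` defaults introduced here, so keeping this hunk and only re-adding `flags(flow-control,fallback);` would have been the smaller change. The `#in fallback archive write rawmsg as msg` rewrite is now also gated by the archive guard, which is a real improvement over running it unconditionally. The enclosing `log { ... };` block starts outside the hunk.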
@@ -3,50 +3,55 @@ log {
 if {
 filter(f_is_rfc5424_strict);
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
- parser { p_add_context_splunk(key("sc4s_fallback")); };
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
- {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }}
+ rewrite {
+ r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"));
+ set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
+ };
+ parser {
+ p_add_context_splunk(key("sc4s_fallback"));
+ };
+ {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
 destination(d_hec);
 {{- end}}
-{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}
-
- #in fallback archive write rawmsg as msg
+ #in fallback archive only write rawmsg as msg
 rewrite {
- set("$RAWMSG" value("MSG"));
 unset(value("RAWMSG"));
 groupunset(values(".kv.*"));
 };
+
+ {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
 destination(d_archive);
 {{- end}}
 } else {
- rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
- parser { p_add_context_splunk(key("sc4s_fallback")); };
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); };
-
- {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }}
- destination(d_hec);
- {{- end}}
-
-{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}
-
- #in fallback archive write rawmsg as msg
 rewrite {
- set("$RAWMSG" value("MSG"));
+ r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") );
+ set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
 unset(value("RAWMSG"));
 unset(value("PROGRAM"));
 unset(value("LEGACY_MSGHDR"));
 groupunset(values(".kv.*"));
 };
- destination(d_archive);
+ parser {
+ p_add_context_splunk(key("sc4s_fallback"));
+ };
- {{- end}}
+ {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
+ destination(d_hec);
+ {{- end}}
+
+ #in fallback archive only write rawmsg as msg
+
+ {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
+ destination(d_archive);
+ {{- end}}
 };
+
+ flags(flow-control,fallback);
-};
+};
\ No newline at end of file
From bbc83e8b2e43bb579269514e825dbc54bbfdb6ba Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 20 Dec 2019 15:24:33 -0500
Subject: [PATCH 5/6] Update p_zz_fallback.conf.tmpl
---
package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index 1dd62cd..22fc97b 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
@@ -6,6 +6,7 @@ log {
 rewrite {
 r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"));
 set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
+ unset(value("RAWMSG"));
 };
 parser {
 p_add_context_splunk(key("sc4s_fallback"));
@@ -15,12 +16,6 @@ log {
 {{- end}}
- #in fallback archive only write rawmsg as msg
- rewrite {
- unset(value("RAWMSG"));
- groupunset(values(".kv.*"));
- };
-
 {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
 destination(d_archive);
 {{- end}}
From 76d5bec0e6e52f9660125831023a9e5e89acd64d Mon Sep 17 00:00:00 2001
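Review bot: The restored comment `#in fallback archive only write rawmsg as msg` in the `else` branch now sits between the HEC guard and the archive guard with no rewrite under it, and the block restored under the same comment in the rfc5424 branch only unsets RAWMSG and clears `.kv.*` rather than copying RAWMSG into MSG, so both comments describe behaviour that no longer exists. Because the `else` branch's first rewrite already unsets RAWMSG, PROGRAM and LEGACY_MSGHDR, `d_archive` receives the same JSON-rendered MSG that `d_hec` does; the comment should say that, e.g. `# archive receives the same JSON-rendered MSG as HEC; RAWMSG is no longer available at this point`. The revert also drops the `"no"` defaults and the `SC4S_DEST_FALLBACK_HEC` name that patch 3 had introduced, which may or may not be intended since the commit message only says "revert". The hunk additionally leaves the file without a trailing newline (`\ No newline at end of file`).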
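Review bot: The second hunk of patch 5 deletes the rfc5424-branch rewrite that ran `groupunset(values(".kv.*"))` before `destination(d_archive)`, but only its `unset(value("RAWMSG"))` is carried into the first hunk's rewrite, so strictly RFC 5424 messages now keep their `.kv.*` name-value pairs when they reach both destinations while the `else` branch still clears them. If that asymmetry is intended (for instance because the archive template does not emit `.kv.*`), a comment on the first hunk's rewrite should say so; otherwise add `groupunset(values(".kv.*"));` directly after the new `unset(value("RAWMSG"));`. The moved unset also now runs before `destination(d_hec)` instead of only before the archive, which changes what the HEC destination sees if its template references RAWMSG. The enclosing `log { ... };` block starts and ends outside both hunks.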
From: rfaircloth-splunk
Date: Fri, 20 Dec 2019 15:27:00 -0500
Subject: [PATCH 6/6] Update p_zz_fallback.conf.tmpl
---
package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index 22fc97b..220916a 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
@@ -5,7 +5,7 @@ log {
 filter(f_is_rfc5424_strict);
 rewrite {
 r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"));
- set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
+ set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG"));
 unset(value("RAWMSG"));
 };
 parser {
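Review bot: The rfc5424 branch now renders `t_JSON_5424`, a template that no hunk in this series defines (patch 3 introduced the same reference and patch 4 reverted it); if it is not declared elsewhere in the package, syslog-ng will refuse to load the configuration rather than fall back to `t_JSON`, so the definition should be confirmed before merging. The only test touched in the series (`test_common.py`, patch 2) exercises the non-5424 fallback path, so this branch change appears untested here; a strict RFC 5424 message case asserting on the `sc4s:fallback` sourcetype would cover it. The enclosing `log { ... };` block and the rest of the rfc5424 branch lie outside the hunk.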