From b154557eac0f75fc65b55ae022e67e2709c67325 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth Date: Sun, 30 Jan 2022 09:37:53 -0500 Subject: [PATCH] refactor: Adopt consistent structure for vars (#1409) Continue cleanup for v2, Refactor variables to use .tmp. for vars that do not need to be retained. Use .values. for values to be used after parser --- .../conflib/json/app-json-novell_netiq.conf | 6 +- .../conflib/json/app-json-zscaler_lss.conf | 24 +-- .../app-netsource-dell_rsa_secureid.conf | 15 +- .../app-netsource-sophos_webappliance.conf | 8 +- .../post-filter/app-postfilter-cisco_acs.conf | 24 +-- .../post-filter/app-postfilter-cisco_ise.conf | 19 +- .../raw/app-raw-checkpoint_splunk.conf | 192 +++++++++--------- .../conf.d/conflib/syslog/app-syslog-cef.conf | 38 ++-- .../conflib/syslog/app-syslog-cisco_acs.conf | 10 +- .../conflib/syslog/app-syslog-cisco_ise.conf | 8 +- .../app-syslog-dell_poweredge_idrac.conf | 12 +- .../syslog/app-syslog-fireeye-json.conf | 16 +- .../app-syslog-forcepoint_webprotect.conf | 6 +- .../syslog/app-syslog-fortigate_fortios.conf | 38 ++-- .../syslog/app-syslog-fortigate_fortiweb.conf | 32 +-- .../conflib/syslog/app-syslog-json.conf | 4 +- .../conflib/syslog/app-syslog-pan_panos.conf | 20 +- .../app-syslog-symantec_brightmail.conf | 8 +- .../syslog/app-syslog-zscaler_nss_proxy.conf | 14 +- 19 files changed, 245 insertions(+), 249 deletions(-) diff --git a/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf b/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf index c9eddb5e5c..36c3285f5d 100644 --- a/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf +++ b/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf @@ -5,7 +5,7 @@ block parser app-json-novell_netiq() { r_set_splunk_dest_default( vendor_product('novell_netiq'), index('netauth'), - source('novell:netiq:${.json.component}'), + source('novell:netiq:${.values.component}'), sourcetype('novell:netiq') ); }; 
@@ -14,14 +14,14 @@ block parser app-json-novell_netiq() { date-parser-nofilter(format( '%a, %d %b %Y %H:%M:%S %z', ) - template("${.json.timeStamp}") + template("${.values.timeStamp}") ); }; }; }; application app-json-novell_netiq[json] { filter{ - "${.json.appName}" eq "Novell Access Manager"; + "${.values.appName}" eq "Novell Access Manager"; }; parser { app-json-novell_netiq(); }; }; diff --git a/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf b/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf index 82f0788c68..7768b46060 100644 --- a/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf +++ b/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf @@ -3,9 +3,9 @@ block parser app-json-zscaler_lss() { if { filter { - match('.' value('.json.ClientZEN')) - and match('.' value('.json.AppGroup')) - and match('.' value('.json.Application')) + match('.' value('.values.ClientZEN')) + and match('.' value('.values.AppGroup')) + and match('.' value('.values.Application')) }; rewrite { r_set_splunk_dest_default( @@ -16,9 +16,9 @@ block parser app-json-zscaler_lss() { }; } elif { filter { - match('.' value('.json.Exporter')) - and match('.' value('.json.Customer')) - and match('.' value('.json.ConnectionID')) + match('.' value('.values.Exporter')) + and match('.' value('.values.Customer')) + and match('.' value('.values.ConnectionID')) }; rewrite { r_set_splunk_dest_default( @@ -29,9 +29,9 @@ block parser app-json-zscaler_lss() { }; } elif { filter { - match('.' value('.json.Connector')) - and match('.' value('.json.Customer')) - and match('.' value('.json.ConnectorGroup')) + match('.' value('.values.Connector')) + and match('.' value('.values.Customer')) + and match('.' value('.values.ConnectorGroup')) }; rewrite { r_set_splunk_dest_default( 
@@ -42,8 +42,8 @@ block parser app-json-zscaler_lss() { }; } elif { filter { - match('.' value('.json.SAMLAttributes')) - and match('.' value('.json.Customer')) + match('.' value('.values.SAMLAttributes')) + and match('.' value('.values.Customer')) }; rewrite { r_set_splunk_dest_default( @@ -58,7 +58,7 @@ block parser app-json-zscaler_lss() { date-parser( format('%a %b %d %H:%M:%S %Y', '%a %b %d %k:%M:%S %Y') - template("${.json.LogTimestamp}") + template("${.values.LogTimestamp}") flags(guess-timezone) ); }; diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf b/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf index 8d1b195abc..ceda68327d 100644 --- a/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf +++ b/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf @@ -18,21 +18,16 @@ block parser app-netsource-dell_rsa_secureid() { #we need to actual even time from the field GeneratedTime. Use csv-parser to extract it. csv-parser( columns("time","ms","host","type") - prefix(".rsa.") + prefix(".tmp.") delimiters(',') ); #2012/04/10 04:39:55 #parse the date date-parser-nofilter(format( '%Y-%m-%d %H:%M:%S,%f') - template("${LEGACY_MSGHDR} ${.rsa.time},${.rsa.ms}") + template("${LEGACY_MSGHDR} ${.tmp.time},${.tmp.ms}") ); }; - # rewrite { - # set("${.rsa.host}" value("HOST") - # condition( match('^.' value('.rsa.host') )) ); - # subst('\..*$' , '' , value('HOST')); - # }; rewrite { r_set_splunk_dest_update( sourcetype('rsa:securid:syslog') 
@@ -41,19 +36,19 @@ block parser app-netsource-dell_rsa_secureid() { rewrite { r_set_splunk_dest_update( sourcetype('rsa:securid:admin:syslog') - condition(match('audit\.admin' value('.rsa.type'))) + condition(match('audit\.admin' value('.tmp.type'))) ); }; rewrite { r_set_splunk_dest_update( sourcetype('rsa:securid:system:syslog') - condition(match('system\.com\.rsa|,\s+system\.erationsconsole' value('.rsa.type'))) + condition(match('system\.com\.rsa|,\s+system\.erationsconsole' value('.tmp.type'))) ); }; rewrite { r_set_splunk_dest_update( sourcetype('rsa:securid:runtime:syslog') - condition(match('audit\.runtime\.com\.rsa' value('.rsa.type'))) + condition(match('audit\.runtime\.com\.rsa' value('.tmp.type'))) ); }; } elif { diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf b/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf index ce2454bd5c..96283a4534 100644 --- a/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf +++ b/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf @@ -11,11 +11,13 @@ block parser app-netsource-sophos_webappliance() { subst(' [^=]+=(?:"-"|-)', '' flags(global)); }; parser { - kv-parser(prefix(".swa.") pair-separator(" ") ); - + kv-parser( + prefix(".values.") + pair-separator(" ") + ); }; parser { - date-parser-nofilter(format("%s") template("${.swa.t}")); + date-parser-nofilter(format("%s") template("${.values.t}")); }; }; }; diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf index 7abea79ed5..f5b7d23482 100644 --- a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf +++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf 
@@ -2,20 +2,20 @@ parser p_acs_event_time_multi { csv-parser( columns(DATE, TIME, TZ) - prefix(".cisco.") + prefix(".tmp.") delimiters(chars(" ")) - template('${.cisco.date_seg}') + template('${.tmp.date_seg}') ); date-parser-nofilter( #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm format('%Y-%m-%d %H:%M:%S.%f %z') - template("${.cisco.DATE} ${.cisco.TIME} ${.cisco.TZ}") + template("${.tmp.DATE} ${.tmp.TIME} ${.tmp.TZ}") ); }; template t_acs_message { - template("${PROGRAM} ${.cisco.serial} 1 0 ${.gb.message}"); + template("${PROGRAM} ${.values.serial} 1 0 ${.gb.message}"); }; block parser app-postfilter-cisco_acs() { @@ -24,16 +24,16 @@ block parser app-postfilter-cisco_acs() { parser{ grouping-by( scope(program) - key("${.cisco.serial}") - trigger("$(context-length)" >= "${.cisco.num}") - sort-key("${.cisco.seq}") + key("${.values.serial}") + trigger("$(context-length)" >= "${.values.num}") + sort-key("${.values.seq}") aggregate( value(".gb.complete" "1") - #value(".gb.message" "$(context-lookup ("1" eq "1" ) ${.cisco.message})") - value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.cisco.message})))") + #value(".gb.message" "$(context-lookup ("1" eq "1" ) ${.values.message})") + value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.values.message})))") value("PROGRAM" "${PROGRAM}@1") - value(".cisco.serial" "${.cisco.serial}@1") - value(".cisco.date_seg" "$(list-head $(context-values ${.cisco.message}))") + value(".values.serial" "${.values.serial}@1") + value(".tmp.date_seg" "$(list-head $(context-values ${.values.message}))") value(".splunk.sc4s_template", "t_acs_message") value("fields.sc4s_merge_count", "$(context-length)") inherit-mode(context) @@ -59,7 +59,7 @@ block parser app-postfilter-cisco_acs() { application app-postfilter-cisco_acs[sc4s-postfilter] { filter { program('CSCOacs' type(string) flags(prefix)) - and "${.cisco.num}" ne "1"; + and "${.values.num}" ne "1"; }; parser { app-postfilter-cisco_acs(); }; }; 
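Review bot: The aggregate here writes the date segment to `.tmp.date_seg` while the sibling app-postfilter-cisco_ise.conf in this same commit keeps it under `.gb.date_seg`, so the two otherwise parallel post-filters now name the same transient value in two namespaces. Since `.tmp.` is the convention this commit introduces for values that are consumed immediately, the ISE file should probably follow suit (`value(".tmp.date_seg" ...)` and `template('${.tmp.date_seg}')`), or both should stay on `.gb.`; either way a one-line comment on `.tmp.date_seg` saying it is consumed by `p_acs_event_time_multi` within this block would document why it is safe to treat as temporary. If something outside this diff clears `.tmp.*` between the aggregate and the date parser, the ACS variant would break and the ISE variant would not, which is another reason to keep them aligned.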
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf index 1db3db7964..2883d43521 100644 --- a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf +++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf @@ -2,7 +2,7 @@ parser p_ise_event_time_multi { csv-parser( columns(DATE, TIME, TZ) - prefix(".cisco.") + prefix(".tmp.") delimiters(chars(" ")) template('${.gb.date_seg}') ); @@ -10,12 +10,12 @@ parser p_ise_event_time_multi { date-parser-nofilter( #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm format('%Y-%m-%d %H:%M:%S.%f %z') - template("${.cisco.DATE} ${.cisco.TIME} ${.cisco.TZ}") + template("${.tmp.DATE} ${.tmp.TIME} ${.tmp.TZ}") ); }; template t_ise_message { - template("${PROGRAM} ${.cisco.serial} 1 0 ${.gb.message}"); + template("${PROGRAM} ${.values.serial} 1 0 ${.gb.message}"); }; block parser app-postfilter-cisco_ise() { @@ -24,16 +24,15 @@ block parser app-postfilter-cisco_ise() { parser{ grouping-by( scope(program) - key("${.cisco.serial}") - trigger("$(context-length)" >= "${.cisco.num}") - sort-key("${.cisco.seq}") + key("${.values.serial}") + trigger("$(context-length)" >= "${.values.num}") + sort-key("${.values.seq}") aggregate( value(".gb.complete" "1") - #value(".gb.message" "$(context-lookup ("1" eq "1" ) ${.cisco.message})") - value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.cisco.message})))") + value(".gb.message" "$(implode '' $(list-slice 0:-1 $(context-values ${.values.message})))") value("PROGRAM" "${PROGRAM}@1") - value(".cisco.serial" "${.cisco.serial}@1") - value(".gb.date_seg" "$(list-head $(context-values ${.cisco.message}))") + value(".values.serial" "${.values.serial}@1") + value(".gb.date_seg" "$(list-head $(context-values ${.values.message}))") value(".splunk.sc4s_template", "t_ise_message") value("fields.sc4s_merge_count", "$(context-length)") inherit-mode(context) 
diff --git a/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf b/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf index 63f2b6c2f8..521dd980a0 100644 --- a/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf +++ b/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf @@ -9,15 +9,15 @@ block parser app-raw-checkpoint_splunk() { ); }; parser { - kv-parser(prefix(".cp.") pair-separator("|") template(t_hdr_msg)); + kv-parser(prefix(".values.") pair-separator("|") template(t_hdr_msg)); }; if ( "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_INCOMPLETE_EVENTS`" eq "yes" - and "${.cp.loguid}" ne "" - and "${.cp.bytes}" eq "" - and ( "${.cp.product}" eq "Application Control" or "${.cp.product}" eq "Firewall" or "${.cp.product}" eq "URL Filtering") - and ( "${.cp.rule_action}" eq "Accept" or "${.cp.rule_action}" eq "Inline") + and "${.values.loguid}" ne "" + and "${.values.bytes}" eq "" + and ( "${.values.product}" eq "Application Control" or "${.values.product}" eq "Firewall" or "${.values.product}" eq "URL Filtering") + and ( "${.values.rule_action}" eq "Accept" or "${.values.rule_action}" eq "Inline") ){ rewrite { r_set_splunk_dest_update( @@ -28,11 +28,11 @@ block parser app-raw-checkpoint_splunk() { if { filter { "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL`" eq "yes" - and "${.cp.loguid}" ne "" + and "${.values.loguid}" ne "" }; parser { grouping-by( - key("${.cp.loguid}") + key("${.values.loguid}") #This looks silly but we have no way of knowing if an event is complete so #We must make an impossible condition and rely on time out trigger("1" == "2") 
@@ -50,12 +50,12 @@ block parser app-raw-checkpoint_splunk() { }; parser { - date-parser-nofilter(format("%s") template("${.cp.time}")); + date-parser-nofilter(format("%s") template("${.values.time}")); }; rewrite { - set("${.cp.hostname}", value("HOST")); - set("${.cp.hostname}", value("fields.cp_lm")); + set("${.values.hostname}", value("HOST")); + set("${.values.hostname}", value("fields.cp_lm")); set("checkpoint_splunk", value("fields.sc4s_syslog_format")); }; @@ -67,7 +67,7 @@ block parser app-raw-checkpoint_splunk() { parser { regexp-parser( patterns('^[Cc][Nn]\\?=(?[^,]+)') - template("${.cp.originsicname}") + template("${.values.originsicname}") ); }; } elif { @@ -75,7 +75,7 @@ block parser app-raw-checkpoint_splunk() { parser { regexp-parser( patterns('^[Cc][Nn]\\?=(?[^,]+)') - template("${.cp.origin_sic_name}") + template("${.values.origin_sic_name}") ); }; } elif { @@ -83,7 +83,7 @@ block parser app-raw-checkpoint_splunk() { parser { regexp-parser( patterns('(?\S+)') - template("${.cp.hostname}") + template("${.values.hostname}") ); }; }; @@ -93,7 +93,7 @@ block parser app-raw-checkpoint_splunk() { parser { regexp-parser( patterns('(?\S+)') - template("${.cp.hostname}") + template("${.values.hostname}") ); }; } elif { @@ -101,7 +101,7 @@ block parser app-raw-checkpoint_splunk() { parser { regexp-parser( patterns('^[Cc][Nn]\\?=(?[^,]+)') - template("${.cp.originsicname}") + template("${.values.originsicname}") ); }; } elif { @@ -109,7 +109,7 @@ block parser app-raw-checkpoint_splunk() { parser { regexp-parser( patterns('^[Cc][Nn]\\?=(?[^,]+)') - template("${.cp.origin_sic_name}") + template("${.values.origin_sic_name}") ); }; }; 
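Review bot: `set("${.values.hostname}", value("HOST"))` and the following `set(... value("fields.cp_lm"))` overwrite HOST and `cp_lm` with a value taken from the message body with no guard that it is non-empty, unlike the `condition("${.values.dvchost}" ne "")` pattern used for the same purpose in app-syslog-cef.conf in this same commit. A Check Point record without a `hostname` field will blank HOST and lose the transport-observed source rather than fall back to it; suggest `set("${.values.hostname}", value("HOST") condition("${.values.hostname}" ne ""));` and the same condition on the `cp_lm` line. It is also worth a comment that HOST is deliberately taken from content here, since anyone using HOST for attribution should know it is sender-supplied rather than connection-derived.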
@@ -126,16 +126,16 @@ block parser app-raw-checkpoint_splunk() { if { filter { - "${.cp.product}" eq "Syslog" + "${.values.product}" eq "Syslog" }; parser { syslog-parser( flags(assume-utf8, no-hostname) - template("${.cp.default_device_message}") + template("${.values.default_device_message}") ); }; parser { - date-parser-nofilter(format("%s") template("${.cp.time}")); + date-parser-nofilter(format("%s") template("${.values.time}")); }; rewrite { @@ -149,15 +149,15 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('Firewall' value('.cp.product')) - or match('Application\h+Control' value('.cp.product')) - or match('RAD' value('.cp.product')) - or match('HTTPS\h+Inspection' value('.cp.product')) - or match('Compliance\h+Blade' value('.cp.product')) - or match('^Compliance' value('.cp.product')) - or match('VPN-1\h+&\h+Fire[wW]all-1' value('.cp.product')) - or match('Network\h+Security' value('.cp.product')) - and not match('VPN' value('.cp.fw_subproduct')) + match('Firewall' value('.values.product')) + or match('Application\h+Control' value('.values.product')) + or match('RAD' value('.values.product')) + or match('HTTPS\h+Inspection' value('.values.product')) + or match('Compliance\h+Blade' value('.values.product')) + or match('^Compliance' value('.values.product')) + or match('VPN-1\h+&\h+Fire[wW]all-1' value('.values.product')) + or match('Network\h+Security' value('.values.product')) + and not match('VPN' value('.values.fw_subproduct')) }; rewrite { r_set_splunk_dest_update( @@ -168,7 +168,7 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('U[rR][lL]\h+Filtering' value('.cp.product')) + match('U[rR][lL]\h+Filtering' value('.values.product')) }; rewrite { r_set_splunk_dest_update( 
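Review bot: In the `@@ -149` filter `and` binds tighter than `or`, so `and not match('VPN' value('.values.fw_subproduct'))` only qualifies the final `Network\h+Security` alternative; a `Firewall` or `VPN-1 & FireWall-1` event whose `fw_subproduct` contains `VPN` still matches this branch and never reaches the VPN `elif` in the `@@ -230` hunk, which tests `^VPN` on `fw_subproduct`. The `Application` / `Application Control` case in the `@@ -260` hunk parenthesises its exclusion, which suggests the exclusion was meant to apply to the whole chain here as well: wrap the `or` alternatives in parentheses and place `and not match('VPN' value('.values.fw_subproduct'))` outside them. If routing VPN-subproduct firewall events to the firewall sourcetype is intentional, a comment saying so would prevent the next reader from reversing it.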
@@ -179,31 +179,31 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('Scheduled\h+system\h+update' value('.cp.product')) - or match('WEB_API' value('.cp.product')) - or match('SmartDefense' value('.cp.product')) - or match('Smart\h+Defense' value('.cp.product')) - or match('W[eE][bB]-UI' value('.cp.product')) - or match('SmartDashboard' value('.cp.product')) - or match('System\h+Monitor' value('.cp.product')) - or match('Log\h+Update' value('.cp.product')) - or match('license-mgmt' value('.cp.product')) - or match('smart_event' value('.cp.product')) - or match('SmartConsole' value('.cp.product')) - or match('SmartEvent\h+Client' value('.cp.product')) - or match('SmartUpdate' value('.cp.product')) - or match('SmartView' value('.cp.product')) - or match('Security\h+Gateway\/Management' value('.cp.product')) - or match('Smart\h+Defense' value('.cp.product')) - or match('WEB_API_INTERNAL' value('.cp.product')) - or match('Eventia\h+Analyzer\h+Client' value('.cp.product')) - or match('SmartProvisioning\h+Connector' value('.cp.product')) - or match('SmartLSM\h+Endpoint\h+Security\h+Console' value('.cp.product')) - or match('SmartLSM' value('.cp.product')) - or match('ROBO\h+GUI' value('.cp.product')) - or match('Management\h+Blade' value('.cp.product')) - or match('Connectra' value('.cp.product')) - or match('Check\h+Point\h+Security\h+Management\h+Server' value('.cp.product')) + match('Scheduled\h+system\h+update' value('.values.product')) + or match('WEB_API' value('.values.product')) + or match('SmartDefense' value('.values.product')) + or match('Smart\h+Defense' value('.values.product')) + or match('W[eE][bB]-UI' value('.values.product')) + or match('SmartDashboard' value('.values.product')) + or match('System\h+Monitor' value('.values.product')) + or match('Log\h+Update' value('.values.product')) + or match('license-mgmt' value('.values.product')) + or match('smart_event' value('.values.product')) + or match('SmartConsole' 
value('.values.product')) + or match('SmartEvent\h+Client' value('.values.product')) + or match('SmartUpdate' value('.values.product')) + or match('SmartView' value('.values.product')) + or match('Security\h+Gateway\/Management' value('.values.product')) + or match('Smart\h+Defense' value('.values.product')) + or match('WEB_API_INTERNAL' value('.values.product')) + or match('Eventia\h+Analyzer\h+Client' value('.values.product')) + or match('SmartProvisioning\h+Connector' value('.values.product')) + or match('SmartLSM\h+Endpoint\h+Security\h+Console' value('.values.product')) + or match('SmartLSM' value('.values.product')) + or match('ROBO\h+GUI' value('.values.product')) + or match('Management\h+Blade' value('.values.product')) + or match('Connectra' value('.values.product')) + or match('Check\h+Point\h+Security\h+Management\h+Server' value('.values.product')) }; rewrite { r_set_splunk_dest_update( @@ -214,12 +214,12 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('Endpoint\h+Management' value('.cp.product')) - or match('Core' value('.cp.product')) - or match('Endpoint\h+Compliance' value('.cp.product')) - or match('MEPP' value('.cp.product')) - or match('Media\h+Encryption\h+&\h+Port\h+Protection' value('.cp.product')) - or match('Endpoint\h+Security\h+Console' value('.cp.product')) + match('Endpoint\h+Management' value('.values.product')) + or match('Core' value('.values.product')) + or match('Endpoint\h+Compliance' value('.values.product')) + or match('MEPP' value('.values.product')) + or match('Media\h+Encryption\h+&\h+Port\h+Protection' value('.values.product')) + or match('Endpoint\h+Security\h+Console' value('.values.product')) }; rewrite { r_set_splunk_dest_update( 
@@ -230,11 +230,11 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('^VPN$' value('.cp.product')) - or match('^Mobile$' value('.cp.product')) - or match('Mobile\h+App' value('.cp.product')) - or match('^VPN' value('.cp.fw_subproduct')) - or match('^VPN-1' value('.cp.fw_subproduct')) + match('^VPN$' value('.values.product')) + or match('^Mobile$' value('.values.product')) + or match('Mobile\h+App' value('.values.product')) + or match('^VPN' value('.values.fw_subproduct')) + or match('^VPN-1' value('.values.fw_subproduct')) }; rewrite { r_set_splunk_dest_update( @@ -245,11 +245,11 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('IOS\h+Profile' value('.cp.product')) - or match('iOS\h+Profiles' value('.cp.product')) - or match('Device' value('.cp.product')) - or match('WIFI\h+Network' value('.cp.product')) - or match('Mobile\h+Access' value('.cp.product')) + match('IOS\h+Profile' value('.values.product')) + or match('iOS\h+Profiles' value('.values.product')) + or match('Device' value('.values.product')) + or match('WIFI\h+Network' value('.values.product')) + or match('Mobile\h+Access' value('.values.product')) }; rewrite { r_set_splunk_dest_update( 
@@ -260,24 +260,24 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('Threat\h+Emulation' value('.cp.product')) - or match('Anti-Virus' value('.cp.product')) - or match('New\h+Anti\h+Virus' value('.cp.product')) - or match('Anti-Bot' value('.cp.product')) - or match('Threat\h+Extraction' value('.cp.product')) - or match('Anti-Ransomware' value('.cp.product')) - or match('Anti-Exploit' value('.cp.product')) - or match('Forensics' value('.cp.product')) - or match('OS\h+Exploit' value('.cp.product')) - or match('OS\h+Exploits' value('.cp.product')) - or (match('Application' value('.cp.product')) and not match('Application Control' value('.cp.product'))) - or match('Text\h+Message' value('.cp.product')) - or match('Network\h+Access' value('.cp.product')) - or match('Zero\h+Phishing' value('.cp.product')) - or match('Anti-Malware' value('.cp.product')) - or match('Anti\h+Malware' value('.cp.product')) - or match('Anti\h+Malware\h+New\h+Anti\h+Virus' value('.cp.product')) - or match('New\h+Anti\h+Virus\h+Anti\h+Malware' value('.cp.product')) + match('Threat\h+Emulation' value('.values.product')) + or match('Anti-Virus' value('.values.product')) + or match('New\h+Anti\h+Virus' value('.values.product')) + or match('Anti-Bot' value('.values.product')) + or match('Threat\h+Extraction' value('.values.product')) + or match('Anti-Ransomware' value('.values.product')) + or match('Anti-Exploit' value('.values.product')) + or match('Forensics' value('.values.product')) + or match('OS\h+Exploit' value('.values.product')) + or match('OS\h+Exploits' value('.values.product')) + or (match('Application' value('.values.product')) and not match('Application Control' value('.values.product'))) + or match('Text\h+Message' value('.values.product')) + or match('Network\h+Access' value('.values.product')) + or match('Zero\h+Phishing' value('.values.product')) + or match('Anti-Malware' value('.values.product')) + or match('Anti\h+Malware' value('.values.product')) + or 
match('Anti\h+Malware\h+New\h+Anti\h+Virus' value('.values.product')) + or match('New\h+Anti\h+Virus\h+Anti\h+Malware' value('.values.product')) }; rewrite { r_set_splunk_dest_update( @@ -288,9 +288,9 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('IPS' value('.cp.product')) - or match('W[iI][fF][iI]' value('.cp.product')) - or match('Cellular' value('.cp.product')) + match('IPS' value('.values.product')) + or match('W[iI][fF][iI]' value('.values.product')) + or match('Cellular' value('.values.product')) }; rewrite { r_set_splunk_dest_update( @@ -301,9 +301,9 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('MTA' value('.cp.product')) - or match('Anti-Spam' value('.cp.product')) - or match('Anti\h+Spam' value('.cp.product')) + match('MTA' value('.values.product')) + or match('Anti-Spam' value('.values.product')) + or match('Anti\h+Spam' value('.values.product')) }; rewrite { r_set_splunk_dest_update( @@ -314,7 +314,7 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('DLP' value('.cp.product')) + match('DLP' value('.values.product')) }; rewrite { r_set_splunk_dest_update( @@ -325,7 +325,7 @@ block parser app-raw-checkpoint_splunk() { }; } elif { filter { - match('Syslog' value('.cp.product')) + match('Syslog' value('.values.product')) }; rewrite { r_set_splunk_dest_update( diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf index 766d9b3f03..f5ddb9f948 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf @@ -17,7 +17,7 @@ parser p_cef_ts_rt { '%b %d %Y %T UTC', '%b %d %Y %T %Z', ) - template("${.cef.rt}") + template("${.values.rt}") ); }; parser p_cef_ts_end { @@ -31,7 +31,7 @@ parser p_cef_ts_end { '%b %d %Y %T UTC', '%b %d %Y %T %Z', ) - template("${.cef.end}") + template("${.values.end}") ); }; 
@@ -53,7 +53,7 @@ block parser app-syslog-cef() { }; if (program('CEF:0', type('string') flags(prefix))) { rewrite{ - set('${.cef.message}' value('MESSAGE')); + set('${.values.message}' value('MESSAGE')); unset(value('PROGRAM')); }; }; @@ -73,24 +73,24 @@ block parser app-syslog-cef() { csv-parser( delimiters(chars('') strings('|')) columns('cef_version', 'cef_device_vendor', 'cef_device_product', 'cef_device_version', 'cef_device_event_class', 'cef_name', 'cef_severity', 'message') - prefix('.cef.') + prefix('.values.') flags(greedy, drop-invalid)); kv-parser( - prefix(".cef.") + prefix(".values.") ); }; rewrite { - set("${.cef.cef_version}", value("fields.cef_version")); - set("${.cef.cef_device_vendor}", value("fields.cef_device_vendor")); - set("${.cef.cef_device_product}", value("fields.cef_device_product")); - set("${.cef.cef_device_version}", value("fields.cef_device_version")); - set("${.cef.cef_device_event_class}", value("fields.cef_device_event_class")); - set("${.cef.cef_name}", value("fields.cef_name")); - set("${.cef.cef_severity}", value("fields.cef_severity")); + set("${.values.cef_version}", value("fields.cef_version")); + set("${.values.cef_device_vendor}", value("fields.cef_device_vendor")); + set("${.values.cef_device_product}", value("fields.cef_device_product")); + set("${.values.cef_device_version}", value("fields.cef_device_version")); + set("${.values.cef_device_event_class}", value("fields.cef_device_event_class")); + set("${.values.cef_name}", value("fields.cef_name")); + set("${.values.cef_severity}", value("fields.cef_severity")); r_set_splunk_dest_update( - vendor_product('${.cef.cef_device_vendor}_${.cef.cef_device_product}') - meta_key('${.cef.cef_device_vendor}_${.cef.cef_device_product}_${.cef.cef_device_event_class}') + vendor_product('${.values.cef_device_vendor}_${.values.cef_device_product}') + meta_key('${.values.cef_device_vendor}_${.values.cef_device_product}_${.values.cef_device_event_class}') ); }; 
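Review bot: In the `@@ -73` hunk the csv-parser and the kv-parser now both write into `.values.`, and the kv-parser runs second; it has no `template()`, which I read as parsing the whole MESSAGE, so a sender-controlled extension pair such as `cef_device_vendor=...` would overwrite the header-derived `.values.cef_device_vendor` before the rewrite copies it into `fields.*` and into `vendor_product()` / `meta_key()`, letting the sender steer index and sourcetype routing. This was already true under the old `.cef.` prefix, so it is pre-existing rather than introduced here, but consolidating the namespaces is the right moment to close it. The smallest guard is ordering: run `kv-parser(prefix(".values."))` first and the `csv-parser(... prefix('.values.') flags(greedy, drop-invalid))` second so the header columns are written last; alternatively keep the header columns under a prefix the extension block cannot reach, such as `.tmp.`, and reference that in the rewrite. A comment on the parser block stating which of the two sources wins on a key collision would make the intent checkable.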
@@ -102,16 +102,16 @@ block parser app-syslog-cef() { # Non-standard strptime formats also choke the syslog-ng date parser, which outputs wildy random timestamps # Simply filter and ignore filter{ - match('^\d{12}', value('.cef.start')) or match('^\d{12}', value('.cef.end')) or match('^\d{12}', value('.cef.rt')); + match('^\d{12}', value('.values.start')) or match('^\d{12}', value('.values.end')) or match('^\d{12}', value('.values.rt')); }; } elif { filter{ - match('^.', value('.cef.rt')) + match('^.', value('.values.rt')) }; parser (p_cef_ts_rt); } elif { filter{ - match('^.', value('.cef.end')) + match('^.', value('.values.end')) }; parser (p_cef_ts_end); } else { }; @@ -119,9 +119,9 @@ block parser app-syslog-cef() { #Do nothing this is allows for both rt and end to be missing and still pass with the message ts rewrite { set( - "${.cef.dvchost}", + "${.values.dvchost}", value("HOST") - condition("${.cef.dvchost}" ne "") + condition("${.values.dvchost}" ne "") ); }; # CEF TAs use the source as their bounds in props.conf diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf index 377f42705f..419bbcfbbb 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf @@ -3,15 +3,15 @@ parser p_acs_event_time { csv-parser( columns(DATE, TIME, TZ) - prefix(".cisco.") + prefix(".tmp.") delimiters(chars(" ")) - template('${.cisco.message}') + template('${.values.message}') ); date-parser-nofilter( #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm format('%Y-%m-%d %H:%M:%S.%f %z') - template("${.cisco.DATE} ${.cisco.TIME} ${.cisco.TZ}") + template("${.tmp.DATE} ${.tmp.TIME} ${.tmp.TZ}") ); }; 
@@ -21,14 +21,14 @@ block parser app-syslog-cisco_acs() { parser { csv-parser( columns(serial, num, seq, message) - prefix(".cisco.") + prefix(".values.") delimiters(chars(" ")) flags(greedy) ); }; if { - filter {"${.cisco.seq}" eq "0"}; + filter {"${.values.seq}" eq "0"}; parser(p_acs_event_time); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf index 72390d8969..dc7cbb3fd5 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf @@ -3,7 +3,7 @@ parser ise_event_time { csv-parser( columns(DATE, TIME, TZ) - prefix(".raw.") + prefix(".tmp.") delimiters(chars(" ")) template('${.cisco.message}') ); @@ -11,7 +11,7 @@ parser ise_event_time { date-parser-nofilter( #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm format('%Y-%m-%d %H:%M:%S.%f %z') - template("${.raw.DATE} ${.raw.TIME} ${.raw.TZ}") + template("${.tmp.DATE} ${.tmp.TIME} ${.tmp.TZ}") ); }; @@ -21,14 +21,14 @@ block parser app-syslog-cisco_ise() { parser { csv-parser( columns(serial, num, seq, message) - prefix(".cisco.") + prefix(".values.") delimiters(chars(" ")) flags(greedy) ); }; if { - filter {"${.cisco.seq}" eq "0"}; + filter {"${.values.seq}" eq "0"}; parser(ise_event_time); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf b/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf index 6db120c17a..440b49dfe8 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf 
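Review bot: In app-syslog-cisco_ise.conf the `ise_event_time` csv-parser still reads `template('${.cisco.message}')` (an unchanged context line in the `@@ -3,7` hunk), but the message csv-parser in the `@@ -21,14` hunk below now emits its `serial, num, seq, message` columns under `prefix(".values.")`, so nothing in this file appears to populate `.cisco.message` any more and the date parser for `seq eq "0"` events will run on an empty string. The sibling app-syslog-cisco_acs.conf in this same commit was updated to `template('${.values.message}')`; this file needs the same one-line change: `template('${.values.message}')`. If `.cisco.message` is still set somewhere outside this diff that would change the picture, but I do not see it, and the `-nofilter` date parser means the regression would be silent (events keep their receive time) rather than visible.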
@@ -4,18 +4,18 @@ block parser app-syslog-dell_poweredge_idrac() { parser { kv-parser( value-separator(":") - prefix(".idrac.") + prefix(".values.") template("${PROGRAM}: ${MESSAGE}") ); }; filter { - "${.idrac.Severity}" ne "" - and "${.idrac.Category}" ne "" - and "${.idrac.MessageID}" ne "" - and "${.idrac.Message}" ne "" - and match('[A-Z]{1,3}\d{1,4}' , value(".idrac.MessageID")) + "${.values.Severity}" ne "" + and "${.values.Category}" ne "" + and "${.values.MessageID}" ne "" + and "${.values.Message}" ne "" + and match('[A-Z]{1,3}\d{1,4}' , value(".values.MessageID")) }; rewrite { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf b/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf index d187954e0c..fe4f9af7f9 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf @@ -12,7 +12,7 @@ block parser app-syslog-fireeye-json() { }; parser { json-parser( - prefix('.json.') + prefix('.values.') ); }; rewrite { 
@@ -22,20 +22,20 @@ block parser app-syslog-fireeye-json() { vendor_product("fireeye_json") dest_key("FIREEYE") ); - set("hx_json", value(".splunk.sourcetype") condition( "${.json.product}" eq "HX" )); - set("${.json.alert.host.hostname}", value("HOST") condition( "${.json.alert.host.hostname}" ne "")); + set("hx_json", value(".splunk.sourcetype") condition( "${.values.product}" eq "HX" )); + set("${.values.alert.host.hostname}", value("HOST") condition( "${.values.alert.host.hostname}" ne "")); }; if { - filter { "${.json.alert.event_values.processEvent/timestamp}" ne "" }; + filter { "${.values.alert.event_values.processEvent/timestamp}" ne "" }; parser { date-parser-nofilter(format('%Y-%m-%dT%H:%M:%S.%f%z') - template("${.json.alert.event_values.processEvent/timestamp}")); + template("${.values.alert.event_values.processEvent/timestamp}")); }; } elif { - filter { "${.json.alert.event_at}" ne "" }; + filter { "${.values.alert.event_at}" ne "" }; parser { - date-parser-nofilter(format('${.json.alert.event_at}') - template("${.json.alert.event_values.processEvent/timestamp}")); + date-parser-nofilter(format('${.values.alert.event_at}') + template("${.values.alert.event_values.processEvent/timestamp}")); }; } else {}; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf b/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf index 201d60f538..cc73943e11 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf @@ -9,13 +9,13 @@ block parser app-syslog-forcepoint_webprotect() { subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global")); }; parser { - kv-parser(prefix(".fp.") pair-separator(" ") ); + kv-parser(prefix(".values.") pair-separator(" ") ); }; if { filter { - "${.fp.product}" eq "Security" + "${.values.product}" eq "Security" }; rewrite { 
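Review bot: The `elif` branch's date parser has its arguments the wrong way round: `format('${.values.alert.event_at}')` hands a message field to an option that expects a strptime pattern, and `template("${.values.alert.event_values.processEvent/timestamp}")` points at the field the preceding `if` branch has just established is empty on this path, so the branch can never parse a timestamp and, being `-nofilter`, silently leaves the receive time in place. Presumably the intent is `template("${.values.alert.event_at}")` with a literal format matching that field's layout; if `event_at` uses the same ISO-8601 form as `processEvent/timestamp` that would be `date-parser-nofilter(format('%Y-%m-%dT%H:%M:%S.%f%z') template("${.values.alert.event_at}"));`, but the format should be confirmed against a sample `event_at` before changing it. The rename in this commit preserved the swap, so it is pre-existing rather than introduced here.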
@@ -28,7 +28,7 @@ block parser app-syslog-forcepoint_webprotect() {
  };
  } elif {
  filter {
- "${.fp.product}" eq "Email Security"
+ "${.values.product}" eq "Email Security"
  };
  rewrite {
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf
index 9abe44b5ad..6a0c2b0d53 100644
--- a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf
@@ -2,16 +2,16 @@ block parser app-syslog-fortigate_fortios() {
  channel {
  parser {
- kv-parser(prefix(".kv.") template("$(template t_hdr_msg)"));
+ kv-parser(prefix(".values.") template("$(template t_hdr_msg)"));
  };
  filter {
- "${.kv.date}" ne ""
- and "${.kv.time}" ne ""
- and "${.kv.devid}" ne ""
+ "${.values.date}" ne ""
+ and "${.values.time}" ne ""
+ and "${.values.devid}" ne ""
  and (
- "${.kv.type}" ne "traffic"
- or "${.kv.type}" ne "event"
- or "${.kv.type}" ne "utm"
+ "${.values.type}" ne "traffic"
+ or "${.values.type}" ne "event"
+ or "${.values.type}" ne "utm"
  )
  };
@@ -22,7 +22,7 @@ block parser app-syslog-fortigate_fortios() {
  vendor_product("fortinet_fortios")
  dest_key("FORTINET")
  );
- set("${.kv.devname}", value("HOST"));
+ set("${.values.devname}", value("HOST"));
  set("$(template t_hdr_msg)" value("MESSAGE"));
  unset(value("PROGRAM"));
  };
@@ -31,7 +31,7 @@ block parser app-syslog-fortigate_fortios() {
  parser {
  regexp-parser(
  prefix(".tmp.")
- template("${.kv.eventtime}")
+ template("${.values.eventtime}")
  patterns('^(?\d{10})(?\d{3,6})\d*?$')
  );
  };
@@ -45,7 +45,7 @@ block parser app-syslog-fortigate_fortios() {
  parser {
  regexp-parser(
  prefix(".tmp.")
- template("${.kv.eventtime}")
+ template("${.values.eventtime}")
  patterns('^(?\d{10})$')
  );
  };
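Review bot: The parenthesised `type` check in the fortios filter (hunk `@@ -2,16`) is always true: whatever `${.values.type}` holds, it can equal at most one of the three literals, so at least two of the `ne` comparisons joined by `or` succeed and the allowlist this reads as never rejects anything. If an allowlist was intended, a single anchored match is clearer, e.g. `match('^(traffic|event|utm|anomaly)$' value(".values.type"))`, with `anomaly` included because the rewrite at `@@ -56,36` in this file routes it to `netfw`; if accepting every type was intended, the three lines can simply go. The same tautology is present in app-syslog-fortigate_fortiweb.conf at `@@ -2,16` with `traffic`/`attack`/`event`. It predates this commit, and the block continues outside the hunk.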
@@ -56,36 +56,36 @@ block parser app-syslog-fortigate_fortios() {
  );
  };
  } elif {
- filter { match('.{5}' value (".kv.tz")) };
+ filter { match('.{5}' value (".values.tz")) };
  parser {
  date-parser-nofilter(
  format('%Y-%m-%d:%H:%M:%S%z')
- template("${.kv.date}:${.kv.time}${.kv.tz}")
+ template("${.values.date}:${.values.time}${.values.tz}")
  );
  };
  } else {
  parser {
  date-parser-nofilter(
  format('%Y-%m-%d:%H:%M:%S')
- template("${.kv.date}:${.kv.time}")
+ template("${.values.date}:${.values.time}")
  );
  };
  };
  rewrite {
  r_set_splunk_dest_update(
- meta_key('fortinet_fortios_${.kv.type}')
+ meta_key('fortinet_fortios_${.values.type}')
  index('netops')
- sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.kv.type}')
- condition(match("event" value(".kv.type")))
+ sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
+ condition(match("event" value(".values.type")))
  );
  };
  rewrite {
  r_set_splunk_dest_update(
- meta_key('fortinet_fortios_${.kv.type}')
+ meta_key('fortinet_fortios_${.values.type}')
  index('netfw')
- sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.kv.type}')
- condition(match("traffic|utm|anomaly" value(".kv.type")))
+ sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}')
+ condition(match("traffic|utm|anomaly" value(".values.type")))
  );
  };
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf
index 11584d4242..1a6c2af9cb 100644
--- a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf
@@ -2,16 +2,16 @@ block parser app-syslog-fortigate_fortiweb() {
  channel {
  parser {
- kv-parser(prefix(".kv.") template("$(template t_hdr_msg)"));
+ kv-parser(prefix(".values.") template("$(template t_hdr_msg)"));
  };
  filter {
- "${.kv.date}" ne ""
- and "${.kv.time}" ne ""
- and "${.kv.device_id}" ne ""
+ "${.values.date}" ne ""
+ and "${.values.time}" ne ""
+ and "${.values.device_id}" ne ""
  and (
- "${.kv.type}" ne "traffic"
- or "${.kv.type}" ne "attack"
- or "${.kv.type}" ne "event"
+ "${.values.type}" ne "traffic"
+ or "${.values.type}" ne "attack"
+ or "${.values.type}" ne "event"
  )
  };
@@ -23,28 +23,28 @@ block parser app-syslog-fortigate_fortiweb() {
  dest_key("FORTINET")
  );
- set("${.kv.devname}", value("HOST"));
- subst('.*([\+-]\d+:\d+).*', $1, value(".kv.timezone"));
- subst('([\+-])(\d)(?=:)(:\d+)', "${1}0${2}${3}", value(".kv.timezone"));
+ set("${.values.devname}", value("HOST"));
+ subst('.*([\+-]\d+:\d+).*', $1, value(".values.timezone"));
+ subst('([\+-])(\d)(?=:)(:\d+)', "${1}0${2}${3}", value(".values.timezone"));
  };
- if ("${.kv.eventtime}" ne "") {
+ if ("${.values.eventtime}" ne "") {
  parser {
  date-parser-nofilter(
  format('%s')
- template("${.kv.eventtime}")
+ template("${.values.eventtime}")
  );
  };
  } else {
  parser {
  date-parser-nofilter(
  format('%Y-%m-%d:%H:%M:%S%z')
- template("${.kv.date}:${.kv.time}${.kv.timezone}")
+ template("${.values.date}:${.values.time}${.values.timezone}")
  );
  };
  };
- if (match("traffic" value(".kv.type"))) {
+ if (match("traffic" value(".values.type"))) {
  rewrite {
  r_set_splunk_dest_update(
  meta_key('fortinet_fortiweb_traffic')
@@ -52,7 +52,7 @@ block parser app-syslog-fortigate_fortiweb() {
  sourcetype('fwb_traffic')
  );
  };
- } elif (match("attack" value(".kv.type"))) {
+ } elif (match("attack" value(".values.type"))) {
  rewrite {
  r_set_splunk_dest_update(
  meta_key('fortinet_fortiweb_attack')
@@ -60,7 +60,7 @@ block parser app-syslog-fortigate_fortiweb() {
  sourcetype('fwb_attack')
  );
  };
- } elif (match("event" value(".kv.type"))) {
+ } elif (match("event" value(".values.type"))) {
  rewrite {
  r_set_splunk_dest_update(
  meta_key('fortinet_fortiweb_event')
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-json.conf b/package/etc/conf.d/conflib/syslog/app-syslog-json.conf
index c65af369cb..209d11066a 100644
--- a/package/etc/conf.d/conflib/syslog/app-syslog-json.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-json.conf
@@ -11,7 +11,7 @@ block parser app-syslog-json() {
  };
  parser {
  json-parser(
- prefix('.json.')
+ prefix('.values.')
  );
  };
@@ -19,7 +19,7 @@ block parser app-syslog-json() {
  parser { app-parser(topic(json)); };
  };
  rewrite {
- groupunset(values('.json.*'));
+ groupunset(values('.values.*'));
  };
  };
  };
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf b/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf
index 82d491f01a..18b7d64168 100644
--- a/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf
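Review bot: In app-syslog-json.conf (hunk `@@ -19,7`) `groupunset(values('.values.*'))` runs right after `app-parser(topic(json))`, so every `.values.*` field a json topic parser populates is dropped before the message leaves this block, which sits oddly with the commit message reserving `.values.` for values to be used after the parser. If clearing is intended — the wrapper owning the namespace, with topic parsers expected to copy what they need into `.splunk.*` or the standard macros first — a comment on the rewrite such as `# .values.* is cleared here; topic parsers must copy anything needed downstream before returning` would stop the next parser author from relying on those fields; otherwise the unset should be narrowed. Whether anything downstream reads `.values.*` is inferred, since only this hunk is visible.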
@@ -15,7 +15,7 @@ block parser app-syslog-pan_panos() {
  parser {
  csv-parser(
  columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
- prefix(".pan.")
+ prefix(".values.")
  delimiters(',')
  quote-pairs('""')
  flags(escape-double-char)
@@ -32,7 +32,7 @@ block parser app-syslog-pan_panos() {
  parser {
  csv-parser(
  columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","bytes","bytes_out","bytes_in","packets","start_time","duration","http_category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
- prefix(".pan.")
+ prefix(".values.")
  delimiters(',')
  quote-pairs('""')
  flags(escape-double-char)
@@ -49,7 +49,7 @@ block parser app-syslog-pan_panos() {
  parser {
  csv-parser(
  columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","vsys","event_id","object","future_use3","future_use4","module","severity","description","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
- prefix(".pan.")
+ prefix(".values.")
  delimiters(',')
  quote-pairs('""')
  flags(escape-double-char)
@@ -66,7 +66,7 @@ block parser app-syslog-pan_panos() {
  parser {
  csv-parser(
  columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","host_name","vsys","command","admin","client","result","configuration_path","sequence_number","action_flags","before_change_detail","after_change_detail","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
- prefix(".pan.")
+ prefix(".values.")
  delimiters(',')
  quote-pairs('""')
  flags(escape-double-char)
@@ -83,7 +83,7 @@ block parser app-syslog-pan_panos() {
  parser {
  csv-parser(
  columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_user","vsys","host_name","os","src_ip","hip_name","hip_count","hip_type","future_use3","future_use4","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
- prefix(".pan.")
+ prefix(".values.")
  delimiters(',')
  quote-pairs('""')
  flags(escape-double-char)
@@ -100,7 +100,7 @@ block parser app-syslog-pan_panos() {
  parser {
  csv-parser(
  columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","src_user","vsys","category","severity","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","object","object_id","evidence")
- prefix(".pan.")
+ prefix(".values.")
  delimiters(',')
  quote-pairs('""')
  flags(escape-double-char)
@@ -116,7 +116,7 @@ block parser app-syslog-pan_panos() {
  parser {
  csv-parser(
  columns("future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","vsys","src_ip","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")
- prefix(".pan.")
+ prefix(".values.")
  delimiters(',')
  quote-pairs('""')
  flags(escape-double-char)
@@ -149,13 +149,13 @@ block parser app-syslog-pan_panos() {
  '%Y/%m/%d %H:%M:%S.%f',
  '%Y/%m/%d %H:%M:%S',
  '%Y-%m-%dT%H:%M:%S.%f%z',)
- template("${.pan.generated_time}")
+ template("${.values.generated_time}")
  );
  };
  rewrite {
- set("${.pan.dvc_name}" value("HOST")
- condition( match('^.' value('.pan.dvc_name') )) );
+ set("${.values.dvc_name}" value("HOST")
+ condition( match('^.' value('.values.dvc_name') )) );
  };
  };
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf
index c09a1e6fa7..d625e01358 100644
--- a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf
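Review bot: The emptiness test on the last changed line of hunk `@@ -149,13`, `condition( match('^.' value('.values.dvc_name') ))`, is an indirect way of saying "not empty" and differs from the `"${...}" ne ""` form the rest of this change uses (the idrac, fortios and fortiweb filters); `condition( "${.values.dvc_name}" ne "" )` reads directly and behaves the same for ordinary values. Style only; the block continues outside the hunk.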
@@ -18,21 +18,21 @@ block parser app-syslog-symantec_brightmail() {
  parser {
  csv-parser(
  columns(seq, id, field, data)
- prefix('.smg.')
+ prefix('.tmp.')
  delimiters(chars("|"))
  flags(greedy)
  );
  };
  rewrite {
- set("${.smg.field}|${.smg.data}", value(".smgdata.value"));
+ set("${.tmp.field}|${.tmp.data}", value(".smgdata.value"));
  };
  parser {
  grouping-by(
  scope(program)
- key("${.smg.id}")
+ key("${.tmp.id}")
  timeout(2)
  aggregate(
- value("MESSAGE" "${.smg.seq}|${.smg.id}|$(implode ';' $(context-values ${.smgdata.value}))")
+ value("MESSAGE" "${.tmp.seq}|${.tmp.id}|$(implode ';' $(context-values ${.smgdata.value}))")
  value(".splunk.sourcetype", "symantec:smg:mail")
  )
  );
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf b/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf
index b0e26143db..1fb460a0e0 100644
--- a/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf
@@ -12,15 +12,15 @@ block parser app-syslog-zscaler_nss_proxy() {
  parser {
  #basic parsing
  kv-parser(
- prefix(".kv.")
+ prefix(".values.")
  pair-separator("\t")
  );
  };
  filter {
- match("Zscaler" value(".kv.vendor"));
+ match("Zscaler" value(".values.vendor"));
  };
- if (match("dns" value(".kv.product"))) {
+ if (match("dns" value(".values.product"))) {
  rewrite {
  r_set_splunk_dest_update(
  index('netdns')
@@ -28,7 +28,7 @@ block parser app-syslog-zscaler_nss_proxy() {
  meta_key('zscaler_dns')
  );
  };
- } elif (match("fw" value(".kv.product"))) {
+ } elif (match("fw" value(".values.product"))) {
  rewrite {
  r_set_splunk_dest_update(
  index('netfw')
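Review bot: The rename to `.tmp.` in app-syslog-symantec_brightmail.conf skips `.smgdata.value`, which is written by the `set()` in the rewrite and read back through `context-values` in the `grouping-by` aggregate, so the file is left with a scratch field outside both the `.tmp.` and `.values.` conventions this commit introduces. Since it is only carried across the grouping context, a name under the scratch prefix such as `.tmp.smgdata` would fit the convention, provided both references in this hunk are changed together and the field is not referenced elsewhere in the file, which I cannot see from here. The block continues outside the hunk.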
@@ -36,14 +36,14 @@ block parser app-syslog-zscaler_nss_proxy() {
  meta_key('zscaler_fw')
  );
  };
- } elif (match("NSS" value(".kv.product"))) {
+ } elif (match("NSS" value(".values.product"))) {
  rewrite {
  r_set_splunk_dest_update(
  sourcetype('zscalernss-web')
  meta_key('zscaler_web')
  );
  };
- } elif (match("audit" value(".kv.product"))) {
+ } elif (match("audit" value(".values.product"))) {
  rewrite {
  r_set_splunk_dest_update(
  index('netops')
@@ -51,7 +51,7 @@ block parser app-syslog-zscaler_nss_proxy() {
  meta_key('zscaler_zia_audit')
  );
  };
- } elif (match("sandbox" value(".kv.product"))) {
+ } elif (match("sandbox" value(".values.product"))) {
  rewrite {
  r_set_splunk_dest_update(
  index('main')