-
Notifications
You must be signed in to change notification settings - Fork 111
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor: Convert inline null-queue to postfilter (#1410)
Finish refactor so that all "null_queue" tasks are managed in post filter
- Loading branch information
Ryan Faircloth
authored
Jan 30, 2022
1 parent
b154557
commit c9a156f
Showing
8 changed files
with
112 additions
and
99 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_01-partials.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| block parser app-postfilter-checkpoint_splunk_01-partials() { | ||
| channel { | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| vendor_product('null_queue') | ||
| ); | ||
| }; | ||
| }; | ||
| }; | ||
|
|
||
| application app-postfilter-checkpoint_splunk_01-partials[sc4s-postfilter] { | ||
| filter { | ||
| "fields.sc4s_vendor_product" eq "checkpoint_splunk" | ||
| and "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_INCOMPLETE_EVENTS`" eq "yes" | ||
| and "${.values.loguid}" ne "" | ||
| and "${.values.bytes}" eq "" | ||
| and ( "${.values.product}" eq "Application Control" or "${.values.product}" eq "Firewall" or "${.values.product}" eq "URL Filtering") | ||
| and ( "${.values.rule_action}" eq "Accept" or "${.values.rule_action}" eq "Inline") | ||
| ; | ||
| }; | ||
| parser { app-postfilter-checkpoint_splunk_01-partials(); }; | ||
| }; |
32 changes: 32 additions & 0 deletions
32
package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_02-group.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| block parser app-postfilter-checkpoint_splunk_02-group() { | ||
| channel { | ||
| parser { | ||
| grouping-by( | ||
| key("${.values.loguid}") | ||
| #This looks silly but we have no way of knowing if an event is complete so | ||
| #We must make an impossible condition and rely on time out | ||
| trigger("1" == "2") | ||
| aggregate( | ||
| value(".gb.complete" "1") | ||
| inherit-mode(last-message) | ||
| ) | ||
| timeout(`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL_SECONDS`) | ||
| ); | ||
| }; | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| vendor_product('null_queue') | ||
| condition("${.gb.complete}" ne "1") | ||
| ); | ||
| }; | ||
| }; | ||
| }; | ||
|
|
||
| application app-postfilter-checkpoint_splunk_02-group[sc4s-postfilter] { | ||
| filter { | ||
| "fields.sc4s_vendor_product" eq "checkpoint_splunk" | ||
| and "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL`" eq "yes" | ||
| and "${.values.loguid}" ne "" | ||
| }; | ||
| parser { app-postfilter-checkpoint_splunk_02-group(); }; | ||
| }; |
22 changes: 22 additions & 0 deletions
22
package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_01-partials.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| block parser app-postfilter-checkpoint_syslog_01-partials() { | ||
| channel { | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| vendor_product('null_queue') | ||
| ); | ||
| }; | ||
| }; | ||
| }; | ||
|
|
||
| application app-postfilter-checkpoint_syslog_01-partials[sc4s-postfilter] { | ||
| filter { | ||
| program('CheckPoint') | ||
| and "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_INCOMPLETE_EVENTS`" eq "yes" | ||
| and ("${[email protected]}" ne "" | ||
| and "${[email protected]}" eq "" | ||
| and ( "${[email protected]}" eq "Application Control" or "${[email protected]}" eq "Firewall" or "${[email protected]}" eq "URL Filtering") | ||
| and ( "${[email protected]_action}" eq "Accept" or "${[email protected]_action}" eq "Inline") | ||
| ); | ||
| }; | ||
| parser { app-postfilter-checkpoint_syslog_01-partials(); }; | ||
| }; |
33 changes: 33 additions & 0 deletions
33
package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_02-group.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| block parser app-postfilter-checkpoint_syslog_02-group() { | ||
| channel { | ||
|
|
||
| parser { | ||
| grouping-by( | ||
| key("${[email protected]}") | ||
| #This looks silly but we have no way of knowing if an event is complete so | ||
| #We must make an impossible condition and rely on time out | ||
| trigger("1" == "2") | ||
| aggregate( | ||
| value(".gb.complete" "1") | ||
| inherit-mode(last-message) | ||
| ) | ||
| timeout(`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL_SECONDS`) | ||
| ); | ||
| }; | ||
|
|
||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| vendor_product('null_queue') | ||
| condition("${.gb.complete}" ne "1") | ||
| ); | ||
| }; | ||
| }; | ||
| }; | ||
| application app-postfilter-checkpoint_syslog_02-group[sc4s-postfilter] { | ||
| filter { | ||
| program('CheckPoint') | ||
| and "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL`" eq "yes" | ||
| and "${[email protected]}" ne ""; | ||
| }; | ||
| parser { app-postfilter-checkpoint_syslog_02-group(); }; | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,41 +1,6 @@ | ||
| block parser app-syslog-checkpoint_syslog() { | ||
| channel { | ||
|
|
||
| if ( | ||
| "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_INCOMPLETE_EVENTS`" eq "yes" | ||
| and "${[email protected]}" ne "" | ||
| and "${[email protected]}" eq "" | ||
| and ( "${[email protected]}" eq "Application Control" or "${[email protected]}" eq "Firewall" or "${[email protected]}" eq "URL Filtering") | ||
| and ( "${[email protected]_action}" eq "Accept" or "${[email protected]_action}" eq "Inline") | ||
| ){ | ||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| vendor_product('null_queue') | ||
| ); | ||
| }; | ||
| } elif { | ||
| filter { | ||
| "`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL`" eq "yes" | ||
| and "${[email protected]}" ne "" | ||
| }; | ||
| parser { | ||
| grouping-by( | ||
| key("${[email protected]}") | ||
| #This looks silly but we have no way of knowing if an event is complete so | ||
| #We must make an impossible condition and rely on time out | ||
| trigger("1" == "2") | ||
| aggregate( | ||
| value(".gb.complete" "1") | ||
| inherit-mode(last-message) | ||
| ) | ||
| timeout(`SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL_SECONDS`) | ||
| ); | ||
| }; | ||
| } else { | ||
| rewrite { | ||
| set("1", value(".gb.complete")); | ||
| }; | ||
| }; | ||
| channel { | ||
|
|
||
| parser { | ||
| date-parser-nofilter(format("%s") template("${[email protected]}")); | ||
| }; | ||
|
|
@@ -335,15 +300,6 @@ block parser app-syslog-checkpoint_syslog() { | |
| ); | ||
| }; | ||
| }; | ||
|
|
||
|
|
||
| rewrite { | ||
| r_set_splunk_dest_update( | ||
| vendor_product('null_queue') | ||
| condition("${.gb.complete}" ne "1") | ||
| ); | ||
| }; | ||
|
|
||
| }; | ||
|
|
||
| }; | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 0 additions & 1 deletion
1
package/etc/context_templates/vendor_product_by_source.csv.example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters