diff --git a/docs/destinations.md b/docs/destinations.md index 057ce2f370..38e9e93fcd 100644 --- a/docs/destinations.md +++ b/docs/destinations.md @@ -40,7 +40,7 @@ SC4S_DEST_SPLUNK_HEC_OTHER_MODE=SELECT #filename: application sc4s-lp-cisco_ios_dest_fmt_other{{ source }}[sc4s-lp-dest-select-d_fmt_hec_OTHER] { filter { - match('CISCO_IOS' value('.dest_key')) + 'CISCO_IOS' eq "${fields.sc4s_vendor}_${fields.sc4s_product}" #Match any cisco event that is not like "%ACL-7-1234" and not message('^%[^\-]+-7-'); }; diff --git a/docs/sources/Dell_EMC/index.md b/docs/sources/Dell_EMC/index.md index fb85a7d227..1a87367d31 100644 --- a/docs/sources/Dell_EMC/index.md +++ b/docs/sources/Dell_EMC/index.md @@ -20,7 +20,7 @@ | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| dell_emc_powerswitch_n | all | netops | none | +| dellemc_powerswitch_n | all | netops | none | ### Filter type 
@@ -36,10 +36,10 @@ Message Format | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_DELL_DELL_EMC_POWERSWITCH_N_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_DELL_DELL_EMC_POWERSWITCH_N_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_DELL_DELL_EMC_POWERSWITCH_N | no | Enable archive to disk for this specific source | -| SC4S_DEST_DELL_DELL_EMC_POWERSWITCH_N_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_LISTEN_DELLEMC_POWERSWITCH_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_DELLEMC_POWERSWITCH_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_ARCHIVE_DELLEMC_POWERSWITCH | no | Enable archive to disk for this specific source | +| SC4S_DEST_DELLEMC_POWERSWITCH_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | ### Verification diff --git a/docs/sources/InfoBlox/index.md b/docs/sources/InfoBlox/index.md index b28506a602..cbf8701e4f 100644 --- a/docs/sources/InfoBlox/index.md +++ b/docs/sources/InfoBlox/index.md 
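Review bot: The new key row `dellemc_powerswitch_n` and the four new variables `SC4S_LISTEN_DELLEMC_POWERSWITCH_TCP_PORT` / `SC4S_LISTEN_DELLEMC_POWERSWITCH_UDP_PORT` / `SC4S_ARCHIVE_DELLEMC_POWERSWITCH` / `SC4S_DEST_DELLEMC_POWERSWITCH_HEC` disagree on the `_n` suffix, so a reader cannot tell which string the archive/HEC selection keys off. Elsewhere in this commit the selection filters compare `{{ source }}` against `${fields.sc4s_vendor}_${fields.sc4s_product}`, so the variable suffix and the key row should be the same identifier; either drop `_n` from the key row or add `_N` to the variables, whichever the parser actually sets. The parser for this source is not in the diff, so I cannot tell which spelling is the real one.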
@@ -23,11 +23,11 @@ Warning: Despite the TA indication this data source is CIM compliant the all ver | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| infoblox_dns | infoblox:dns | netdns | none | -| infoblox_dhcp | infoblox:dhcp | netipam | none | -| infoblox_threat | infoblox:threatprotect | netids | none | -| infoblox_audit | infoblox:audit | netops | none | -| infoblox_fallback | infoblox:port | netops | none | +| infoblox_nios_dns | infoblox:dns | netdns | none | +| infoblox_nios_dhcp | infoblox:dhcp | netipam | none | +| infoblox_nios_threat | infoblox:threatprotect | netids | none | +| infoblox_nios_audit | infoblox:audit | netops | none | +| infoblox_nios_fallback | infoblox:port | netops | none | ### Filter type 
@@ -43,10 +43,10 @@ Must be identified by host or ip assignment. Update the filter `f_infoblox` or c | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_INFOBLOX_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_INFOBLOX_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_INFOBLOX | no | Enable archive to disk for this specific source | -| SC4S_DEST_INFOBLOX_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_LISTEN_INFOBLOX_NIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_INFOBLOX_NIOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_ARCHIVE_INFOBLOX_NIOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_INFOBLOX_NIOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | ### Verification diff --git a/docs/sources/Ossec/index.md b/docs/sources/Ossec/index.md index d6e2d182fb..c0b9fd826a 100644 --- a/docs/sources/Ossec/index.md +++ b/docs/sources/Ossec/index.md @@ -17,7 +17,7 @@ | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| ossec | ossec | main | None | +| ossec_ossec | ossec | main | None | ### Filter type 
@@ -34,10 +34,10 @@ IP, Netmask or Host | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_OSSEC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_OSSEC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_OSSEC | no | Enable archive to disk for this specific source | -| SC4S_DEST_OSSEC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_LISTEN_OSSEC_OSSEC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_OSSEC_OSSEC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_ARCHIVE_OSSEC_OSSEC | no | Enable archive to disk for this specific source | +| SC4S_DEST_OSSEC_OSSEC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | ### Verification diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md index 778897af4d..93050ff141 100644 --- a/docs/sources/PaloaltoNetworks/index.md +++ b/docs/sources/PaloaltoNetworks/index.md 
@@ -25,14 +25,14 @@ | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| pan_log | pan:log | netops | none | -| pan_globalprotect | pan:pan_globalprotect | netfw | none | -| pan_traffic | pan:traffic | netfw | none | -| pan_threat | pan:threat | netproxy | none | -| pan_system | pan:system | netops | none | -| pan_config | pan:config | netops | none | -| hipmatch | pan:hipmatch | netops | none | -| pan_correlation | pan:correlation | netops | none | +| pan_panos_log | pan:log | netops | none | +| pan_panos_globalprotect | pan:pan_globalprotect | netfw | none | +| pan_tpanos_raffic | pan:traffic | netfw | none | +| pan_panos_threat | pan:threat | netproxy | none | +| pan_panos_system | pan:system | netops | none | +| pan_panos_config | pan:config | netops | none | +| pan_panos_hipmatch | pan:hipmatch | netops | none | +| pan_panos_correlation | pan:correlation | netops | none | ### Filter type 
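Review bot: The new traffic-row key `pan_tpanos_raffic` is a typo for `pan_panos_traffic`; a user who copies it into their metadata or environment gets a key that matches nothing. Every other row in the table follows `pan_panos_<type>`, so the fix is the one cell: `| pan_panos_traffic | pan:traffic | netfw | none |`. In the variables hunk that follows, `SC4S_LISTEN_PULSE_PAN_PANOS_RFC6587_PORT` keeps a `PULSE_` prefix that the other three `PAN_PANOS` variables do not have; that looks carried over from the old name rather than intended, but the listener template is not in the diff, so it is worth confirming before the doc is published.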
@@ -51,10 +51,10 @@ MSG Parse: This filter parses message content | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_PULSE_PALOALTO_PANOS_RFC6587_PORT | empty string | Enable a TCP using IETF Framing (RFC6587) port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_PALOALTO_PANOS | no | Enable archive to disk for this specific source | -| SC4S_DEST_PALOALTO_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_LISTEN_PULSE_PAN_PANOS_RFC6587_PORT | empty string | Enable a TCP using IETF Framing (RFC6587) port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_PAN_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_ARCHIVE_PAN_PANOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_PAN_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | ### Verification diff --git a/docs/sources/Tanium/index.md b/docs/sources/Tanium/index.md index 1e44174a42..a38210067e 100644 --- a/docs/sources/Tanium/index.md +++ b/docs/sources/Tanium/index.md @@ -21,7 +21,7 @@ The source is understood to require a valid certificate. | key | index | notes | |----------------|------------|----------------| -| tanium | epintel | none | +| tanium_syslog | epintel | none | ### Filter type 
@@ -32,8 +32,8 @@ timestamp: When present the field ``Client-Time-UTC`` will be used as the time s | Variable | default | description | |----------------|----------------|----------------| -| SC4S_ARCHIVE_TANIUM | no | Enable archive to disk for this specific source | -| SC4S_DEST_TANIUM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_ARCHIVE_TANIUM_SYSLOG | no | Enable archive to disk for this specific source | +| SC4S_DEST_TANIUM_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | SC4S_SOURCE_TLS_ENABLE | no | This must be set to yes so that SC4S listens for encrypted syslog from ePO ### Additional setup diff --git a/docs/sources/Tintri/index.md b/docs/sources/Tintri/index.md index bcb407e63b..5a14059de6 100644 --- a/docs/sources/Tintri/index.md +++ b/docs/sources/Tintri/index.md @@ -14,14 +14,14 @@ The source is understood to require a valid certificate. | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| -| TINTRI | none | +| tintri | none | ### Index Configuration | key | index | notes | |----------------|------------|----------------| -| TINTRI | infraops | none | +| tintri_syslog | infraops | none | ### Filter type @@ -31,8 +31,8 @@ MSG Parse: This filter parses message content generic linux logs will use the os | Variable | default | description | |----------------|----------------|----------------| -| SC4S_ARCHIVE_TINTRI | no | Enable archive to disk for this specific source | -| SC4S_DEST_TINTRI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_ARCHIVE_TINTRI_SYSLOG | no | Enable archive to disk for this specific source | +| SC4S_DEST_TINTRI_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | ### Additional setup 
diff --git a/docs/sources/VMWare/index.md b/docs/sources/VMWare/index.md index c96ecd49c7..c3882062e7 100644 --- a/docs/sources/VMWare/index.md +++ b/docs/sources/VMWare/index.md @@ -77,9 +77,9 @@ index= (sourcetype=cef source="carbonblack:protection:cef") | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| vmware_esx | vmware:vsphere:esx | main | none | -| vmware_nsx | vmware:vsphere:nsx | main | none | -| vmware_vcenter | vmware:vsphere:vcenter | main | none | +| vmware_vsphere_esx | vmware:vsphere:esx | main | none | +| vmware_vsphere_nsx | vmware:vsphere:nsx | main | none | +| vmware_vsphere_vcenter | vmware:vsphere:vcenter | main | none | ### Filter type diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md index 24dcebe566..4c1ec7985f 100644 --- a/docs/sources/Zscaler/index.md +++ b/docs/sources/Zscaler/index.md 
@@ -17,20 +17,20 @@ the IP or host name of the SC4S instance and port 514 | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| -| zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. | -| zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | -| zscalernss-web | None | -| zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | +| zscaler_nss_alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. | +| zscaler_nss_dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | +| zscaler_nss_web | None | +| zscaler_nss_fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. 
| ### Sourcetype and Index Configuration | key | sourcetype | index | notes | |---------------------|------------------------|----------|---------| -| zscaler_alerts | zscalernss-alerts | main | none | -| zscaler_dns | zscalernss-dns | netdns | none | -| zscaler_fw | zscalernss-fw | netfw | none | -| zscaler_web | zscalernss-web | netproxy | none | +| zscaler_nss_alerts | zscalernss-alerts | main | none | +| zscaler_nss_dns | zscalernss-dns | netdns | none | +| zscaler_nss_fw | zscalernss-fw | netfw | none | +| zscaler_nss_web | zscalernss-web | netproxy | none | | zscaler_zia_audit | zscalernss-zia-audit | netops | none | | zscaler_zia_sandbox | zscalernss-zia-sandbox | main | none | @@ -80,10 +80,10 @@ the IP or host name of the SC4S instance and port 514 | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| -| zscalerlss-zpa-app | None | -| zscalerlss-zpa-auth | None | -| zscalerlss-zpa-bba | None | -| zscalerlss-zpa-connector | None | +| zscaler_lss-app | None | +| zscaler_lss-auth | None | +| zscaler_lss-bba | None | +| zscaler_lss-connector | None | ### Sourcetype and Index Configuration diff --git a/docs/sources/index.md b/docs/sources/index.md index 29602b32a3..6c60f89154 100644 --- a/docs/sources/index.md +++ b/docs/sources/index.md @@ -67,7 +67,8 @@ block parser alcatel_switch-parser() { r_set_splunk_dest_default( index('netops') sourcetype('alcatel:switch') - vendor_product("alcatel_switch") + vendor('alcatel') + product('switch') template('t_hdr_msg') ); }; @@ -97,7 +98,9 @@ block parser dell_poweredge_cmc-parser() { r_set_splunk_dest_default( index('infraops') sourcetype('dell:poweredge:cmc:syslog') - vendor_product("dell_poweredge_cmc") + vendor('dell') + product('poweredge') + class('cmc') ); }; }; 
@@ -126,7 +129,7 @@ block parser cisco_ios_debug-postfilter() {
 #In this case the outcome is drop the event other logic such as adding indexed fields or editing the message is possible
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 );
 };
 };
diff --git a/docs/upgrade.md b/docs/upgrade.md
index 3c84db8037..b03d864606 100644
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -36,4 +36,28 @@ See the [release information](https://github.com/splunk/splunk-connect-for-syslo * Internal metrics will now use the _metrics index by default update vendor_product key 'sc4s_metrics' to change the index * Deprecated use of vendor_product_by_source for null queue or dropping events see See [Filtering events from output](https://splunk.github.io/splunk-connect-for-syslog/main/sources/) this use will be removed in v3 * Deprecated use of `SPLUNK_HEC_ALT_DESTS` this variable is no longer used and will be ignored -* Deprecated use of `SC4S_DEST_GLOBAL_ALTERNATES` this variable will be removed in future major versions see Destinations section in configuration \ No newline at end of file +* Deprecated use of `SC4S_DEST_GLOBAL_ALTERNATES` this variable will be removed in future major versions see Destinations section in configuration +* Corrected Vendor/Product keys *BREAKING* Please see source doc pages and revise configuration as part of upgrade + * Zscaler (multiple changes) + * dell_emc_powerswitch_n + * F5_BIGIP + * INFOBLOX + * Dell RSA SecureID + * ubiquiti + * SC4S will now use "splunk as the vendor value, "sc4s" as the product + * Fireye HX + * Juniper + * ossec + * Palo Alto Networks + * Pulse Connect + * ricoh + * tanium + * tintri + * Vmware esx,vcenter,nsx,horizon +* Internal Changes + * `.dest_key` field is no longer used + * `sc4s_vendor_product` is read only and will be removed + * `sc4s_vendor` new contains "vendor" portion of vendor_product + * `sc4s_vendor_product` new contains "product" portion of vendor product + * `sc4s_class` new contains additional data previously concatenated to vendor_product + * removed `meta_key` diff --git a/package/etc/conf.d/conflib/_splunk/splunk_context.conf b/package/etc/conf.d/conflib/_splunk/splunk_context.conf index 04bddf85bc..19a6f66266 100644 --- a/package/etc/conf.d/conflib/_splunk/splunk_context.conf +++ b/package/etc/conf.d/conflib/_splunk/splunk_context.conf 
@@ -3,16 +3,16 @@ block parser p_add_context_splunk(key('')) {
 parser {
 add-contextual-data(
- selector("${fields.sc4s_vendor_product}"),
+ selector("${fields.sc4s_vendor}_${fields.sc4s_product}"),
 database("conf.d/local/context/splunk_metadata.csv"),
 prefix(".splunk."),
 ignore-case(yes)
 );
 } ;
- if ("${.meta_key}" ne "" and "${fields.sc4s_vendor_product}" ne "${.meta_key}" ){
+ if ("${fields.sc4s_class}" ne ""){
 parser {
 add-contextual-data(
- selector("${.meta_key}"),
+ selector("${fields.sc4s_vendor}_${fields.sc4s_product}_${fields.sc4s_class}"),
 database("conf.d/local/context/splunk_metadata.csv"),
 prefix(".splunk."),
 ignore-case(yes)
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
index ccb5947887..e5b032063c 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
@@ -33,16 +33,18 @@ block rewrite r_set_splunk_dest_default(
 sourcetype("${.splunk.sourcetype}")
 template('$(if (match("rfc5424_strict" value("fields.sc4s_syslog_format"))) "t_5424_hdr_sdata_msg" "t_hdr_msg")')
 tag("default")
- vendor_product("${fields.sc4s_vendor_product}")
- meta_key("${.meta_key}")
- dest_key("")
+ vendor("${fields.sc4s_vendor}")
+ product("${fields.sc4s_product}")
+ class("${fields.sc4s_class}")
 ) {
 set("`index`", value(".splunk.index"));
 set("`source`", value(".splunk.source"));
 set("`sourcetype`", value(".splunk.sourcetype"));
 set("`template`", value(".splunk.sc4s_template"));
- set("`vendor_product`", value("fields.sc4s_vendor_product"));
- set('$(if ("`dest_key`" ne "") "`dest_key`" "$(uppercase `vendor_product`)")', value(".dest_key"));
+ set("`vendor`", value("fields.sc4s_vendor") condition('`vendor`' ne ""));
+ set("`product`", value("fields.sc4s_product") condition('`product`' ne ""));
+ set("`vendor`_`product`", value("fields.sc4s_vendor_product"));
+ set("`class`", value("fields.sc4s_class") condition('`class`' ne ""));
 };
 block rewrite r_set_splunk_dest_update(
@@ -52,8 +54,9 @@ block rewrite r_set_splunk_dest_update(
 sourcetype("${.splunk.sourcetype}")
 template("${.splunk.sc4s_template}")
 template_hec("${.splunk.sc4s_hec_template}")
- vendor_product("${fields.sc4s_vendor_product}")
- meta_key("${.meta_key}")
+ vendor("${fields.sc4s_vendor}")
+ product("${fields.sc4s_product}")
+ class("${fields.sc4s_class}")
 tag("")
 condition("1" eq "1")
 ) {
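Review bot: `set("`vendor`_`product`", value("fields.sc4s_vendor_product"));` runs unconditionally, so a caller that supplies neither `vendor(...)` nor `product(...)` and has no earlier value in `fields.sc4s_vendor`/`fields.sc4s_product` (after this commit the Trend Micro CEF parsers may be such a case) leaves `sc4s_vendor_product` as the literal `_`, and that value then feeds the `splunk_metadata.csv` selector and the archive/destination filters. The neighbouring `set("`vendor`", …)` and `set("`product`", …)` lines are guarded with `condition(... ne "")`; the concatenation should get the same guard, e.g. `set("`vendor`_`product`", value("fields.sc4s_vendor_product") condition('`vendor`_`product`' ne "_"));`. The r_set_splunk_dest_update hunk that follows has the identical unguarded line. Separately, the docs/upgrade.md hunk lists `sc4s_vendor_product` twice under Internal Changes, once as read only and once as holding the "product" portion; the second bullet should name `sc4s_product`.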
@@ -65,8 +68,10 @@ block rewrite r_set_splunk_dest_update(
 set("`sourcetype`", value(".splunk.sourcetype"));
 set("`template`", value(".splunk.sc4s_template"));
 set("`template_hec`", value(".splunk.sc4s_hec_template"));
- set("`vendor_product`", value("fields.sc4s_vendor_product"));
- set("`meta_key`" value(".meta_key"));
+ set("`vendor`", value("fields.sc4s_vendor") condition('`vendor`' ne ""));
+ set("`product`", value("fields.sc4s_product") condition('`product`' ne ""));
+ set("`vendor`_`product`", value("fields.sc4s_vendor_product"));
+ set("`class`", value("fields.sc4s_class") condition('`class`' ne ""));
 };
 };
 flags(final);
diff --git a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-arista_eos.conf b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-arista_eos.conf
index df13e75e72..6308b1825f 100644
--- a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-arista_eos.conf
+++ b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-arista_eos.conf
@@ -17,8 +17,9 @@ block parser app-almost-syslog-arista_eos() {
 r_set_splunk_dest_default(
 index('netops')
 sourcetype('arista:eos:$(lowercase ${.tmp.program})')
- vendor_product("arista_eos")
- meta_key('arista_eos_$(lowercase ${.tmp.program})')
+ vendor("arista")
+ product("eos")
+ class('$(lowercase ${.tmp.program})')
 );
 };
 rewrite {
diff --git a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_syslog.conf b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_syslog.conf
index 09614e45da..580148bf03 100644
--- a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_syslog.conf
+++ b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_syslog.conf
@@ -88,7 +88,8 @@ block parser app-almost-syslog-cisco_syslog() {
 r_set_splunk_dest_default(
 index('netops')
 sourcetype('cisco:ios')
- vendor_product("cisco_ios")
+ vendor('cisco')
+ product('ios')
 );
 set("cisco_syslog", value("fields.sc4s_syslog_format"));
 set('%${.tmp.message}' value("MESSAGE"));
diff --git a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf
index 8b840e9cb1..ee13f68f58 100644
--- a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf
+++ b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf
@@ -37,7 +37,8 @@ block parser app-almost-syslog-citrix_netscaler() {
 r_set_splunk_dest_default(
 index('netfw')
 sourcetype('citrix:netscaler:syslog')
- vendor_product("citrix_netscaler")
+ vendor('citrix')
+ product('netscaler')
 );
 set("citrix_netscaler", value("fields.sc4s_syslog_format"));
 r_set_splunk_dest_update(
diff --git a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-juniper_netscreen_raw.conf b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-juniper_netscreen_raw.conf
index c034ac2102..12150e1eca 100644
--- a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-juniper_netscreen_raw.conf
+++ b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-juniper_netscreen_raw.conf
@@ -20,8 +20,9 @@ block parser app-almost-syslog-juniper_netscreen_raw() {
 r_set_splunk_dest_default(
 index('netfw')
 sourcetype('netscreen:firewall')
- vendor_product("juniper_netscreen_raw")
- dest_key("JUNIPER_NETSCREEN")
+ vendor("juniper")
+ product("netscreen")
+ class("raw")
 );
 set("${.tmp.host}", value("HOST"));
 set("${.tmp.model}", value("fields.model") condition("${.tmp.model}" ne ""));
diff --git a/package/etc/conf.d/conflib/app-lp_dest_archive/plugin.jinja b/package/etc/conf.d/conflib/app-lp_dest_archive/plugin.jinja
index 048eacae01..022c540506 100644
--- a/package/etc/conf.d/conflib/app-lp_dest_archive/plugin.jinja
+++ b/package/etc/conf.d/conflib/app-lp_dest_archive/plugin.jinja
@@ -1,6 +1,6 @@
 application sc4s-lp-dest-archive-{{ source }}[sc4s-lp-archive] {
 filter {
- match('{{ source }}' value('.dest_key'))
+ '{{ source }}' eq "${fields.sc4s_vendor}_${fields.sc4s_product}"
 };
 };
diff --git a/package/etc/conf.d/conflib/app-lp_dest_selected_alts/plugin.jinja b/package/etc/conf.d/conflib/app-lp_dest_selected_alts/plugin.jinja
index ff202418f4..6d18d40366 100644
--- a/package/etc/conf.d/conflib/app-lp_dest_selected_alts/plugin.jinja
+++ b/package/etc/conf.d/conflib/app-lp_dest_selected_alts/plugin.jinja
@@ -1,6 +1,6 @@
 application sc4s-lp-dest-select-{{ source }}-{{ dest }}[sc4s-lp-dest-select-{{ destination }}] {
 filter {
- match('{{ source }}' value('.dest_key'))
+ '{{ source }}' eq "${fields.sc4s_vendor}_${fields.sc4s_product}"
 };
 };
diff --git a/package/etc/conf.d/conflib/cef/app-cef-cisco_esa.conf b/package/etc/conf.d/conflib/cef/app-cef-cisco_esa.conf
index 240457d418..1dc2d83263 100644
--- a/package/etc/conf.d/conflib/cef/app-cef-cisco_esa.conf
+++ b/package/etc/conf.d/conflib/cef/app-cef-cisco_esa.conf
@@ -5,7 +5,8 @@ block parser app-cef-cisco_esa() {
 index('email'),
 source('esa:consolidated'),
 sourcetype('cisco:esa:cef')
- vendor_product('cisco_esa')
+ vendor('cisco')
+ product('esa')
 );
 };
diff --git a/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_agent.conf b/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_agent.conf
index dbd17748e7..63d3d29148 100644
--- a/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_agent.conf
+++ b/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_agent.conf
@@ -4,7 +4,6 @@ block parser app-cef-trendmicro_deep_agent() {
 r_set_splunk_dest_default(
 index('epintel')
 sourcetype('deepsecurity')
- vendor_product("Trend Micro_Deep Security Agent")
 );
 };
 if {
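Review bot: The new filter `'{{ source }}' eq "${fields.sc4s_vendor}_${fields.sc4s_product}"` is a case-sensitive comparison, whereas the `.dest_key` it replaced was uppercased by the old splunkfields.conf (`$(uppercase `vendor_product`)`) and every parser in this commit sets vendor and product in lower case (`vendor('cisco') product('ios')`). If `{{ source }}` is still rendered from the upper-case environment-variable suffix, no archive or alternate-destination selector will ever match; the docs/destinations.md example `'CISCO_IOS' eq "${fields.sc4s_vendor}_${fields.sc4s_product}"` has the same problem and can never be true. Either make the comparison case-insensitive on the left side, `"$(lowercase '{{ source }}')" eq "${fields.sc4s_vendor}_${fields.sc4s_product}"`, or have the plugin emit the lower-case key and change the docs example to `'cisco_ios'`. The app-lp_dest_selected_alts/plugin.jinja hunk below carries the identical filter. The code that renders `{{ source }}` is not in the diff, so this is worth verifying against it.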
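Review bot: Dropping `vendor_product("Trend Micro_Deep Security Agent")` without adding a `vendor(...)`/`product(...)` pair leaves this parser relying on whatever `fields.sc4s_vendor` and `fields.sc4s_product` already hold, and the later hunks then set `class('${fields.cef_device_event_class}')` on top of that; if nothing upstream populated them, the metadata selector becomes `__<class>` and `sc4s_vendor_product` becomes `_`. Every other parser touched here (cisco_esa just above, the cisco-syslog files) sets both explicitly, so this block should too, unless the shared CEF dispatcher that calls it already fills them from the CEF header (the old value has the shape `<cef vendor>_<cef product>`, which suggests it might — confirm before merging). The app-cef-trendmicro_deep_manager.conf hunk has the same bare removal. The expected key for this source is not documented in the diff, so I cannot propose the literal values.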
@@ -15,7 +14,7 @@ block parser app-cef-trendmicro_deep_agent() {
 set("intrusion prevention" value("fields.cef_device_event_class"));
 r_set_splunk_dest_update(
 sourcetype('deepsecurity-intrusion_prevention')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 );
 };
 } elif {
@@ -25,7 +24,7 @@ block parser app-cef-trendmicro_deep_agent() {
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('deepsecurity-firewall')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 );
 };
 } elif {
@@ -39,7 +38,7 @@ block parser app-cef-trendmicro_deep_agent() {
 r_set_splunk_dest_update(
 index('epav')
 sourcetype('deepsecurity-antimalware')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 );
 };
 } elif {
@@ -52,7 +51,7 @@ block parser app-cef-trendmicro_deep_agent() {
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('deepsecurity-integrity_monitoring')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 );
 };
 } elif {
@@ -65,7 +64,7 @@ block parser app-cef-trendmicro_deep_agent() {
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('deepsecurity-log_inspection')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 );
 };
 } elif {
@@ -76,7 +75,7 @@ block parser app-cef-trendmicro_deep_agent() {
 set("web reputation" value("fields.cef_device_event_class"));
 r_set_splunk_dest_update(
 sourcetype('deepsecurity-web_reputation')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 );
 };
 } elif {
@@ -89,7 +88,7 @@ block parser app-cef-trendmicro_deep_agent() {
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('deepsecurity-app_control')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 );
 };
 } else { };
diff --git a/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_manager.conf b/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_manager.conf
index d7dda0935c..c30756487e 100644
--- a/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_manager.conf
+++ b/package/etc/conf.d/conflib/cef/app-cef-trendmicro_deep_manager.conf
@@ -4,7 +4,6 @@ block parser app-cef-trendmicro_deep_manager() {
 r_set_splunk_dest_default(
 index('epintel')
 sourcetype('deepsecurity-system_events')
- vendor_product("Trend Micro_Deep Security Manager")
 );
 };
diff --git a/package/etc/conf.d/conflib/cef/app-cef-vectra.conf b/package/etc/conf.d/conflib/cef/app-cef-vectra.conf
index 92495ce71d..f0bedae778 100644
--- a/package/etc/conf.d/conflib/cef/app-cef-vectra.conf
+++ b/package/etc/conf.d/conflib/cef/app-cef-vectra.conf
@@ -13,49 +13,49 @@ block parser app-cef-vectra() {
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('vectra:cognito:accountdetect')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 condition( "${fields.cef_device_event_class}" eq "accountdetect" )
 );
 };
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('vectra:cognito:accountscoring')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 condition( "${fields.cef_device_event_class}" eq "asc" )
 );
 };
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('vectra:cognito:audit')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 condition( "${fields.cef_device_event_class}" eq "audit" )
 );
 };
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('vectra:cognito:campaigns')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 condition( "${fields.cef_device_event_class}" eq "campaigns" )
 );
 };
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('vectra:cognito:health')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 condition( "${fields.cef_device_event_class}" eq "health" )
 );
 };
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('vectra:cognito:hostscoring')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 condition( "${fields.cef_device_event_class}" eq "hsc" )
 );
 };
 rewrite {
 r_set_splunk_dest_update(
 sourcetype('vectra:cognito:accountlockdown')
- meta_key('${fields.sc4s_vendor_product}_${fields.cef_device_event_class}')
+ class('${fields.cef_device_event_class}')
 condition( "${fields.cef_device_event_class}" eq "lockdown" )
 );
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ace.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ace.conf
index 95df32451c..181c1d2615 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ace.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ace.conf
@@ -4,7 +4,8 @@ block parser app-cisco-cisco_ace() {
 r_set_splunk_dest_default(
 index("netops")
 sourcetype('cisco:ace')
- vendor_product("cisco_ace")
+ vendor('cisco')
+ product('ace')
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_asa.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_asa.conf
index 9a283700d0..f189266d25 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_asa.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_asa.conf
@@ -4,7 +4,9 @@ block parser app-cisco-cisco_asa() {
 r_set_splunk_dest_default(
 index("netfw")
 sourcetype('cisco:asa')
- vendor_product("cisco_asa")
+ vendor('cisco')
+ product('asa')
+
 );
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_cimc.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_cimc.conf
index 9111e19389..22e1e3d01c 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_cimc.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_cimc.conf
@@ -4,7 +4,9 @@ block parser app-cisco-cisco_cimc() {
 r_set_splunk_dest_default(
 index("infraops")
 sourcetype('cisco:cimc')
- vendor_product("cisco_cimc")
+ vendor('cisco')
+ product('cimc')
+
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ftd.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ftd.conf
index 0d76e0d7d2..ed7f1d4614 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ftd.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ftd.conf
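Review bot: The cisco_asa hunk (`-4,7 +4,9`) appears to add a third, empty line between `product('asa')` and the closing `);`, and the cisco_cimc hunk does the same; the sibling hunks for ace, ftd, fwsm, pix, ucm and ucs add exactly two lines. Unless the extra line carries content that the collapsed view hides, drop it so the argument lists read the same across the directory.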
@@ -4,7 +4,8 @@ block parser app-cisco-cisco_ftd() {
 r_set_splunk_dest_default(
 index("netfw")
 sourcetype('cisco:ftd')
- vendor_product("cisco_ftd")
+ vendor('cisco')
+ product('ftd')
 );
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_fwsm.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_fwsm.conf
index cf9d3d1331..ab9cf8e3e8 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_fwsm.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_fwsm.conf
@@ -4,7 +4,8 @@ block parser app-cisco-cisco_fwsm() {
 r_set_splunk_dest_default(
 index("netfw")
 sourcetype('cisco:fwsm')
- vendor_product("cisco_fwsm")
+ vendor('cisco')
+ product('fwsm')
 );
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_pix.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_pix.conf
index 2c6e13d30e..ce1b3a21b1 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_pix.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_pix.conf
@@ -4,7 +4,8 @@ block parser app-cisco-cisco_pix() {
 r_set_splunk_dest_default(
 index("netfw")
 sourcetype('cisco:pix')
- vendor_product("cisco_pix")
+ vendor('cisco')
+ product('pix')
 );
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucm.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucm.conf
index 7408174faa..1b87872555 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucm.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucm.conf
@@ -3,7 +3,8 @@ block parser app-cisco-cisco_ucm() {
 rewrite {
 r_set_splunk_dest_default(
 sourcetype('cisco:ucm')
- vendor_product("cisco_ucm")
+ vendor('cisco')
+ product('ucm')
 );
 };
diff --git a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucs.conf b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucs.conf
index efccf9fa89..9ede29a821 100644
--- a/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucs.conf
+++ b/package/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ucs.conf
@@ -4,7 +4,8 @@ block parser app-cisco-cisco_ucs() {
 r_set_splunk_dest_default(
 index("infraops")
 sourcetype('cisco:ucs')
- vendor_product("cisco_ucs")
+ vendor('cisco')
+ product('ucs')
 );
 };
diff --git a/package/etc/conf.d/conflib/fallback/app-fallback-nix_syslog.conf b/package/etc/conf.d/conflib/fallback/app-fallback-nix_syslog.conf
index 28cc53c0d0..63a670bf22 100644
--- a/package/etc/conf.d/conflib/fallback/app-fallback-nix_syslog.conf
+++ b/package/etc/conf.d/conflib/fallback/app-fallback-nix_syslog.conf
@@ -4,7 +4,9 @@ block parser app-fallback-nix_syslog() {
 r_set_splunk_dest_default(
 index("osnix")
 sourcetype('nix:syslog')
- vendor_product("nix_syslog")
+ vendor('${.netsource.sc4s_vendor}')
+ product('${.netsource.sc4s_product}')
+ class('${.netsource.sc4s_class}')
 );
 };
@@ -13,7 +15,7 @@ block parser app-fallback-nix_syslog() {
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
 r_set_splunk_dest_update(
 source('program:${.PROGRAM}')
- meta_key('${.netsource.sc4s_vendor_product}_nix_syslog')
+ class('nix_syslog')
 );
 };
 };
@@ -28,7 +30,8 @@ application app-fallback-nix_syslog[fallback] {
 and "${MESSAGE}" ne ""
 ) )
- and "${fields.sc4s_vendor_product}" eq ""
+ and "${fields.sc4s_vendor}" eq ""
+ and "${fields.sc4s_product}" eq ""
 };
 parser { app-fallback-nix_syslog(); };
 };
diff --git a/package/etc/conf.d/conflib/fallback/app-fallbackz-lastchance.conf b/package/etc/conf.d/conflib/fallback/app-fallbackz-lastchance.conf
index 35459b0481..fad78d62a9 100644
--- a/package/etc/conf.d/conflib/fallback/app-fallbackz-lastchance.conf
+++ b/package/etc/conf.d/conflib/fallback/app-fallbackz-lastchance.conf
@@ -3,7 +3,9 @@ block parser app-fallbackz-lastchance() {
 rewrite {
 r_set_splunk_dest_default(
 sourcetype('sc4s:fallback')
- vendor_product("sc4s_fallback")
+ vendor('splunk')
+ product('sc4s')
+ class("fallback")
 template('t_fallback_kv')
 );
 };
diff --git a/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf b/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf
index 36c3285f5d..c770122099 100644
--- a/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf
+++ b/package/etc/conf.d/conflib/json/app-json-novell_netiq.conf
@@ -3,7 +3,8 @@ block parser app-json-novell_netiq() {
 rewrite {
 r_set_splunk_dest_default(
- vendor_product('novell_netiq'),
+ vendor('novell')
+ product('netiq')
 index('netauth'),
 source('novell:netiq:${.values.component}'),
 sourcetype('novell:netiq')
diff --git a/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf b/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf
index 7768b46060..0617fffd73 100644
--- a/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf
+++ b/package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf
@@ -11,7 +11,8 @@ block parser app-json-zscaler_lss() {
 r_set_splunk_dest_default(
 index("netproxy")
 sourcetype('zscalerlss-zpa-app')
- vendor_product("zscaler_lss")
+ vendor('zscaler')
+ product('lss')
 );
 };
 } elif {
@@ -24,7 +25,8 @@ block parser app-json-zscaler_lss() {
 r_set_splunk_dest_default(
 index("netproxy")
 sourcetype('zscalerlss-zpa-bba')
- vendor_product("zscaler_lss")
+ vendor('zscaler')
+ product('lss')
 );
 };
 } elif {
@@ -37,7 +39,8 @@ block parser app-json-zscaler_lss() {
 r_set_splunk_dest_default(
 index("netproxy")
 sourcetype('zscalerlss-zpa-connector')
- vendor_product("zscaler_lss")
+ vendor('zscaler')
+ product('lss')
 );
 };
 } elif {
@@ -49,7 +52,8 @@ block parser app-json-zscaler_lss() {
 r_set_splunk_dest_default(
 index("netproxy")
 sourcetype('zscalerlss-zpa-auth')
- vendor_product("zscaler_lss")
+ vendor('zscaler')
+ product('lss')
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf b/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf
index af215e90c1..c5badd5646 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf
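Review bot: In the novell_netiq hunk the replaced argument carried a trailing comma (`vendor_product('novell_netiq'),`) and the unchanged `index('netauth'),` and `source(...)`, lines below still do, but the two new lines `vendor('novell')` and `product('netiq')` have none, so the argument list now mixes separators. I have not confirmed whether syslog-ng's block-argument grammar tolerates the mix; writing `vendor('novell'),` and `product('netiq'),` keeps this file's own convention and avoids the question. The rewrite block continues outside the hunk.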
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf
@@ -4,7 +4,8 @@ block parser app-netsource-aruba_clearpass() {
 r_set_splunk_dest_default(
 index('netops')
 sourcetype('aruba:clearpass')
- vendor_product("aruba_clearpass")
+ vendor('aruba')
+ product('clearpass')
 template('t_hdr_msg')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-brocade_syslog.conf b/package/etc/conf.d/conflib/netsource/app-netsource-brocade_syslog.conf
index 0510e51fd4..6ba4dcf4f6 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-brocade_syslog.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-brocade_syslog.conf
@@ -7,9 +7,9 @@ block parser app-netsource-brocade_syslog() {
 index('netops')
 source('brocade:${.PROGRAM}')
 sourcetype('brocade:syslog')
- vendor_product("brocade_syslog")
+ vendor("brocade")
+ product("syslog")
 template('t_hdr_msg')
- dest_key("BROCADE")
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-buffalo_terastation.conf b/package/etc/conf.d/conflib/netsource/app-netsource-buffalo_terastation.conf
index 8a514c2724..e8ac7260fa 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-buffalo_terastation.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-buffalo_terastation.conf
@@ -4,8 +4,9 @@ block parser app-netsource-buffalo_terastation() {
 r_set_splunk_dest_default(
 index('infraops')
 sourcetype('buffalo:terastation:$(lowercase $PROGRAM)')
- vendor_product("buffalo_terastation")
- meta_key(vendor_product("buffalo_terastation_$(lowercase $PROGRAM)"))
+ vendor('buffalo')
+ product('terastation')
+ class("$PROGRAM")
 template('t_hdr_msg')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-checkpoint_fw.conf b/package/etc/conf.d/conflib/netsource/app-netsource-checkpoint_fw.conf
index 66ff977230..1c6cbdf4fe 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-checkpoint_fw.conf
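Review bot: `class("$PROGRAM")` in the buffalo_terastation hunk drops the `$(lowercase ...)` normalisation that the removed `meta_key(...)` line applied, while the unchanged `sourcetype('buffalo:terastation:$(lowercase $PROGRAM)')` line above still lowercases the same value; the class is now taken from the device-supplied program name as-is, so case differences between devices split one source into several class keys. `class("$(lowercase $PROGRAM)")` keeps the two fields in step. The enclosing parser block continues outside the hunk.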
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-checkpoint_fw.conf
@@ -4,7 +4,8 @@ block parser app-netsource-checkpoint_fw() {
 r_set_splunk_dest_default(
 index('netops')
 sourcetype('cp_log:fw:syslog')
- vendor_product("checkpoint_fw")
+ vendor('checkpoint')
+ product('fw')
 template('t_hdr_msg')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_esa.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_esa.conf
index 6d0d42f91f..bbda7bfd14 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_esa.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_esa.conf
@@ -64,7 +64,8 @@ block parser app-netsource-cisco_esa() {
 index('email')
 source('program:${.PROGRAM}')
 sourcetype('cisco:esa')
- vendor_product("cisco_esa")
+ vendor('cisco')
+ product('esa')
 template('t_msg_only')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
index ea5f966496..06020fc5e3 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_meraki.conf
@@ -4,7 +4,8 @@ block parser app-netsource-cisco_meraki() {
 r_set_splunk_dest_default(
 index('netfw')
 sourcetype('meraki')
- vendor_product("cisco_meraki")
+ vendor('cisco')
+ product('meraki')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa.conf
index 384726ca2c..2dbee3b544 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa.conf
@@ -7,7 +7,8 @@ block parser app-netsource-cisco_wsa() {
 index('netproxy')
 source("cisco_wsa")
 sourcetype('cisco:wsa')
- vendor_product("cisco_wsa")
+ vendor('cisco')
+ product('wsa')
 );
 };
 if{
@@ -35,7 +36,6 @@ block parser app-netsource-cisco_wsa() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('cisco_wsa')
 sourcetype('cisco:wsa:squid')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_11_7.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_11_7.conf
index aac3725bfe..ddacbdde2f 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_11_7.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_11_7.conf
@@ -7,7 +7,8 @@ block parser app-netsource-cisco_wsa_11_7() {
 index('netproxy')
 source("cisco_wsa_11.7")
 sourcetype('cisco:wsa:squid:new')
- vendor_product("cisco_wsa")
+ vendor('cisco')
+ product('wsa')
 );
 };
 if{
@@ -35,7 +36,6 @@ block parser app-netsource-cisco_wsa_11_7() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('cisco_wsa')
 sourcetype('cisco:wsa:squid:new')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_splunk.conf b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_splunk.conf
index 4ec8739dc7..763952b3f0 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_splunk.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-cisco_wsa_splunk.conf
@@ -7,7 +7,8 @@ block parser app-netsource-cisco_wsa_splunk() {
 index('netproxy')
 source("cisco_wsa_splunk")
 sourcetype('cisco:wsa')
- vendor_product("cisco_wsa")
+ vendor('cisco')
+ product('wsa')
 );
 };
 if{
@@ -36,7 +37,6 @@ block parser app-netsource-cisco_wsa_splunk() {
 rewrite {
 r_set_splunk_dest_update(
- meta_key('cisco_wsa')
 sourcetype('cisco:wsa:w3c:recommended')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-dell_poweredge_cmc.conf b/package/etc/conf.d/conflib/netsource/app-netsource-dell_poweredge_cmc.conf
index 071375c1b4..fbec93ea1b 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-dell_poweredge_cmc.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-dell_poweredge_cmc.conf
@@ -5,7 +5,10 @@ block parser app-netsource-dell_poweredge_cmc() {
 r_set_splunk_dest_default(
 index('infraops')
 sourcetype('dell:poweredge:cmc:syslog')
- vendor_product("dell_poweredge_cmc")
+ vendor('dell')
+ product('poweredge')
+ class('cmc')
+
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf b/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf
index ceda68327d..e2d57b9b0c 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-dell_rsa_secureid.conf
@@ -4,7 +4,9 @@ block parser app-netsource-dell_rsa_secureid() {
 r_set_splunk_dest_default(
 index('netauth')
 sourcetype('rsa:securid:trace')
- vendor_product("dell_rsa_secureid")
+ vendor('dell-rsa')
+ product('secureid')
+
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-dell_switch_n.conf b/package/etc/conf.d/conflib/netsource/app-netsource-dell_switch_n.conf
index 38d308ad06..e1007bb5ce 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-dell_switch_n.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-dell_switch_n.conf
@@ -16,7 +16,10 @@ block parser app-netsource-dell_switch_n() {
 r_set_splunk_dest_default(
 index('netops')
 sourcetype('dell:emc:powerswitch:n')
- vendor_product("dell_emc_powerswitch_n")
+ vendor('dellemc')
+ product('powerswitch')
+ class('n')
+
 );
 set("dell_emc_powerswitch_n", value("fields.sc4s_syslog_format"));
 set("${.tmp.host}" value("HOST"));
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-f5_bigip.conf b/package/etc/conf.d/conflib/netsource/app-netsource-f5_bigip.conf
index 1a0cf096f7..5573a1810c 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-f5_bigip.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-f5_bigip.conf
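Review bot: `vendor('dell-rsa')` in the dell_rsa_secureid hunk is the only vendor value in this change that contains a hyphen; every other hunk uses a bare lowercase word, and the dell_switch_n hunk on this same line collapses `dell_emc` to `dellemc` for exactly that reason. If, as the other renames suggest, vendor and product are joined into environment-variable and destination-selection keys, a hyphen yields a name like `..._DELL-RSA_SECUREID_...` that a shell cannot export. `vendor('dellrsa')` or `vendor('rsa')` would follow the convention used elsewhere; the enclosing parser block continues outside the hunk.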
@@ -5,8 +5,8 @@ block parser app-netsource-f5_bigip() {
 index("netops")
 source("program:${PROGRAM}")
 sourcetype('f5:bigip:syslog')
- vendor_product("f5_bigip")
- dest_key("F5_BIGIP")
+ vendor("f4")
+ product("bigip")
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-ibm_datapower.conf b/package/etc/conf.d/conflib/netsource/app-netsource-ibm_datapower.conf
index 683e57dbbc..e632bdc7e9 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-ibm_datapower.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-ibm_datapower.conf
@@ -4,7 +4,8 @@ block parser app-netsource-ibm_datapower() {
 r_set_splunk_dest_default(
 index('infraops')
 sourcetype('ibm:datapower:syslog')
- vendor_product("ibm_datapower")
+ vendor('ibm')
+ product('datapower')
 template('t_msg_only')
 );
 };
@@ -20,7 +21,7 @@ block parser app-netsource-ibm_datapower() {
 rewrite{
 r_set_splunk_dest_update(
 sourcetype('ibm:datapower:${.tmp.category}')
- meta_key("${.tmp.category}")
+ class("${.tmp.category}")
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-infoblox.conf b/package/etc/conf.d/conflib/netsource/app-netsource-infoblox.conf
index 24d41e6cd3..b8a283d85a 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-infoblox.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-infoblox.conf
@@ -7,7 +7,8 @@ block parser app-netsource-infoblox() {
 index('netops')
 source('program:${.PROGRAM}')
 sourcetype('infoblox')
- vendor_product("infoblox")
+ vendor("infoblox")
+ vendor("nios")
 template('t_hdr_msg')
 );
 };
@@ -17,7 +18,7 @@ block parser app-netsource-infoblox() {
 rewrite {
 r_set_splunk_dest_update(
 index('netdns')
- meta_key('infoblox_dns')
+ class('dns')
 source('program:${PROGRAM}')
 sourcetype('infoblox:dns')
 );
@@ -27,7 +28,7 @@ block parser app-netsource-infoblox() {
 rewrite {
 r_set_splunk_dest_update(
 index('netipam')
- meta_key('infoblox_dhcp')
+ class('dhcp')
 source('program:${PROGRAM}')
 sourcetype('infoblox:dhcp')
 );
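Review bot: `vendor("f4")` in the f5_bigip hunk is a typo for `vendor("f5")`: the file path, the removed `vendor_product("f5_bigip")` and the unchanged `sourcetype('f5:bigip:syslog')` context line all say f5, so as written this source would be keyed as `f4_bigip` and miss any destination or port configuration named after f5. The enclosing parser block continues outside the hunk.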
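Review bot: The infoblox hunk at `@@ -7,7 +7,8 @@` sets `vendor("infoblox")` and then `vendor("nios")`; the second should be `product("nios")`, as every other hunk in this change pairs one vendor() with one product(). As written the product is never set for infoblox events and the effective vendor depends on which of the two vendor() calls r_set_splunk_dest_default applies last, which I have not checked. The later infoblox hunks that set `class('dns')` and `class('dhcp')` build on this base and are otherwise fine.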
@@ -37,7 +38,7 @@ block parser app-netsource-infoblox() {
 rewrite {
 r_set_splunk_dest_update(
 index('netids')
- meta_key('infoblox')
+ class('threatprotect')
 source('program:${PROGRAM}')
 sourcetype('infoblox:threatprotect')
 );
@@ -46,7 +47,7 @@ block parser app-netsource-infoblox() {
 filter{message('^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}(\.\d+)Z\s+\[[^\]]+\]:')};
 rewrite {
 r_set_splunk_dest_update(
- meta_key('infoblox_audit')
+ class('audit')
 source('program:${PROGRAM}')
 sourcetype('infoblox:audit')
 );
@@ -54,7 +55,7 @@ block parser app-netsource-infoblox() {
 } else {
 rewrite {
 r_set_splunk_dest_update(
- meta_key('infoblox')
+ class('${PROGRAM}')
 source('program:${PROGRAM}')
 sourcetype('infoblox:port')
 );
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-mikrotik_routeros.conf b/package/etc/conf.d/conflib/netsource/app-netsource-mikrotik_routeros.conf
index 1b28f746fc..43f212a7f1 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-mikrotik_routeros.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-mikrotik_routeros.conf
@@ -5,7 +5,8 @@ block parser app-netsource-mikrotik_routeros() {
 index('netops')
 source('program:${.PROGRAM}')
 sourcetype('routeros')
- vendor_product("mikrotik_routeros")
+ vendor("mikrotik")
+ product("routeros")
 template('t_hdr_msg')
 );
 };
@@ -15,7 +16,7 @@ block parser app-netsource-mikrotik_routeros() {
 rewrite {
 r_set_splunk_dest_update(
 index('netfw')
- meta_key('mikrotik_routeros_fw')
+ class('fw')
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-nix_syslog.conf b/package/etc/conf.d/conflib/netsource/app-netsource-nix_syslog.conf
index d11410f0c3..6571d9f331 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-nix_syslog.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-nix_syslog.conf
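Review bot: `class('${PROGRAM}')` in the `@@ -54,7 +55,7 @@` hunk is the one class value in this change taken verbatim from a sender-controlled header field; every other branch of this parser pins a constant (`class('dns')`, `class('dhcp')`, `class('threatprotect')`, `class('audit')`). Because class feeds the destination-selection key, an unexpected or mixed-case program name from a device yields a key nobody has configured, and the else branch exists precisely for messages that matched none of the known programs. A constant matching the sourcetype, `class('port')`, or at least `class('$(lowercase ${PROGRAM})')`, keeps the key space bounded; the enclosing if/else runs beyond the hunk.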
@@ -7,7 +7,8 @@ block parser app-netsource-nix_syslog() {
 index('osnix')
 source('program:${.PROGRAM}')
 sourcetype('nix:syslog')
- vendor_product("nix_syslog")
+ vendor('nix')
+ product('syslog')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-pfsense.conf b/package/etc/conf.d/conflib/netsource/app-netsource-pfsense.conf
index 6507842e65..9262122d87 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-pfsense.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-pfsense.conf
@@ -8,14 +8,15 @@ block parser app-netsource-pfsense() {
 index('netops')
 source('program:${.PROGRAM}')
 sourcetype('pfsense:${PROGRAM}')
- vendor_product("pfsense")
+ vendor("pfsense")
+ product("firewall")
 template('t_hdr_msg')
 );
 r_set_splunk_dest_update(
 index('netfw')
 sourcetype('pfsense:filterlog')
- meta_key('pfsense_filterlog')
+ class('filterlog')
 condition(
 program('filterlog' type(string) flags(prefix))
 )
 );
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-proofpoint_pps.conf b/package/etc/conf.d/conflib/netsource/app-netsource-proofpoint_pps.conf
index 05733a8074..06c616640d 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-proofpoint_pps.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-proofpoint_pps.conf
@@ -15,19 +15,20 @@ block parser app-netsource-proofpoint_pps() {
 r_set_splunk_dest_default(
 index('email')
 sourcetype('pps_mail_log')
- vendor_product("proofpoint_pps")
+ vendor("proofpoint")
+ product("pps")
 template('t_hdr_msg')
 );
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('proofpoint_pps_sendmail')
+ class('sendmail')
 );
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('proofpoint_pps_filter')
+ class('filter')
 sourcetype('pps_filter_log')
 condition(filter(f_proofpoint_pps_filter))
 );
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-raritan_dsx.conf b/package/etc/conf.d/conflib/netsource/app-netsource-raritan_dsx.conf
index 1250184f83..1e5adff70a 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-raritan_dsx.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-raritan_dsx.conf
@@ -4,7 +4,8 @@ block parser app-netsource-raritan_dsx() {
 r_set_splunk_dest_default(
 index('infraops')
 sourcetype('raritan:dsx')
- vendor_product("raritan_dsx")
+ vendor('raritan')
+ product('dsx')
 template('t_hdr_msg')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-schneider_apc.conf b/package/etc/conf.d/conflib/netsource/app-netsource-schneider_apc.conf
index 20b76da474..e46f76b5f5 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-schneider_apc.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-schneider_apc.conf
@@ -4,7 +4,8 @@ block parser app-netsource-schneider_apc() {
 r_set_splunk_dest_default(
 index('main')
 sourcetype('apc:syslog')
- vendor_product("schneider_apc")
+ vendor('schneider')
+ product('apc')
 template('t_hdr_msg')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-simple_source.conf b/package/etc/conf.d/conflib/netsource/app-netsource-simple_source.conf
index 923e442bd0..b82c278541 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-simple_source.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-simple_source.conf
@@ -8,7 +8,7 @@ block parser app-netsource-simple_source() {
 r_set_splunk_dest_default(
 source('program:${.PROGRAM}')
 sourcetype('sc4s:simple:$(lowercase ${.simple_dest_key})')
- vendor_product("$(lowercase ${.simple_dest_key})")
+ vendor("$(lowercase ${.simple_dest_key})")
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf b/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf
index 96283a4534..7af1530c06 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-sophos_webappliance.conf
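Review bot: The simple_source hunk replaces `vendor_product(...)` with `vendor("$(lowercase ${.simple_dest_key})")` alone and sets no product(), unlike every other parser touched by this change. Anything downstream that joins vendor and product into a key will see an empty product for these events; if that is the intent it deserves a comment on the line, for example `# product left unset: simple sources are keyed by vendor only`, otherwise a fixed `product(...)` value should be added. The enclosing parser block continues outside the hunk.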
@@ -4,7 +4,8 @@ block parser app-netsource-sophos_webappliance() {
 r_set_splunk_dest_default(
 index("netproxy")
 sourcetype('sophos:webappliance')
- vendor_product("sophos_webappliance")
+ vendor("sophos")
+ product("webappliance")
 );
 };
 rewrite{
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-spectracom-ntp.conf b/package/etc/conf.d/conflib/netsource/app-netsource-spectracom-ntp.conf
index eb71905ff5..ba52572c9a 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-spectracom-ntp.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-spectracom-ntp.conf
@@ -8,7 +8,8 @@ block parser app-netsource-spectracom-ntp() {
 r_set_splunk_dest_default(
 index("netops")
 sourcetype('spectracom:ntp')
- vendor_product("spectracom_ntp")
+ vendor("spectracom")
+ product("ntp")
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-symantec_dlp.conf b/package/etc/conf.d/conflib/netsource/app-netsource-symantec_dlp.conf
index 1d4fd865dd..de7e9d6f95 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-symantec_dlp.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-symantec_dlp.conf
@@ -4,7 +4,8 @@ block parser app-netsource-symantec_dlp() {
 r_set_splunk_dest_default(
 index('netdlp')
 sourcetype('symantec:dlp:syslog')
- vendor_product("symantec_dlp")
+ vendor("symantec")
+ product('dlp')
 template('t_msg_only')
 );
 };
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-ubiquiti_unifi.conf b/package/etc/conf.d/conflib/netsource/app-netsource-ubiquiti_unifi.conf
index 136df125ab..ead4c9d0a5 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-ubiquiti_unifi.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-ubiquiti_unifi.conf
@@ -4,8 +4,8 @@ block parser app-netsource-ubiquiti_unifi() {
 r_set_splunk_dest_default(
 index('netfw')
 sourcetype('ubnt:fw')
- vendor_product("ubiquiti_unifi_fw")
- dest_key("UBIQUITI_UNIFI")
+ vendor("ubiquiti")
+ product("unifi")
 );
 set("${LEGACY_MSGHDR}${MSG}" value("MSG"));
 unset(value("PROGRAM"));
@@ -14,7 +14,7 @@ block parser app-netsource-ubiquiti_unifi() {
 if (match("[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:" value("MSG"))) {
 rewrite {
 r_set_splunk_dest_update(
- meta_key('ubiquiti_unifi_threat')
+ class('threat')
 index('netids')
 sourcetype('ubnt:threat')
 );
@@ -22,7 +22,7 @@ block parser app-netsource-ubiquiti_unifi() {
 } elif (match("\S+\slinkcheck:" value("MSG"))) {
 rewrite {
 r_set_splunk_dest_update(
- meta_key('ubiquiti_unifi_link')
+ class('link')
 index('netops')
 sourcetype('ubnt:link')
 );
@@ -30,7 +30,7 @@ block parser app-netsource-ubiquiti_unifi() {
 } elif (match("\d+:\d+:\d+\s\S+\ssudo:" value("MSG"))) {
 rewrite {
 r_set_splunk_dest_update(
- meta_key('ubiquiti_unifi_sudo')
+ class('sudo')
 index('netops')
 sourcetype('ubnt:sudo')
 );
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_01-partials.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_01-partials.conf
index a6e290900d..5629623458 100644
--- a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_01-partials.conf
+++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_01-partials.conf
@@ -2,7 +2,7 @@ block parser app-postfilter-checkpoint_splunk_01-partials() {
 channel {
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_02-group.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_02-group.conf
index 1cf3f9b66f..5afdfd2848 100644
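Review bot: The first ubiquiti_unifi hunk replaces `vendor_product("ubiquiti_unifi_fw")` with `vendor("ubiquiti")` and `product("unifi")` but sets no class, so the `fw` qualifier the old key carried is lost for the default branch while the later hunks in this file still classify `threat`, `link` and `sudo`. Adding `class("fw")` next to product keeps `ubnt:fw` events distinguishable from the other classes and mirrors how the mikrotik_routeros hunk handles its firewall class. The enclosing parser block continues outside the hunk.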
--- a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_02-group.conf
+++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_splunk_02-group.conf
@@ -15,7 +15,7 @@ block parser app-postfilter-checkpoint_splunk_02-group() {
 };
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 condition("${.gb.complete}" ne "1")
 );
 };
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_01-partials.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_01-partials.conf
index 87104fa126..81c56277bd 100644
--- a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_01-partials.conf
+++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_01-partials.conf
@@ -2,7 +2,7 @@ block parser app-postfilter-checkpoint_syslog_01-partials() {
 channel {
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 );
 };
 };
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_02-group.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_02-group.conf
index 496b78516b..8d250f0857 100644
--- a/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_02-group.conf
+++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-checkpoint_syslog_02-group.conf
@@ -17,7 +17,7 @@ block parser app-postfilter-checkpoint_syslog_02-group() {
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 condition("${.gb.complete}" ne "1")
 );
 };
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf
index f5b7d23482..1779192079 100644
--- a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf
+++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf
@@ -48,7 +48,7 @@ block parser app-postfilter-cisco_acs() {
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 condition("${.gb.complete}" ne "1")
 );
 };
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf
index 2883d43521..66c9dc436b 100644
--- a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf
+++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf
@@ -47,7 +47,7 @@ block parser app-postfilter-cisco_ise() {
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 condition("${.gb.complete}" ne "1")
 );
 };
diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-mark.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-mark.conf
index 9327046fb9..cc39c2d620 100644
--- a/package/etc/conf.d/conflib/post-filter/app-postfilter-mark.conf
+++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-mark.conf
@@ -5,13 +5,15 @@ block parser app-syslog-mark() {
 r_set_splunk_dest_default(
 index("main")
 sourcetype('sc4s:remote_mark')
- vendor_product("sc4s_events")
+ vendor('splunk')
+ product('sc4s')
+ class("events")
 );
 };
 rewrite {
 r_set_splunk_dest_update(
- vendor_product('null_queue')
+ vendor('null') product('queue')
 condition("`SC4S_SOURCE_MARK_MESSAGE_NULLQUEUE`" ne "no")
 );
 };
diff --git a/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf b/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf
index 59d68b955f..d0b07f970c 100644
--- a/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf
+++ b/package/etc/conf.d/conflib/raw/app-raw-checkpoint_splunk.conf
@@ -5,7 +5,8 @@ block parser app-raw-checkpoint_splunk() {
 r_set_splunk_dest_default(
 index('netfw')
 sourcetype('cp_log')
- vendor_product("checkpoint_splunk")
+ vendor("checkpoint")
+ product("splunk")
 );
 };
 parser {
@@ -105,7 +106,6 @@ block parser app-raw-checkpoint_splunk() {
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk')
 index('netops')
 source('program:${PROGRAM}')
 sourcetype('nix:syslog')
@@ -126,7 +126,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_firewall')
+ class('firewall')
 index('netfw')
 source('checkpoint:firewall')
 );
@@ -137,7 +137,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_web')
+ class('web')
 index('netproxy')
 source('checkpoint:web')
 );
@@ -172,7 +172,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_audit')
+ class('audit')
 index('netops')
 source('checkpoint:audit')
 );
@@ -188,7 +188,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_endpoint')
+ class('endpoint')
 index('netops')
 source('checkpoint:endpoint')
 );
@@ -203,7 +203,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_sessions')
+ class('sessions')
 index('netops')
 source('checkpoint:sessions')
 );
@@ -218,7 +218,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_network')
+ class('network')
 index('netops')
 source('checkpoint:network')
 );
@@ -246,7 +246,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_ids_malware')
+ class('ids_malware')
 index('netids')
 source('checkpoint:ids_malware')
 );
@@ -259,7 +259,7 @@ block parser app-raw-checkpoint_splunk() {
 };
 rewrite {
 r_set_splunk_dest_update(
- meta_key('checkpoint_splunk_ids')
+ class('ids')
 index('netids')
 source('checkpoint:ids')
 );
@@ -272,7 +272,7 @@ block parser app-raw-checkpoint_splunk() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_email') + class('email') index('email') source('checkpoint:email') ); @@ -283,7 +283,7 @@ block parser app-raw-checkpoint_splunk() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_dlp') + class('dlp') index('netfw') source('checkpoint:firewall') ); @@ -294,14 +294,13 @@ block parser app-raw-checkpoint_splunk() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_os') + class('os') index('netops') ); }; } else { rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk') index('netops') source('checkpoint:cp_default') ); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-alcatel_switch.conf b/package/etc/conf.d/conflib/syslog/app-syslog-alcatel_switch.conf index 07cf47a50e..a0d74db0a2 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-alcatel_switch.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-alcatel_switch.conf @@ -4,7 +4,8 @@ block parser app-syslog-alcatel_switch() { r_set_splunk_dest_default( index('netops') sourcetype('alcatel:switch') - vendor_product("alcatel_switch") + vendor("alcatel") + product("switch") template('t_hdr_msg') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-alsid_syslog.conf b/package/etc/conf.d/conflib/syslog/app-syslog-alsid_syslog.conf index 06762d8130..7ca998f2a8 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-alsid_syslog.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-alsid_syslog.conf @@ -4,7 +4,8 @@ block parser app-syslog-alsid_syslog() { r_set_splunk_dest_default( index('oswinsec') sourcetype('alsid:syslog') - vendor_product("alsid_syslog") + vendor("alsid") + product("syslog") template('t_standard') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-aruba_ap.conf b/package/etc/conf.d/conflib/syslog/app-syslog-aruba_ap.conf index ed82e55d0d..d3a5f8bb6e 100644 
--- a/package/etc/conf.d/conflib/syslog/app-syslog-aruba_ap.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-aruba_ap.conf @@ -5,7 +5,8 @@ block parser app-syslog-aruba_ap() { index('netops') source('aruba:${PROGRAM}') sourcetype('aruba:syslog') - vendor_product("aruba_ap") + vendor("aruba") + product("ap") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-avaya_sipmgr.conf b/package/etc/conf.d/conflib/syslog/app-syslog-avaya_sipmgr.conf index 87e3d04eb9..ef2af9562e 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-avaya_sipmgr.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-avaya_sipmgr.conf @@ -5,7 +5,8 @@ block parser app-syslog-avaya_sipmgr() { index('main') source('avaya:${PROGRAM}') sourcetype('avaya:sipmgr') - vendor_product("avaya_sipmgr") + vendor("avaya") + product("sipmgr") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_legacy.conf b/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_legacy.conf index 01d489c2f4..e15eeb50f6 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_legacy.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_legacy.conf @@ -5,7 +5,8 @@ block parser app-syslog-avi_controller_legacy() { r_set_splunk_dest_default( index('netops') sourcetype('avi:events') - vendor_product("avi_vantage") + vendor("avi") + product("vantage") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_rfc5424.conf b/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_rfc5424.conf index eee183d9ba..f7e9c7d1bc 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_rfc5424.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-avi_controller_rfc5424.conf @@ -12,7 +12,8 @@ block parser app-syslog-avi_controller_rfc5424() { r_set_splunk_dest_default( index('netops') sourcetype('avi:events') - vendor_product("avi_vantage") + vendor("avi") + product("vantage") ); }; rewrite { 
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-avi_vantage.conf b/package/etc/conf.d/conflib/syslog/app-syslog-avi_vantage.conf index c603548649..782ac5a746 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-avi_vantage.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-avi_vantage.conf @@ -4,7 +4,9 @@ block parser app-syslog-avi_vantage() { r_set_splunk_dest_default( index('netops') sourcetype('avi:logs') - vendor_product("avi_vantage_logs") + vendor("avi") + product("vantage") + class('logs') template('t_hdr_msg') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-broadcom_sslva.conf b/package/etc/conf.d/conflib/syslog/app-syslog-broadcom_sslva.conf index e0d484300a..0ca84604c6 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-broadcom_sslva.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-broadcom_sslva.conf @@ -4,7 +4,8 @@ block parser app-syslog-broadcom_sslva() { r_set_splunk_dest_default( index('netproxy') sourcetype('broadcom:sslva') - vendor_product("broadcom_sslva") + vendor("broadcom") + product("sslva") template('t_hdr_msg') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf index f5ddb9f948..a8ed53ce81 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cef.conf @@ -41,7 +41,8 @@ block parser app-syslog-cef() { r_set_splunk_dest_default( index('main') sourcetype('cef') - vendor_product("cef") + vendor("cef") + product('generic') #template('t_cef_message') ); 
@@ -89,8 +90,9 @@ block parser app-syslog-cef() { set("${.values.cef_severity}", value("fields.cef_severity")); r_set_splunk_dest_update( - vendor_product('${.values.cef_device_vendor}_${.values.cef_device_product}') - meta_key('${.values.cef_device_vendor}_${.values.cef_device_product}_${.values.cef_device_event_class}') + vendor('${.values.cef_device_vendor}') + product('${.values.cef_device_product}') + class('${.values.cef_device_event_class}') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-checkpoint_syslog.conf b/package/etc/conf.d/conflib/syslog/app-syslog-checkpoint_syslog.conf index a784bfe206..d39b1abdef 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-checkpoint_syslog.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-checkpoint_syslog.conf @@ -12,7 +12,8 @@ block parser app-syslog-checkpoint_syslog() { r_set_splunk_dest_default( index('netfw') sourcetype('cp_log:syslog') - vendor_product("checkpoint_syslog") + vendor("checkpoint") + product("syslog") template('t_5424_hdr_sdata_msg') ); }; @@ -97,7 +98,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk') + class('nix_${PROGRAM}') index('netops') source('program:${PROGRAM}') sourcetype('nix:syslog') @@ -118,7 +119,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_firewall') + class('firewall') index('netfw') source('checkpoint:firewall') ); @@ -129,7 +130,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_web') + class('web') index('netproxy') source('checkpoint:web') ); @@ -164,7 +165,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_audit') + class('audit') index('netops') source('checkpoint:audit') ); 
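Review bot: The new `vendor(...)`, `product(...)` and `class(...)` values in this hunk are copied verbatim from the CEF header fields the sending device chose, and the update is applied unconditionally, so an empty deviceVendor or deviceProduct leaves an empty component in whatever destination key these fields feed, and any sender can claim any vendor/product pair. The old `vendor_product(...)` line had the same origin, so only the split is new, but these fields are what the destination filters compare against, which argues for a guard that falls back to the `vendor("cef") product('generic')` default set earlier in this file: add `condition("${.values.cef_device_vendor}" ne "" and "${.values.cef_device_product}" ne "")` to this r_set_splunk_dest_update, and consider wrapping the values in `$(lowercase ...)` since every static product in this change is lowercase while CEF vendor strings are typically mixed case. The enclosing parser block and the if-branch this sits in start outside the hunk.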
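Review bot: `class('nix_${PROGRAM}')` in the nix:syslog branch makes the class an open-ended value copied from the syslog PROGRAM header, which the sender controls, whereas every other class in this file is a fixed token and the equivalent branch in app-raw-checkpoint_splunk.conf earlier in this diff simply drops its meta_key and sets no class. If class takes part in destination selection or in naming per-source overrides, a per-program class is either never matchable or unbounded in cardinality. A fixed `class('nix')`, as the f5_bigip parsers in this diff use for the same case, keeps the two Check Point parsers consistent; the program name is already preserved by the existing `source('program:${PROGRAM}')` line.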
@@ -180,7 +181,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_endpoint') + class('endpoint') index('netops') source('checkpoint:endpoint') ); @@ -195,7 +196,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_sessions') + class('sessions') index('netops') source('checkpoint:sessions') ); @@ -210,7 +211,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_network') + class('network') index('netops') source('checkpoint:network') ); @@ -238,7 +239,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_ids_malware') + class('ids_malware') index('netids') source('checkpoint:ids_malware') ); @@ -251,7 +252,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_ids') + class('ids') index('netids') source('checkpoint:ids') ); @@ -264,7 +265,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_email') + class('email') index('email') source('checkpoint:email') ); @@ -275,7 +276,7 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_dlp') + class('dlp') index('netfw') source('checkpoint:firewall') ); @@ -286,14 +287,13 @@ block parser app-syslog-checkpoint_syslog() { }; rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk_os') + class('os') index('netops') ); }; } else { rewrite { r_set_splunk_dest_update( - meta_key('checkpoint_splunk') index('netops') source('checkpoint:cp_default') ); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf index 419bbcfbbb..fbf17411ab 100644 
--- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_acs.conf @@ -36,8 +36,8 @@ block parser app-syslog-cisco_acs() { r_set_splunk_dest_default( index('netauth') sourcetype('cisco:acs') - vendor_product("cisco_acs") - #template('t_acs_message') + vendor("cisco") + product('acs') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_firepower.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_firepower.conf index 7ba2aa308a..3180e92140 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_firepower.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_firepower.conf @@ -4,7 +4,8 @@ block parser app-syslog-cisco_firepower() { r_set_splunk_dest_default( index('netids') sourcetype('cisco:firepower:syslog') - vendor_product("cisco_firepower") + vendor("cisco") + product('firepower') template('t_hdr_msg') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf index dc7cbb3fd5..c5fa804ac8 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf @@ -36,7 +36,8 @@ block parser app-syslog-cisco_ise() { r_set_splunk_dest_default( index('netauth') sourcetype('cisco:ise:syslog') - vendor_product("cisco_ise") + vendor("cisco") + product('ise') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_syslog.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_syslog.conf index 133bd5aa29..ac4663f96f 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_syslog.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_syslog.conf @@ -11,7 +11,8 @@ block parser app-syslog-cisco_syslog() { r_set_splunk_dest_default( index('netops') sourcetype('cisco:ios') - vendor_product("cisco_ios") + vendor("cisco") + product('ios') ); }; 
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_tvcs.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_tvcs.conf index 7132c083e7..9a2328759c 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_tvcs.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_tvcs.conf @@ -3,7 +3,8 @@ block parser app-syslog-cisco_tvcs() { rewrite { r_set_splunk_dest_default( sourcetype('cisco:tvcs') - vendor_product("cisco_tvcs") + vendor("cisco") + product('tvcs') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ucs_hx.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ucs_hx.conf index 3ae6c74a32..5bae78c29d 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ucs_hx.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_ucs_hx.conf @@ -5,7 +5,9 @@ block parser app-syslog-cisco_ucs_hx() { index("infraops") source("program:${PROGRAM}") sourcetype('cisco:ucs:hx') - vendor_product("cisco_ucs_hx") + vendor("cisco") + product('ucs') + class("hx") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-citrix-netscaler_aaa.conf b/package/etc/conf.d/conflib/syslog/app-syslog-citrix-netscaler_aaa.conf index 9c0c3e377e..ac945b52b3 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-citrix-netscaler_aaa.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-citrix-netscaler_aaa.conf @@ -7,7 +7,8 @@ block parser app-syslog-citrix-netscaler_aaa() { r_set_splunk_dest_default( index('netfw') sourcetype('citrix:netscaler:syslog') - vendor_product("citrix_netscaler") + vendor("citrix") + product("netscaler") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-citrix_netscaler_svm.conf b/package/etc/conf.d/conflib/syslog/app-syslog-citrix_netscaler_svm.conf index cb7ad6c8fb..7abe927d1d 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-citrix_netscaler_svm.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-citrix_netscaler_svm.conf 
@@ -31,7 +31,8 @@ block parser app-syslog-citrix_netscaler_svm() { r_set_splunk_dest_default( index('netfw') sourcetype('citrix:netscaler:syslog') - vendor_product("citrix_netscaler") + vendor("citrix") + product("netscaler") ); set("citrix_netscaler", value("fields.sc4s_syslog_format")); r_set_splunk_dest_update( diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_audit.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_audit.conf index 981b615e2c..cd8c052c65 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_audit.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_audit.conf @@ -19,7 +19,9 @@ block parser app-syslog-cohesity_cluster_audit() { r_set_splunk_dest_default( index('infraops') sourcetype('cohesity:cluster:audit') - vendor_product("cohesity_cluster_audit") + vendor("cohesity") + product("cluster") + class('audit') template('t_msg_only') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_dataprotection.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_dataprotection.conf index 9cb5f1f2df..4247ee73e3 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_dataprotection.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_cluster_dataprotection.conf @@ -19,7 +19,9 @@ block parser app-syslog-cohesity_cluster_dataprotection() { r_set_splunk_dest_default( index('infraops') sourcetype('cohesity:cluster:dataprotection') - vendor_product("cohesity_cluster_dataprotection") + vendor("cohesity") + product("cluster") + class('dataprotection') template('t_msg_only') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cylance_protect.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cylance_protect.conf index 91f9f26a66..c36a7895c2 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cylance_protect.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cylance_protect.conf 
@@ -6,7 +6,8 @@ block parser app-syslog-cylance_protect() { r_set_splunk_dest_default( index('epintel') sourcetype('syslog_protect') - vendor_product("cylance_protect") + vendor("cylance") + product("protect") ); }; if { @@ -15,7 +16,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_auditlog') + class('auditlog') index('epintel') sourcetype('syslog_audit_log') ); @@ -26,7 +27,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_threatclassification') + class('threatclassification') index('epintel') sourcetype('syslog_threat_classification') ); @@ -37,7 +38,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_exploitattempt') + class('exploitattempt') index('epintel') sourcetype('syslog_exploit') ); @@ -48,7 +49,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_appcontrol') + class('appcontrol') index('epintel') sourcetype('syslog_app_control') ); @@ -59,7 +60,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_threat') + class('threat') index('epintel') sourcetype('syslog_threat') ); @@ -70,7 +71,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_device') + class('device') index('epintel') sourcetype('syslog_device') ); @@ -81,7 +82,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_devicecontrol') + class('devicecontrol') index('epintel') sourcetype('syslog_device_control') ); @@ -92,7 +93,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_scriptcontrol') + class('scriptcontrol') index('epintel') sourcetype('syslog_script_control') ); 
@@ -103,7 +104,7 @@ block parser app-syslog-cylance_protect() { }; rewrite { r_set_splunk_dest_update( - meta_key('cylance_protect_optics') + class('optics') index('epintel') sourcetype('syslog_optics') ); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf b/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf index 440b49dfe8..5d2a3503f6 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-dell_poweredge_idrac.conf @@ -22,7 +22,9 @@ block parser app-syslog-dell_poweredge_idrac() { r_set_splunk_dest_default( index('infraops') sourcetype('dell:poweredge:idrac:syslog') - vendor_product("dell_poweredge_idrac") + vendor("dell") + product("poweredge") + class('idrac') ); }; rewrite{ diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-example.conf b/package/etc/conf.d/conflib/syslog/app-syslog-example.conf index 3275636095..b926edfbd7 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-example.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-example.conf @@ -4,12 +4,10 @@ block parser app-syslog-example() { r_set_splunk_dest_default( index('main') sourcetype('sc4s:local_example') - vendor_product("local_example") - dest_key("LOCAL_EXAMPLE") + vendor('local') + product('example') ); }; - - }; }; application app-syslog-example[sc4s-syslog] { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip.conf b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip.conf index e67a0bc336..8bb9cfede4 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip.conf @@ -5,8 +5,8 @@ block parser app-syslog-f5_bigip() { index("netops") source("program:${PROGRAM}") sourcetype('f5:bigip:syslog') - vendor_product("f5_bigip") - dest_key("F5_BIGIP") + vendor('f5') + product('bigip') ); }; if { 
@@ -65,7 +65,7 @@ block parser app-syslog-f5_bigip() { }; rewrite { r_set_splunk_dest_update( - meta_key('f5_bigip_nix') + class('nix') sourcetype('nix:syslog') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_asm.conf b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_asm.conf index 919cb3df9b..7e923a023c 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_asm.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_asm.conf @@ -4,8 +4,9 @@ block parser app-syslog-f5_bigip_irule_asm() { r_set_splunk_dest_default( index("netwaf") sourcetype('f5:bigip:asm:syslog') - vendor_product("f5_bigip_asm") - dest_key("F5_BIGIP") + vendor('f5') + product('bigip') + class("asm") ); set("f5_bigip_asm", value("fields.sc4s_syslog_format")); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_json.conf b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_json.conf index a6c3ade718..03c392b9b1 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_json.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_json.conf @@ -4,8 +4,9 @@ block parser app-syslog-f5_bigip_irule_json() { r_set_splunk_dest_default( index("netops") sourcetype('f5:bigip:ltm:access_json') - vendor_product("f5_bigip_access_json") - dest_key("F5_BIGIP") + vendor('f5') + product('bigip') + class("access_json") ); set("f5_bigip_irule_json", value("fields.sc4s_syslog_format")); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_splunk.conf b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_splunk.conf index d78a6b898a..c814f5850f 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_splunk.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_irule_splunk.conf 
@@ -11,8 +11,9 @@ block parser app-syslog-f5_bigip_irule_splunk() { index('netops') source('f5:hsl') sourcetype('f5:bigip:irule') - vendor_product("f5_bigip_irule") - dest_key("F5_BIGIP") + vendor('f5') + product('bigip') + class("irule") ); set("${.tmp.host}", value("HOST")); set("${.tmp.category}", value(".f5.irule")); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_structured.conf b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_structured.conf index d730dd7bc0..42cba844bc 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_structured.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-f5_bigip_structured.conf @@ -4,8 +4,8 @@ block parser app-syslog-f5_bigip_structured() { r_set_splunk_dest_default( index("netops") sourcetype('f5:bigip:syslog') - vendor_product("f5_bigip") - dest_key("F5_BIGIP") + vendor('f5') + product('bigip') ); }; @@ -24,7 +24,7 @@ block parser app-syslog-f5_bigip_structured() { }; rewrite { r_set_splunk_dest_update( - meta_key('f5_bigip_nix') + class('nix') sourcetype('nix:syslog') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf b/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf index fe4f9af7f9..b00c599d2c 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf @@ -19,8 +19,8 @@ block parser app-syslog-fireeye-json() { r_set_splunk_dest_default( index('fireeye') sourcetype('fe_json') - vendor_product("fireeye_json") - dest_key("FIREEYE") + vendor("fireeye") + product('${.values.product}') ); set("hx_json", value(".splunk.sourcetype") condition( "${.values.product}" eq "HX" )); set("${.values.alert.host.hostname}", value("HOST") condition( "${.values.alert.host.hostname}" ne "")); 
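Review bot: `product('${.values.product}')` takes the product key from the event's own JSON `product` field with no fallback for an empty value, and the context line two below compares that field against the uppercase `"HX"`, while every static product in this change is lowercase. If these fields build the destination/override key (not shown here), FireEye events would be keyed as `fireeye_HX` or, for a missing field, `fireeye_` rather than a predictable lowercase name. Suggest keeping a fixed `product('json')` in r_set_splunk_dest_default and applying the event value afterwards with `r_set_splunk_dest_update(product('$(lowercase ${.values.product})') condition("${.values.product}" ne ""));`, the pattern app-syslog-fortigate_fortios.conf uses in this diff for the event-derived `${.values.type}`.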
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf b/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf index cc73943e11..f07b363eb2 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-forcepoint_webprotect.conf @@ -4,7 +4,7 @@ block parser app-syslog-forcepoint_webprotect() { r_set_splunk_dest_default( index("netproxy") sourcetype('websense:cg:kv') - vendor_product("forcepoint") + vendor("forcepoint") ); subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global")); }; @@ -23,7 +23,7 @@ block parser app-syslog-forcepoint_webprotect() { sourcetype('websense:cg:kv') template('t_msg_only') index("netproxy") - meta_key('forcepoint_webprotect') + product("webprotect") ); }; } elif { @@ -36,7 +36,7 @@ block parser app-syslog-forcepoint_webprotect() { sourcetype('forcepoint:email:kv') template('t_msg_only') index('email') - meta_key('forcepoint_email') + product('email') ); }; }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf index 6a0c2b0d53..9701a67547 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortios.conf @@ -19,8 +19,8 @@ block parser app-syslog-fortigate_fortios() { r_set_splunk_dest_default( index('netops') sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_log') - vendor_product("fortinet_fortios") - dest_key("FORTINET") + vendor("fortinet") + product("fortios") ); set("${.values.devname}", value("HOST")); set("$(template t_hdr_msg)" value("MESSAGE")); 
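Review bot: The default block now sets `vendor("forcepoint")` with no product, and a product is only assigned in the two format-specific branches below (`webprotect`, `email`). An event that matches neither branch — the `elif` suggests the chain may not be exhaustive, though its tail is outside the hunk — would carry a vendor and an empty product, which is not equivalent to the removed `vendor_product("forcepoint")`. Give the first hunk a complete default, e.g. `vendor("forcepoint") product("webprotect")`, so the branch-level `product(...)` calls only override it.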
@@ -74,7 +74,7 @@ block parser app-syslog-fortigate_fortios() { rewrite { r_set_splunk_dest_update( - meta_key('fortinet_fortios_${.values.type}') + class('${.values.type}') index('netops') sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}') condition(match("event" value(".values.type"))) @@ -82,7 +82,7 @@ block parser app-syslog-fortigate_fortios() { }; rewrite { r_set_splunk_dest_update( - meta_key('fortinet_fortios_${.values.type}') + class('${.values.type}') index('netfw') sourcetype('`SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX`_${.values.type}') condition(match("traffic|utm|anomaly" value(".values.type"))) diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf index 1a6c2af9cb..e80f8fb189 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-fortigate_fortiweb.conf @@ -19,8 +19,8 @@ block parser app-syslog-fortigate_fortiweb() { r_set_splunk_dest_default( index('netops') sourcetype('fwb_log') - vendor_product("fortigate_fortiweb") - dest_key("FORTINET") + vendor("fortigate") + product("fortiweb") ); set("${.values.devname}", value("HOST")); @@ -47,7 +47,7 @@ block parser app-syslog-fortigate_fortiweb() { if (match("traffic" value(".values.type"))) { rewrite { r_set_splunk_dest_update( - meta_key('fortinet_fortiweb_traffic') + class('traffic') index('netfw') sourcetype('fwb_traffic') ); @@ -55,7 +55,7 @@ block parser app-syslog-fortigate_fortiweb() { } elif (match("attack" value(".values.type"))) { rewrite { r_set_splunk_dest_update( - meta_key('fortinet_fortiweb_attack') + class('attack') index('netids') sourcetype('fwb_attack') ); 
@@ -63,7 +63,7 @@ block parser app-syslog-fortigate_fortiweb() { } elif (match("event" value(".values.type"))) { rewrite { r_set_splunk_dest_update( - meta_key('fortinet_fortiweb_event') + class('event') index('netops') sourcetype('fwb_event') ); @@ -71,7 +71,7 @@ block parser app-syslog-fortigate_fortiweb() { } else { rewrite { r_set_splunk_dest_update( - meta_key('fortinet_fortiweb_log') + class('log') index('netops') sourcetype('fwb_log') ); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-github_ent.conf b/package/etc/conf.d/conflib/syslog/app-syslog-github_ent.conf index 4ddc406ac8..12710e45e1 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-github_ent.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-github_ent.conf @@ -5,7 +5,9 @@ block parser app-syslog-github_ent() { index("gitops") source("github:enterprise:audit") sourcetype('github:enterprise:audit') - vendor_product("github_ent") + vendor("github") + product("ent") + class('audit') template("t_msg_only") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-haproxy.conf b/package/etc/conf.d/conflib/syslog/app-syslog-haproxy.conf index 264f51b4e3..d3f3b63beb 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-haproxy.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-haproxy.conf @@ -6,7 +6,9 @@ block parser app-syslog-haproxy() { index("netlb") source("program:haproxy") sourcetype('haproxy:tcp') - vendor_product("haproxy_syslog") + vendor("haproxy") + product("syslog") + class('idrac') template('t_hdr_msg') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_ilo.conf b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_ilo.conf index e343e3665c..2a27db4a82 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_ilo.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_ilo.conf 
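Review bot: `class('idrac')` on the haproxy default looks like a copy-paste from the dell_poweredge_idrac hunk earlier in this diff; haproxy has nothing to do with iDRAC, and if class is part of the routing or override key this labels every haproxy event as an iDRAC class. None of the other single-product parsers in this diff set a class when there is no sub-type, so the fix is to drop that line and leave `vendor("haproxy") product("syslog")`.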
@@ -5,7 +5,8 @@ block parser app-syslog-hpe_ilo() { r_set_splunk_dest_default( index("infraops") sourcetype('hpe:ilo') - vendor_product("hpe_ilo") + vendor("hpe") + product("ilo") template('t_5424_hdr_sdata_msg') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_jetdirect.conf b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_jetdirect.conf index 9ce4bb880d..f1413b4265 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_jetdirect.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_jetdirect.conf @@ -43,7 +43,8 @@ block parser app-syslog-hpe_jetdirect() { r_set_splunk_dest_default( index('print') sourcetype('hpe:jetdirect') - vendor_product("hpe_jetdirect") + vendor("hpe") + product("jetdirect") ); set("hpe_jetdirect", value("fields.sc4s_syslog_format")); groupunset(values('.tmp.*')); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt1.conf b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt1.conf index cd3a26c81a..d77efc7483 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt1.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt1.conf @@ -27,7 +27,9 @@ block parser app-syslog-hpe_procurve_fmt1() { index("netops") source('hpe:procurve:$(lowercase ${.tmp.category})') sourcetype('hpe:procurve') - vendor_product("hpe_procurve") + vendor("hpe") + product("procurve") + class('$(lowercase ${.tmp.category})') ); groupunset(values('.tmp.*')); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt2.conf b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt2.conf index 57d0ffc86c..a249addc19 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt2.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_procurve_fmt2.conf 
@@ -14,7 +14,9 @@ block parser app-syslog-hpe_procurve_fmt2() { index("netops") source('hpe:procurve:${tmp.category}') sourcetype('hpe:procurve') - vendor_product("hpe_procurve") + vendor("hpe") + product("procurve") + class('$(lowercase ${.tmp.category})') ); }; rewrite { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-isc_bind.conf b/package/etc/conf.d/conflib/syslog/app-syslog-isc_bind.conf index db710bd8a2..1f045c4d5a 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-isc_bind.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-isc_bind.conf @@ -5,7 +5,8 @@ block parser app-syslog-isc_bind() { index("netdns") source("program:named") sourcetype('isc:bind') - vendor_product("isc_bind") + vendor("isc") + product("bind") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-isc_dhcp.conf b/package/etc/conf.d/conflib/syslog/app-syslog-isc_dhcp.conf index f6b1ac383c..080aa0b0f1 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-isc_dhcp.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-isc_dhcp.conf @@ -5,7 +5,8 @@ block parser app-syslog-isc_dhcp() { index("netipam") source("program:dhcpd") sourcetype('isc:dhcp') - vendor_product("isc_dhcpd") + vendor("isc") + product("dhcpd") ); set("1", value(".is_known_nix")); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-json.conf b/package/etc/conf.d/conflib/syslog/app-syslog-json.conf index 209d11066a..4619238037 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-json.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-json.conf @@ -3,7 +3,8 @@ block parser app-syslog-json() { rewrite { r_set_splunk_dest_default( sourcetype('json') - vendor_product("generic_json") + vendor("json") + product('generic') ); set("json", value("fields.sc4s_syslog_format")); set("t_msg_trim", value(".splunk.sc4s_template")); 
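Review bot: The new `class('$(lowercase ${.tmp.category})')` reads `${.tmp.category}`, but the context line directly above builds the source from `${tmp.category}` without the leading dot, which is a different name-value pair and would most likely expand to an empty string, leaving the source as `hpe:procurve:`. The fmt1 variant in the preceding hunk uses `$(lowercase ${.tmp.category})` for both fields; the source line here should probably read `source('hpe:procurve:$(lowercase ${.tmp.category})')`. The mismatch predates this commit, but the added line now makes the two disagree visibly.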
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-juniper.conf b/package/etc/conf.d/conflib/syslog/app-syslog-juniper.conf index 8938b12a67..e409683f5a 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-juniper.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-juniper.conf @@ -4,7 +4,8 @@ block parser app-syslog-juniper() { r_set_splunk_dest_default( index("netops") sourcetype('juniper:unknown') - vendor_product("juniper_structured") + vendor("juniper") + product("junos_structured") ); }; if { @@ -14,8 +15,6 @@ block parser app-syslog-juniper() { r_set_splunk_dest_default( index('netops') sourcetype('juniper:structured') - vendor_product("juniper_structured") - dest_key("JUNIPER_JUNOS_STRUCTURED") ); }; @@ -23,7 +22,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netids') - meta_key('juniper_idp_structured') + class('idp') sourcetype('juniper:junos:idp:structured') ); }; @@ -31,7 +30,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('juniper_junos_fw_structured') + class('fw') sourcetype('juniper:junos:firewall:structured') ); }; @@ -39,7 +38,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netids') - meta_key('juniper_junos_ids_structured') + class('ids') sourcetype('juniper:junos:firewall:structured') ); }; @@ -47,7 +46,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('juniper_junos_utm_structured') + class('utm') sourcetype('juniper:junos:firewall:structured') ); }; @@ -55,7 +54,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('juniper_junos_aamw_structured') + class('aamw') sourcetype('juniper:junos:aamw:structured') ); }; 
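Review bot: `product("junos_structured")` is now set by r_set_splunk_dest_default at the top of the parser before the format is known, and the legacy branch later calls r_set_splunk_dest_default again with `product("junos")`. If, as the name suggests, the _default variant only fills fields that are still unset, legacy events would keep product junos_structured and `product("junos")` would never take effect; if it overwrites, the top-level assignment is redundant. Either way the product belongs with the format decision: keep `vendor("juniper")` at the top, set `product("junos_structured")` inside the structured branch (which currently sets none after the removal) and `product("junos")` in the legacy branch, using r_set_splunk_dest_update there if _default does not overwrite.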
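Review bot: The structured firewall branch uses `class('fw')` while the legacy firewall branch further down this file uses `class('firewall')` for the same log type, even though `idp`, `ids` and `utm` are spelled identically in both. If class names feed per-class overrides, operators would need two spellings for one thing; `class('firewall')` here keeps the two branches aligned.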
@@ -63,7 +62,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('juniper_junos_secintel_structured') + class('secintel') sourcetype('juniper:junos:secintel:structured') ); }; @@ -74,15 +73,15 @@ block parser app-syslog-juniper() { r_set_splunk_dest_default( index('netops') sourcetype('juniper:legacy') - vendor_product("juniper_junos") - dest_key("JUNIPER_JUNOS") + vendor("juniper") + product("junos") ); }; if (program('RT_IDP' type(string) flags(prefix))) { rewrite { r_set_splunk_dest_update( index('netids') - meta_key('juniper_idp') + class('idp') sourcetype('juniper:junos:idp') ); }; @@ -90,7 +89,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('juniper_junos_fw') + class('firewall') sourcetype('juniper:junos:firewall') ); }; @@ -98,7 +97,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('juniper_junos_fw') + class('firewall') sourcetype('juniper:junos:firewall') ); }; @@ -106,7 +105,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netids') - meta_key('juniper_junos_ids') + class('ids') sourcetype('juniper:junos:firewall') ); }; @@ -114,7 +113,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('juniper_junos_utm') + class('utm') sourcetype('juniper:junos:firewall') ); }; @@ -122,7 +121,7 @@ block parser app-syslog-juniper() { rewrite { r_set_splunk_dest_update( index('netops') - meta_key('juniper_legacy') + class('snmp') sourcetype('juniper:junos:snmp') ); }; @@ -130,7 +129,7 @@ block parser app-syslog-juniper() { else { rewrite { r_set_splunk_dest_update( - meta_key('juniper_legacy') + class('legacy') sourcetype('juniper:legacy') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-juniper_netscreen.conf b/package/etc/conf.d/conflib/syslog/app-syslog-juniper_netscreen.conf index c8986ecc2d..95b3017829 100644 
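Review bot: The legacy branches in this file's hunks set `class('firewall')` while the structured branches earlier in the same file set `class('fw')` for the equivalent events, so a downstream filter on the new class field has to match two spellings for one log type. Pick one value (`class('fw')` also matches what the ubiquiti parser uses later in this patch) and use it in both branches. The `else` branch's `class('legacy')` only repeats what the sourcetype already says; a comment stating what "legacy" means here, or leaving class unset for unclassified events, would be more useful to readers. The enclosing parser block starts before these hunks.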
--- a/package/etc/conf.d/conflib/syslog/app-syslog-juniper_netscreen.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-juniper_netscreen.conf @@ -5,7 +5,8 @@ block parser app-syslog-juniper_netscreen() { index("netfw") source("program:dhcpd") sourcetype('netscreen:firewall') - vendor_product("juniper_netscreen") + vendor("juniper") + product("netscreen") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-leef.conf b/package/etc/conf.d/conflib/syslog/app-syslog-leef.conf index 2f6fc9ec1c..62389efcef 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-leef.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-leef.conf @@ -111,7 +111,8 @@ block parser app-syslog-leef() { rewrite { r_set_splunk_dest_default( sourcetype('leef') - vendor_product("leef") + vendor("leef") + product('generic') ); set("leef", value("fields.sc4s_syslog_format")); set("t_leef_event", value(".splunk.sc4s_template")); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_epo.conf b/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_epo.conf index bbac8d10ea..90c65d053c 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_epo.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_epo.conf @@ -5,7 +5,8 @@ block parser app-syslog-mcafee_epo() { index("epav") source("epo") sourcetype('mcafee:epo:syslog') - vendor_product("mcafee_epo") + vendor("mcafee") + product("epo") ); }; parser { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_nsp.conf b/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_nsp.conf index 25e3056dd6..9365566b7f 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_nsp.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_nsp.conf @@ -4,7 +4,8 @@ block parser app-syslog-mcafee_nsp() { r_set_splunk_dest_default( index("netids") sourcetype('mcafee:nsp') - vendor_product("mcafee_nsp") + vendor("mcafee") + product("nsp") template("t_msg_only") ); }; 
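Review bot: The juniper_netscreen hunk keeps `source("program:dhcpd")` as the Splunk source for `netscreen:firewall` events, which looks like a leftover copied from the isc_dhcp parser above rather than anything a NetScreen firewall emits, so firewall events are labelled as coming from a DHCP daemon. This is pre-existing rather than introduced here, but since the block is being rewritten it is the moment to replace it with a value derived from the message program or to drop the `source()` line and let the default apply. The parser block starts above the hunk.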
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_wg.conf b/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_wg.conf index 863035e990..8848802260 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_wg.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_wg.conf @@ -5,7 +5,8 @@ block parser app-syslog-mcafee_wg() { index("netproxy") source("mcafee:wg") sourcetype('mcafee:wg:kv') - vendor_product("mcafee_wg") + vendor("mcafee") + product("wg") ); }; parser { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf b/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf index 48eafcfcd1..41c7219bea 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf @@ -22,13 +22,14 @@ block parser app-syslog-netapp_ontap() { r_set_splunk_dest_default( index("infraops") sourcetype('ontap:ems') - vendor_product("netapp_ontap") + vendor("netapp") + product("ontap") ); }; rewrite { r_set_splunk_dest_update( - meta_key('netapp_ontap_ems') + class('ems') ); }; rewrite { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-netmotion_reporting.conf b/package/etc/conf.d/conflib/syslog/app-syslog-netmotion_reporting.conf index 80020d1ee6..5cfb04412c 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-netmotion_reporting.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-netmotion_reporting.conf @@ -4,7 +4,8 @@ block parser app-syslog-netmotion_reporting() { r_set_splunk_dest_default( index("netops") sourcetype('netmotion:reporting') - vendor_product("netmotion_reporting") + vendor("netmotion") + product("reporting") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-ossec.conf b/package/etc/conf.d/conflib/syslog/app-syslog-ossec.conf index 44fb062dd2..010fb3b7e4 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-ossec.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-ossec.conf 
@@ -5,7 +5,8 @@ block parser app-syslog-ossec() { index("main") source("ossec:alerts") sourcetype('ossec') - vendor_product("ossec") + vendor("ossec") + product("agent") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf b/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf index 18b7d64168..fd62904f19 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf @@ -4,8 +4,8 @@ block parser app-syslog-pan_panos() { r_set_splunk_dest_default( index("netops") sourcetype('pan:log') - vendor_product("pan_log") - dest_key("PALOALTO_PANOS") + vendor("pan") + product('panos') ); set("$HOST", value("fields.pan_forwarder"), condition( program("logforwarder"))); }; @@ -24,7 +24,7 @@ block parser app-syslog-pan_panos() { rewrite { r_set_splunk_dest_update( index('netproxy') - meta_key('pan_threat') + class('threat') sourcetype('pan:threat') ); }; @@ -41,7 +41,7 @@ block parser app-syslog-pan_panos() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('pan_traffic') + class('traffic') sourcetype('pan:traffic') ); }; @@ -58,7 +58,7 @@ block parser app-syslog-pan_panos() { rewrite { r_set_splunk_dest_update( index('netops') - meta_key('pan_system') + class('system') sourcetype('pan:system') ); }; @@ -75,7 +75,7 @@ block parser app-syslog-pan_panos() { rewrite { r_set_splunk_dest_update( index('netops') - meta_key('pan_config') + class('config') sourcetype('pan:config') ); }; @@ -92,7 +92,7 @@ block parser app-syslog-pan_panos() { rewrite { r_set_splunk_dest_update( index('epintel') - meta_key('pan_hipmatch') + class('hipmatch') sourcetype('pan:hipmatch') ); }; @@ -108,7 +108,7 @@ block parser app-syslog-pan_panos() { }; rewrite{ r_set_splunk_dest_update( - meta_key('pan_correlation') + class('correlation') sourcetype('pan:correlation') ); }; 
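Review bot: In the pan_panos hunk the lookup key changes from `pan_log` to `pan_panos` and `dest_key("PALOALTO_PANOS")` is removed, so if the per-source variables and splunk_metadata.csv rows are derived from this key (the destination filters later in this patch compare `${fields.sc4s_vendor}_${fields.sc4s_product}`), every existing `SC4S_DEST_PALOALTO_PANOS_*`, `SC4S_ARCHIVE_PALOALTO_PANOS` and `pan_log,index,...` override silently stops applying to firewall traffic. That is a quiet way to lose or mis-route security logs; the rename should be listed as a breaking change, or `vendor("paloalto") product("panos")` chosen so at least the env-var prefix survives. The ossec hunk has the same shape (`ossec` becomes `ossec_agent`). Both parser blocks start above their hunks.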
@@ -125,7 +125,7 @@ block parser app-syslog-pan_panos() { rewrite { r_set_splunk_dest_update( index('netauth') - meta_key('pan_userid') + class('userid') sourcetype('pan:userid') ); }; @@ -133,7 +133,7 @@ block parser app-syslog-pan_panos() { rewrite { r_set_splunk_dest_update( index('netfw') - meta_key('pan_globalprotect') + class('globalprotect') sourcetype('pan:globalprotect') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-polycom_rprm.conf b/package/etc/conf.d/conflib/syslog/app-syslog-polycom_rprm.conf index c9645a158f..3dcce35fad 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-polycom_rprm.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-polycom_rprm.conf @@ -4,7 +4,8 @@ block parser app-syslog-polycom_rprm() { r_set_splunk_dest_default( index('netops') sourcetype('polycom:rprm:syslog') - vendor_product("polycom_rprm") + vendor("polycom") + product("rprm") template('t_5424_hdr_sdata_msg') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-pulse_connect_secure.conf b/package/etc/conf.d/conflib/syslog/app-syslog-pulse_connect_secure.conf index 6541fdcb42..b3ba63a656 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-pulse_connect_secure.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-pulse_connect_secure.conf @@ -4,14 +4,15 @@ block parser app-syslog-pulse_connect_secure() { r_set_splunk_dest_default( index("netfw") sourcetype('pulse:connectsecure') - vendor_product("pulse_connect_secure") + vendor("pulse_connect") + product("secure") ); }; if { filter{message("Access blocked" type(string) flags(substring)) or message("WebRequest" type(string) flags(substring))}; rewrite { r_set_splunk_dest_update( - meta_key('pulse_connect_secure_web') + class('web') index('netproxy') sourcetype('pulse:connectsecure:web') ); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-pure_storage.conf b/package/etc/conf.d/conflib/syslog/app-syslog-pure_storage.conf index e8ac1808f4..aed45b732c 100644 
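Review bot: In the pulse_connect_secure hunk, `vendor("pulse_connect") product("secure")` preserves the compound key `pulse_connect_secure` but leaves `fields.sc4s_vendor` holding `pulse_connect`, which is not a vendor name and will look wrong in any search or lookup built on the new split fields. Either accept a key rename and write `vendor("pulse") product("connect_secure")`, or keep the split and add above it `# vendor/product split chosen to keep the legacy pulse_connect_secure key; sc4s_vendor is therefore not the real vendor name`. The parser block starts above the hunk.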
--- a/package/etc/conf.d/conflib/syslog/app-syslog-pure_storage.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-pure_storage.conf @@ -4,7 +4,8 @@ block parser app-syslog-pure_storage() { r_set_splunk_dest_default( index("infraops") sourcetype('purestorage:array') - vendor_product("purestorage_array") + vendor("purestorage") + product("array") template('t_msg_only') ); }; @@ -18,7 +19,7 @@ block parser app-syslog-pure_storage() { rewrite { r_set_splunk_dest_update( sourcetype('purestorage:array:${.tmp.category}') - meta_key('purestorage_array_${.tmp.category}') + class('${.tmp.category}') ); }; rewrite { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-qumulo.conf b/package/etc/conf.d/conflib/syslog/app-syslog-qumulo.conf index 20b562229d..1134fb4c61 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-qumulo.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-qumulo.conf @@ -4,7 +4,8 @@ block parser app-syslog-qumulo() { r_set_splunk_dest_default( index("infraops") sourcetype('qumulo:storage') - vendor_product("qumulo_storage") + vendor("qumulo") + product("storage") template('t_msg_only') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_a.conf b/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_a.conf index 1ff2ca9255..628c19052f 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_a.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_a.conf @@ -9,7 +9,8 @@ block parser app-syslog-rawdware_defensepro_a() { r_set_splunk_dest_default( index('netops') sourcetype('radware:defensepro') - vendor_product("radware_defensepro") + vendor("radware") + product("defensepro") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_b.conf b/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_b.conf index e88f80fb4b..0ea78189de 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_b.conf 
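Review bot: The pure_storage hunk sets `class('${.tmp.category}')` straight from a value parsed out of the message, whereas the hpe_procurve hunk at the top of this patch normalises the same kind of value with `$(lowercase ...)`; since class is now routing metadata, the two should agree, e.g. `class('$(lowercase ${.tmp.category})')`. A short comment naming where `.tmp.category` is extracted (that parser is above the hunk) would also help, as nothing in the hunk shows its allowed values.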
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-rawdware_defensepro_b.conf @@ -12,7 +12,8 @@ block parser app-syslog-rawdware_defensepro_b() { r_set_splunk_dest_default( index('netops') sourcetype('radware:defensepro') - vendor_product("radware_defensepro") + vendor("radware") + product("defensepro") ); set("${.tmp.host}", value('HOST')); set("radware_defensepro", value("fields.sc4s_syslog_format")); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-ricoh_syslog.conf b/package/etc/conf.d/conflib/syslog/app-syslog-ricoh_syslog.conf index 009ad95d4d..9e3b031734 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-ricoh_syslog.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-ricoh_syslog.conf @@ -4,7 +4,8 @@ block parser app-syslog-ricoh_syslog() { r_set_splunk_dest_default( index("print") sourcetype('ricoh:mfp') - vendor_product("ricoh_syslog") + vendor("ricoh") + product("mfp") ); set("${PROGRAM}", value("HOST") condition("`SC4S_SOURCE_RICOH_SYSLOG_FIXHOST`" eq "yes")); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf b/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf index 25310feb92..41496f5f93 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf @@ -5,7 +5,8 @@ block parser app-syslog-solace_eventbroker() { r_set_splunk_dest_default( index('main') sourcetype('solace:eventbroker') - vendor_product("solace_eventbroker") + vendor("solace") + product("eventbroker") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-splunk_cooked.conf b/package/etc/conf.d/conflib/syslog/app-syslog-splunk_cooked.conf index 4a96b6276e..2b59af7a00 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-splunk_cooked.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-splunk_cooked.conf 
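Review bot: The ricoh hunk renames the key from `ricoh_syslog` to `ricoh_mfp` via `product("mfp")`, but the unchanged next line still reads `SC4S_SOURCE_RICOH_SYSLOG_FIXHOST`, so this source's settings are now spread over two naming schemes. Unless that variable is deliberately frozen for compatibility, either keep `product("syslog")` or plan a rename of the variable with a deprecation note in the source docs; a comment such as `# env var keeps the legacy RICOH_SYSLOG name on purpose` would settle it either way. The radware_defensepro_b hunk above it is a straightforward split.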
@@ -3,8 +3,9 @@ block parser app-syslog-splunk_cooked() { rewrite { r_set_splunk_dest_default( index("main") - sourcetype('splunk:relay') - vendor_product("splunk_cooked") + sourcetype('splunk:cooked') + vendor("splunk") + product("cooked") ); }; rewrite { @@ -13,7 +14,6 @@ block parser app-syslog-splunk_cooked() { source('${.SDATA.fields@274489.s}') sourcetype('${.SDATA.fields@274489.st}') template("t_msg_only") - vendor_product("splunk_cooked") ); }; rewrite{ diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf index d625e01358..5c9c951265 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_brightmail.conf @@ -5,7 +5,8 @@ block parser app-syslog-symantec_brightmail() { index("email") source("program:${PROGRAM}") sourcetype('symantec:smg') - vendor_product("symantec_brightmail") + vendor("symantec") + product("brightmail") ); }; if { diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_ep.conf b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_ep.conf index 5c827f21d6..a2dd38eca6 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_ep.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_ep.conf @@ -4,8 +4,8 @@ block parser app-syslog-symantec_ep() { r_set_splunk_dest_default( index("epav") sourcetype('symantec:ep:syslog') - vendor_product("symantec_ep") - dest_key("SYMANTEC_EP") + vendor("symantec") + product("ep") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_proxysg.conf b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_proxysg.conf index 7df2b7012b..eca8184e61 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-symantec_proxysg.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-symantec_proxysg.conf 
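Review bot: The splunk_cooked hunk changes the default sourcetype from `splunk:relay` to `splunk:cooked` for any event that does not carry the `fields@274489` SDATA, which is a user-visible change to indexed data that props/transforms and saved searches may depend on, and nothing else in the patch mentions it. If the rename is intentional it should appear in the changelog; otherwise keep `sourcetype('splunk:relay')` and only replace the vendor_product line. Dropping the second `vendor_product` from the SDATA-driven update is fine since the default rewrite already sets vendor and product. The parser block continues past the second hunk.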
@@ -4,8 +4,9 @@ block parser app-syslog-symantec_proxysg() { r_set_splunk_dest_default( index("netproxy") sourcetype('bluecoat:proxysg:access:kv') - vendor_product("bluecoat_proxy") - dest_key("SYMANTEC_PROXY") + vendor('symantec') + product('proxy') + class('splunkkv') ); subst( "([-_a-zA-Z\(\)]+=(\"-\"|-| ))", diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_error.conf b/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_error.conf index 1a11f588e3..1f6053dbe4 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_error.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_error.conf @@ -4,8 +4,9 @@ block parser app-syslog-syslog-ng_error() { r_set_splunk_dest_default( index("main") sourcetype('sc4s:fallback') - vendor_product("sc4s_fallback") - dest_key("SYSLOGNG_ERROR") + vendor('splunk') + product('sc4s') + class('fallback') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_loggen.conf b/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_loggen.conf index b61d70bd7d..cc10af7e6a 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_loggen.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-syslog-ng_loggen.conf @@ -4,7 +4,8 @@ block parser app-syslog-syslog-ng_loggen() { r_set_splunk_dest_default( index("main") sourcetype('syslogng:loggen') - vendor_product("syslogng_loggen") + vendor("syslogng") + product("loggen") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-tanium.conf b/package/etc/conf.d/conflib/syslog/app-syslog-tanium.conf index 94a3592aa5..0db71f40bc 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-tanium.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-tanium.conf 
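Review bot: The symantec_proxysg hunk moves the metadata key from `bluecoat_proxy` to `symantec_proxy` while the event keeps sourcetype `bluecoat:proxysg:access:kv`, so any `bluecoat_proxy,index,...` row in an operator's splunk_metadata.csv stops matching and proxy access logs land in the default index, which may have different retention and access controls. The old `dest_key("SYMANTEC_PROXY")` suggests the env-var family was already `SYMANTEC_PROXY`, so only the CSV key moves; list that as a breaking change. `class('splunkkv')` describes the encoding rather than a log class; a comment such as `# class marks the Splunk KV access-log format, not a product class` would help, or use a value like `access` as the other hunks do for log types. The syslog-ng_error hunk's `class('fallback')` is clear as written.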
@@ -9,7 +9,8 @@ block parser app-syslog-tanium() { r_set_splunk_dest_default( index("epintel") sourcetype('tanium') - vendor_product("tanium") + vendor("tanium") + product("syslog") ); set("${.SDATA.tanium_droid@017472.Question}", value(".tmp.question")); subst(" ", '', value(".tanium.question")); diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-tenable_syslog.conf b/package/etc/conf.d/conflib/syslog/app-syslog-tenable_syslog.conf index 54f92b042b..61b3ddd74b 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-tenable_syslog.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-tenable_syslog.conf @@ -4,7 +4,8 @@ block parser app-syslog-tenable_syslog() { r_set_splunk_dest_default( index('netfw') sourcetype('tenable:nnm:vuln') - vendor_product("tenable_nnm") + vendor("tenable") + product("nnm") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-tintri.conf b/package/etc/conf.d/conflib/syslog/app-syslog-tintri.conf index 3cfcd1afc3..8980c3af3d 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-tintri.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-tintri.conf @@ -4,7 +4,8 @@ block parser app-syslog-tintri() { r_set_splunk_dest_default( index('infraops') sourcetype('tintri') - vendor_product("tintri") + vendor("tintri") + product("syslog") ); }; }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-ubiquiti_unifi.conf b/package/etc/conf.d/conflib/syslog/app-syslog-ubiquiti_unifi.conf index 5af55c61ef..91fd0f3932 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-ubiquiti_unifi.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-ubiquiti_unifi.conf @@ -12,7 +12,8 @@ block parser app-syslog-ubiquiti_unifi() { r_set_splunk_dest_default( index('netops') sourcetype('ubnt') - vendor_product("ubiquiti_unifi") + vendor("ubiquiti") + product("unifi") ); set("${.tmp.host}" value("HOST") condition("$1" ne "" and not match('^U[A-Z0-9\-a-z]+$', value("1")))); groupunset(values('.tmp.*')); 
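Review bot: Both the tanium and tintri hunks use `product("syslog")`, which names the transport rather than a product, and in doing so rename the keys existing overrides use (`tanium` becomes `tanium_syslog`, `tintri` becomes `tintri_syslog`). If no better product name is known, say so in place: `# product unknown for this feed; "syslog" is a placeholder, key is tanium_syslog`, so the value is not mistaken for a real product line. The tenable and ubiquiti hunks are plain splits and look fine.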
@@ -21,84 +22,84 @@ block parser app-syslog-ubiquiti_unifi() { if (message('^\S+\slinkcheck:')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('link') sourcetype('ubnt:link') ); }; } elif (message('^\S+\sdhcpd:\s\w+')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('dhcp') sourcetype('ubnt:dhcp') ); }; } elif (message('dnsmasq-dhcp\[\d+\]')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('dhcp') sourcetype('ubnt:dhcp') ); }; } elif (message('dnsmasq\[\d+\]')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('dns') sourcetype('ubnt:dns') ); }; } elif (message('kernel:\s\[\S+-[A|B|D]')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('fw') sourcetype('ubnt:fw') ); }; } elif (message('\d+:\d+:\d+\s\S+\smcad:')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('mcad') sourcetype('ubnt:mcad') ); }; } elif (message('\d+:\d+:\d+\s\S+\ssudo')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('sudo') sourcetype('ubnt:sudo') ); }; } elif (message('hostapd:\s+ath')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('hostapd') sourcetype('ubnt:hostapd') ); }; } elif (message('[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi') + class('threat') sourcetype('ubnt:threat') ); }; } elif (message('EVT_AP_STA_ASSOC_TRACKER_DBG:')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi_wireless') + class('wireless') sourcetype('ubnt:wireless') ); }; } elif (message('wevent.ubnt_custom_event\(\):')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi_wireless') + class('wireless') sourcetype('ubnt:wireless') ); }; } elif (message('traputil.c\(696\) ')) { rewrite { r_set_splunk_dest_update( - meta_key('ubiquiti_unifi_edgeswitch') + class('edgeswitch') 
sourcetype('ubnt:edgeswitch') ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_esx.conf b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_esx.conf index c52729ba67..d5e1aa0025 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_esx.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_esx.conf @@ -7,8 +7,9 @@ block parser app-syslog-vmware_esx() { index("infraops") source("program:${.PROGRAM}") sourcetype('vmware:vsphere:esx') - vendor_product("vmware_esx") - dest_key("VMWARE_VSPHERE") + vendor("vmware") + product("vsphere") + class("esx") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_nsx.conf b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_nsx.conf index e97f95f5c5..61c2f09e7f 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_nsx.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_nsx.conf @@ -7,8 +7,9 @@ block parser app-syslog-vmware_nsx() { index("infraops") source("program:${.PROGRAM}") sourcetype('vmware:vsphere:nsx') - vendor_product("vmware_nsx") - dest_key("VMWARE_VSPHERE") + vendor("vmware") + product("vsphere") + class("nsx") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_vcenter.conf b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_vcenter.conf index a3182e0704..257527efd8 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_vcenter.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_vcenter.conf @@ -7,8 +7,9 @@ block parser app-syslog-vmware_vcenter() { index("infraops") source("program:${.PROGRAM}") sourcetype('vmware:vsphere:vcenter') - vendor_product("vmware_vcenter") - dest_key("VMWARE_VSPHERE") + vendor("vmware") + product("vsphere") + class("vcenter") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_view.conf b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_view.conf index 9ad051bdea..921bc3df2b 100644 
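Review bot: The ubiquiti hunk now assigns the security-relevant `class('threat')` on the strength of `message('[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:')`, whose `[^ll\sheader]` and `[^\[\d+.\d+\]]` are single-character negated classes rather than the "not 'll header'" / "not a bracketed timestamp" exclusions the author appears to have intended, so the branch matches far more loosely than it reads and can tag ordinary kernel lines as threats. The regex is pre-existing, but since class now feeds routing it is worth tightening (a negative lookahead if the PCRE flags in use allow it) and documenting which kernel messages it is meant to capture. `class('dhcp')` is assigned from two branches (`dhcpd:` and `dnsmasq-dhcp`), which is fine but deserves a one-line comment so nobody "deduplicates" them. The hunk starts on the previous line of this listing.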
--- a/package/etc/conf.d/conflib/syslog/app-syslog-vmware_view.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-vmware_view.conf @@ -7,8 +7,9 @@ block parser app-syslog-vmware_view() { index("infraops") source("program:${.PROGRAM}") sourcetype('vmware:horizon') - vendor_product("vmware_horizon") - dest_key("VMWARE_VSPHERE") + vendor("vmware") + product("vsphere") + class("horizon") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-wallx_proxy.conf b/package/etc/conf.d/conflib/syslog/app-syslog-wallx_proxy.conf index 5755554cb7..e6824f6253 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-wallx_proxy.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-wallx_proxy.conf @@ -4,7 +4,8 @@ block parser app-syslog-wallx_proxy() { r_set_splunk_dest_default( index("infraops") sourcetype('WB:syslog') - vendor_product("walllix_bastion") + vendor("walllix") + product("bastion") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_alerts.conf b/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_alerts.conf index 9bd618e149..f7946bdfd0 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_alerts.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_alerts.conf @@ -5,8 +5,9 @@ block parser app-syslog-zscaler_nss_alerts() { r_set_splunk_dest_default( index('netops') sourcetype('zscalernss-alerts') - vendor_product("zscaler_alerts") - dest_key("ZSCALER_NSS") + vendor("zscaler") + product("nss") + class("alerts") ); }; diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf b/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf index 1fb460a0e0..c94cfe99c4 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-zscaler_nss_proxy.conf 
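Review bot: `vendor("vmware") product("vsphere") class("horizon")` files Horizon under the vSphere key although it is a separate product, and together with the esx, nsx and vcenter hunks above it collapses four previously distinct keys (`vmware_esx`, `vmware_nsx`, `vmware_vcenter`, `vmware_horizon`) into one `vmware_vsphere`. Because the destination filters in this patch compare only `${fields.sc4s_vendor}_${fields.sc4s_product}`, the per-product archive/HEC toggles and splunk_metadata.csv index overrides for these four can no longer be set independently, and rows keyed on the old names stop matching. If that consolidation is intended, state it in the migration notes; otherwise `product("horizon")` (and `esx`/`nsx`/`vcenter`) keeps the old granularity while class remains available for finer filtering.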
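Review bot: The wallx_proxy hunk carries the misspelling `vendor("walllix")` (three l's) over from the old `vendor_product("walllix_bastion")`, so the new `fields.sc4s_vendor` field is born misspelled. Since the key is being restructured anyway, write `vendor("wallix")`; if compatibility with existing `walllix_bastion` overrides matters more, keep it but add `# sic: legacy key spelling retained for compatibility` so it is not silently "fixed" later.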
@@ -4,8 +4,8 @@ block parser app-syslog-zscaler_nss_proxy() { r_set_splunk_dest_default( index('netproxy') sourcetype('zscalernss-web') - vendor_product("zscaler_web") - dest_key("ZSCALER_NSS") + vendor("zscaler") + product("nss") ); }; @@ -24,8 +24,7 @@ block parser app-syslog-zscaler_nss_proxy() { rewrite { r_set_splunk_dest_update( index('netdns') - sourcetype('zscalernss-dns') - meta_key('zscaler_dns') + class('dns') ); }; } elif (match("fw" value(".values.product"))) { @@ -33,14 +32,13 @@ block parser app-syslog-zscaler_nss_proxy() { r_set_splunk_dest_update( index('netfw') sourcetype('zscalernss-fw') - meta_key('zscaler_fw') ); }; } elif (match("NSS" value(".values.product"))) { rewrite { r_set_splunk_dest_update( sourcetype('zscalernss-web') - meta_key('zscaler_web') + class('web') ); }; } elif (match("audit" value(".values.product"))) { @@ -48,7 +46,8 @@ block parser app-syslog-zscaler_nss_proxy() { r_set_splunk_dest_update( index('netops') sourcetype('zscalernss-zia-audit') - meta_key('zscaler_zia_audit') + product('zia') + class('audit') ); }; } elif (match("sandbox" value(".values.product"))) { @@ -56,7 +55,8 @@ block parser app-syslog-zscaler_nss_proxy() { r_set_splunk_dest_update( index('main') sourcetype('zscalernss-zia-sandbox') - meta_key('zscaler_zia_sandbox') + product('zia') + class('sandbox') ); }; }; diff --git a/package/etc/conf.d/log_paths/0/lp_dest_filtered_alts_select/plugin.jinja b/package/etc/conf.d/log_paths/0/lp_dest_filtered_alts_select/plugin.jinja index 9ff65c01af..af52204b48 100644 --- a/package/etc/conf.d/log_paths/0/lp_dest_filtered_alts_select/plugin.jinja +++ b/package/etc/conf.d/log_paths/0/lp_dest_filtered_alts_select/plugin.jinja 
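Review bot: In the zscaler_nss_proxy `dns` branch the hunk deletes `sourcetype('zscalernss-dns')` together with the old meta_key and leaves only `class('dns')`, so DNS events now keep the default `zscalernss-web` sourcetype while being routed to `netdns`; the `fw` branch keeps its sourcetype but loses its meta_key without gaining a class, making it the only branch with none. Unless both are intentional, restore `sourcetype('zscalernss-dns')` in the dns branch and add `class('fw')` to the fw branch. The audit and sandbox branches also set `product('zia')`, which moves those events to a `zscaler_zia` key while alerts, web, dns and fw stay on `zscaler_nss`, so per-source destination toggles have to be set twice; that split should be documented. The parser block starts above the first hunk.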
@@ -5,10 +5,8 @@ log{ # Example given the following env vars # SC4S_DEST_SPECTRACOM_XXX_ALT_FILTER="f_is_rfc3dfsfs" # SC4S_DEST_SPECTRACOM_XXX_FILTERED_ALTERNATES="d_hec_debug" - # Output - # ("${.dest_key}" eq "SPECTRACOM_XXX" and filter(f_is_rfc3dfsfs) ) - "${.dest_key}" eq "{{ dest_key }}" + '{{ dest_key }}' eq "${fields.sc4s_vendor}_${fields.sc4s_product}" }; {% for f in filters %} diff --git a/package/etc/conf.d/log_paths/2/lp-zzz-fallback.conf b/package/etc/conf.d/log_paths/2/lp-zzz-fallback.conf index 5a7c05c758..8c7108ee51 100644 --- a/package/etc/conf.d/log_paths/2/lp-zzz-fallback.conf +++ b/package/etc/conf.d/log_paths/2/lp-zzz-fallback.conf @@ -9,7 +9,9 @@ log { rewrite { r_set_splunk_dest_default( sourcetype("sc4s:fallback") - vendor_product('sc4s_fallback') + vendor('splunk') + product('sc4s') + class("fallback") ); }; parser { p_add_context_splunk(); }; @@ -20,7 +22,9 @@ log { rewrite { r_set_splunk_dest_default( sourcetype("sc4s:fallback") - vendor_product('sc4s_fallback') + vendor('splunk') + product('sc4s') + class("fallback") template("t_JSON_3164") ); }; diff --git a/package/etc/conf.d/sc4slib/app-lp-global-archive/plugin.jinja b/package/etc/conf.d/sc4slib/app-lp-global-archive/plugin.jinja index f49db1e9b5..7a2b995f9d 100644 --- a/package/etc/conf.d/sc4slib/app-lp-global-archive/plugin.jinja +++ b/package/etc/conf.d/sc4slib/app-lp-global-archive/plugin.jinja @@ -1,5 +1,5 @@ application app-lp-global_archive_{{ key }}[sc4s-lp-archive] { filter { - "${.dest_key}" eq "{{ key }}" + '{{ key }}' eq "${fields.sc4s_vendor}_${fields.sc4s_product}" }; }; \ No newline at end of file diff --git a/package/etc/conf.d/sc4slib/app-lp-global-default_hec/plugin.jinja b/package/etc/conf.d/sc4slib/app-lp-global-default_hec/plugin.jinja index aab72c3135..3e02b5320e 100644 --- a/package/etc/conf.d/sc4slib/app-lp-global-default_hec/plugin.jinja +++ b/package/etc/conf.d/sc4slib/app-lp-global-default_hec/plugin.jinja 
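Review bot: The new filter `'{{ dest_key }}' eq "${fields.sc4s_vendor}_${fields.sc4s_product}"` evaluates to `'X' eq "_"` for any event whose parser or CSV lookup still populates only `sc4s_vendor_product` (most rows of vendor_product_by_source.csv.example in this patch still do), so the alternate destination is silently never selected for those sources; either guard on the fields being set or make sure every path populates both. The hunk also removes the worked-example `# Output` comment without replacing it; one line showing the rendered filter, e.g. `# Output: 'SPECTRACOM_XXX' eq "${fields.sc4s_vendor}_${fields.sc4s_product}" and filter(f_is_rfc3dfsfs)`, is worth keeping. The template variable is still named `dest_key` although the `.dest_key` macro is gone; `vendor_product_key` would avoid confusion. The `log{}` block continues past the hunk.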
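Review bot: Both lp-zzz-fallback rewrites set `vendor('splunk') product('sc4s') class("fallback")`, giving unparsed fallback traffic the same `splunk_sc4s` key as SC4S's own events and metrics in sources/internal.conf later in this patch. Since the archive and HEC selectors compare only vendor_product, one `SC4S_DEST_SPLUNK_SC4S_*` or `SC4S_ARCHIVE_SPLUNK_SC4S` setting, or one `splunk_sc4s` splunk_metadata.csv row, now governs fallback data, internal events and metrics together, where `sc4s_fallback`, `sc4s_events` and `sc4s_metrics` used to be independent. If that is acceptable, a comment on this block saying so (`# shares the splunk_sc4s key with internal events/metrics; class distinguishes them`) prevents surprise; otherwise keep a distinct product. Both fallback log blocks begin above their hunks.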
@@ -1,5 +1,5 @@ application app-lp-global_default_hec_{{ key }}[sc4s-lp-default-hec] { filter { - "${.dest_key}" eq "{{ key }}" + '{{ key }}' eq "${fields.sc4s_vendor}_${fields.sc4s_product}" }; }; \ No newline at end of file diff --git a/package/etc/conf.d/sources/internal.conf b/package/etc/conf.d/sources/internal.conf index 48cb9d2100..ba04dbcdc9 100644 --- a/package/etc/conf.d/sources/internal.conf +++ b/package/etc/conf.d/sources/internal.conf @@ -15,7 +15,9 @@ source s_internal { index('main') source("sc4s") sourcetype("sc4s:events") - vendor_product('sc4s_events') + vendor('splunk') + product('sc4s') + class("events") template('t_5424_hdr_sdata_msg') ) }; @@ -39,7 +41,9 @@ source s_internal { r_set_splunk_dest_update( index('_metrics') sourcetype("sc4s:metrics") - vendor_product("sc4s_metrics") + vendor('splunk') + product('sc4s') + class("metrics") template_hec("t_splunk_hec_metric_multi") ); }; @@ -53,7 +57,9 @@ source s_internal { r_set_splunk_dest_update( index('_metrics') sourcetype("sc4s:metrics") - vendor_product("sc4s_metrics") + vendor('splunk') + product('sc4s') + class("metrics") template_hec("t_splunk_hec_metric_single") condition("`SC4S_DEST_SPLUNK_SC4S_METRICS_HEC`" eq "single" or "`SC4S_DEST_SPLUNK_SC4S_METRICS_HEC`" eq "yes") ); @@ -62,7 +68,7 @@ source s_internal { } else { rewrite { r_set_splunk_dest_update( - vendor_product('null_queue') + vendor('null') product('queue') condition( match("Input is valid utf8, but the log message is not tagged as such," value("MESSAGE")) or match("Syslog connection closed; fd=" value("MESSAGE")) @@ -101,7 +107,9 @@ source s_startup_out { r_set_splunk_dest_default( source("sc4s") sourcetype("sc4s:events:startup:out") - vendor_product("sc4s_events") + vendor('splunk') + product('sc4s') + class("events") ) }; 
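Review bot: The metrics rewrites in the internal.conf hunks set `vendor('splunk') product('sc4s') class("metrics")` while the unchanged condition right after still keys off `SC4S_DEST_SPLUNK_SC4S_METRICS_HEC`, so the env-var family and the new key no longer line up; a comment such as `# variable name frozen for compatibility; key is now splunk_sc4s with class metrics` or a follow-up rename would clarify which is authoritative. The null-queue rewrite packs `vendor('null') product('queue')` onto one line while every other hunk in the patch uses one option per line. The `s_internal` source block begins above and ends below these hunks.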
@@ -129,7 +137,9 @@ source s_startup_err { r_set_splunk_dest_default( source("sc4s") sourcetype("sc4s:events:startup:err") - vendor_product("sc4s_events") + vendor('splunk') + product('sc4s') + class("events") ) }; parser {p_add_context_splunk(); }; diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example index 104ba9f7bb..edab476b2a 100644 --- a/package/etc/context_templates/splunk_metadata.csv.example +++ b/package/etc/context_templates/splunk_metadata.csv.example @@ -1 +1 @@ -vmware_esx_nix_syslog,index,infraops \ No newline at end of file +vmware_vcenter_nix_syslog,index,infraops \ No newline at end of file diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example index 12f33dbf8b..2a28427e0b 100644 --- a/package/etc/context_templates/vendor_product_by_source.csv.example +++ b/package/etc/context_templates/vendor_product_by_source.csv.example @@ -5,11 +5,9 @@ f_cisco_meraki,sc4s_vendor_product,"cisco_meraki" f_cisco_wsa,sc4s_vendor_product,"cisco_wsa" f_cisco_wsa11_7,sc4s_vendor_product,"cisco_wsa11_7" f_cisco_wsa_w3crecommended,sc4s_vendor_product,"cisco_wsa_recommended" -f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler" f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid" f_f5_bigip,sc4s_vendor_product,"f5_bigip" f_infoblox,sc4s_vendor_product,"infoblox" -f_juniper_netscreen,sc4s_vendor_product,"juniper_netscreen" f_pfsense,sc4s_vendor_product,"pfsense" f_proofpoint_pps,sc4s_vendor_product,"proofpoint_pps" f_schneider_apc,sc4s_vendor_product,"schneider_apc" 
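Review bot: The splunk_metadata.csv.example row becomes `vmware_vcenter_nix_syslog,index,infraops`, but after this patch no visible parser produces a `vmware_vcenter` key (the vcenter parser sets `product("vsphere")`), so the example documents a key that cannot match unless the `_nix_syslog` suffix is composed by a path not shown here. Use a key a visible parser actually emits, e.g. `vmware_vsphere_nix_syslog` if that suffix convention holds, and explain the composition in the sources documentation since CSV has no comment syntax. The vendor_product_by_source hunk above drops `f_citrix_netscaler` and `f_juniper_netscreen` without a note on where those overrides went.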
@@ -18,7 +16,8 @@ f_ubiquiti_unifi_fw,sc4s_vendor_product,"ubiquiti_unifi_fw" f_tzfixny,sc4s_time_zone,"America/New_York" f_cisco_esa,sc4s_vendor_product,"cisco_esa" f_sophos_webappliance,sc4s_vendor_product,"sophos_webappliance" -f_vmware_esx,sc4s_vendor_product,"vmware_esx" +f_vmware_esx,sc4s_vendor,"vmware" +f_vmware_esx,sc4s_product,"vcenter" f_dell_cmc,sc4s_vendor_product,"dell_poweredge_cmc" f_ibm_datapower,sc4s_vendor_product,"ibm_datapower" f_mikrotik_routeros,sc4s_vendor_product,"mikrotik_routeros" diff --git a/package/etc/local_config/app_parsers/syslog/app-nix_example.conf b/package/etc/local_config/app_parsers/syslog/app-nix_example.conf index f72b370a2d..87417004a3 100644 --- a/package/etc/local_config/app_parsers/syslog/app-nix_example.conf +++ b/package/etc/local_config/app_parsers/syslog/app-nix_example.conf @@ -9,7 +9,8 @@ block parser nix_example-parser() { source("os:nix:example") sourcetype('os:nix:example') #this value is used to lookup runtime settings such as index from splunk_metadata.csv - vendor_product("os_nix_example") + vendor("nix") + product("example") #Common values are t_hdr_msg (BSD Style syslog without timestamp and host) and t_5424_hdr_sdata_msg RFC5424 with optional sdata and msg #These values will be automatically selected based on the format of the source the specific value is only needed in special cases #template("t_hdr_msg") diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml index 1cbc8e61b9..e3100e23ea 100644 --- a/tests/docker-compose.yml +++ b/tests/docker-compose.yml @@ -38,7 +38,7 @@ services: - SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no - SC4S_DEST_SYSLOG_NC_HOST=nc - SC4S_DEST_SYSLOG_NC_PORT=2514 - - SC4S_DEST_SYSLOG_NC_MODE=SELECT + - SC4S_DEST_SYSLOG_NC_MODE=GLOBAL - SC4S_DEST_SYSLOG_NC_IETF=no # - SC4S_DEST_SPLUNK_HEC_SECOND_URL=https://splunk:8088 # - SC4S_DEST_SPLUNK_HEC_SECOND_TOKEN=${SPLUNK_HEC_TOKEN}
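Review bot: `f_vmware_esx,sc4s_vendor,"vmware"` with `f_vmware_esx,sc4s_product,"vcenter"` labels an ESX filter as vCenter and sets a product the parsers in this patch never use (they set `vsphere`), so events matched by this filter get a key nothing else refers to. Every other row in the file still sets `sc4s_vendor_product`, which the new destination filters do not read; unless something not shown here splits that field back into `sc4s_vendor` and `sc4s_product`, those rows now only affect a field no selector uses, and the example should be migrated wholesale (e.g. `f_f5_bigip,sc4s_vendor,"f5"` plus `f_f5_bigip,sc4s_product,"bigip"`). The app-nix_example hunk below also renames its key from `os_nix_example` to `nix_example`, which its own comment about splunk_metadata.csv lookups should mention.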
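Review bot: Switching `SC4S_DEST_SYSLOG_NC_MODE` to `GLOBAL` makes the test container forward every event, not only selected sources, to the plain-TCP `nc` destination on port 2514 with `SC4S_DEST_SYSLOG_NC_IETF=no`, next to the already-present `SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no`. That is acceptable on an isolated test network, but compose files like this get copied into real deployments; a comment such as `# test-only: GLOBAL mirrors all events to an unencrypted syslog sink` above the line makes the intent explicit. It would also help to note why GLOBAL is now required (presumably because SELECT depended on the removed `.dest_key` matching) so the change is not reverted later.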