
Merge pull request #1179 from splunk/fix-cp-hostname
fix: Correct ordering of host selection
Ryan Faircloth authored Jun 18, 2021
2 parents 0659fcb + e3ff321 commit 2c53892
Showing 3 changed files with 111 additions and 50 deletions.
8 changes: 5 additions & 3 deletions docs/sources/Checkpoint/index.md
Expand Up @@ -43,13 +43,15 @@ to allow routing to appropriate indexes. All other source meta data is left at d

MSG Parse: This filter parses message content

The Splunk `host` field will be derived as follows
The Splunk `host` field will be derived as follows using the first match

* Use the hostname field
* Use the first CN component of origin_sic_name/originsicname
* If the CN component is in the format `<host>-v_<bladename>` use `bladename` for host
* If host is not set from CN use the `hostname` field
* If host is not set use the BSD syslog header host

If the host is in the format `<host>-v_<bladename>` use `bladename` for host


### Setup and Configuration

Expand All @@ -66,7 +68,7 @@ The Splunk `host` field will be derived as follows
| SC4S_ARCHIVE_CHECKPOINT_SPLUNK | no | Enable archive to disk for this specific source |
| SC4S_DEST_CHECKPOINT_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
| SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL | no | Suppress any duplicate product+loguid pairs processed within 2 seconds of the last matching event |
| SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL_SECONDS | 2 | Number of seconds to wait for no update before forwarding an event |
| SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES | empty string | when set to `yes` reverts host name selection order to originsicname-->origin_sic_name-->hostname |

### Verification

77 changes: 53 additions & 24 deletions package/etc/conf.d/conflib/raw/app-checkpoint_splunk.conf
Expand Up @@ -59,32 +59,61 @@ block parser checkpoint_splunk-parser() {
set("checkpoint_splunk", value("fields.sc4s_syslog_format"));
};


if {
# If hostname field is not empty, host should be evaluated from there
filter {
match('(\S+)' value(".cp.hostname") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the originsicname
filter {
match('^[Cc][Nn]\\?=([^,]+)' value(".cp.originsicname") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the origin_sic_name
filter {
match('^[Cc][Nn]\\?=([^,]+)' value(".cp.origin_sic_name") flags(store-matches));
if (
"`SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES`" eq "yes")
{
if {
#Get the FW host from the originsicname
filter {
match('^[Cc][Nn]\\?=([^,]+)' value(".cp.originsicname") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the origin_sic_name
filter {
match('^[Cc][Nn]\\?=([^,]+)' value(".cp.origin_sic_name") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
# If hostname field is not empty, host should be evaluated from there
filter {
match('(\S+)' value(".cp.hostname") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
};
rewrite {
set("$1", value("HOST"));
} else {
if {
# If hostname field is not empty, host should be evaluated from there
filter {
match('(\S+)' value(".cp.hostname") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the originsicname
filter {
match('^[Cc][Nn]\\?=([^,]+)' value(".cp.originsicname") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the origin_sic_name
filter {
match('^[Cc][Nn]\\?=([^,]+)' value(".cp.origin_sic_name") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
};
};
};
# If this device is a v host we need to get the firewall name
if {
filter {
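Review bot: The default branch (the `else` near the bottom of the hunk) still evaluates `.cp.hostname` before either sic-name field, while the updated bullets in docs/sources/Checkpoint/index.md describe the CN component as the first match and `hostname` as the fallback; only the `SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES` = `yes` branch behaves as those bullets say, so either the bullets or the branch order looks out of step (old/new sides are inferred from the rendered page, so worth confirming against the raw diff). The new `if (` also carries no comment saying which order is which; a line such as `# OLD_HOST_RULES=yes restores the earlier originsicname -> origin_sic_name -> hostname order; the default tries hostname first` above it would make the intent checkable without reading both branches. The same three filter/rewrite pairs now appear twice in this file and twice again in package/etc/conf.d/conflib/syslog/app-checkpoint_syslog.conf, so a future change to the CN regex has to be made in six places. `block parser checkpoint_splunk-parser()` opens before and closes after this hunk.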
76 changes: 53 additions & 23 deletions package/etc/conf.d/conflib/syslog/app-checkpoint_syslog.conf
Expand Up @@ -54,31 +54,61 @@ block parser checkpoint_syslog-parser() {
};


if {
# If hostname field is not empty, host should be evaluated from there
filter {
match('(\S+)' value("[email protected]") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the originsicname
filter {
match('^[Cc][Nn]\\?=([^,]+)' value("[email protected]") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the origin_sic_name
filter {
match('^[Cc][Nn]\\?=([^,]+)' value("[email protected]_sic_name") flags(store-matches));
if (
"`SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES`" eq "yes")
{
if {
#Get the FW host from the originsicname
filter {
match('^[Cc][Nn]\\?=([^,]+)' value("[email protected]") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the origin_sic_name
filter {
match('^[Cc][Nn]\\?=([^,]+)' value("[email protected]_sic_name") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
# If hostname field is not empty, host should be evaluated from there
filter {
match('(\S+)' value("[email protected]") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
};
rewrite {
set("$1", value("HOST"));
} else {
if {
# If hostname field is not empty, host should be evaluated from there
filter {
match('(\S+)' value("[email protected]") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the originsicname
filter {
match('^[Cc][Nn]\\?=([^,]+)' value("[email protected]") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
} elif {
#Get the FW host from the origin_sic_name
filter {
match('^[Cc][Nn]\\?=([^,]+)' value("[email protected]_sic_name") flags(store-matches));
};
rewrite {
set("$1", value("HOST"));
};
};
};
};
# If this device is a v host we need to get the firewall name
if {
filter {
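Review bot: The syslog parser keys its ordering off `SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES`, the same variable the splunk-format parser uses, and nothing on the page says whether sharing one toggle across both parsers is deliberate. If it is, a comment next to the `if (` such as `# shares the OLD_HOST_RULES toggle with app-checkpoint_splunk.conf` would stop a reader treating the `_SPLUNK_` name as a copy-paste slip; if the two parsers are meant to be independently switchable, this file needs its own variable and a matching row in the docs table. `block parser checkpoint_syslog-parser()` starts before and ends after this hunk.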
