From e3ff3215da9bd54d83cda1a51eea385bc1a5190c Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 17 Jun 2021 18:21:51 -0400 Subject: [PATCH] feat: optional ordering of host selection Provide a new documented option to restore the host name logic to prior behavior. --- docs/sources/Checkpoint/index.md | 8 +- .../conflib/raw/app-checkpoint_splunk.conf | 77 +++++++++++++------ .../conflib/syslog/app-checkpoint_syslog.conf | 76 ++++++++++++------ 3 files changed, 111 insertions(+), 50 deletions(-) diff --git a/docs/sources/Checkpoint/index.md b/docs/sources/Checkpoint/index.md index 6efd266ae9..4db8635d0a 100644 --- a/docs/sources/Checkpoint/index.md +++ b/docs/sources/Checkpoint/index.md @@ -43,13 +43,15 @@ to allow routing to appropriate indexes. All other source meta data is left at d MSG Parse: This filter parses message content -The Splunk `host` field will be derived as follows +The Splunk `host` field will be derived as follows using the first match +* Use the hostname field * Use the first CN component of origin_sic_name/originsicname -* If the CN component is in the format `-v_` use `bladename` for host * If host is not set from CN use the `hostname` field * If host is not set use the BSD syslog header host +If the host is in the format `-v_` use `bladename` for host + ### Setup and Configuration 
@@ -66,7 +68,7 @@ The Splunk `host` field will be derived as follows | SC4S_ARCHIVE_CHECKPOINT_SPLUNK | no | Enable archive to disk for this specific source | | SC4S_DEST_CHECKPOINT_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL | no | Suppress any duplicate product+loguid pairs processed within 2 seconds of the last matching event | -| SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL_SECONDS | 2 | Number of seconds to wait for no update before forwarding an event | +| SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES | empty string | when set to `yes` reverts host name selection order to originsicname-->origin_sic_name-->hostname | ### Verification diff --git a/package/etc/conf.d/conflib/raw/app-checkpoint_splunk.conf b/package/etc/conf.d/conflib/raw/app-checkpoint_splunk.conf index 55b0f7cec6..69d4a0b2f2 100644 --- a/package/etc/conf.d/conflib/raw/app-checkpoint_splunk.conf +++ b/package/etc/conf.d/conflib/raw/app-checkpoint_splunk.conf 
@@ -59,32 +59,61 @@ block parser checkpoint_splunk-parser() { set("checkpoint_splunk", value("fields.sc4s_syslog_format")); }; - - if { - # If hostname field is not empty, host should be evaluated from there - filter { - match('(\S+)' value(".cp.hostname") flags(store-matches)); - }; - rewrite { - set("$1", value("HOST")); - }; - } elif { - #Get the FW host from the originsicname - filter { - match('^[Cc][Nn]\\?=([^,]+)' value(".cp.originsicname") flags(store-matches)); - }; - rewrite { - set("$1", value("HOST")); - }; - } elif { - #Get the FW host from the origin_sic_name - filter { - match('^[Cc][Nn]\\?=([^,]+)' value(".cp.origin_sic_name") flags(store-matches)); + if ( + "`SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES`" eq "yes") + { + if { + #Get the FW host from the originsicname + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".cp.originsicname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + #Get the FW host from the origin_sic_name + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".cp.origin_sic_name") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + # If hostname field is not empty, host should be evaluated from there + filter { + match('(\S+)' value(".cp.hostname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; }; - rewrite { - set("$1", value("HOST")); + } else { + if { + # If hostname field is not empty, host should be evaluated from there + filter { + match('(\S+)' value(".cp.hostname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + #Get the FW host from the originsicname + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".cp.originsicname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + #Get the FW host from the origin_sic_name + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".cp.origin_sic_name") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; }; - }; + 
}; # If this device is a v host we need to get the firewall name if { filter { diff --git a/package/etc/conf.d/conflib/syslog/app-checkpoint_syslog.conf b/package/etc/conf.d/conflib/syslog/app-checkpoint_syslog.conf index 3365cca886..62b558467f 100644 --- a/package/etc/conf.d/conflib/syslog/app-checkpoint_syslog.conf +++ b/package/etc/conf.d/conflib/syslog/app-checkpoint_syslog.conf 
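Review bot: The new `eq "yes"` check on `SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES` and its `else` branch carry no comment saying which ordering each branch implements, so a reader has to diff two near-identical if/elif chains to discover that only the order differs; the same applies to the matching hunk in app-checkpoint_syslog.conf, where the variable's `_SPLUNK_` name additionally suggests it belongs to the raw parser only. I would add `# OLD_HOST_RULES=yes restores the legacy order: originsicname -> origin_sic_name -> hostname` above the first inner `if {` and `# Default order: hostname -> originsicname -> origin_sic_name` above the one in the `else` branch, and in the syslog file `# This switch is shared with app-checkpoint_splunk.conf so both Checkpoint sources derive host the same way`. The comparison is case-sensitive, which matches the documented value `yes` but means `YES` or `Yes` silently falls through to the new default order; if that is intended, the docs table row should say so. Separately, the docs hunk replaces the `SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL_SECONDS` row instead of adding a new one, while neither config hunk removes that option, so that row appears to have been dropped by accident. The checkpoint_splunk-parser block starts and continues outside this hunk.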
@@ -54,31 +54,61 @@ block parser checkpoint_syslog-parser() { }; - if { - # If hostname field is not empty, host should be evaluated from there - filter { - match('(\S+)' value(".SDATA.sc4s@2620.hostname") flags(store-matches)); - }; - rewrite { - set("$1", value("HOST")); - }; - } elif { - #Get the FW host from the originsicname - filter { - match('^[Cc][Nn]\\?=([^,]+)' value(".SDATA.sc4s@2620.originsicname") flags(store-matches)); - }; - rewrite { - set("$1", value("HOST")); - }; - } elif { - #Get the FW host from the origin_sic_name - filter { - match('^[Cc][Nn]\\?=([^,]+)' value(".SDATA.sc4s@2620.origin_sic_name") flags(store-matches)); + if ( + "`SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES`" eq "yes") + { + if { + #Get the FW host from the originsicname + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".SDATA.sc4s@2620.originsicname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + #Get the FW host from the origin_sic_name + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".SDATA.sc4s@2620.origin_sic_name") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + # If hostname field is not empty, host should be evaluated from there + filter { + match('(\S+)' value(".SDATA.sc4s@2620.hostname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; }; - rewrite { - set("$1", value("HOST")); + } else { + if { + # If hostname field is not empty, host should be evaluated from there + filter { + match('(\S+)' value(".SDATA.sc4s@2620.hostname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + #Get the FW host from the originsicname + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".SDATA.sc4s@2620.originsicname") flags(store-matches)); + }; + rewrite { + set("$1", value("HOST")); + }; + } elif { + #Get the FW host from the origin_sic_name + filter { + match('^[Cc][Nn]\\?=([^,]+)' value(".SDATA.sc4s@2620.origin_sic_name") flags(store-matches)); + }; + 
rewrite { + set("$1", value("HOST")); + }; }; - }; + }; # If this device is a v host we need to get the firewall name if { filter {