
Custom Sources/Unique Listening Ports don't apply vendor_product_by_source metadata. #2415

Open
adri8n opened this issue Apr 21, 2024 · 0 comments

Comments

@adri8n

adri8n commented Apr 21, 2024

Was the issue replicated by support?
No

What is the sc4s version ?
sc4s version=3.22.3

Is there a pcap available?
No

Is the issue related to the environment of the customer or Software related issue?
No

Is it related to Data loss, please explain ?
Protocol? Hardware specs?
No

Last chance index/Fallback index?
No

Is the issue related to local customization?
Yes

Do we have all the default indexes created?
Yes

Describe the bug
A clear and concise description of what the bug is.
Have two unique listen ports defined in env_file:

SC4S_LISTEN_CISCO_ASA_515_TCP_PORT=515
SC4S_LISTEN_CISCO_ASA_TCP_PORT=516

Would like to use SC4S receive time instead of timestamp in event, so as a test set:

# vendor_product_by_source.conf
filter f_telus_syslog {
    host(".*")
};

and

# vendor_product_by_source.csv
f_telus_syslog,sc4s_use_recv_time,"yes"

With default sources, parser(vendor_product_by_source) is called, so the sc4s_use_recv_time field is set and the timestamp sent to Splunk Cloud is correct.

With the configuration above, I can't find a place where it is called in the config/code/log path, so timestamp never gets replaced.

If I add a custom parser, and call it, it works:

# more /opt/sc4s/local/config/app_parsers/syslog/app-telus_asa.conf 
block parser telus_asa-parser() {
    channel {
        parser(vendor_product_by_source);
        rewrite {
            r_set_splunk_dest_default(
                source("cisco:asa")
                sourcetype('cisco:asa')
                vendor("cisco")
                product("asa")
                template("t_msg_only")
            );
            set("$(lowercase ${PROGRAM})", value('HOST') condition("${PROGRAM}" ne ""));
        };
    };
};
application telus_asa[sc4s-network-source] {
    filter {
        tags(".source.s_CISCO_ASA_515")
    };
    parser { telus_asa-parser(); };
};

If I call it here it also works (but this is likely not the best place to do it):

# more  /etc/syslog-ng/conf.d/conflib/_splunk/netsourcefields.conf
block parser p_set_netsource_fields(
    vendor()
    product()
) {
    channel {
#        parser(vendor_product_by_source);
        rewrite {
            set("`vendor`", value(".netsource.sc4s_vendor") condition('`vendor`' ne ""));
            set("`product`", value(".netsource.sc4s_product") condition('`product`' ne ""));
            set("`vendor`_`product`", value(".netsource.sc4s_vendor_product"));
            set-tag("vps");
            set-tag("ns_vendor:`vendor`");
            set-tag("ns_product:`product`");
        };
    };
};

Any guidance would be appreciated!

Happy to submit a pull request if I can determine where the appropriate place to call this would be.
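To make the two custom files above easier to sanity-check before reloading SC4S, here is an added example in Python. It is not part of this issue or of the SC4S project: it parses the `filter ... { host("...") };` definitions from vendor_product_by_source.conf and the three-column rows of vendor_product_by_source.csv, reports CSV rows that reference a filter the .conf never defines (a silent way for the override to never apply), and then models the effect the issue describes, namely that a matched `sc4s_use_recv_time,"yes"` row makes the SC4S receive time the event time instead of the device's own timestamp. The file contents are constructed inline copies of the snippets above, the host pattern is matched with Python's regex engine as an approximation of syslog-ng's host() filter, and the time-selection logic is a model of the documented behaviour, not SC4S's internal code.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed inline copies of the two custom files from the issue (not read from disk).
VPS_CONF = '''
# vendor_product_by_source.conf
filter f_telus_syslog {
    host(".*")
};
'''

VPS_CSV = '''f_telus_syslog,sc4s_use_recv_time,"yes"
'''

# Only the single-host() filter shape used in the issue is modelled here.
FILTER_RE = re.compile(r'filter\s+(\w+)\s*\{\s*host\("([^"]*)"\)\s*\}\s*;')


def parse_filters(conf_text):
    """Return {filter_name: compiled host regex} from a vendor_product_by_source.conf body."""
    return {name: re.compile(pattern) for name, pattern in FILTER_RE.findall(conf_text)}


def parse_csv(csv_text):
    """Return (filter, key, value) rows from vendor_product_by_source.csv; values may be quoted."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith('#'):
            continue
        if len(row) != 3:
            raise ValueError(f"expected 3 columns (filter,key,value), got {row}")
        rows.append(tuple(cell.strip() for cell in row))
    return rows


def check_consistency(filters, rows):
    """Return CSV rows whose filter name has no definition in the .conf (they can never match)."""
    return [r for r in rows if r[0] not in filters]


def metadata_for_host(host, filters, rows):
    """Merge key/value pairs of every row whose filter's host() pattern matches `host`.
    syslog-ng's host() filter is an unanchored regex match, approximated with re.search."""
    meta = {}
    for name, key, value in rows:
        pattern = filters.get(name)
        if pattern is not None and pattern.search(host):
            meta[key] = value
    return meta


def choose_time(event_ts, recv_ts, meta):
    """Model of the behaviour described in the issue (assumption, not SC4S code):
    sc4s_use_recv_time=yes means Splunk gets the receive time, otherwise the device timestamp."""
    return recv_ts if meta.get('sc4s_use_recv_time') == 'yes' else event_ts


def demo():
    """Constructed event from a firewall whose clock is 10 minutes slow; returns the chosen time."""
    filters = parse_filters(VPS_CONF)
    rows = parse_csv(VPS_CSV)
    for bad in check_consistency(filters, rows):
        print(f"WARNING: csv row {bad} references an undefined filter")
    recv_ts = datetime(2024, 4, 21, 12, 0, 0, tzinfo=timezone.utc)
    event_ts = recv_ts - timedelta(minutes=10)  # skewed device clock
    meta = metadata_for_host('asa-fw-01', filters, rows)
    return choose_time(event_ts, recv_ts, meta)


if __name__ == '__main__':
    print("time sent to Splunk:", demo().isoformat())
```

The consistency check is the part worth running after every edit of the two files: a typo in the filter name on the CSV side produces no error in SC4S, the row simply never matches, which looks exactly like the symptom in this issue.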
