Fix: update Bluecoat sourcetype to match TA 3.8.1 #2370
Conversation
| | bluecoat:proxysg:access:kv | Requires version TA 3.6 | | ||
| | bluecoat:proxysg:syslog | Requires version TA 3.6 | | ||
| | bluecoat:proxysg:access:kv | Requires version TA 3.8.1 | | ||
| | bluecoat:proxysg:access:syslog | Requires version TA 3.8.1 | |
There was a problem hiding this comment.
Am I understood correctly that add-on maintainers broke backward compatibility (changed sourcetype) starting with 3.8.1 version ? Or it was our bug?
Can we talk with them to understand the reason? Probably they will rollback this change if add-on not very popular :)
If we need to provide new sourcetype, probably good idea will be use some env var like BLUECOAT_NEW_FORMAT=false and will determine that we need assign old or new sourcetype for bluecoat. If will help us to prevent of breaking backward compatibility
There was a problem hiding this comment.
that's a good question, 3.8.1 was released in September 2022 and I don't have access to older versions to check if that was changed on the TA side or there was a bug in SC4S
There was a problem hiding this comment.
especially that bluecoat:proxysg:access:syslog is more consistent with the rest than bluecoat:proxysg:syslog
There was a problem hiding this comment.
@mstopa-splunk you are right, it's impossible to check, because they deleted previous versions :)
Only 3.8.1 available on Splunkbase :)
There was a problem hiding this comment.
@ikheifets-splunk please see how this has been done previously:
https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Dell/sonicwall/
Note:[¶](https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Dell/sonicwall/#note)
The sourcetype has been changed in version 2.35.0 making it compliant with corresponding TA.
the practice seems to be updating the sourcetype and adding the note
solves #2347