Merge branch 'main' into issue_template_update

.github/workflows/ci-lite.yaml

@@ -136,7 +136,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push action
         id: docker_action_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           provenance: false

.github/workflows/ci-main.yaml

@@ -136,7 +136,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push action
         id: docker_action_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           provenance: false

ansible/resources/docker_sc4s.service

@@ -30,6 +30,8 @@ ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/docker rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/docker run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -41,4 +43,4 @@ ExecStart=/usr/bin/docker run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure

ansible/resources/podman_sc4s.service

@@ -29,6 +29,8 @@ ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/podman rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/podman run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -42,4 +44,4 @@ ExecStart=/usr/bin/podman run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure

charts/splunk-connect-for-syslog/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: splunk-connect-for-syslog
 description: Deploy Splunk Connect for Syslog
 type: application
-version: 3.28.1
-appVersion: "3.28.1"
+version: 3.30.1
+appVersion: "3.30.1"

docs/destinations.md

@@ -7,6 +7,8 @@ You can configure Splunk Connect for Syslog to use any destination available in
 * RFC5424 Syslog, 
 * and Legacy BSD Syslog.
 
+**Note:** Some external SIEM systems do not correctly parse host information. Instead of extracting the host from the message, they immediately rely on the header. SC4S, as a relay, places its own IP address in the UDP or TCP header, which is the correct behavior. In this situation, the SIEM may display the SC4S IP as the source IP, but this is not a fault of SC4S.
+
 # HEC destination
 
 ## Configuration options
@@ -34,8 +36,6 @@ Compression affects the content but does not affect the HTTP headers. Enable bat
 
 The use of "syslog" as a network protocol has been defined in Internet Engineering Task Force standards RFC5424, RFC5425, and RFC6587.
 
-**Note**: SC4S sending messages to a syslog destination behaves like a relay. This means overwriting some original information, for example the original source IP.
-
 ## Configuration options
 
 | Variable | Values        | Description |

docs/gettingstarted/podman-systemd-general.md

@@ -168,6 +168,9 @@ ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
 # Note: The path /usr/bin/bash may vary based on your operating system.
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl --user set-environment SC4SHOST=$(hostname -s)"
+
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/podman rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/podman run -p 2514:514 -p 2514:514/udp -p 6514:6514  \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -180,7 +183,7 @@ ExecStart=/usr/bin/podman run -p 2514:514 -p 2514:514/udp -p 6514:6514  \
         --network host \
         --name SC4S \
         --rm $SC4S_IMAGE
-Restart=on-abnormal
+Restart=on-failure
 ```
 
 5. Create your `env_file` file at ```/home/sc4s/env_file```

docs/resources/docker/sc4s.service

@@ -30,6 +30,8 @@ ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/docker rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/docker run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -41,4 +43,4 @@ ExecStart=/usr/bin/docker run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure

docs/resources/podman/sc4s.service

@@ -29,6 +29,8 @@ ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/podman rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/podman run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -42,4 +44,4 @@ ExecStart=/usr/bin/podman run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure

docs/sources/vendor/Aruba/silverpeak.md

@@ -0,0 +1,44 @@
+# Silverpeak
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+
+## Sourcetypes
+
+| sourcetype       | notes |
+|------------------|-------|
+| aruba:silverpeak |       |    
+
+
+### Index Configuration
+
+| key                                      | index  | notes          |
+|------------------------------------------|--------|----------------|
+| aruba_silverpeak                         | netops | none           |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/config/app-parsers/app-vps-aruba_silverpeak.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-aruba_silverpeak[sc4s-vps] {
+ filter {
+        host("silverpeak-" type(string) flags(prefix))
+    };
+    parser {
+        p_set_netsource_fields(
+            vendor('aruba')
+            product('silverpeak')
+        );
+    };
+};
+```

package/Dockerfile

@@ -16,7 +16,7 @@
 #work.  If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
 
 
-ARG SYSLOGNG_VERSION=4.6.0
+ARG SYSLOGNG_VERSION=4.8.1
 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION}
 
 
@@ -41,7 +41,7 @@ RUN apk add -U --upgrade --no-cache \
       cargo \
       ca-certificates \
       poetry \
-    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.7 sh \
+    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.8 sh \
     && groupadd --gid 1024 syslog \
     && useradd -M -g 1024 -u 1024 syslog \
     && usermod -L syslog \

package/Dockerfile.lite

@@ -16,7 +16,7 @@
 #work.  If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
 
 
-ARG SYSLOGNG_VERSION=4.6.0
+ARG SYSLOGNG_VERSION=4.8.1
 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION}
 
 
@@ -41,7 +41,7 @@ RUN apk add -U --upgrade --no-cache \
       cargo \
       ca-certificates \
       poetry \
-    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.7 sh \
+    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.8 sh \
     && groupadd --gid 1024 syslog \
     && useradd -M -g 1024 -u 1024 syslog \
     && usermod -L syslog \

package/etc/VERSION

@@ -1 +1 @@
-3.28.1
+3.30.1

package/etc/conf.d/conflib/netsource/app-netsource-aruba_silverpeak.conf

@@ -0,0 +1,32 @@
+block parser app-netsource-aruba_silverpeak() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('aruba:silverpeak')
+                vendor('aruba')
+                product('silverpeak')
+            );
+        };
+    };
+};
+
+
+application app-netsource-aruba_silverpeak[sc4s-network-source] {
+    filter {
+        not filter(f_is_source_identified)
+        and (
+                (
+                    match("aruba", value('.netsource.sc4s_vendor'), type(string))
+                    and match("silverpeak", value('.netsource.sc4s_product'), type(string))
+                )
+                and (tags("ns_vendor:aruba") and tags("ns_product:silverpeak"))
+                or tags(".source.s_ARUBA_SILVERPEAK")
+                or "${.netsource.sc4s_vendor_product}" eq "aruba_silverpeak"
+            )
+        ;
+    };
+    parser { app-netsource-aruba_silverpeak(); };
+};
+
+

package/etc/pylib/parser_cef.py

@@ -39,7 +39,7 @@ def parse(self, log_message):
                             del pairs[vk]
                         del pairs[k]
                 elif k == "rawEvent":
-                    pairs[k] = pairs[k].replace("\=", "=").replace("&&", "\n")
+                    pairs[k] = pairs[k].replace(r"\=", "=").replace("&&", "\n")
 
             for k, v in pairs.items():
                 kc = k.replace(" ", "_").replace(".", "_")

package/etc/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version:4.6
+@version:4.8
 
 
 # syslog-ng configuration file.

package/etc/test_parsers/app-vps-test-aruba_silverpeak.conf

@@ -0,0 +1,11 @@
+application app-vps-aruba_silverpeak[sc4s-vps] {
+ filter {
+        host("silverpeak-" type(string) flags(prefix))
+    };
+    parser {
+        p_set_netsource_fields(
+            vendor('aruba')
+            product('silverpeak')
+        );
+    };
+};

package/lite/etc/addons/aruba/app-netsource-aruba_silverpeak.conf

@@ -0,0 +1,30 @@
+block parser app-netsource-aruba_silverpeak() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('aruba:silverpeak')
+                vendor('aruba')
+                product('silverpeak')
+            );
+        };
+    };
+};
+
+
+application app-netsource-aruba_silverpeak[sc4s-network-source] {
+    filter {
+        not filter(f_is_source_identified)
+        and (
+                (
+                    match("aruba", value('.netsource.sc4s_vendor'), type(string))
+                    and match("silverpeak", value('.netsource.sc4s_product'), type(string))
+                )
+                and (tags("ns_vendor:aruba") and tags("ns_product:silverpeak"))
+                or tags(".source.s_ARUBA_SILVERPEAK")
+                or "${.netsource.sc4s_vendor_product}" eq "aruba_silverpeak"
+            )
+        ;
+    };
+    parser { app-netsource-aruba_silverpeak(); };
+};

package/lite/etc/syslog-ng.conf.jinja

@@ -1,4 +1,4 @@
-@version:4.6
+@version:4.8
 
 
 # syslog-ng configuration file.