Merge pull request #7 from ZachChristensen28/development

Version 1.3.7
ZachChristensen28 · Aug 20, 2021 · 31aa61d · 31aa61d
2 parents 7ec991a + f19a8f9
commit 31aa61d
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 18 deletions.
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 Zach Christensen
+Copyright (c) 2021 Zach Christensen
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -2,34 +2,31 @@
 
 ![GitHub](https://img.shields.io/github/license/zachchristensen28/TA-linux_iptables)
 [![Documentation Status](https://readthedocs.org/projects/splunk-iptables-ta-documentation/badge/?version=latest)](https://splunk-iptables-ta-documentation.readthedocs.io/en/latest/?badge=latest)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/TA-linux_iptables)
+[![Splunkbase App](https://img.shields.io/badge/Splunkbase-TA--linux__iptables-blue)](https://splunkbase.splunk.com/app/4490/)
+[![Splunk CIM Version](https://img.shields.io/badge/Splunk%20CIM%20Version-4.x-success)](https://docs.splunk.com/Documentation/CIM/latest/User/Overview)
 
 Info | Description
 ------|----------
-Version | 1.3.6 - See on [Splunkbase](https://splunkbase.splunk.com/app/4490/)
+Version | 1.3.7 - See on [Splunkbase](https://splunkbase.splunk.com/app/4490/)
 Vendor Product | RHEL/CentOS - Firewalld, Ubuntu - UFW, built-in IPtables
 Add-on has a web UI | No. This add-on does not contain any views.
 
 The TA-linux_iptables Add-on allows Splunk data administrators to map the linux firewall events to the [CIM](https://docs.splunk.com/Splexicon:CommonInformationModel) enabling the data to be used with other Splunk Apps, such as Enterprise Security.
 
 ## Release Notes
 
-```
-Version: 1.3.6
-
-Notice:
-   This updated simplifies the number of sourcetypes down to a single sourcetype (linux:iptables). Any existing reports/alerts/views that are utilizing the old sourcetypes ("linux:iptables:ufw" or "linux:iptables:firewalld") will be impacted. Verify before updating to this version. 
+```text
+Version: 1.3.7
 
-- added support for firewalld rich rules - #2
-- updated to only use the single sourcetype, 'linux:iptables'
-- updated action lookup to use wildcards
+- fixed incorrect app value for UFW events - #5
+- updated regex for different UFW log formats - #8
 ```
 
 ## Documentation
 
 Full documentation can be found at https://splunk-iptables-ta-documentation.rtfd.io.
 
-
 ## Issues or Feature Requests
 
 Please open an issue or submit feature requests at [github.com](https://github.com/ZachChristensen28/TA-iptables)
-
diff --git a/app.manifest b/app.manifest
@@ -5,7 +5,7 @@
         "id": {
             "group": null,
             "name": "TA-linux_iptables",
-            "version": "1.3.6"
+            "version": "1.3.7"
         },
         "author": [
             {

diff --git a/default/app.conf b/default/app.conf
@@ -10,8 +10,8 @@ label = Iptables Add-on
 
 [launcher]
 author = Zach Christensen
-description = This Technology Add-on provides CIM compliant field extractions, eventtypes and tags for the linux iptables. This add-on also supports UFW (Uncomplicated Firewall).
-version = 1.3.6
+description = This Technology Add-on provides CIM compliant field extractions, eventtypes and tags for the linux iptables. This add-on also supports UFW (Uncomplicated Firewall) and Firewalld.
+version = 1.3.7
 
 [package]
 id = TA-linux_iptables
diff --git a/default/props.conf b/default/props.conf
@@ -6,6 +6,8 @@
 # linux:iptables
 #====================================
 [linux:iptables]
+category                           = Linux IPTables Add-on for Splunk
+description                        = Collect logs from built-in IPTables, UFW, or Firewalld.
 KV_MODE                            = none
 REPORT-iptables_extract_kv         = iptables_extract_kv
 REPORT-iptables_log_prefix         = iptables_log_prefix
@@ -27,7 +29,7 @@ FIELDALIAS-iptabels_tos            = TOS AS tos
 FIELDALIAS-iptabels_ttl            = TTL AS ttl
 FIELDALIAS-iptabels_icmp_type      = TYPE as icmp_type
 EVAL-action                        = case(isnull(log_prefix), "unknown")
-EVAL-app                           = case(match(log_prefix, "ufw"), "UFW", match(log_prefix, "_REJECT|_DROP"), "firewalld", true(), "iptables")
+EVAL-app                           = case(match(log_prefix, "(?i)ufw"), "ufw", match(log_prefix, "(?i)_REJECT|_DROP"), "firewalld", true(), "iptables")
 EVAL-vendor_product                = "Linux Netfilter"
 EVAL-log_prefix                    = replace(log_prefix, "[\[\]:]", "")
 EVAL-protocol                      = "ip"

diff --git a/default/transforms.conf b/default/transforms.conf
@@ -20,7 +20,7 @@ FORMAT = $1::$2
 REPEAT_MATCH = true
 
 [iptables_log_prefix]
-REGEX = kernel: (?:\[[\d.]+\] )?(?:([^=]+)\s)?IN=
+REGEX = kernel.+?((?:\[UFW)? \S+)\s*IN=
 FORMAT = log_prefix::$1
 
 [iptables_flags]
@@ -63,4 +63,4 @@ min_matches = 1
 filename = iptables_frametypes.csv
 default_match = unknown
 max_matches = 1
-min_matches = 1
+min_matches = 1