Merge pull request #11 from ZachChristensen28/development

Version 1.3.8

README.md

@@ -14,7 +14,7 @@ Full documentation can be found at [https://splunk-iptables.ztsplunker.com](http
 
 Info | Description
 ------|----------
-Version | 1.3.7 - See on [Splunkbase](https://splunkbase.splunk.com/app/4490/)
+Version | 1.3.8 - See on [Splunkbase](https://splunkbase.splunk.com/app/4490/)
 Vendor Product | RHEL/CentOS - Firewalld, Ubuntu - UFW, built-in IPtables
 Add-on has a web UI | No. This add-on does not contain any views.
 
@@ -23,12 +23,12 @@ The TA-linux_iptables Add-on allows Splunk data administrators to map the linux
 ## Release Notes
 
 ```text
-Version: 1.3.7
+Version: 1.3.8
 
-- fixed incorrect app value for UFW events - #5
-- updated regex for different UFW log formats - #8
+- Added sample configuration for the syslog sourcetype if IPtable data is mixed with syslog data.
+- Updated log_prefix field extraction to consider log prefixes surrounded with quotes.
 ```
 
 ## Issues or Feature Requests
 
-Please open an issue or submit feature requests at [github.com](https://github.com/ZachChristensen28/TA-iptables)
+Please open an issue or submit feature requests at [github.com](https://github.com/ZachChristensen28/TA-iptables/issues)

src/TA-linux_iptables/README.txt

@@ -0,0 +1,5 @@
+TA-linux_iptables - Add-on for Linux Iptables
+
+Documentation
+
+Full documentation can be found at https://splunk-iptables.ztsplunker.com.

app.manifest → src/TA-linux_iptables/app.manifest

@@ -5,7 +5,7 @@
         "id": {
             "group": null,
             "name": "TA-linux_iptables",
-            "version": "1.3.7"
+            "version": "1.3.8"
         },
         "author": [
             {
@@ -36,8 +36,8 @@
         },
         "releaseNotes": {
             "name": "README",
-            "text": "./README.md",
-            "uri": "https: //splunk-iptables-ta-documentation.rtfd.io"
+            "text": "./README.txt",
+            "uri": "https://splunk-iptables.ztsplunker.com"
         }
     },
     "dependencies": null,
@@ -51,4 +51,4 @@
     "targetWorkloads": [
         "*"
     ]
-}
+}

default/app.conf → src/TA-linux_iptables/default/app.conf

@@ -11,7 +11,7 @@ label = Iptables Add-on
 [launcher]
 author = Zach Christensen
 description = This Technology Add-on provides CIM compliant field extractions, eventtypes and tags for the linux iptables. This add-on also supports UFW (Uncomplicated Firewall) and Firewalld.
-version = 1.3.7
+version = 1.3.8
 
 [package]
 id = TA-linux_iptables

default/props.conf → src/TA-linux_iptables/default/props.conf

@@ -31,9 +31,17 @@ FIELDALIAS-iptabels_icmp_type      = TYPE as icmp_type
 EVAL-action                        = case(isnull(log_prefix), "unknown")
 EVAL-app                           = case(match(log_prefix, "(?i)ufw"), "ufw", match(log_prefix, "(?i)_REJECT|_DROP"), "firewalld", true(), "iptables")
 EVAL-vendor_product                = "Linux Netfilter"
-EVAL-log_prefix                    = replace(log_prefix, "[\[\]:]", "")
+EVAL-log_prefix                    = replace(log_prefix, "[\[\]:\"]", "")
 EVAL-protocol                      = "ip"
 LOOKUP-iptables_action             = iptables_action_lookup log_prefix OUTPUTNEW action
 LOOKUP-iptables_icmp_codes         = iptables_icmp_codes_lookup TYPE OUTPUTNEW icmp_code
 LOOKUP-iptables_transport          = iptables_transport_lookup PROTO OUTPUTNEW transport
 LOOKUP-iptables_frame_type         = iptables_frametypes_lookup FRAME_TYPE OUTPUTNEW frame_description
+
+#====================================
+# Syslog
+#====================================
+# Use the following if iptable logs are mixed with normal syslog.
+# Copy and paste the below configuration to ../local/props.conf
+# [syslog]
+# TRANSFORMS-iptables_sourcetyper = iptables_sourcetyper

default/transforms.conf → src/TA-linux_iptables/default/transforms.conf

@@ -20,7 +20,7 @@ FORMAT = $1::$2
 REPEAT_MATCH = true
 
 [iptables_log_prefix]
-REGEX = kernel.+?((?:\[UFW)? \S+)\s*IN=
+REGEX = kernel.+?((?:\[UFW)? \"*\S+)\s*\"*IN=
 FORMAT = log_prefix::$1
 
 [iptables_flags]

metadata/default.meta → src/TA-linux_iptables/metadata/default.meta

@@ -2,7 +2,7 @@
 # Application-level permissions
 
 []
-access = read : [ * ], write : [ admin, power ]
+access = read : [ * ], write : [ admin, sc_admin, power ]
 export = system
 
 ### EVENT TYPES