feat: add post-filter and syslog topics to sc4s lite (#2111)

* feat: add post-filter and syslog topics to sc4s lite * Updated topic order for lite as per the existing behaviour
splunk · Jul 27, 2023 · 976ab1a · 976ab1a
1 parent 88dd3d7
commit 976ab1a
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/package/lite/etc/conf.d/log_paths/2/lp_dest_alts_global/plugin.jinja b/package/lite/etc/conf.d/log_paths/2/lp_dest_alts_global/plugin.jinja
@@ -43,7 +43,11 @@ log{
         if {
             parser (compliance_meta_by_source);
         };
-
+        if {
+            parser {
+                app-parser(topic(sc4s-postfilter));
+            };
+        };
         if {
             filter(f_is_dest_splunk_null_queue);
         } else {

diff --git a/package/lite/etc/conf.d/plugin/app_parser_topics.conf b/package/lite/etc/conf.d/plugin/app_parser_topics.conf
@@ -1,6 +1,14 @@
+parser app-group-sc4s-syslog{
+    app-parser(topic(sc4s-syslog));
+};
 parser app-group-sc4s-raw{
     app-parser(topic(sc4s-raw-syslog));
 };
 parser app-group-sc4s-fallback{
     app-parser(topic(fallback));
 };
+
+parser app-plugin-source-postprocess{
+    app-parser(topic(sc4s-postfilter));
+};
+
diff --git a/package/lite/etc/conf.d/sources/source_syslog/plugin.jinja b/package/lite/etc/conf.d/sources/source_syslog/plugin.jinja
@@ -11,6 +11,9 @@ source s_{{ port_id }} {
                 transport("udp")
                 so-reuseport(1)
                 persist-name("{{ port_id }}_{{ port }}_{{ i }}")
+                {%- if enable_ebpf == True %}
+                ebpf(reuseport(sockets({{ ebpf_no_sockets }})))
+                {%- endif %}
                 port({{ port }})
                 ip-protocol({{ enable_ipv6 }})
                 {%- if port_udp_sorecvbuff >0 %}
@@ -210,7 +213,15 @@ source s_{{ port_id }} {
                 parser(vendor_product_by_source);
             };
             {%- endif %}
-
+             if {
+                filter {
+                    not filter(f_is_source_identified);
+                };
+                if {
+                    parser(app-group-sc4s-syslog);
+                    rewrite(r_set_source_identified);
+                };
+            };
         };
         rewrite {
             groupunset(values('.tmp.*'));
@@ -379,6 +390,14 @@ source s_{{ port_id }} {
             parser(vendor_product_by_source);
         };
         {%- endif %}
+        if {
+            parser(app-group-sc4s-syslog);
+            rewrite(r_set_source_identified);
+
+        };
+        rewrite{
+            groupunset(values('.tmp.*'));
+        };
 
         if {
             filter(f_is_source_identified);