splunk-connect-for-syslog
Forcepoint matching is inop since upgrade from 2.9.2 > 2.26.5
Seems to always go into nix_os index since upgrade from 2.9.2 > 2.26.5
Original config:

splunk_metadata.csv
```
forcepoint_webprotect,index,forcepoint
forcepoint_webaccess,index,forcepoint
forcepoint_webaccess,sourcetype,websense:access
forcepoint_weberror,index,forcepoint
forcepoint_weberror,sourcetype,websense:error
```

vendor_product_by_source.csv
```
f_forcepoint_web_access,sc4s_vendor_product,"forcepoint_webaccess"
f_forcepoint_web_error,sc4s_vendor_product,"forcepoint_weberror"
```

vendor_product_by_source.conf
```
filter f_forcepoint_web_access{ match("wcgextended") };
filter f_forcepoint_web_error{ match("wcgerror") };
```
Tried without filters:

splunk_metadata.csv
```
forcepoint_webprotect,index,forcepoint
```

AND tried various modifications to vendor_product_by_source.conf with filters:

1. `filter f_forcepoint_web_access{ message("wcgextended") };`
2. `filter f_forcepoint_web_access{ match("wcgextended" value("PROGRAM")) };`
3. `filter f_forcepoint_web_access{ match("wcgextended" value("MESSAGE")) };`
Nothing seems to work. It seems to always go to index nx_os with a sourcetype of nix:syslog and a source or program of wcgextended or wcgerror.
Can you please attach a pcap file?
I can supply some redacted logs, but I'm not able to supply a pcap, I'm afraid.
Some logs are as follows, so the index isn't matching on some as well:
```
index=lastchance sourcetype="websense:cg:kv"
```
Sure, please provide the redacted (anonymized) logs.
Fixed using a compliance_meta_by_source filter:

```
# Forcepoint management-server events, matched on key=value pairs inside MESSAGE
filter f_forcepoint_audit { message('vendor=Forcepoint' type(string) flags(substring)) and message('logtype=Audit' type(string) flags(substring)) };
filter f_forcepoint_security { message('vendor=Forcepoint' type(string) flags(substring)) and message('product=Security' type(string) flags(substring)) };
# Web gateway events, matched exactly on the PROGRAM field
filter f_forcepoint_web_access{ match("wcgextended" value("PROGRAM") type("string")); };
filter f_forcepoint_web_error{ match("wcgerror" value("PROGRAM") type("string")); };
```
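To see what the filters in the post above actually select, here is a small Python model of the two syslog-ng matching semantics they use (exact `match(... value("PROGRAM") type("string"))` and substring `message(... flags(substring))`), run over constructed RFC 3164 lines. This is an added example, not SC4S or syslog-ng code; the sample messages are invented and do not reproduce Forcepoint's real log format, and the modelling assumption that a bare `match()` with no `value()` tests only MESSAGE is stated in the code. It shows which filter each line lands in, which lines fall through to the default route, and that a MESSAGE-only match cannot see a program name that appears only in PROGRAM (which explains the very first attempt in this issue, not why the `value("PROGRAM")` variants in vendor_product_by_source.conf also failed, which the thread leaves open).

```python
"""Added example: model of the syslog-ng filter semantics used in this thread.
Not SC4S or syslog-ng code; sample lines are constructed, not real Forcepoint output."""
import re

# Minimal RFC 3164 parser: "<PRI>Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)


def parse_syslog(line):
    """Split one line into the macros syslog-ng filters test: HOST, PROGRAM, MESSAGE."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not RFC 3164 syslog: {line!r}")
    return {"HOST": m["host"], "PROGRAM": m["program"], "MESSAGE": m["message"]}


# --- filter primitives, each returning a predicate over a parsed message ---

def match_string(pattern, value_name):
    """match("pattern" value("FIELD") type("string")): exact, case-sensitive comparison."""
    return lambda msg: msg.get(value_name, "") == pattern


def match_regex(pattern, value_name="MESSAGE"):
    """match("pattern") with no value(): regex search against MESSAGE only.
    Modelling assumption: the default field is MESSAGE, so PROGRAM is not inspected."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg.get(value_name, "")) is not None


def message_substring(needle):
    """message("needle" type(string) flags(substring)): plain substring test on MESSAGE."""
    return lambda msg: needle in msg["MESSAGE"]


def f_and(*preds):
    return lambda msg: all(p(msg) for p in preds)


# The four filters from the resolving post; the error filter is keyed on the
# wcgerror program so that it selects different lines from the access filter.
FILTERS = {
    "f_forcepoint_audit": f_and(message_substring("vendor=Forcepoint"),
                                message_substring("logtype=Audit")),
    "f_forcepoint_security": f_and(message_substring("vendor=Forcepoint"),
                                   message_substring("product=Security")),
    "f_forcepoint_web_access": match_string("wcgextended", "PROGRAM"),
    "f_forcepoint_web_error": match_string("wcgerror", "PROGRAM"),
}


def classify(line):
    """Names of every filter that accepts the line; [] means the default route (nix:syslog)."""
    msg = parse_syslog(line)
    return [name for name, pred in FILTERS.items() if pred(msg)]


# Constructed sample lines (not real Forcepoint output).
SAMPLE_LINES = [
    "<134>Jan 12 10:00:01 proxy01 wcgextended: user=alice url=http://example.test/ action=permit",
    "<131>Jan 12 10:00:02 proxy01 wcgerror: policy server unreachable, retrying",
    "<134>Jan 12 10:00:03 fpmgr01 fp-audit: vendor=Forcepoint product=Web logtype=Audit user=admin action=login",
    "<134>Jan 12 10:00:04 fpmgr01 fp-sec: vendor=Forcepoint product=Security logtype=Alert severity=high",
    "<86>Jan 12 10:00:05 host1 sshd[4242]: Accepted publickey for bob from 192.0.2.10 port 51022",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        program = parse_syslog(line)["PROGRAM"]
        print(f"{program:>12} -> {classify(line) or ['(default route)']}")
    # A bare match() only inspects MESSAGE, so the program name is invisible to it.
    first = parse_syslog(SAMPLE_LINES[0])
    print('match("wcgextended") on MESSAGE:', match_regex("wcgextended")(first))
    print('match("wcgextended" value("PROGRAM")):', match_regex("wcgextended", "PROGRAM")(first))
```

Running the block prints one routing decision per sample line; the sshd line matches nothing and would take SC4S's default route, which is the symptom reported in this issue. To check a real filter against real messages, the same approach applies: parse the redacted lines, confirm what PROGRAM and MESSAGE actually contain, and compare that to the field each filter tests.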
I'll get some redacted logs over.
Any update on pcap/redacted logs?
I think the way you described above can work; another way is splunk_metadata.csv with the right key, and a third way is a <>.conf in local/context/rewriters.