Thanks for your help Doug, the updates you've made work.

Splunk Answers is being difficult and won't let me accept your answer!

Anyway, we ended up adding monitor stanzas for /var/log/ufw.log (ubuntu) and /var/log/firewalld (RHEL) to input.conf for *nix systems. We then added an explicit source stanza setting both log paths to sourcetype=syslog in props.conf and it's working reliably.

Thank you!

Doug will need to convert his comment to an answer so you can accept it, as you cannot accept a comment as an answer...

Ah, I was going to release the new version on Splunkbase then answer with a link to it but Intermediate got there first 🙂

Well, feel free to post an answer here and I'll accept yours instead.
You did all the hard work after all!

Thanks @gjanders

Thanks @gjanders

@doksu Thanks for the fast response!

(I've removed some old responses I'd made here here which are irrelevant/confusing)

I'm sure that I've deployed 1.0.0 to an indexer cluster but I am not seeing events assigned the correct sourcetype. Could you please help me troubleshoot the problem?

Here's a sample:
Nov 14 09:59:01 examplesvr kernel: [  573.578259] [UFW BLOCK] IN=ens160 OUT= MAC=00:50:56:80:e1:23:01:51:55:88:04:aa:08:01 SRC=10.10.19.23 DST=10.10.19.13 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50776 DF PROTO=TCP SPT=51176 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0

Thanks!

The app by default only applies the sourcetype transformation to events with the original sourcetype of 'syslog'. Could you please check the UFW events' original sourcetype is 'syslog'? If not and it can't be changed, you may opt to add a local prop.conf like so:

[yoursourcetype]
TRANSFORMS-yoursourcetype_netfilter = netfilter_sourcetyping

The field extractions occur at search time, so the new version of the app will need to be installed on the search heads once the sourcetying issue is resolved.

Thanks, we'd been logging to /var/log/firewalld OR /var/log/ufw.log and it seems those logs weren't being ingested with the 'syslog' sourcetype.

I think the addon is working, but it will take me a little while to confirm.

I've got an issue on Ubuntu where we're getting duplicate UFW logs. The same event appears in /var/log/syslog,/var/log/kern.log AND /var/log/ufw.log but I'll sort that out. Possibly syslog config.

For the record, for reasons I don't understand, Ubuntu has default rsyslog configuration which logs UFW events to /var/log/ufw.log AND allows these events to also be reported in /var/log/syslog and /var/log/kern.log

Fixing this is as simple as uncommenting '& stop' at the end of the block included in /etc/rsyslog.d/20-ufw.conf and reloading rsyslog.

If the UFW logs are being put in a dedicated log file, then you could specify the sourcetype 'linux:netfilter' directly in the inputs.conf monitor stanza for that file.

Applying the TA to the indexer cluster didn't require a restart, but given this isn't working I've done a rolling restart anyway. No change.