kintyre / ta-postfix
Postfix Add-on for Splunk (Compliant with the Mail CIM model)
Home Page: https://splunkbase.splunk.com/app/3347/
License: Apache License 2.0
The EXTRACT for reject_reason triggers when it shouldn't (when status!=reject) and collects erroneous results
My suggestion would be to remove EXTRACT-reject_reason and to extract the reject_reason within EXTRACT-status_reject - that way, reject_reason is only extracted when status==reject
Current:

```ini
EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):
EXTRACT-reject_reason = : (?<reject_reason>[^;:]+);
```

Proposed:

```ini
EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):\s(?<status_code_short>\d+)\s(?<dsn>(\d+\.)+\d+)\s(.+?:\s)?(?<reject_reason>[^;]+);
```
I've also incorporated extractions for the status_code_short and dsn because they weren't being picked up in these reject events.
The proposed regex works for the data that I have access to but please test against your data.
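Added harness (not part of the add-on or of this issue) that applies both EXTRACT values above to constructed Postfix syslog lines so the "only when status==reject" behaviour can be checked before touching props.conf. Splunk evaluates these regexes with PCRE, whose `(?<name>...)` group syntax Python's `re` does not accept, so the helper rewrites them to `(?P<name>...)`; all hostnames, addresses and queue IDs in the events are constructed.

```python
import re

# Regexes quoted from the issue above (Splunk props.conf EXTRACT values, PCRE syntax).
OLD_REJECT_REASON = r": (?<reject_reason>[^;:]+);"
PROPOSED_STATUS_REJECT = (
    r"postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):"
    r"\s(?<status_code_short>\d+)\s(?<dsn>(\d+\.)+\d+)\s(.+?:\s)?(?<reject_reason>[^;]+);"
)


def to_python_regex(splunk_pattern: str) -> re.Pattern:
    """Splunk/PCRE names groups as (?<name>...); Python's re wants (?P<name>...)."""
    return re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", splunk_pattern))


def extract(splunk_pattern: str, event: str) -> dict:
    """Fields Splunk would extract from one event with this pattern ({} if no match)."""
    m = to_python_regex(splunk_pattern).search(event)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else {}


# Constructed sample events (hosts and addresses are RFC 5737 documentation values).
# 1) The shape the proposed regex expects: the SMTP code directly follows "reject:".
REJECT_EVENT = (
    "Mar  3 10:15:02 mx1 postfix/smtpd[4242]: NOQUEUE: reject: 554 5.7.1 "
    "<b@example.com>: Relay access denied; from=<a@example.net> to=<b@example.com> "
    "proto=ESMTP helo=<mail.example.net>"
)
# 2) A HOLD action, not a reject: the standalone EXTRACT-reject_reason still fires here.
HOLD_EVENT = (
    "Mar  3 10:15:09 mx1 postfix/smtpd[4242]: NOQUEUE: hold: RCPT from "
    "unknown[192.0.2.10]: <b@example.com>: Recipient address triggers HOLD action; "
    "from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<mail.example.net>"
)
# 3) Standard smtpd layout with "RCPT from host[ip]:" before the code; the proposed
#    pattern does not match it, which is why the author asks you to test on your data.
STANDARD_REJECT_EVENT = (
    "Mar  3 10:15:20 mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <b@example.com>: Relay access denied; "
    "from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<mail.example.net>"
)

if __name__ == "__main__":
    for name, event in [("reject", REJECT_EVENT), ("hold", HOLD_EVENT),
                        ("standard", STANDARD_REJECT_EVENT)]:
        print(name, "old:", extract(OLD_REJECT_REASON, event))
        print(name, "proposed:", extract(PROPOSED_STATUS_REJECT, event))
```

Run it against a few lines pulled from your own mail log (replacing the constructed events) before deploying the change; an event that yields `{}` is one Splunk would leave without these fields.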
Invalid key in stanza [postfix_email] in /opt/splunk/etc/apps/TA-postfix/default/eventtypes.conf, line 2: sourcetype (value: postfix_syslog).
Did you mean 'search'?
The correct stanza is:

```ini
[postfix_email]
search = sourcetype = postfix_syslog
```
Thank you,
Meno
We'd like to release this app on Splunkbase as a direct download rather than as an "externally hosted" app. Splunk doesn't allow us to just convert an existing app between these types, therefore we need to upload a new app.
Additionally, Splunk now frowns upon reusing an existing sourcetype name that ships with Splunk Enterprise, see #10. So we have to change the sourcetype postfix_syslog to something new. At the moment, I'm assuming that we also have to update the app id (folder name) to something new as well.
We would move the existing "master" branch to a new branch representing the "NEW" version of the app, the existing branch would be kept for some time for anyone still on the older version. Each branch would have some clear instructions in the README explaining the situation (and linking to the other), and there would be some "upgrade" notes on how to migrate from the legacy version to the updated and Splunkbase-available version.
Here's what I'm thinking in terms of renaming stuff. Please provide feedback with any recommendations or gotchas.
Name | Current value | New app (SplunkBase) | Old app (git-only) |
---|---|---|---|
App id | TA-postfix | TA-postfix2 * | TA-postfix |
App version | 0.8.x | 2.x.x * | 0.8.x |
Splunkbase id | 3347 | TBD * | 3347 |
Label | Postfix Add-on for Splunk | Postfix Add-on for Splunk | Postfix Add-on for Splunk (Legacy) * |
Sourcetype | postfix_syslog | mail:postfix * | postfix_syslog |
Git branch | master | main * | legacy * |
Where * indicates a change.
I've downloaded the .tgz as per our email yesterday, but Splunk Support still came back with "Review fails vetting and cannot be installed.". Would you consider the recommendations in the email below?
Thank you for your recent Splunk Cloud App request. Our Splunk Cloud operations and security teams have determined that the App you've requested is not compatible and/or secure within the Splunk Cloud service architecture. Please see their comments below:
#Custom 0.8.5 - TA-postfix
Review fails vetting and cannot be installed.
Props Configuration file standards Ensure that all props.conf files located in the default (or local) folder are well formed and valid. props.conf transforms.conf [failure] Check that pretrained sourcetypes in props.conf have only "TRANSFORM-" or "SEDCMD" settings, and that those transforms only modify the host, source, or sourcetype.
Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes. File: default/props.conf Line Number: 7
If you wish to make changes to the app, you can find documentation and utilities to assist you here: https://urldefense.com/v3/__http://dev.splunk.com/view/appinspect/SP-CAAAE9U__;!!NVzLfOphnbDXSw!XbGBHNAefhEhdcB_1AQ7C0yaD4OpwjXeIcOWxRR1cuVsKZxm5mAwg-YabOjkqtRyCw$
We look forward to working with you in the future to develop and install Apps that will further improve your Splunk Cloud experience. If you have any immediate questions or concerns, please let me know. If there are no questions at this time, please let me know and I will close this case.
Best Regards,
Ashanjot
Splunk Support
The app name does not comply with the spec that ES uses to auto load eventtypes and tags into its CIM Data models...
it requires TA-appname or Splunk_TA_appname to be the naming convention or the app is ignored
https://answers.splunk.com/answers/238170/splunk-enterprise-security-add-on-nomenclature.html
The regex in this line, which is in /default/props.conf, needs to be adjusted.
From:

```ini
EXTRACT-queue_id = postfix/\w+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):
```

To (or something similar):

```ini
EXTRACT-queue_id = postfix/[\w\\/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):
```
The existing regex doesn't pick up cases where the process has more than one backslash - such as postfix/submission/smtpd
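Added check (not part of the add-on or of this issue) that runs the current and proposed EXTRACT-queue_id regexes over constructed syslog lines from a plain smtpd and from the submission service, which logs as postfix/submission/smtpd. As in the harness above, Splunk's PCRE named groups are rewritten to Python's `(?P<name>...)` form; the events, hosts and queue ID are constructed.

```python
import re
from typing import Optional

# Regexes quoted from the issue above (Splunk props.conf EXTRACT-queue_id values).
CURRENT_QUEUE_ID = r"postfix/\w+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):"
PROPOSED_QUEUE_ID = r"postfix/[\w\\/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):"


def extract_queue_id(splunk_pattern: str, event: str) -> Optional[str]:
    """Queue ID the pattern would extract from one event, or None if it does not match.

    Splunk/PCRE names groups (?<name>...); Python's re needs (?P<name>...), so convert.
    """
    pattern = re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", splunk_pattern))
    m = pattern.search(event)
    return m.group("queue_id") if m else None


# Constructed sample events: the same kind of line from a plain smtpd and from the
# submission service, whose syslog tag carries an extra path component.
SMTPD_EVENT = ("Mar  3 10:20:01 mx1 postfix/smtpd[4242]: 1A2B3C4D5E: "
               "client=mail.example.net[192.0.2.10]")
SUBMISSION_EVENT = ("Mar  3 10:20:01 mx1 postfix/submission/smtpd[4243]: 1A2B3C4D5E: "
                    "client=laptop.example.org[198.51.100.7], sasl_method=PLAIN, "
                    "sasl_username=alice@example.org")
# A reject with no queue ID: neither regex should extract anything from "NOQUEUE".
NOQUEUE_EVENT = ("Mar  3 10:20:05 mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
                 "unknown[203.0.113.9]: 554 5.7.1 <b@example.com>: Relay access denied; "
                 "from=<x@example.net> to=<b@example.com> proto=ESMTP helo=<x.example.net>")

if __name__ == "__main__":
    for label, pattern in [("current", CURRENT_QUEUE_ID), ("proposed", PROPOSED_QUEUE_ID)]:
        for event in (SMTPD_EVENT, SUBMISSION_EVENT, NOQUEUE_EVENT):
            print(label, "->", extract_queue_id(pattern, event))
```

With the current regex the submission-service line yields no queue_id at all, so those deliveries never join the rest of the message's events when you pivot on queue_id; the proposed regex closes that gap without changing the smtpd result.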