[FILTERMOD] Added support for UDM FW logs

.github/workflows/cd-ghcr.io.yaml

@@ -49,7 +49,7 @@ jobs:
         id: docker_action_meta
         uses: docker/metadata-action@v4
         with:
-          images: ghcr.io/${{ github.repository }}/container2
+          images: ghcr.io/${{ github.repository }}/container3
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}
@@ -63,6 +63,6 @@ jobs:
         name: Pull Container
         run: |
           VERSION=$(cat package/etc/VERSION)
-          for line in $CONTAINER_SOURCE_TAGS; do echo working on "$line"; /tmp/regctl image copy ghcr.io/${{ github.repository }}/container2:$VERSION $line; done
+          for line in $CONTAINER_SOURCE_TAGS; do echo working on "$line"; /tmp/regctl image copy ghcr.io/${{ github.repository }}/container3:$VERSION $line; done
         env:
           CONTAINER_SOURCE_TAGS: ${{ steps.docker_action_meta.outputs.tags }}

.github/workflows/cd-oci-container.yaml

@@ -38,8 +38,8 @@ jobs:
         run: |
           VERSION=$(cat package/etc/VERSION)
           echo Pulling $VERSION
-          docker pull ghcr.io/splunk/splunk-connect-for-syslog/container2:$VERSION
-          docker save ghcr.io/splunk/splunk-connect-for-syslog/container2:$VERSION | gzip -c > /tmp/oci_container.tar.gz
+          docker pull ghcr.io/splunk/splunk-connect-for-syslog/container3:$VERSION
+          docker save ghcr.io/splunk/splunk-connect-for-syslog/container3:$VERSION | gzip -c > /tmp/oci_container.tar.gz
           sha512sum -b /tmp/oci_container.tar.gz > /tmp/oci_container_checksum.txt
 
       - name: Release

.github/workflows/cd-pages.yaml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - uses: oleksiyrudenko/gha-git-credentials@v2-latest
+      - uses: oleksiyrudenko/gha-git-credentials@v2.1.1
         with:
           token: "${{ secrets.GITHUB_TOKEN }}"
       - uses: actions/setup-python@v4

.github/workflows/ci-lite.yaml

@@ -0,0 +1,255 @@
+#   ########################################################################
+#   Copyright 2021 Splunk Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#   ########################################################################
+
+name: ci-lite
+on:
+  push:
+    branches:
+      - "main"
+      - "releases/*"
+      - "develop"
+      - "next*"
+  pull_request:
+    branches:
+      - "main"
+      - "releases/*"
+      - "develop"
+      - "next*"
+
+permissions:
+  actions: read
+  contents: write
+  deployments: write
+  packages: write
+
+jobs:
+  meta:
+    runs-on: ubuntu-latest
+    outputs:
+      sc4s: ghcr.io/${{ github.repository }}/container3lite:${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.version'] }}
+      container_tags: ${{ steps.docker_action_meta.outputs.tags }}
+      container_labels: ${{ steps.docker_action_meta.outputs.labels }}
+      container_buildtime: ${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.created'] }}
+      container_version: ${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.version'] }}
+      container_revision: ${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+      container_base: ${{ fromJSON(steps.docker_action_meta.outputs.json).tags[0] }}
+      matrix_supportedSplunk: ${{ steps.matrix.outputs.supportedSplunk }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: false
+          persist-credentials: false
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+      - name: Semantic Release
+        id: version
+        uses: cycjimmy/semantic-release-action@v3
+        with:
+          semantic_version: 18
+          extra_plugins: |
+            @semantic-release/exec
+            @semantic-release/git
+            semantic-release-helm
+            @google/semantic-release-replace-plugin@1.2.0
+            conventional-changelog-conventionalcommits
+          dry_run: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Docker meta
+        id: docker_action_meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/${{ github.repository }}/container3lite
+          tags: |
+            type=sha,format=long
+            type=sha
+            type=semver,pattern={{version}},value=${{ steps.version.outputs.new_release_version }}
+            type=semver,pattern={{major}},value=${{ steps.version.outputs.new_release_version }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.new_release_version }}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=ref,event=tag
+      - name: matrix
+        id: matrix
+        uses: splunk/addonfactory-test-matrix-action@v1.8.32
+
+  security-fossa-scan:
+    continue-on-error: true
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: run fossa anlyze and create report
+        run: |
+          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+          fossa analyze --debug
+          fossa report attribution --format text > /tmp/THIRDPARTY
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+      - name: upload THIRDPARTY file
+        uses: actions/upload-artifact@v3
+        with:
+          name: THIRDPARTY
+          path: /tmp/THIRDPARTY
+      - name: run fossa test
+        run: |
+          fossa test --debug
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+
+  build_action:
+    runs-on: ubuntu-latest
+    name: Build Action
+    needs:
+      - meta
+    steps:
+      # To use this repository's private action,
+      # you must check out the repository
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: false
+          persist-credentials: false
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to GitHub Packages Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push action
+        id: docker_action_build
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          provenance: false
+          file: package/Dockerfile.lite
+          #platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64
+          push: true
+          #tags: ${{ needs.meta.outputs.container_tags }}
+          tags: ${{ needs.meta.outputs.container_base }}
+          labels: ${{ needs.meta.outputs.container_labels }}
+          build-args: |
+            BUILDTIME=${{ needs.meta.outputs.container_buildtime }}
+            VERSION=${{ needs.meta.outputs.container_version }}
+            REVISION=${{ needs.meta.outputs.container_revision }}
+          cache-from: type=registry,ref=${{ needs.meta.outputs.container_base }}
+          cache-to: type=inline
+
+  test-container:
+    runs-on: ubuntu-latest
+    needs:
+      - meta
+      - build_action
+    strategy:
+      matrix:
+        splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
+    # runs all of the steps inside the specified container rather than on the VM host.
+    # Because of this the network configuration changes from host based network to a container network.
+    container:
+      image: python:3.9-buster
+
+    services:
+      splunk:
+        image: splunk/splunk:${{ matrix.splunk.version }}
+        ports:
+          - 8000:8000
+          - 8088:8088
+          - 8089:8089
+        env:
+          SPLUNK_HEC_TOKEN: 70b6ae71-76b3-4c38-9597-0c5b37ad9630
+          SPLUNK_PASSWORD: Changed@11
+          SPLUNK_START_ARGS: --accept-license
+          SPLUNK_APPS_URL: https://github.com/splunk/splunk-configurations-base-indexes/releases/download/v1.0.0/splunk_configurations_base_indexes-1.0.0.tar.gz
+
+      sc4s:
+        image: ${{ needs.meta.outputs.container_base }}
+        ports:
+          - 514:514
+          - 601:601
+          - 5614:5514
+          - 5601:5601
+          - 6000:6000
+          - 6002:6002
+          - 9000:9000
+        env:
+          SC4S_DEST_SPLUNK_HEC_DEFAULT_URL: https://splunk:8088
+          SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN: 70b6ae71-76b3-4c38-9597-0c5b37ad9630
+          SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY: "no"
+          SC4S_LISTEN_PFSENSE_FIREWALL_TCP_PORT: 6000
+          SC4S_LISTEN_SIMPLE_TEST_ONE_TCP_PORT: 5514
+          SC4S_LISTEN_SIMPLE_TEST_ONE_UDP_PORT: 5514
+          SC4S_LISTEN_SIMPLE_TEST_TWO_TCP_PORT: 5601
+          SC4S_LISTEN_SPECTRACOM_NTP_TCP_PORT: 6002
+          SC4S_LISTEN_CISCO_ESA_TCP_PORT: 9000
+          SC4S_LISTEN_RARITAN_DSX_TCP_PORT: 9001
+          SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL: "yes"
+          SC4S_SOURCE_RICOH_SYSLOG_FIXHOST: "yes"
+          TEST_SC4S_ACTIVATE_EXAMPLES: "yes"
+          SC4S_DEBUG_CONTAINER: "yes"
+          SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG: "yes"
+          SC4S_USE_VPS_CACHE: "yes"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: false
+          persist-credentials: false
+      - name: Run tests
+        run: |
+          pip3 install poetry
+          poetry install
+          mkdir -p test-results || true
+          poetry run pytest -v --tb=long \
+            --splunk_type=external \
+            --splunk_hec_token=70b6ae71-76b3-4c38-9597-0c5b37ad9630 \
+            --splunk_host=splunk \
+            --sc4s_host=sc4s \
+            --junitxml=test-results/test.xml \
+            -n 14  tests/test_linux_syslog.py  tests/test_common_lite.py
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    needs:
+      - meta
+      - build_action
+      - test-container
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: false
+          persist-credentials: false
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+      - name: Semantic Release
+        id: version
+        uses: cycjimmy/semantic-release-action@v3
+        with:
+          semantic_version: 18
+          extra_plugins: |
+            @semantic-release/exec
+            @semantic-release/git
+            semantic-release-helm
+            @google/semantic-release-replace-plugin@1.2.0
+            conventional-changelog-conventionalcommits
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}

.github/workflows/ci-main.yaml

@@ -39,7 +39,7 @@ jobs:
   meta:
     runs-on: ubuntu-latest
     outputs:
-      sc4s: ghcr.io/${{ github.repository }}/container2:${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.version'] }}
+      sc4s: ghcr.io/${{ github.repository }}/container3:${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.version'] }}
       container_tags: ${{ steps.docker_action_meta.outputs.tags }}
       container_labels: ${{ steps.docker_action_meta.outputs.labels }}
       container_buildtime: ${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.created'] }}
@@ -55,7 +55,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v3
         with:
-          node-version: "16"
+          node-version: "20"
       - name: Semantic Release
         id: version
         uses: cycjimmy/semantic-release-action@v3
@@ -74,7 +74,7 @@ jobs:
         id: docker_action_meta
         uses: docker/metadata-action@v4
         with:
-          images: ghcr.io/${{ github.repository }}/container2
+          images: ghcr.io/${{ github.repository }}/container3
           tags: |
             type=sha,format=long
             type=sha
@@ -207,6 +207,7 @@ jobs:
           SC4S_DEBUG_CONTAINER: "yes"
           SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG: "yes"
           SC4S_USE_VPS_CACHE: "yes"
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -224,7 +225,8 @@ jobs:
             --splunk_host=splunk \
             --sc4s_host=sc4s \
             --junitxml=test-results/test.xml \
-            -n 14
+            -n 14 \
+            -k 'not lite'
   mike:
     runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/heads/main' }} || ${{ github.ref == 'refs/heads/develop' }}
@@ -233,7 +235,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - uses: oleksiyrudenko/gha-git-credentials@v2-latest
+      - uses: oleksiyrudenko/gha-git-credentials@v2.1.1
         with:
           token: "${{ secrets.GITHUB_TOKEN }}"
       - uses: actions/setup-python@v4
@@ -262,7 +264,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v3
         with:
-          node-version: "16"
+          node-version: "20"
       - name: Semantic Release
         id: version
         uses: cycjimmy/semantic-release-action@v3

charts/splunk-connect-for-syslog/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: splunk-connect-for-syslog
 description: Deploy Splunk Connect for Syslog
 type: application
-version: 2.49.8
-appVersion: "2.49.8"
+version: 2.49.9-develop.1
+appVersion: "2.49.9-develop.1"

docs/sources/vendor/Ubiquiti/unifi.md

@@ -22,13 +22,13 @@ All Ubiquity Unfi firewalls, switches, and access points share a common syslog c
 
 ## Sourcetypes
 
-| sourcetype     | notes                                                                                                   |
-|----------------|---------------------------------------------------------------------------------------------------------|
+| sourcetype     | notes                                              |
+|----------------|----------------------------------------------------|
 | ubnt  | Used when no sub source type is required by add on |
-| ubnt:fw  | USG events |
-| ubnt:threat | USG IDS events    |
-| ubnt:switch  | Unifi Switches |
-| ubnt:wireless  | Access Point logs |
+| ubnt:fw  | USG/UDM events                                     |
+| ubnt:threat | USG IDS events                                     |
+| ubnt:switch  | Unifi Switches                                     |
+| ubnt:wireless  | Access Point logs                                  |
 
 ## Sourcetype and Index Configuration
 
@@ -45,7 +45,7 @@ All Ubiquity Unfi firewalls, switches, and access points share a common syslog c
 
 application app-vps-test-ubiquiti_unifi_fw[sc4s-vps] {
  filter { 
-        host("usg-*" type(glob))
+        host("usg-*" type(glob)) or host("udm-*" type(glob))
     }; 
     parser { 
         p_set_netsource_fields(