splunk · ikheifets-splunk · Sep 18, 2024 · Sep 18, 2024 · Sep 18, 2024 · Sep 18, 2024
@@ -18,7 +18,7 @@ jobs:
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
         # Alpha Release
-        uses: contributor-assistant/github-action@v2.4.0
+        uses: contributor-assistant/github-action@v2.6.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
@@ -43,7 +43,7 @@ jobs:
       - name: "COC Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target'
         # Alpha Release
-        uses: contributor-assistant/github-action@v2.4.0
+        uses: contributor-assistant/github-action@v2.6.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret

@@ -86,7 +86,7 @@ jobs:
             type=ref,event=tag
       - name: matrix
         id: matrix
-        uses: splunk/addonfactory-test-matrix-action@v1.13.1
+        uses: splunk/addonfactory-test-matrix-action@v2.1.8
 
   security-fossa-scan:
     continue-on-error: true

@@ -86,7 +86,7 @@ jobs:
             type=ref,event=tag
       - name: matrix
         id: matrix
-        uses: splunk/addonfactory-test-matrix-action@v1.13.1
+        uses: splunk/addonfactory-test-matrix-action@v2.1.8
 
   security-fossa-scan:
     continue-on-error: true

@@ -38,8 +38,8 @@ ExecStart=/usr/bin/podman run \
         -v "$SC4S_ARCHIVE_MOUNT" \
         -v "$SC4S_TLS_MOUNT" \
         --env-file=/opt/sc4s/env_file \
-        --health-cmd="/healthcheck.sh" \
-        --health-interval=10s --health-retries=6 --health-timeout=6s \
+        --health-cmd="/usr/sbin/syslog-ng-ctl healthcheck --timeout 5" \
+        --health-interval=2m --health-retries=6 --health-timeout=5s \
         --network host \
         --name SC4S \
         --rm $SC4S_IMAGE

@@ -134,9 +134,6 @@ spec:
             - name: ietf-dflt-tls
               containerPort: 5425
               protocol: TCP
-            - name: health
-              containerPort: 8080
-              protocol: TCP
           {{- if .Values.sc4s }}
           {{- if .Values.sc4s.vendor_product }}
             {{- range $vp := .Values.sc4s.vendor_product }}
@@ -216,16 +213,14 @@ spec:
             readOnly: true
           {{- end }}
           livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 8080
+            exec:
+              command: ["syslog-ng-ctl", "healthcheck", "--timeout", "5"]
             initialDelaySeconds: 10
             periodSeconds: 3              
             timeoutSeconds: 5            
           readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 8080
+            exec:
+              command: ["syslog-ng-ctl", "healthcheck", "--timeout", "5"]
             initialDelaySeconds: 10
             failureThreshold: 60
             periodSeconds: 10

@@ -277,6 +277,16 @@ A syntax error will cause the runtime process to abort in the "preflight" phase
 
 To update your changes, restart SC4S.
 
+### Set source value as 'sc4s'
+
+User can set the source field value to 'sc4s' by using the `SC4S_SET_SOURCE_AS_SC4S` variable.
+
+**Note:** If the source field value is specified in a local parser or the splunk_metadata.csv file, it will take precedence over the `SC4S_SET_SOURCE_AS_SC4S` variable and overwrite the source field value.
+
+| Variable | Values        | Description |
+|----------|---------------|-------------|
+| SC4S_SET_SOURCE_AS_SC4S | yes or no(default) | Set the source field value to 'sc4s'. |
+
 ## Drop all data by IP or subnet (deprecated)
 
 Using `vendor_product_by_source` to null queue is now a deprecated task. See the supported method for dropping data in [Filtering events from output](https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-events-from-output).
@@ -324,8 +334,8 @@ ExecStart=/usr/bin/podman run \
         -v "$SC4S_TLS_MOUNT" \
         --privileged \
         --env-file=/opt/sc4s/env_file \
-        --health-cmd="/healthcheck.sh" \
-        --health-interval=10s --health-retries=6 --health-timeout=6s \
+        --health-cmd="/usr/sbin/syslog-ng-ctl healthcheck --timeout 5" \
+        --health-interval=2m --health-retries=6 --health-timeout=5s \
         --network host \
         --name SC4S \
         --rm $SC4S_IMAGE

@@ -79,7 +79,6 @@ SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sour
 SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events...
 syslog-ng checking config
 sc4s version=v1.36.0
-starting goss
 starting syslog-ng
 ```
 

@@ -103,7 +103,6 @@ SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sour
 SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events...
 syslog-ng checking config
 sc4s version=v1.36.0
-starting goss
 starting syslog-ng
 ```
 

@@ -75,6 +75,5 @@ SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sour
 SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events...
 syslog-ng checking config
 sc4s version=v1.36.0
-starting goss
 starting syslog-ng
 ```
@@ -120,7 +120,6 @@ You should see events similar to those below in the output:
 ```ini
 syslog-ng checking config
 sc4s version=v1.36.0
-starting goss
 starting syslog-ng
 ```
 

@@ -112,7 +112,6 @@ You should see events similar to those below in the output:
 ```ini
 syslog-ng checking config
 sc4s version=v1.36.0
-starting goss
 starting syslog-ng
 ```
 

@@ -116,7 +116,6 @@ You should see events similar to those below in the output:
 ```ini
 syslog-ng checking config
 sc4s version=v1.36.0
-starting goss
 starting syslog-ng
 ```
 

@@ -109,7 +109,6 @@ You should see events similar to those below in the output:
 ```ini
 syslog-ng checking config
 sc4s version=v1.36.0
-starting goss
 starting syslog-ng
 ```
 
@@ -178,8 +177,8 @@ ExecStart=/usr/bin/podman run -p 2514:514 -p 2514:514/udp -p 6514:6514  \
         -v "$SC4S_ARCHIVE_MOUNT" \
         -v "$SC4S_TLS_MOUNT" \
         --env-file=/home/sc4s/env_file \
-        --health-cmd="/healthcheck.sh" \
-        --health-interval=10s --health-retries=6 --health-timeout=6s \
+        --health-cmd="/usr/sbin/syslog-ng-ctl healthcheck --timeout 5" \
+        --health-interval=2m --health-retries=6 --health-timeout=5s \
         --network host \
         --name SC4S \
         --rm $SC4S_IMAGE

@@ -38,8 +38,8 @@ ExecStart=/usr/bin/podman run \
         -v "$SC4S_ARCHIVE_MOUNT" \
         -v "$SC4S_TLS_MOUNT" \
         --env-file=/opt/sc4s/env_file \
-        --health-cmd="/healthcheck.sh" \
-        --health-interval=10s --health-retries=6 --health-timeout=6s \
+        --health-cmd="/usr/sbin/syslog-ng-ctl healthcheck --timeout 5" \
+        --health-interval=2m --health-retries=6 --health-timeout=5s \
         --network host \
         --name SC4S \
         --rm $SC4S_IMAGE

@@ -27,7 +27,6 @@ SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sour
 SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events...
 syslog-ng checking config
 sc4s version=3.0.0
-starting goss
 starting syslog-ng 
 ```
 

@@ -41,7 +41,6 @@ RUN apk add -U --upgrade --no-cache \
       cargo \
       ca-certificates \
       poetry \
-    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.8 sh \
     && groupadd --gid 1024 syslog \
     && useradd -M -g 1024 -u 1024 syslog \
     && usermod -L syslog \
@@ -56,9 +55,7 @@ EXPOSE 6514/tcp
 #/dev/log a low priv user cannot read this and the container will fail in SC4S
 #and other uses the low user may be selected
 
-HEALTHCHECK --interval=10s --retries=6 --timeout=6s CMD /healthcheck.sh
-
-COPY package/etc/goss.yaml /etc/syslog-ng/goss.yaml
+HEALTHCHECK --interval=2m --timeout=5s --start-period=30s CMD /usr/sbin/syslog-ng-ctl healthcheck --timeout 5
 
 COPY pyproject.toml /
 COPY poetry.lock /
@@ -75,7 +72,6 @@ COPY package/etc/test_parsers /etc/syslog-ng/test_parsers
 COPY package/etc/local_config /etc/syslog-ng/local_config
 COPY package/etc/local_config /etc/syslog-ng/local_config
 COPY package/sbin/entrypoint.sh /
-COPY package/sbin/healthcheck.sh /
 COPY package/sbin/source_ports_validator.py /
 
 ENV SC4S_CONTAINER_OPTS=--no-caps

@@ -41,7 +41,6 @@ RUN apk add -U --upgrade --no-cache \
       cargo \
       ca-certificates \
       poetry \
-    && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.8 sh \
     && groupadd --gid 1024 syslog \
     && useradd -M -g 1024 -u 1024 syslog \
     && usermod -L syslog \
@@ -56,9 +55,7 @@ EXPOSE 6514/tcp
 #/dev/log a low priv user cannot read this and the container will fail in SC4S
 #and other uses the low user may be selected
 
-HEALTHCHECK --interval=10s --retries=6 --timeout=6s CMD /healthcheck.sh
-
-COPY package/etc/goss.yaml /etc/syslog-ng/goss.yaml
+HEALTHCHECK --interval=2m --timeout=5s --start-period=30s CMD /usr/sbin/syslog-ng-ctl healthcheck --timeout 5
 
 COPY pyproject.toml /
 COPY poetry.lock /
@@ -97,7 +94,6 @@ COPY package/lite/etc/config.yaml /etc/syslog-ng/config.yaml
 COPY package/lite/etc/addons /etc/syslog-ng/addons
 
 COPY package/sbin/entrypoint.sh /
-COPY package/sbin/healthcheck.sh /
 COPY package/sbin/source_ports_validator.py /
 
 

@@ -288,6 +288,11 @@ source s_{{ port_id }} {
             };
         };
 
+        {%- if set_source_sc4s == True %}
+            rewrite {
+                set("sc4s", value(".splunk.source"));
+            };
+        {%- endif %}
 
         rewrite {
             set($FACILITY, value("fields.sc4s_syslog_facility") condition(match('facility' template('`SC4S_DEST_SPLUNK_INDEXED_FIELDS`') type(string) flags(substring))));
@@ -475,6 +480,12 @@ source s_{{ port_id }} {
             parser(app-group-sc4s-fallback);
         };
 
+        {%- if set_source_sc4s == True %}
+            rewrite {
+                set("sc4s", value(".splunk.source"));
+            };
+        {%- endif %}
+
         rewrite {
             set($FACILITY, value("fields.sc4s_syslog_facility") condition(match('facility' template('`SC4S_DEST_SPLUNK_INDEXED_FIELDS`') type(string) flags(substring))));
             set($LEVEL, value("fields.sc4s_syslog_severity") condition(match('severity' template('`SC4S_DEST_SPLUNK_INDEXED_FIELDS`') type(string) flags(substring)) ));

@@ -133,5 +133,6 @@ def normalize_env_variable_input(env_variable: str):
         ebpf_no_sockets=int(os.getenv("SC4S_EBPF_NO_SOCKETS", 4)),
         enable_parallelize=normalize_env_variable_input(f"SC4S_ENABLE_PARALLELIZE"),
         parallelize_no_partitions=int(os.getenv(f"SC4S_PARALLELIZE_NO_PARTITION", 4)),
+        set_source_sc4s=normalize_env_variable_input("SC4S_SET_SOURCE_AS_SC4S"),
     )
     print(outputText)
@@ -224,13 +224,6 @@ echo sc4s version=$(cat $SC4S_ETC/VERSION)
 echo sc4s version=$(cat $SC4S_ETC/VERSION) >>$SC4S_VAR/log/syslog-ng.out
 $SC4S_SBIN/syslog-ng --no-caps $SC4S_CONTAINER_OPTS -s >>$SC4S_VAR/log/syslog-ng.out 2>$SC4S_VAR/log/syslog-ng.err
 
-# Use goss to pick up default listening ports for health check
-if command -v goss &> /dev/null
-then
-  echo starting goss
-  goss -g $SC4S_ETC/goss.yaml serve -l 0.0.0.0:$SC4S_LISTEN_STATUS_PORT --format json >/dev/null 2>/dev/null &
-fi
-
 # OPTIONAL for BYOE:  Comment out/remove all remaining lines and launch syslog-ng directly from systemd
 if [ "${SC4S_DEBUG_CONTAINER}" == "yes" ]
 then