kintyre / ta-postfix


Postfix Add-on for Splunk (Compliant with the Mail CIM model)

Home Page: https://splunkbase.splunk.com/app/3347/

License: Apache License 2.0

Language: Shell 100.00%

Topics: splunk-application splunk postfix splunk-addon

ta-postfix's People

Contributors

lowell80

ta-postfix's Issues

Tweak required for EXTRACT-queue_id

The regex in this line, which is in /default/props.conf, needs to be adjusted.

From:

EXTRACT-queue_id = postfix/\w+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):

To (or something similar):

EXTRACT-queue_id = postfix/[\w\\/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):

The existing regex doesn't pick up cases where the process has more than one backslash - such as postfix/submission/smtpd

TA-postfix fails vetting and cannot be installed on Splunk Cloud

I've downloaded the .tgz as per our email yesterday, but Splunk Support still came back with "Review fails vetting and cannot be installed.". Would you consider the recommendations in the email below?

Thank you for your recent Splunk Cloud App request. Our Splunk Cloud operations and security teams have determined that the App you've requested is not compatible and/or secure within the Splunk Cloud service architecture. Please see their comments below:

#Custom 0.8.5 - TA-postfix
Review fails vetting and cannot be installed.

Props Configuration file standards Ensure that all props.conf files located in the default (or local) folder are well formed and valid. props.conf transforms.conf [failure] Check that pretrained sourcetypes in props.conf have only "TRANSFORM-" or "SEDCMD" settings, and that those transforms only modify the host, source, or sourcetype.
Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes. File: default/props.conf Line Number: 7

If you wish to make changes to the app, you can find documentation and utilities to assist you here: https://urldefense.com/v3/__http://dev.splunk.com/view/appinspect/SP-CAAAE9U__;!!NVzLfOphnbDXSw!XbGBHNAefhEhdcB_1AQ7C0yaD4OpwjXeIcOWxRR1cuVsKZxm5mAwg-YabOjkqtRyCw$

We look forward to working with you in the future to develop and install Apps that will further improve your Splunk Cloud experience. If you have any immediate questions or concerns, please let me know. If there are no questions at this time, please let me know and I will close this case.

Best Regards,
Ashanjot
Splunk Support

EXTRACT-reject_reason triggers when it shouldn't and collects erroneous results

The EXTRACT for reject_reason triggers when it shouldn't (when status!=reject) and collects erroneous results

My suggestion would be to remove EXTRACT-reject_reason and to extract the reject_reason within EXTRACT-status_reject - that way, reject_reason is only extracted when status==reject

Current:

EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):
EXTRACT-reject_reason = : (?<reject_reason>[^;:]+);

Proposed:

EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):\s(?<status_code_short>\d+)\s(?<dsn>(\d+\.)+\d+)\s(.+?:\s)?(?<reject_reason>[^;]+);

I've also incorporated extractions for the status_code_short and dsn because they weren't being picked up in these reject events.

The proposed regex works for the data that I have access to but please test against your data.
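As an added example (not code from the TA-postfix repository or from either issue's author), the script below runs the regexes posted in this issue and in the EXTRACT-queue_id issue above against constructed postfix syslog lines. It assumes Python's re module is a close enough stand-in for Splunk's PCRE once named groups are rewritten to Python syntax; the sample events, queue ids and addresses are constructed. The "warn" line shows why a standalone reject_reason extraction fires on non-reject events, and the two reject lines show the proposed combined extraction matching when the status code directly follows "reject:" but not when the common "RCPT from host[addr]:" segment sits in between, which is the kind of difference the "please test against your data" remark is about.

```python
"""Offline check of the Splunk EXTRACT- regexes from the queue_id and
reject_reason issues, run against constructed postfix syslog lines.
Added example; not code from the TA-postfix repository."""
import re


def pcre_to_python(pattern: str) -> str:
    """Splunk evaluates EXTRACT- regexes with PCRE; Python's re module only
    accepts (?P<name>...) for named groups, so rewrite that one construct.
    Lookbehinds (?<= and (?<! are untouched because they carry no name."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract(pattern: str, line: str) -> dict:
    """Mimic an unanchored EXTRACT-: named captures of the first match, or {}."""
    m = re.search(pcre_to_python(pattern), line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else {}


# Regexes as posted in the two issues (current and proposed versions).
QUEUE_ID_OLD = r"postfix/\w+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):"
QUEUE_ID_NEW = r"postfix/[\w\\/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):"
STATUS_REJECT_OLD = r"postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):"
REJECT_REASON_OLD = r": (?<reject_reason>[^;:]+);"
STATUS_REJECT_NEW = (
    r"postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):"
    r"\s(?<status_code_short>\d+)\s(?<dsn>(\d+\.)+\d+)\s(.+?:\s)?(?<reject_reason>[^;]+);"
)

# Constructed sample events (RFC 5737 test addresses, made-up queue ids).
LINE_PLAIN = ("Jan 10 12:00:01 mx1 postfix/smtpd[2231]: 4D2A1F0E3C: "
              "client=mail.example.net[192.0.2.10]")
LINE_NESTED = ("Jan 10 12:00:02 mx1 postfix/submission/smtpd[2240]: 7B91CC02A1: "
               "client=laptop.example.net[198.51.100.7]")
# Not a reject: an access-map WARN action, logged in the same "...; from=<>" shape.
LINE_WARN = ("Jan 10 12:00:03 mx1 postfix/smtpd[2231]: NOQUEUE: warn: RCPT from unknown[203.0.113.5]: "
             "Recipient address triggers WARN action; from=<a@example.net> to=<b@example.org> "
             "proto=ESMTP helo=<x>")
# Reject in the shape the proposed regex expects: status code right after "reject:".
LINE_REJECT_SHORT = ("Jan 10 12:00:04 mx1 postfix/smtpd[2231]: NOQUEUE: reject: 554 5.7.1 "
                     "<spam@example.org>: Relay access denied; from=<a@example.net> "
                     "to=<spam@example.org> proto=ESMTP helo=<x>")
# Reject in the usual smtpd shape, with "RCPT from host[addr]:" before the status code.
LINE_REJECT_RCPT = ("Jan 10 12:00:05 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from "
                    "unknown[203.0.113.5]: 554 5.7.1 <spam@example.org>: Relay access denied; "
                    "from=<a@example.net> to=<spam@example.org> proto=ESMTP helo=<x>")


def run_checks() -> dict:
    """Return every extraction result keyed by (regex name, sample name)."""
    regexes = {"QUEUE_ID_OLD": QUEUE_ID_OLD, "QUEUE_ID_NEW": QUEUE_ID_NEW,
               "STATUS_REJECT_OLD": STATUS_REJECT_OLD, "REJECT_REASON_OLD": REJECT_REASON_OLD,
               "STATUS_REJECT_NEW": STATUS_REJECT_NEW}
    samples = {"plain": LINE_PLAIN, "nested": LINE_NESTED, "warn": LINE_WARN,
               "reject_short": LINE_REJECT_SHORT, "reject_rcpt": LINE_REJECT_RCPT}
    return {(r, s): extract(rx, ln) for r, rx in regexes.items() for s, ln in samples.items()}


if __name__ == "__main__":
    for (regex_name, sample_name), fields in run_checks().items():
        print(f"{regex_name:18} {sample_name:13} {fields}")
```

Running the file prints one row per regex and sample; the rows worth comparing are QUEUE_ID_OLD versus QUEUE_ID_NEW on the nested process name, REJECT_REASON_OLD versus STATUS_REJECT_NEW on the warn line, and STATUS_REJECT_NEW on the two reject shapes.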

Re-release addon on Splunkbase

We'd like to release this app on Splunkbase as a direct download rather than as an "externally hosted" app. Splunk doesn't allow us to just convert an existing app between these types, therefore we need to upload a new app.

Additionally, Splunk now frowns upon reusing an existing sourcetype name that ships with Splunk enterprise, see #10. So we have to change the sourcetype postfix_syslog to something new. At the moment, I'm assuming that we also have to update the app id (folder name) to something new as well.

We would move the existing "master" branch to a new branch representing the "NEW" version of the app, the existing branch would be kept for some time for anyone still on the older version. Each branch would have some clear instructions in the README explaining the situation (and linking to the other), and there would be some "upgrade" notes on how to migrate from the legacy version to the updated and Splunkbase-available version.

Here's what I'm thinking in terms of renaming stuff. Please provide feedback with any recommendations or gotchas.

Name          | Current value             | New app (SplunkBase)      | Old app (git-only)
App id        | TA-postfix                | TA-postfix2 *             | TA-postfix
App version   | 0.8.x                     | 2.x.x *                   | 0.8.
Splunkbase id | 3347                      | TBD *                     | 3347
Label         | Postfix Add-on for Splunk | Postfix Add-on for Splunk | Postfix Add-on for Splunk (Legacy) *
Sourcetype    | postfix_syslog            | mail:postfix *            | postfix_syslog
Git branch    | master                    | main *                    | legacy *

Where * indicates a change.

eventtype search has wrong syntax

Invalid key in stanza [postfix_email] in /opt/splunk/etc/apps/TA-postfix/default/eventtypes.conf, line 2: sourcetype  (value:  postfix_syslog).
Did you mean 'search'?

The correct form is:
[postfix_email]
search = sourcetype = postfix_syslog

Thank you,
Meno
