diff --git a/docs/sources/vendor/Powertech/interact.md b/docs/sources/vendor/Powertech/interact.md
new file mode 100644
index 0000000000..114e7db874
--- /dev/null
+++ b/docs/sources/vendor/Powertech/interact.md
@@ -0,0 +1,31 @@
+# PowerTech Interact
+
+## Key facts
+
+* MSG Format based filter
+* CEF Format default port 514
+
+## Links
+
+| Ref | Link |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| PowerTech:Interact:cef | CEF |
+
+## Source
+
+| source | notes |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| PowerTech:Interact:cef | None |
+
+### Index Configuration
+
+| key | source | index | notes |
+|--------------------|---------------------|------------------------|----------------|
+|PowerTech_Interact | PowerTech:Interact | netops | none |
diff --git a/package/etc/conf.d/conflib/cef/app-cef-powertech_interact.conf b/package/etc/conf.d/conflib/cef/app-cef-powertech_interact.conf
new file mode 100644
index 0000000000..66d9f264c1
--- /dev/null
+++ b/package/etc/conf.d/conflib/cef/app-cef-powertech_interact.conf
@@ -0,0 +1,21 @@
+block parser app-cef-power_interact() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netops'),
+ source('PowerTech:Interact'),
+ sourcetype('PowerTech:Interact:cef')
+ vendor('PowerTech')
+ product('Interact')
+ );
+ };
+ };
+};
+
+application app-cef-power_interact[cef] {
+ filter{
+ match("PowerTech" value(".metadata.cef.device_vendor"))
+ and match("Interact" value(".metadata.cef.device_product"));
+ };
+ parser { app-cef-power_interact(); };
+};
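Review bot: The argument list passed to r_set_splunk_dest_default() in app-cef-powertech_interact.conf mixes separators — `index('netops'),` and `source('PowerTech:Interact'),` carry trailing commas while `sourcetype(...)`, `vendor(...)` and `product(...)` are whitespace-separated; whether or not the syslog-ng parser tolerates the mix, the five arguments should use one form, e.g. drop the two commas so they all read like `sourcetype('PowerTech:Interact:cef')`. The two match() calls in the application filter give no type() option, so the patterns are evaluated as regular expressions and, being unanchored, accept any device_vendor or device_product value that merely contains "PowerTech" or "Interact"; if an exact comparison is intended, add `type(string)` to each, e.g. `match("PowerTech" value(".metadata.cef.device_vendor") type(string))`. The block and application are named app-cef-power_interact while the file is app-cef-powertech_interact.conf, which looks like an inconsistency worth settling before other parsers copy it. The markdown page added in the same commit lists the source as PowerTech:Interact:cef and describes a "MSG Format based filter", whereas this parser sets source('PowerTech:Interact') and filters on the CEF device_vendor/device_product metadata, so the documentation should be aligned with what the config actually does.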