splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Sc4s_Severity Information not logged #1205

Closed Engineer33426 closed 3 years ago

Engineer33426 commented 3 years ago

It seems as though sc4s drops duplicate information severity <182> and info in the original syslog message. When it makes its way to splunk the severity of the message is not a parsed field or gets dropped.

Raw message sent to SC4S

<182>Jul 15 14:57:01 info logger[5553]: [ssl_req][15/Jul/2021:14:57:00 -0400] TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp" 7110

Raw message in Splunk

logger[5553]: [ssl_req][15/Jul/2021:14:57:00 -0400] 156.40.176.34 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp" 7110

jerryeblades commented 3 years ago

I had this error in 1.75.2, as well as today's downloaded latest (from yesterday), 1.83.0. I found this also, and tracked the issue to:

severity missing from envvar: 'SC4S_DEST_SPLUNK_INDEXED_FIELDS' in /entrypoint.sh

# egrep 'SC4S_DEST_SPLUNK_INDEXED_FIELDS' /entrypoint.sh
export SC4S_DEST_SPLUNK_INDEXED_FIELDS=${SC4S_DEST_SPLUNK_INDEXED_FIELDS:=facility,container,loghost,destport,fromhostip,proto}

so I added severity into the array like so:

SC4S_DEST_SPLUNK_INDEXED_FIELDS=${SC4S_DEST_SPLUNK_INDEXED_FIELDS:=facility,severity,container,loghost,destport,fromhostip,proto}

Then, with the fix, I gen'd my own local image from it, and modified the service file to not pull latest and to reference my local image. However, a colleague alerted me that that was all too much effort; all that was needed was to add the "local" copy of that var to the server, which would then supersede that var within the container.

I reverted all my changes, pulled the latest image, and modified <SC4S_install_dir>/env_file with the following:

SC4S_DEST_SPLUNK_INDEXED_FIELDS=(facility severity container loghost destport fromhostip proto)

This fixed my issue, and now we don't have to use a locally modified and managed image.
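As an added illustration (not SC4S or Splunk code), the Python below decodes the PRI of the message from the issue and models which fields survive under the default and the corrected SC4S_DEST_SPLUNK_INDEXED_FIELDS lists; the loghost/fromhostip/destport/proto context values are constructed.

```python
import re

# Syslog PRI encoding (RFC 3164 / RFC 5424): PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Default list quoted from /entrypoint.sh in the thread, and the list with severity added.
DEFAULT_INDEXED_FIELDS = "facility,container,loghost,destport,fromhostip,proto"
FIXED_INDEXED_FIELDS = "facility,severity,container,loghost,destport,fromhostip,proto"

# Raw message from the issue (PRI 182) and constructed transport context.
RAW = ('<182>Jul 15 14:57:01 info logger[5553]: [ssl_req][15/Jul/2021:14:57:00 -0400] '
       'TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 '
       '"/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp" 7110')
CTX = {"loghost": "bigip-example", "fromhostip": "192.0.2.10",
       "destport": "514", "proto": "tcp", "container": "sc4s"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(raw):
    """Split a BSD-style syslog line into (facility, severity, remainder)."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no PRI header on message")
    pri = int(m.group(1))
    if pri > 191:  # max facility 23, max severity 7
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def indexed_fields(raw, indexed_fields_env, context):
    """Model the indexed fields that reach Splunk: only names in the env var are kept."""
    facility, severity, _ = decode_pri(raw)
    available = {"facility": facility, "severity": severity, **context}
    wanted = [f.strip() for f in indexed_fields_env.split(",") if f.strip()]
    return {name: available[name] for name in wanted if name in available}


if __name__ == "__main__":
    print("default:", indexed_fields(RAW, DEFAULT_INDEXED_FIELDS, CTX))
    print("fixed:  ", indexed_fields(RAW, FIXED_INDEXED_FIELDS, CTX))
```

With the default list the output lacks a severity key; with the corrected list severity=info is present alongside facility=local6.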

Engineer33426 commented 3 years ago

The fix worked great thank you for the input.