splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Proper way to override a host value? #2410

Closed nickramser closed 5 months ago

nickramser commented 5 months ago

What is the sc4s version ? v3.22.1

Feature Request description: We have a device which is sending a host value in the syslog message, but it is hardcoded and based on the device serial number. I'd like to override it, but since there is a host value supplied in the message, it doesn't appear that SC4S_USE_REVERSE_DNS or the host.csv would be checked.

Issues #572/#575 indicate that you can use .splunk.host within compliance_meta_by_source.csv, but that is not working for me and it doesn't appear in the compliance_meta_by_source documentation as an option.

So, is there currently a way to override a host when a host value is supplied by the source? If not, could .splunk.host be added back in as a valid metadata override value?

mstopa-splunk commented 5 months ago

Hi @nickramser, we will need to check why this fix was removed from SC4S and, if it's safe to restore it, we will try to find a slot for it in the next sprint.

mstopa-splunk commented 5 months ago

@nickramser, regardless of restoring that solution, a postfilter will work for you:

# Parser that replaces the host of every message it is applied to.
block parser app-postfilter-host() {
    channel {
        rewrite{
            # Overwrite the HOST macro (the value SC4S forwards as host) with "new_host".
            set("new_host", value("HOST"));
        };
    };
};

# Apply the parser only to messages whose current host is exactly 'test_host'
# (the value the device sends). The [sc4s-postfilter] tag runs it after the
# vendor parsers, so it wins over the host taken from the message.
application app-postfilter-host[sc4s-postfilter] {
    filter {
        host('test_host' type(string));
    };
    parser { app-postfilter-host(); };
};

mstopa-splunk commented 5 months ago

@nickramser, I confirmed with the team that limiting the functionality of compliance_meta_by_source.csv was a long-term decision, and that way of overriding the host won't be restored. Please try the postfilter and let me know if we can close the issue.

nickramser commented 5 months ago

@mstopa-splunk, thanks for the quick responses. I just tested the postfilter and it's working as expected. I'll go ahead and close out the issue.
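As an added example (not code from this thread or from the SC4S project), the postfilter above generalised to several devices: the hardcoded, serial-number style host each device sends is matched with an exact string compare, and the replacement host is passed in as a block parameter instead of being fixed inside the parser, so one parser serves every device. The device names, the serial-number strings and the file path are assumptions for illustration; SC4S loads such files from its local app_parsers directory (/opt/sc4s/local/config/app_parsers/ in the default layout, adjust for your deployment).

```conf
# /opt/sc4s/local/config/app_parsers/app-postfilter-host.conf  (assumed path)
# Added example, not part of SC4S. Overrides the host of devices that send a
# hardcoded, serial-number based host value. The host() filter uses
# type(string), an exact match, so unrelated senders are left untouched.

# Parameterised parser: the `new_host` block argument is substituted textually
# into the rewrite before the config is compiled.
block parser app-postfilter-set-host(new_host()) {
    channel {
        rewrite {
            set("`new_host`" value("HOST"));
        };
    };
};

# One application per device: match the hardcoded value, set the real name.
# "SN0123456789" and "SN0987654321" are constructed serial-number hosts.
application app-postfilter-host-fw01[sc4s-postfilter] {
    filter {
        host("SN0123456789" type(string));
    };
    parser { app-postfilter-set-host(new_host("edge-fw-01")); };
};

application app-postfilter-host-fw02[sc4s-postfilter] {
    filter {
        host("SN0987654321" type(string));
    };
    parser { app-postfilter-set-host(new_host("edge-fw-02")); };
};
```

Because the match is on the exact host string, a device whose hardcoded value changes (for example after a hardware replacement) silently falls back to the serial number until its entry is updated, so it is worth checking the host values arriving in Splunk after any device swap.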