Merge pull request #87 from ZachChristensen28/develop

Version 1.5.3
ZachChristensen28 · May 14, 2023 · bbeb74e · bbeb74e
2 parents 5d67252 + 2e980ca
commit bbeb74e
Show file tree

Hide file tree

Showing 13 changed files with 41 additions and 28 deletions.
diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
@@ -10,7 +10,7 @@ on:
 
 jobs:
   call-packaging-workflow:
-    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@154fb6bd5201e90183c99b40661cb931d61781b4
+    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@main
     secrets:
       API_USER: ${{ secrets.API_USER }}
       API_PASS: ${{ secrets.API_PASS }}
diff --git a/.github/workflows/increment-build.yml b/.github/workflows/increment-build.yml
@@ -11,4 +11,4 @@ on:
 
 jobs:
   call-packaging-workflow:
-    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/increment-build-number.yml@95c81c2bca6e0ad926e5c462ef003f6a6b30cbc0
+    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/increment-build-number.yml@main
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -8,4 +8,4 @@ on:
       - "src/**"
 jobs:
   call-packaging-workflow:
-    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/package-app.yml@154fb6bd5201e90183c99b40661cb931d61781b4
+    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/package-app.yml@main
diff --git a/README.md b/README.md
@@ -5,9 +5,9 @@
 ![Appinspect](https://github.com/ZachChristensen28/TA-opnsense/actions/workflows/appinspect.yml/badge.svg)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ZachChristensen28/TA-opnsense)
 [![Splunkbase App](https://img.shields.io/badge/Splunkbase-TA--opnsense-blue)](https://splunkbase.splunk.com/app/4538/)
-[![Splunk CIM Version](https://img.shields.io/badge/Splunk%20CIM%20Version-5.x%20|%204.x-success)](https://docs.splunk.com/Documentation/CIM/latest/User/Overview)
+[![Splunk CIM Version](https://img.shields.io/badge/Splunk%20CIM%20Version-5.x%20-success)](https://docs.splunk.com/Documentation/CIM/latest/User/Overview)
 ![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk)
-[![OPNsense Compatibility](https://img.shields.io/badge/OPNsense%20Compatibility-22.x-orange?logo=opnsense)](https://opnsense.org/)
+[![OPNsense Compatibility](https://img.shields.io/badge/OPNsense%20Compatibility-22,23-orange?logo=opnsense)](https://opnsense.org/)
 
 ## Documentation
 
@@ -17,8 +17,8 @@ Full documentation can be found at [https://splunk-opnsense-ta.ztsplunker.com](h
 
  Info | Description
 ------|----------
-Version | 1.5.2 - See on [Splunkbase](https://splunkbase.splunk.com/app/4538/)
-Vendor Product Version | [OPNsense® 22.x](https://opnsense.org/)
+Version | 1.5.3 - See on [Splunkbase](https://splunkbase.splunk.com/app/4538/)
+Vendor Product Version | [OPNsense® 22.x, 23.x](https://opnsense.org/)
 Add-on has a web UI | Yes, this add-on has a view to setup a modular input.
 
 Try the [OPNsense App for Splunk](https://splunkbase.splunk.com/app/5372/).

diff --git a/docs/landing-page.md b/docs/landing-page.md
@@ -1,5 +1,4 @@
 ---
-ᴴₒᴴₒᴴₒ: true
 hide:
     - navigation
     - toc
@@ -25,10 +24,10 @@ This documentation assumes the following:
 
 Info | Description
 ------|----------
-Version | 1.5.2 - [Splunkbase](https://splunkbase.splunk.com/app/4538/) \| [GitHub](https://github.com/ZachChristensen28/TA-opnsense)
+Version | 1.5.3 - [Splunkbase](https://splunkbase.splunk.com/app/4538/) \| [GitHub](https://github.com/ZachChristensen28/TA-opnsense)
 CIM | 5.x, 4.x
-Vendor Product Version | [OPNsense® 22.x](https://opnsense.org/)
+Vendor Product Version | [OPNsense® 22, 23](https://opnsense.org/)
 
-[Get Started](getting-started/logging-architecture){ .md-button .md-button--primary }
+[Get Started](/getting-started/logging-architecture){ .md-button .md-button--primary }
 
 --8<-- "includes/abbreviations.md"
diff --git a/docs/reference/releases/index.md b/docs/reference/releases/index.md
@@ -1,16 +1,11 @@
 # Release notes for the OPNsense Add-on for Splunk
 
-## v1.5.2 <small>Dec 15, 2022</small>
-
-???+ warning
-    **_Only applies if you are upgrading from a version < 1.5.0_**
-
-    This version includes packages for the new version of Add-on builder (v4.0.0) which may cause API credentials to no longer work after updating. After updating to this version, you may have to re-enter the API credentials for the modular inputs to work again by editing the existing account configurations.
+## v1.5.3 <small>May 14, 2023</small>
 
 ### What's changed
 
-- Updated Add-on builder packages.
-- Updated documentation to address required log formats [#67](https://github.com/ZachChristensen28/TA-opnsense/issues/67).
+- Fixed "unknown" action for nat rules [#85](https://github.com/ZachChristensen28/TA-opnsense/issues/85).
+- Added the field `dest_interface` for CIM compliance.
 
 ### Known issues
 

diff --git a/docs/reference/releases/release-history.md b/docs/reference/releases/release-history.md
@@ -1,6 +1,18 @@
 # Release history for the OPNsense addon for Splunk
 
-The latest version of the OPNsense addon for Splunk is version 1.5.2. See [Release notes for the OPNsense addon for Splunk](../../releases/) of the latest version.
+The latest version of the OPNsense addon for Splunk is version 1.5.3. See [Release notes for the OPNsense addon for Splunk](../../releases/) of the latest version.
+
+## v1.5.2 <small>Dec 15, 2022</small>
+
+???+ warning
+    **_Only applies if you are upgrading from a version < 1.5.0_**
+
+    This version includes packages for the new version of Add-on builder (v4.0.0) which may cause API credentials to no longer work after updating. After updating to this version, you may have to re-enter the API credentials for the modular inputs to work again by editing the existing account configurations.
+
+### What's changed
+
+- Updated Add-on builder packages.
+- Updated documentation to address required log formats [#67](https://github.com/ZachChristensen28/TA-opnsense/issues/67).
 
 ## v1.5.1 <small>Nov 30, 2021</small>
 

diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -1,4 +1,4 @@
 mkdocs==1.4.2
-mkdocs-material==9.0.6
-mkdocs-git-revision-date-localized-plugin==1.1.0
-mkdocs-minify-plugin==0.6.2
+mkdocs-git-revision-date-localized-plugin==1.2.0
+mkdocs-material==9.1.7
+mkdocs-minify-plugin==0.6.4
diff --git a/src/TA-opnsense/app.manifest b/src/TA-opnsense/app.manifest
@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-opnsense",
-      "version": "1.5.2"
+      "version": "1.5.3"
     },
     "author": [
       {

diff --git a/src/TA-opnsense/default/app.conf b/src/TA-opnsense/default/app.conf
@@ -6,13 +6,17 @@
 state_change_requires_restart = true
 is_configured = false
 state = enabled
-build = 8
+build = 10
 
 [launcher]
 author = ZachTheSplunker
-version = 1.5.2
+version = 1.5.3
 description = This Technology Add-on provides CIM compliant field extractions, eventtypes and tags for the OPNsense Firewall
 
+[id]
+name = TA-opnsense
+version = 1.5.3
+
 [ui]
 is_visible = 1
 label = OPNsense Add-on for Splunk

diff --git a/src/TA-opnsense/default/props.conf b/src/TA-opnsense/default/props.conf
@@ -95,6 +95,7 @@ EVAL-bytes_in                            = if(vendor_direction=="in",'bytes',0)
 EVAL-bytes_out                           = if(vendor_direction=="out",'bytes',0)
 FIELDALIAS-opnsense_filterlog_src        = src_ip AS src
 FIELDALIAS-opnsense_filterlog_dest       = dest_ip AS dest
+FIELDALIAS-opnsense_filterlog_dest_int   = dest_interface ASNEW dest_int
 FIELDALIAS-opnsense_filterlog_dvc        = host AS dvc
 FIELDALIAS-opnsense_filterlog_session_id = id AS session_id
 LOOKUP-opnsense_filterlog_action         = opnsense_filterlog_action_lookup vendor_action OUTPUTNEW action

diff --git a/src/TA-opnsense/default/transforms.conf b/src/TA-opnsense/default/transforms.conf
@@ -145,9 +145,9 @@ REGEX  = [[opnsense_dhcp_mod]]\s(?<vendor_event>reuse_lease)\:\slease\sage\s(?<l
 #===========================================
 #--- Modular Regex ---#
 [opnsense_filterlog_mod_main]
-# Extracts: pid, rule_id, sub_rule_id, anchor_name, tracker_id, dest_int,
+# Extracts: pid, rule_id, sub_rule_id, anchor_name, tracker_id, dest_interface,
 #           reason, vendor_action, vendor_direction
-REGEX  = filterlog(?:\[(?<pid>[^\]]+)\])*:\s+(?<rule_id>[^\,a-z]*)\,(?<sub_rule_id>[^\,]*)\,(?<anchor_name>[^\,]*)\,(?<tracker_id>[^\,]*)\,(?<dest_int>[^\,]*)\,(?<reason>[^\,]*)\,(?<vendor_action>[^\,]*)\,(?<vendor_direction>[^\,]*)\,
+REGEX  = filterlog(?:\[(?<pid>[^\]]+)\])*:\s+(?<rule_id>[^\,a-z]*)\,(?<sub_rule_id>[^\,]*)\,(?<anchor_name>[^\,]*)\,(?<tracker_id>[^\,]*)\,(?<dest_interface>[^\,]*)\,(?<reason>[^\,]*)\,(?<vendor_action>[^\,]*)\,(?<vendor_direction>[^\,]*)\,
 
 [opnsense_filterlog_mod_ipv4]
 # Extracts: ip_version, tos, ecn, ttl, id, offset, flags, transport_id

diff --git a/src/TA-opnsense/lookups/opnsense_filterlog_action.csv b/src/TA-opnsense/lookups/opnsense_filterlog_action.csv
@@ -2,4 +2,6 @@ vendor_action,action
 pass,allowed
 block,blocked
 rdr,redirected
+nat,nat
+binat,binat
 unknown,unknown