feat: release v3.38.0 (#2783)

* Changes to cisco asa and ftd parsers (#2765)

Changes to cisco asa and ftd parsers

* docs: updatw missing link in getting started (#2771)

* fix: update dell powerstore index (#2770)

* fix: update dell powerstore index

* fix: remove change from enterprise

* docs: Remove experimental status from SC4S Lite (#2773)

Signed-off-by: mstopa-splunk <[email protected]>

* feat: add Suricata parser (#2774)

* docs: add Google Analytics tracking to documentation site (#2779)

Signed-off-by: Ilya Kheifets <[email protected]>

* fix: add powerstore index var (#2786)

* fix: add SC4S_OPTION_DELL_POWERSTORE_INDEX variable

* docs: rewrite documentation for powerstore

---------

Signed-off-by: mstopa-splunk <[email protected]>
Signed-off-by: Ilya Kheifets <[email protected]>
Co-authored-by: Szymon Bylica <[email protected]>
Co-authored-by: mstopa-splunk <[email protected]>
Co-authored-by: Ilya Kheifets <[email protected]>

Author: 4 people

docs/experiments.md

@@ -14,8 +14,6 @@ SC4S processes incoming messages from a TCP connection in a single thread. While
 
 To learn more, see the [Configuration documentation](./configuration.md#parallelize), as well as this [blog post](https://www.syslog-ng.com/community/b/blog/posts/accelerating-single-tcp-connections-in-syslog-ng-parallelize).
 
-### SC4S Lite
-In the new 3.0.0 update, we've introduced SC4S Lite. SC4S Lite is designed for those who prefer speed and custom filters over the pre-set ones that come with the standard SC4S. It's similar to our default version, without the pre-defined filters and complex app_parser topics. More information can be found at [dedicated page.](./lite.md)
 ## > 2.13.0
 * In `env_file`, SC4S sets `SC4S_USE_NAME_CACHE=yes` to enable caching of the last valid host string, replaces nill, null, or IPv4 with the last good value, and stores this information in the `hostip.sqlite` file. 
     - Benefit: More correct host name values in Splunk when source vendor fails to provide valid syslog message.

docs/gettingstarted/index.md

@@ -17,7 +17,7 @@ or resource constraint can cause data to be lost in transmission.
 * If you reguire high availability for SC4S, implement multi-node clustering.
 * Avoid TCP except where the source is unable to contain the event to a single UDP packet.
 * Avoid TLS except where the event may cross an untrusted network.
-* Plan for [appropriately sized hardware](../performance.md)
+* Plan for [appropriately sized hardware](../architecture/performance-tests.md)
 
 
 ## Implementation

docs/sources/vendor/Dell/emc_powerstore.md

@@ -21,6 +21,9 @@
 
 ### Index Configuration
 
-| key                | sourcetype            | index    | notes |
-|--------------------|-----------------------|----------|-------|
-| dellemc_powerstore | `dell:emc:powerstore` | `netops` | none  |
+| key                | sourcetype            | index      | notes                                     |
+|--------------------|-----------------------|------------|-------------------------------------------|
+| dellemc_powerstore | `dell:emc:powerstore` | `infraops` | Default index changed in version `3.38.0` |
+
+In SC4S `v3.37.0` the data was sent to `netops` index by default. If you want to change the target index, 
+you can set the `SC4S_OPTION_DELL_POWERSTORE_INDEX` environment variable to specify a different index name.

docs/sources/vendor/Suricata/Suricata.md

@@ -0,0 +1,37 @@
+# Suricata
+
+## Key facts
+* Message format: Based on the default `eve-log.identity` value in `suricata.yaml`, which is "suricata"
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  |                                                                                                         |
+| Product Manual | [Suricata Documentation](https://docs.suricata.io/)   |
+
+
+## Sourcetypes
+
+| sourcetype             | notes                                                                                                   |
+|------------------------|---------------------------------------------------------------------------------------------------------|
+| suricata:flow          | None                                                                                                    |
+| suricata:dns           | None                                                                                                    |
+| suricata:fileinfo      | None                                                                                                    |
+| suricata:http          | None                                                                                                    |
+| suricata:tls           | None                                                                                                    |
+| suricata:stats         | None                                                                                                    |
+| suricata:<event_type\>  | unlisted or new event_type (parsed but not guaranteed tested)                                           |
+
+## Sourcetype and Index Configuration
+
+| key                    | sourcetype            | index          | notes          |
+|------------------------|-----------------------|----------------|----------------|
+| suricata_suricata      | suricata:<event_type\> | netids         | none           |
+
+## Options
+
+| variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_SURICATA_SIMPLE_SOURCETYPE | false   | Set to 'yes' to assign a simple sourcetype 'suricata' to all events. Keep the default to assign compound sourcetypes such as 'suricata:flow', 'suricata:dns', etc. |

mkdocs.yml

@@ -5,6 +5,9 @@ plugins:
 extra:
   version:
     provider: mike
+  analytics:
+    provider: google
+    property: G-ZQQ3Q8N2WQ
 
 markdown_extensions:
   - toc:
@@ -68,7 +71,7 @@ nav:
       - Read First: "sources/index.md"
       - Basic Onboarding: "sources/base"
       - Known Vendors: "sources/vendor"
-  - SC4S Lite (Experimental):
+  - SC4S Lite:
       - Intro: "lite.md"
       - Pluggable modules: "pluggable_modules.md"
   - Edge Processor: "edge_processor.md"

package/enterprise/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_asa.conf

@@ -17,7 +17,7 @@ application app-cisco-cisco_asa[cisco_syslog] {
         message('%ASA-' type(string) flags(prefix))
         or (
             message('%FTD-' type(string) flags(prefix))
-            and not "${.values.mnemonic}" eq "430003"
+            and not match("^43000.$" value(".values.mnemonic"))
         );
     };	
     parser { app-cisco-cisco_asa(); };

package/enterprise/etc/conf.d/conflib/cisco-syslog/app-cisco-cisco_ftd.conf

@@ -14,7 +14,7 @@ block parser app-cisco-cisco_ftd() {
 application app-cisco-cisco_ftd[cisco_syslog] {
 	filter {
         message('%FTD-' type(string) flags(prefix))
-        and "${.values.mnemonic}" eq "430003"
+        and match("^43000.$" value(".values.mnemonic"))
         ;
     };	
     parser { app-cisco-cisco_ftd(); };

package/enterprise/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf

@@ -2,7 +2,7 @@ block parser app-syslog-dell_powerstore() {
  channel {
         rewrite {
             r_set_splunk_dest_default(
-                index('netops')
+                index('`SC4S_OPTION_DELL_POWERSTORE_INDEX`')
                 sourcetype('dell:emc:powerstore')
                 vendor('dellemc')
                 product('powerstore')

package/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf

@@ -2,7 +2,7 @@ block parser app-syslog-dell_powerstore() {
  channel {
         rewrite {
             r_set_splunk_dest_default(
-                index('netops')
+                index('`SC4S_OPTION_DELL_POWERSTORE_INDEX`')
                 sourcetype('dell:emc:powerstore')
                 vendor('dellemc')
                 product('powerstore')

package/etc/conf.d/conflib/syslog/app-syslog-suricata.conf

@@ -0,0 +1,59 @@
+block parser app-syslog-suricata() {
+ channel {
+    rewrite {
+        r_set_splunk_dest_default(
+            index('netids')
+            sourcetype('suricata')
+            vendor("suricata")
+            product("suricata")
+            template('t_json_values')
+        );
+    };
+
+    parser {
+        json-parser(
+            prefix('.values.')
+        );
+    };
+
+    if {
+        filter {
+            # Simple Suricata sourcetype: "suricata"
+            # Complex Suricata sourcetype: "suricata:flow", "suricata:dns", etc.
+            not "`SC4S_SURICATA_SIMPLE_SOURCETYPE`" eq "yes"
+            and "${.values.event_type}" ne "";
+        };	
+
+        rewrite {
+            r_set_splunk_dest_update_v2(
+                sourcetype('suricata:${.values.event_type}')
+            );
+        };
+    };
+
+    if {
+        filter {
+            "${.values.timestamp}" ne "";
+        };	
+
+        # 2025-07-04T10:20:33.093102+0000
+        parser {
+            date-parser(
+                format('%Y-%m-%dT%H:%M:%S.%f%z')
+                template("${.values.timestamp}")
+            );
+        };
+
+        rewrite { 
+            set-tag("json-timestamp-parsed");
+         };
+    };
+   };
+};
+
+application app-syslog-suricata[sc4s-syslog-pgm] {
+    filter {
+        program('suricata' type(string));
+    };	
+    parser { app-syslog-suricata(); };
+};