From c2916e30ca528110d48ea3468abf9c8fde92d682 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Fri, 15 Nov 2019 07:34:38 -0800 Subject: [PATCH 01/11] Update entrypoint.sh (#194) This fix prevents an error on upgrade when changes are made to example configs --- package/sbin/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh index a93736d..9abad88 100755 --- a/package/sbin/entrypoint.sh +++ b/package/sbin/entrypoint.sh @@ -12,7 +12,7 @@ gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl -- mkdir -p /opt/syslog-ng/etc/conf.d/local/context/ mkdir -p /opt/syslog-ng/etc/conf.d/local/config/ cp --verbose -n /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context/ -cp --verbose -R -n /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/ +cp --verbose -R /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/ echo syslog-ng starting exec /opt/syslog-ng/sbin/syslog-ng $@ \ No newline at end of file From 58795d3ee4acd9e4cb284106d69001ee542c49ef Mon Sep 17 00:00:00 2001 
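Review bot: Dropping `-n` from the local_config copy means every container start now overwrites whatever is in /opt/syslog-ng/etc/conf.d/local/config/, including files an operator edited in place there, and the `--verbose` output is the only trace that it happened. If the intent is only to refresh the shipped examples, keep `-n` for the general copy and force-overwrite just the example files, or at least state the new contract in a comment above the line: `# local_config is re-copied on every start and overwrites edits made directly in conf.d/local/config/`. The `exec ... $@` line below is context, not part of this change, but it passes arguments unquoted; `"$@"` would preserve them as given.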
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Sat, 16 Nov 2019 11:52:04 -0500 Subject: [PATCH 02/11] Implement guess-time zone (#193) * Implement guess-time zone Guess time zone for 3164 and non standard 5424 formats * restore default tz When guess fails default TZ can still be used * Add by source tz support --- .../p_rfc3164-checkpoint_splunk.conf.tmpl | 2 +- .../log_paths/p_rfc3164-cisco_ios.conf.tmpl | 1 + .../log_paths/p_rfc3164-cisco_nxos.conf.tmpl | 1 + .../p_rfc3164-fortinet_fortios.conf.tmpl | 2 +- .../p_rfc3164-paloalto_panos.conf.tmpl | 3 +- .../vendor_product_by_source.conf | 9 +++ .../vendor_product_by_source.csv | 4 +- package/etc/go_templates/source_network.t | 12 ++- tests/requirements.txt | 1 + tests/test_common.py | 73 ++++++++++++++++++- 10 files changed, 101 insertions(+), 7 deletions(-) diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl index ee81c82..cd99a70 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl @@ -16,7 +16,7 @@ log { parser { kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}")); - date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}})); + date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone)); }; rewrite { diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl index 3c51cf6..b9d997c 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl 
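Review bot: `flags(guess-timezone)` is added to a date-parser whose format is `%s`, i.e. epoch seconds, which already denote an absolute instant with no zone to guess. The same flag is sensible on the fortinet and panos parsers in this commit, whose formats are wall-clock strings, but here it is presumably a no-op at best; if syslog-ng applies the heuristic regardless of format it could shift an already-correct timestamp, so confirm that before keeping it. Either drop the flag from this line or add a comment such as `# epoch input: zone options below only apply if %s parsing falls back` so the next reader knows it was deliberate.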
@@ -15,6 +15,7 @@ log { rewrite { set("cisco_ios", value("fields.sc4s_vendor_product")); + guess-time-zone(); r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops")) }; parser { diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl index f2a4478..e351441 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl @@ -15,6 +15,7 @@ log { rewrite { set("cisco_nxos", value("fields.sc4s_vendor_product")); + guess-time-zone(); r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_hdr_msg")) }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl index 39d2bc9..16b35f4 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl @@ -16,7 +16,7 @@ log { parser { kv-parser(prefix(".kv.") template("${MSGHDR} ${MSG}")); - date-parser(format("%Y-%m-%d:%H:%M:%S") template("${.kv.date}:${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}})); + date-parser(format("%Y-%m-%d:%H:%M:%S") template("${.kv.date}:${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone)); }; rewrite { diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl index 60acc74..73dc1d0 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl @@ -38,7 +38,8 @@ log { date-parser( format("%Y/%m/%d %H:%M:%S") template("${.pan.GeneratedTime}") - time-zone("Universal") + time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) + flags(guess-timezone) ); }; 
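Review bot: The `guess-time-zone();` rewrite added here (and in the cisco_nxos hunk on this same line) carries no comment explaining why it is needed when this commit also enables `guess-timezone` on the source-level syslog-parser in source_network.t; from the hunk I cannot tell whether this is a second guess on the same header timestamp or whether these paths re-parse the header and therefore need it. A one-line comment naming the actual reason, e.g. `# re-guess tz: header timestamp is reparsed on this path`, would settle it. The enclosing `log { ... }` block starts and ends outside the hunk.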
diff --git a/package/etc/context_templates/vendor_product_by_source.conf b/package/etc/context_templates/vendor_product_by_source.conf index ec20e82..b0609de 100644 --- a/package/etc/context_templates/vendor_product_by_source.conf +++ b/package/etc/context_templates/vendor_product_by_source.conf @@ -39,4 +39,13 @@ filter f_proofpoint_pps_sendmail { filter f_ubiquiti_unifi_fw { host("usg-*" type(glob)) or netmask(192.168.6.0/24) +}; +filter f_tzfixhst { + host("tzfhst-*" type(glob)) or + netmask(192.168.6.0/24) +}; + +filter f_tzfixny { + host("tzfny-*" type(glob)) or + netmask(192.168.6.0/24) }; \ No newline at end of file diff --git a/package/etc/context_templates/vendor_product_by_source.csv b/package/etc/context_templates/vendor_product_by_source.csv index 698f672..975d558 100644 --- a/package/etc/context_templates/vendor_product_by_source.csv +++ b/package/etc/context_templates/vendor_product_by_source.csv @@ -7,4 +7,6 @@ f_juniper_netscreen,sc4s_vendor_product,"juniper_netscreen" f_cisco_nx_os,sc4s_vendor_product,"cisco_nx_os" f_proofpoint_pps_sendmail,sc4s_vendor_product,"proofpoint_pps_sendmail" f_proofpoint_pps_filter,sc4s_vendor_product,"proofpoint_pps_filter" -f_ubiquiti_unifi_fw,sc4s_vendor_product,"ubiquiti_unifi_fw" \ No newline at end of file +f_ubiquiti_unifi_fw,sc4s_vendor_product,"ubiquiti_unifi_fw" +f_tzfixhst,sc4s_time_zone,"Pacific/Honolulu" +f_tzfixny,sc4s_time_zone,"America/New_York" \ No newline at end of file diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t index badcbbb..63fb6d2 100644 --- a/package/etc/go_templates/source_network.t +++ b/package/etc/go_templates/source_network.t 
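Review bot: The new `f_tzfixhst` and `f_tzfixny` filters both carry `netmask(192.168.6.0/24)`, the same network already used by `f_ubiquiti_unifi_fw` directly above, so any sender in that range now matches three entries and, via the csv hunk that follows, is assigned both `Pacific/Honolulu` and `America/New_York` for `sc4s_time_zone` in whatever order the lookup applies them. The `tzfhst-*`/`tzfny-*` globs read as fixtures for the new tests in test_common.py rather than real sources, yet they land in the shipped context_templates that entrypoint.sh copies into every deployment's local context. I would drop the `netmask(...)` clause from the two test filters so only the host glob can match, and mark them: `# test fixtures for per-source tz override; safe to remove`.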
@@ -104,7 +104,7 @@ source s_{{ .port_id}} { rewrite(set_rfc5424_epochtime); } else { parser { - syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); + syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message, guess-timezone)); }; rewrite(set_rfc3164); }; @@ -114,6 +114,16 @@ source s_{{ .port_id}} { parser { vendor_product_by_source(); }; + + if { + filter { match("." value("fields.sc4s_time_zone") ) }; + rewrite { + fix-time-zone("${fields.sc4s_time_zone}"); + unset(value("fields.sc4s_time_zone")); + }; + }; + + }; }; {{- end }} diff --git a/tests/requirements.txt b/tests/requirements.txt index 758c531..6d908dd 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt @@ -11,3 +11,4 @@ jinja2 jinja2-time splunk-sdk flake8 +pytz \ No newline at end of file diff --git a/tests/test_common.py b/tests/test_common.py index 8325b52..ce279a6 100644 --- a/tests/test_common.py +++ b/tests/test_common.py @@ -3,9 +3,11 @@ # Use of this source code is governed by a BSD-2-clause-style # license that can be found in the LICENSE-BSD2 file or at # https://opensource.org/licenses/BSD-2-Clause +import datetime import random +import pytz -from jinja2 import Environment +from jinja2 import Environment, environment from .sendmessage import * from .splunkutils import * 
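Review bot: `filter { match("." value("fields.sc4s_time_zone") ) }` is a regex-based non-empty test and reads like a typo without a comment; a line above it such as `# "." matches any char: apply override only when vendor_product_by_source set a zone` would help. The rewrite then passes the csv value straight to `fix-time-zone("${fields.sc4s_time_zone}")`; if a customer's csv contains a zone name the tz database does not know, I would expect syslog-ng to log an error and leave the timestamp as parsed, but that should be confirmed, because the failure mode is otherwise silently wrong event times. The enclosing `source s_{{ .port_id}}` block starts outside the hunk.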
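Review bot: `from jinja2 import Environment, environment` adds the lowercase `environment` module, and nothing in the tests added by this commit references it (they use the module-level `env` object, defined outside the hunk); unless the rest of the file uses it, flake8, which tests/requirements.txt already lists, will report it as an unused import. `pytz` is the only new third-party name and is correctly added to requirements.txt in the same commit. I would reduce the line to `from jinja2 import Environment`.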
@@ -79,4 +81,71 @@ def test_metrics(record_property, setup_wordlist, setup_splunk): record_property("resultCount", resultCount) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 + +def test_tz_guess(record_property, setup_wordlist, setup_splunk): + + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + + mt = env.from_string( + "{{ mark }} {% now 'America/Los_Angeles', '%b %d %H:%M:%S' %} {{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n") + message = mt.render(mark="<111>", host=host) + + sendsingle(message) + + st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"cisco:asa\" \"%ASA-3-003164\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + + +def test_tz_fix_hst(record_property, setup_wordlist, setup_splunk): + + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + + dt = datetime.datetime.utcnow() - datetime.timedelta(hours=10, minutes=10) + mt = env.from_string( + "{{ mark }} {{ dt }} tzfhst-{{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n") + message = mt.render(mark="<111>", host=host, dt=dt.strftime('%b %d %H:%M:%S')) + + sendsingle(message) + + st = env.from_string("search index=netfw host=\"tzfhst-{{ host }}\" sourcetype=\"cisco:asa\"") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + +def test_tz_fix_ny(record_property, setup_wordlist, setup_splunk): + + host = "{}-{}".format(random.choice(setup_wordlist), 
random.choice(setup_wordlist)) + + tz_NY = pytz.timezone('America/New_York') + dt = datetime.datetime.now(tz_NY) - datetime.timedelta(minutes=10) + mt = env.from_string( + "{{ mark }} {{ dt }} tzfny-{{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n") + message = mt.render(mark="<111>", host=host, dt=dt.strftime('%b %d %H:%M:%S')) + + sendsingle(message) + + st = env.from_string("search index=netfw host=\"tzfny-{{ host }}\" sourcetype=\"cisco:asa\"") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 From 89ecaaf5598fe04ff9d0510e747de86bc1fd0e8c Mon Sep 17 00:00:00 2001 
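Review bot: None of the three new tests verifies that the timestamp was interpreted in the intended zone: each sends an event whose wall-clock time is shifted by the zone offset and then asserts only `resultCount == 1` on a host/sourcetype search, which passes whether or not `guess-timezone` or `fix-time-zone` did anything (unless `splunk_single`, defined outside this file, constrains the time window). A tight window in the SPL, e.g. `search index=netfw host=\"tzfny-{{ host }}\" sourcetype=\"cisco:asa\" earliest=-15m latest=+15m`, or an assertion on `_time` from the result, would make a wrong-zone parse fail. `test_tz_fix_hst` also derives its local time with `utcnow() - timedelta(hours=10, minutes=10)` while `test_tz_fix_ny` uses `pytz.timezone('America/New_York')`; using the pytz form in both keeps them consistent and avoids a hand-coded offset.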
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Tue, 19 Nov 2019 08:15:45 -0500 Subject: [PATCH 03/11] Fix/udp port requires tcp (#199) Fixes #198 --- docs/configuration.md | 22 ++++++++++++++++ docs/performance.md | 2 +- .../p_rfc3164-checkpoint_splunk.conf.tmpl | 2 +- .../log_paths/p_rfc3164-cisco_asa.conf.tmpl | 2 +- .../log_paths/p_rfc3164-cisco_ios.conf.tmpl | 3 ++- .../log_paths/p_rfc3164-cisco_ise.conf.tmpl | 3 ++- .../log_paths/p_rfc3164-cisco_nxos.conf.tmpl | 3 ++- .../p_rfc3164-forcepoint_webprotect.conf.tmpl | 3 ++- .../p_rfc3164-fortinet_fortios.conf.tmpl | 3 ++- .../log_paths/p_rfc3164-juniper_idp.conf.tmpl | 3 ++- .../p_rfc3164-juniper_junos.conf.tmpl | 3 ++- .../p_rfc3164-juniper_netscreen.conf.tmpl | 3 ++- .../log_paths/p_rfc3164-juniper_nsm.conf.tmpl | 3 ++- .../p_rfc3164-juniper_nsm_idp.conf.tmpl | 3 ++- .../p_rfc3164-microfocus_arcsight.conf.tmpl | 2 +- .../p_rfc3164-paloalto_panos.conf.tmpl | 3 ++- .../p_rfc3164-proofpoint_pps_filter.conf.tmpl | 3 ++- ..._rfc3164-proofpoint_pps_sendmail.conf.tmpl | 3 ++- .../p_rfc3164-ubiquiti_unifi.conf.tmpl | 2 +- .../log_paths/p_rfc3164-zscaler_nss.conf.tmpl | 3 ++- .../p_rfc5424-noversion_cisco_asa.conf.tmpl | 3 ++- ...rfc5424-noversion_symantec_proxy.conf.tmpl | 3 ++- .../p_rfc5424-strict_juniper_junos.conf.tmpl | 5 ++-- .../p_rfc5424_epoch-cisco_meraki.conf.tmpl | 3 ++- package/etc/go_templates/source_network.t | 2 +- .../local_config/log_paths/example.conf.tmpl | 26 +++++++++---------- 26 files changed, 77 insertions(+), 39 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 9f38c9d..379edf7 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -123,4 +123,26 @@ redeploy the updated service using the command: - /opt/sc4s/default/compliance_meta_by_source.csv:/opt/syslog-ng/etc/context-local/compliance_meta_by_source.csv - /opt/sc4s/default/compliance_meta_by_source.conf:/opt/syslog-ng/etc/context-local/compliance_meta_by_source.conf `` +## Data Durability - Local Disk Buffer Configuration +SC4S provides capability to minimize the number of lost events if the connection to all the Splunk Indexers goes down. This capability utilizes the disk buffering feature of Syslog-ng. SC4S receives a response from the Splunk HTTP Event Collector (HEC) when a message is received successfully. If a confirmation message from the HEC endpoint is not received (or a “server busy” reply, such as a “503” is sent), the load balancer will try the next HEC endpoint in the pool. If all pool members are exhausted (such as would occur if there were a full network outage to the HEC endpoints), events will queue to the local disk buffer on the SC4S Linux host. SC4S will continue attempting to send the failed events while it buffers all new incoming events to disk. If the disk space allocated to disk buffering fills up then SC4S will stop accepting new events and subsequent events will be lost. Once SC4S gets confirmation that events are again being received by one or more indexers, events will then stream from the buffer using FIFO queueing. The number of events in the disk buffer will reduce as long as the incoming event volume is less than the maximum SC4S (with the disk buffer in the path) can handle. When all events have been emptied from the disk buffer, SC4S will resume streaming events directly to Splunk. 
+ +For more detail on the Syslog-ng behavior the documentation can be found here: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/55#TOPIC-1209280 + +SC4S has disk buffering enabled by default and it is strongly recommended that you keep it on, however this feature does have a performance cost. +Without disk buffering enabled SC4S can handle up to 345K EPS (800 bytes/event avg) +With “Normal” disk buffering enabled SC4S can handle up to 60K EPS (800 bytes/event avg) -- This is still a lot of data! + +To guard against data loss it is important to configure the appropriate type and amount of storage for SC4S disk buffering. To estimate the storage allocation its best to start with your estimated maximum events per second that each SC4S server will experience. Based on the maximum throughput of SC4S with disk buffering enabled, the conservative estimate for maximum events per second is 60K (however, you should use the maximum rate in your environment for this calculation, not the max rate SC4S can handle). Next is your average estimated event size based on your data sources. It is common industry practice to estimate log events as 800 bytes on average. And the final input to the sizing estimation would be the maximum length of connectivity downtime you want disk buffering to be able to handle. This measure is very much dependent on your risk tolerance. For example, to protect against a full day of lost connectivity from SC4S to all your indexers at maximum throughput the calculation would look like the following... + +60,000 EPS * 86400 seconds * 800 bytes = 3.77186 TB of storage + +To configure storage allocation for the SC4S disk buffering, do the following... +Edit the file /opt/sc4s/default/env_file +Add the SC4S_DEST_SPLUNK_HEC_DISKBUFF_DISKBUFSIZE variable to the file and set the value to the number of bytes based on your estimation (e.g. 
4147200000000 in the example above) +Splunk does not recommend reducing the disk allocation below 500 GB +Restart SC4S + +Given that in a connectivity outage to the Indexers events will be saved and read from disk until the buffer is emptied, it is ideal to use the fastest type of storage available. For this reason, NVMe storage is recommended for SC4S disk buffering. + +It is best to design your deployment so that the disk buffer will drain after connectivity is restored to the Splunk Indexers (while incoming data continues at the same general rate). Since "your mileage may vary" with different combinations of data load, instance type, and disk subsystem performance, it is good practice to provision a box that performs twice as well as is required for your max EPS. This headroom will allow for rapid recovery after a connectivity outage. diff --git a/docs/performance.md b/docs/performance.md index ea02c72..14f1b9c 100644 --- a/docs/performance.md +++ b/docs/performance.md @@ -34,7 +34,7 @@ and forget protocol making it sensitive to performance. Given this it is highly performance with your hardware and production data samples. The syslog-ng loggen tool available in the SC4S container and the commands above can be utilized in this effort. -Deployment Size | Hardware Spec | Average EPS with average msg size 800 k +Deployment Size | Hardware Spec | Average EPS with average msg size 800 bytes -- | -- | -- Small | 2 X 3.1 ghz cores1 GB of memory | 2K msg/sec Medium | 4 X 3.1 ghz cores2 GB of memory | 4.5K msg/sec diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl index cd99a70..2fa996f 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl 
@@ -79,7 +79,7 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") "no") "no") }} +{{- if or (or (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT")) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT")) }} # Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl index e276484..2506ca5 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl @@ -43,7 +43,7 @@ log { }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT") "no") "no") }} +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT")) }} # Listen on the specified dedicated port(s) for CISCO_ASA_LEGACY traffic {{tmpl.Exec "log_path" "no" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl index b9d997c..c47fcd9 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl 
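Review bot: The rewritten condition treats any non-empty value of the `*_TCP_PORT`/`*_UDP_PORT`/`*_TLS_PORT` variables as enabled, whereas the line it replaces explicitly compared each against the string `no`; if any documentation or existing env_file sets a port variable to `no` to keep a listener off, this hunk (and the matching hunks for cisco_asa, cisco_ios, cisco_ise, cisco_nxos, forcepoint_webprotect, fortinet_fortios, the juniper_* files, microfocus_arcsight, paloalto_panos, the proofpoint_* files, ubiquiti_unifi, zscaler_nss and the rfc5424 cisco_asa/symantec_proxy files below) now opens a dedicated listener on a port that was meant to stay closed. I cannot see the variable documentation from here, so confirm that unset/empty is the only documented off value. Separately, Go template `or` is variadic and `print` of a single literal is a no-op, so the line can read `{{- if or (getenv "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") (getenv "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") (getenv "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") }}`; about half of the files in this patch also gain a blank line before the `{{- if`, which the `-` trims anyway but leaves the templates inconsistent.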
@@ -44,7 +44,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_IOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_IOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_IOS_TLS_PORT")) }} # Listen on the specified dedicated port(s) for CISCO_IOS traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl index b1d9297..5f1bfb9 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl @@ -96,7 +96,8 @@ log { }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_ISE_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_ISE_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_ISE_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ISE_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ISE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ISE_TLS_PORT")) }} # Listen on the specified dedicated port(s) for CISCO_ISE traffic {{tmpl.Exec "log_path" "no" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl index e351441..458ada4 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl 
@@ -44,7 +44,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_NX_OS_TLS_PORT")) }} # Listen on the specified dedicated port(s) for CISCO_NX_OS traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl index 759f523..5c000ba 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl @@ -42,7 +42,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT")) }} # Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl index 16b35f4..6fe1189 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl 
@@ -60,7 +60,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_FORTINET_FORTIOS_TLS_PORT")) }} # Listen on the specified dedicated port(s) for FORTINET_FORTIOS traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl index 7038621..c1dc820 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl @@ -45,7 +45,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }} # Listen on the specified dedicated port(s) for JUNIPER_IDP traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl index 4e3eea5..6185a34 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl 
@@ -59,7 +59,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT")) }} # Listen on the specified dedicated port(s) for JUNIPER_JUNOS traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl index 4a9952e..9d6116f 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl @@ -43,7 +43,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT")) }} # Listen on the specified dedicated port(s) for JUNIPER_NETSCREEN traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl index b21861d..404781d 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl 
@@ -44,7 +44,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }} # Listen on the specified dedicated port(s) for JUNIPER_NSM traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl index 9d511c7..0383731 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl @@ -41,7 +41,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }} # Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl index ba00cc2..549b939 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl 
@@ -90,8 +90,8 @@ log { }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT") "no") "no") }} +{{- if or (or (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT")) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT"))) (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT")) }} # Listen on the specified dedicated port(s) for MICROFOCUS_ARCSIGHT traffic {{tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl index 73dc1d0..71335e2 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl @@ -93,7 +93,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PALOALTO_PANOS_TLS_PORT")) }} # Listen on the specified dedicated port(s) for PALOALTO_PANOS traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl index 60b6736..09dd410 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl 
@@ -42,7 +42,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TLS_PORT")) }} # Listen on the specified dedicated port(s) for PROOFPOINT_PPS_FILTER traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl index 11a8057..694f14e 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl @@ -41,7 +41,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TLS_PORT")) }} # Listen on the specified dedicated port(s) for PROOFPOINT_PPS_SENDMAIL traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl index 0962cc6..226b310 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl 
@@ -127,8 +127,8 @@ log { }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT") "no") "no") }} +{{- if or (or (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT")) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT")) }} # Listen on the specified dedicated port(s) for UBIQUITI_UNIFI traffic {{tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl index 983e13f..c9de545 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl @@ -82,7 +82,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_ZSCALER_NSS_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TCP_PORT")) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_ZSCALER_NSS_TLS_PORT")) }} # Listen on the specified dedicated port(s) for ZSCALER_NSS traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl index 69f4e28..98e3b78 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl 
@@ -40,7 +40,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_ASA_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_ASA_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_ASA_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ASA_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ASA_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ASA_TLS_PORT")) }} # Listen on the specified dedicated port(s) for CISCO_ASA traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl index 1ff0958..a9f881e 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl @@ -43,7 +43,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_PROXY_TLS_PORT")) }} # Listen on the specified dedicated port(s) for SYMANTEC_PROXY traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl index 19a26c3..cc2d052 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl 
@@ -60,9 +60,10 @@ log { }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT")) }} # Listen on the specified dedicated port(s) for JUNIPER_JUNOS_STRUCTURED traffic - {{ tmpl.Exec "log_path" "no" }} +{{ tmpl.Exec "log_path" "no" }} {{- end}} # Listen on the default port (typically 514) for JUNIPER_JUNOS_STRUCTURED traffic diff --git a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl index 3ff2c86..149fb4b 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl @@ -40,7 +40,8 @@ log { flags(flow-control); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT") "no") "no") }} + +{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT")) }} # Listen on the specified dedicated port(s) for CISCO_MERAKI traffic {{ tmpl.Exec "log_path" "no" }} {{- end}} diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t index 63fb6d2..ff5be59 100644 --- a/package/etc/go_templates/source_network.t +++ b/package/etc/go_templates/source_network.t 
@@ -127,6 +127,6 @@ source s_{{ .port_id}} { }; }; {{- end }} -{{- if (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) or (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT")) or (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT")) }} +{{- if or (or (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT"))) (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT")) }} {{ template "T1" (.) }} {{- end }} diff --git a/package/etc/local_config/log_paths/example.conf.tmpl b/package/etc/local_config/log_paths/example.conf.tmpl index 6a68b45..0f12886 100644 --- a/package/etc/local_config/log_paths/example.conf.tmpl +++ b/package/etc/local_config/log_paths/example.conf.tmpl 
@@ -7,41 +7,39 @@ # If any of the "LOCAL_EXAMPLE" variables passed into the environment are set (e.g. TLS, UDP, or TLS), # the template generator will build a custom source based on the value of one or more of the set variables. -{{- if (ne (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT") "no") "no") }} # "port_id" is used to generate the port variable to be used. It should match the "core" of the variable name # set in the line above. For example, the "port_id" of "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT" is "LOCAL_EXAMPLE". # "parser" can be customized on dedicated ports only # "common" uses the same parser sequence as the default ports and is the most commonly used -{{ $context := dict "port_id" "LOCAL_EXAMPLE" "parser" "common"}} # The following template execution creates a syslog-ng source with one or more dedicated ports for use with this log_path # The ports used are based on the values of one or more of the environment variables set above. +{{ $context := dict "port_id" "LOCAL_EXAMPLE" "parser" "common" }} {{ tmpl.Exec "t/source_network.t" $context }} -{{- end -}} +# The following is an inline template; we will use this to generate the actual log path {{ define "log_path" }} log { - -# The first time this template is used the log_path will be linked to the default port - {{- if eq (.) "yes"}} source(s_DEFAULT); - -# Filters should be updated to use the simplest and most effecient logic possible to discard -# the message from this path - filter(f_is_rfc3164); filter(f_local_example); {{- end}} {{- if eq (.) 
"no"}} + source (s_LOCAL_EXAMPLE); +{{- end}} + + +# The first time this template is used the log_path will be linked to the default port + +# Filters should be updated to use the simplest and most effecient logic possible to discard +# the message from this path # In the second pass through the template a link to the dedicated port is used. This # normally does not require additional filters -source (s_LOCAL_EXAMPLE); -{{- end}} #Set a default sourcetype and index @@ -64,11 +62,11 @@ source (s_LOCAL_EXAMPLE); }; {{- end}} -{{- if (ne (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT") "no") "no") }} +{{- if or (or (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TCP_PORT")) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_LOCAL_EXAMPLE_TLS_PORT")) }} # Listen on the specified dedicated port(s) for LOCAL_EXAMPLE traffic - {{tmpl.Exec "log_path" "no" }} +{{tmpl.Exec "log_path" "no" }} {{- end}} # Listen on the default port (typically 514) for LOCAL_EXAMPLE traffic From 639f502e6de8c8fea66c1c068b515448fdbf584f Mon Sep 17 00:00:00 2001 
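Review bot: In the first example.conf.tmpl hunk the comments that explain the `s_DEFAULT` branch (`# The first time this template is used the log_path will be linked to the default port` and the `# Filters should be updated ...` pair) now appear after the `{{- end}}` of the `s_LOCAL_EXAMPLE` branch, and the `# In the second pass ...` comment follows the `source (s_LOCAL_EXAMPLE);` line it describes rather than preceding it. Since this file is the template users copy for their own log paths, the comments should sit inside the branch they describe, as they did before the move. While moving them, `effecient` should read `efficient`. The `log {}` definition continues past the hunk.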
From: mbonsack Date: Wed, 27 Nov 2019 20:04:18 -0800 Subject: [PATCH 04/11] Docs/fixes nov27 (#207) BYOE fixes add missing python install fix broken wget links Add Docker install guides Add refinements to docs Add manual container launch commands to the troubleshooting guide Fixes issues: #130 #182 #186 #207 #204 #205 #206 #209 --- .circleci/config.yml | 7 +-- CONTRIBUTING.md => docs/CONTRIBUTING.md | 0 LICENSE-BSD2 => docs/LICENSE-BSD2 | 0 LICENSE-CC0 => docs/LICENSE-CC0 | 0 docs/configuration.md | 4 +- docs/gettingstarted.md | 46 +++++++++++++++++-- docs/gettingstarted/byoe-rhel7.md | 22 +++++++-- docs/gettingstarted/docker-swarm-general.md | 21 ++++++++- docs/gettingstarted/docker-swarm-rhel7.md | 2 +- docs/gettingstarted/docker-systemd-general.md | 24 ++++++++-- docs/troubleshooting.md | 16 +++++++ 11 files changed, 123 insertions(+), 19 deletions(-) rename CONTRIBUTING.md => docs/CONTRIBUTING.md (100%) rename LICENSE-BSD2 => docs/LICENSE-BSD2 (100%) rename LICENSE-CC0 => docs/LICENSE-CC0 (100%) diff --git a/.circleci/config.yml b/.circleci/config.yml index fda0601..8840fcf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -41,7 +41,8 @@ jobs: path: package extra_build_args: --build-arg RH_ORG=$RH_ORG --build-arg RH_ACTIVATION=$RH_ACTIVATION - - docker/install-goss + - docker/install-goss: + version: v0.3.7 - run: name: Test Docker command: | 
@@ -49,7 +50,7 @@ jobs: # Don't forget path! export PATH=$PATH:~/bin pushd package - GOSS_FMT_OPTIONS="perfdata verbose" GOSS_FILES_STRATEGY=cp GOSS_OPTS="--max-concurrent=1 --format junit" dgoss run -t $REGISTRY/$CI_IMAGE:$CIRCLE_SHA1 3>&1 1>&2 2>&3 > /tmp/goss.tmp || true ; cat /tmp/goss.tmp | grep -v "<" + GOSS_VER=v0.3.7 GOSS_FMT_OPTIONS="perfdata verbose" GOSS_FILES_STRATEGY=cp GOSS_OPTS="--max-concurrent=1 --format junit" dgoss run -t $REGISTRY/$CI_IMAGE:$CIRCLE_SHA1 3>&1 1>&2 2>&3 > /tmp/goss.tmp || true ; cat /tmp/goss.tmp | grep -v "<" popd cat /tmp/goss.tmp | grep "[<\>]" > /tmp/test-results/goss.xml @@ -413,7 +414,7 @@ workflows: requires: - build - test-unit - - test-scan-synk + #- test-scan-synk filters: tags: only: /^\d*\.\d*\.\d*.*$/ diff --git a/CONTRIBUTING.md b/docs/CONTRIBUTING.md similarity index 100% rename from CONTRIBUTING.md rename to docs/CONTRIBUTING.md diff --git a/LICENSE-BSD2 b/docs/LICENSE-BSD2 similarity index 100% rename from LICENSE-BSD2 rename to docs/LICENSE-BSD2 diff --git a/LICENSE-CC0 b/docs/LICENSE-CC0 similarity index 100% rename from LICENSE-CC0 rename to docs/LICENSE-CC0 diff --git a/docs/configuration.md b/docs/configuration.md index 379edf7..5926646 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
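Review bot: Commenting out `- test-scan-synk` in the `requires:` list of the release workflow removes the security-scan job from the gate for tagged builds, and neither the hunk nor the commit message says why or for how long. If the scan is being skipped because the job is broken, leave a comment beside it such as `#- test-scan-synk  # TODO(<tracking issue>): re-enable once <reason> is resolved`, so the disabled control is visible to the next reader; if it is meant to stay off, delete the job definition instead of carrying dead configuration. The job name also looks like a misspelling of Snyk, which is worth fixing when it is re-enabled if that is indeed the scanner. The workflow definition this list belongs to starts outside the hunk.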
@@ -95,8 +95,8 @@ which maps to an associated lookup of alternate indexes, sources, or other metad * Get the filter and lookup files ```bash cd /opt/sc4s/default -sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/compliance_meta_by_source.conf -sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/compliance_meta_by_source.csv +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context_templates/compliance_meta_by_source.conf +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context_templates/compliance_meta_by_source.csv ``` * Edit the file ``compliance_meta_by_source.conf`` to supply uniquely named filters to identify events subject to override. * Edit the file ``compliance_meta_by_source.csv`` to supply appropriate the field(s) and values. diff --git a/docs/gettingstarted.md b/docs/gettingstarted.md index 887e886..e113881 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted.md 
@@ -72,12 +72,50 @@ Splunk type. | Container and Orchestration | Notes | |-----------------------------|-------| -| [Podman + systemd single node](gettingstarted/podman-systemd-general.md) | First choice for RedHat 7.x and 8.x, second choice for Debian and Ubuntu (packages provided via PPA) | -| [Docker CE + systemd single node](gettingstarted/docker-systemd-general.md) | First choice for Debian, Ubuntu, and CentOS distributions with limited existing docker experience | -| [Docker CE + Swarm single node](gettingstarted/docker-swarm-general.md) | Option for Debian, Ubuntu, and CentOS desiring swarm orchestration | -| [Docker CE + Swarm single node RHEL 7.7](gettingstarted/docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring swarm orchestration | +| [Podman + systemd single node](gettingstarted/podman-systemd-general.md) | First choice for RedHat 7.x/8.x and CentOS, second choice for Debian and Ubuntu (packages provided via PPA) | +| [Docker CE + systemd single node](gettingstarted/docker-systemd-general.md) | First choice for Debian and Ubuntu; second choice for CentOS for those with limited existing Docker experience | +| [Docker CE + Swarm single node](gettingstarted/docker-swarm-general.md) | Option for Debian, Ubuntu, CentOS, and Desktop Docker desiring Docker Compose or Swarm orchestration | +| [Docker CE + Swarm single node RHEL 7.7](gettingstarted/docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring Docker Compose or Swarm orchestration | | [Bring your own Envionment](gettingstarted/byoe-rhel7.md) | Option for RedHat 7.7 (centos 7) with SC4S configuration without containers | +## Offline Container Installation + +Follow these instructions to "stage" SC4S by downloading the container so that it can be loaded "out of band" on a +host machine, such as an airgapped system, without internet connectivity. 
+ +* Download container image + +``` +sudo wget https://github.com/splunk/splunk-connect-for-syslog/releases/download/latest/oci_container.tar.gz +``` + +* Distribute the container to the airgapped host machine using an appropriate file transfer utility. +* Execute the following command, using docker or podman as appropriate + +``` + load < oci_container.tar.gz +``` + +* Note the container ID of the resultant load + +``` +Loaded image: docker.pkg.github.com/splunk/splunk-connect-for-syslog/ci:90196f77f7525bc55b3b966b5fa1ce74861c0250 +``` + +* Use the container ID to create a local label +``` + tag docker.pkg.github.com/splunk/splunk-connect-for-syslog/ci:90196f77f7525bc55b3b966b5fa1ce74861c0250 sc4slocal:latest +``` + +* Use this local label `sc4slocal:latest` in the relevant unit or yaml file to launch SC4S (see the runtime options +above) by setting the `SC4S_IMAGE` environment variable in the unit file (example below), or the relevant `image:` tag +if using Docker Compose/Swarm. Using this label will cause the runtime to select the locally loaded image, and will not +attempt to obtain the container image via the internet. + +``` +Environment="SC4S_IMAGE=sc4slocal:latest" +``` + # Scale out Additional hosts can be deployed for syslog collection from additional network zones and locations: diff --git a/docs/gettingstarted/byoe-rhel7.md b/docs/gettingstarted/byoe-rhel7.md index d970dcd..881f949 100644 --- a/docs/gettingstarted/byoe-rhel7.md +++ b/docs/gettingstarted/byoe-rhel7.md 
@@ -1,13 +1,19 @@ # SC4S "Bring Your Own Environment" +* FOREWORD: The BYOE SC4S deliverable should be considered as a _secondary_ option for SC4S deployment, and should be +considered only by those with specific needs based on advanced understanding of syslog-ng architectures. The +container deliverable is the preferred deliverable of SC4S for almost all enterprises. If you are simply trying to +"get syslog working", the turnkey, container approach described in the other runtime documents will be the fastest +route to success. + The "Bring Your Own Environment" instructions that follow allow administrators to utilize the SC4S syslog-ng config files directly on the host OS running on a hardware server or virtual machine. Administrators must provide an appropriate host OS as well as an up-to-date syslog-ng installation either built from source (not documented here) or installed from community-built RPMs. Modification of the base configuration will be required for most customer -environments due to enterprise infrastructure variations. +environments due to enterprise infrastructure variations. -* NOTE: Installing or modifying system configurations can have unexpected consequences, and rudimentary linux system -administratrion and syslog-ng configuration experience is assumed. +* NOTE: Installing or modifying system configurations can have unexpected consequences, and advanced linux system +administration and syslog-ng configuration experience is assumed when using the BYOE version of SC4S. * NOTE: Do _not_ depend on the distribution-supplied version of syslog-ng, as it will likely be far too old. Read this [explanation](https://www.syslog-ng.com/community/b/blog/posts/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions) 
@@ -68,6 +74,10 @@ sudo chmod 755 /usr/local/bin/gomplate gomplate --help ``` +* Install the latest python + +```scl enable rh-python36 bash``` + * create the sc4s unit file drop in ``/etc/systemd/system/sc4s.service`` and add the following content ```ini @@ -93,7 +103,7 @@ Restart=on-failure WantedBy=multi-user.target ``` -* create the file ``/opt/sc4s/bin/preconfig.sh`` and add the following content +* create the file ``/opt/sc4s/bin/preconfig.sh``. This file should be made executable according to your file permission standards. Add the following content: ```bash #!/usr/bin/env bash @@ -119,7 +129,9 @@ cp --verbose -R -n /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/l mkdir -p /opt/syslog-ng/var/data/disk-buffer/ ``` -* Execute the preconfiguration file created above +* (Optional) Execute the preconfiguration shell script created above. You may also optionally execute it as part of the unit +file, which is recommended. If you elect _not_ to execute the script in the unit file, care must be taken to execute it manually "out of band" +when any changes are made. ```bash sudo bash /opt/sc4s/bin/preconfig.sh diff --git a/docs/gettingstarted/docker-swarm-general.md b/docs/gettingstarted/docker-swarm-general.md index 6fd894f..dfa8b4d 100644 --- a/docs/gettingstarted/docker-swarm-general.md +++ b/docs/gettingstarted/docker-swarm-general.md 
@@ -1,7 +1,26 @@ # Install Docker CE and Swarm -Refer to [Getting Started](https://docs.docker.com/get-started/) +Refer to relevant installation guides: + +* [CentOS](https://docs.docker.com/install/linux/docker-ce/centos/) +* [Ubuntu](https://docs.docker.com/install/linux/docker-ce/ubuntu/) +* [Debian](https://docs.docker.com/install/linux/docker-ce/debian/) +* [Desktop](https://docs.docker.com/get-started/) + +NOTE: If using a CentOS image provisioned in AWS, IPV4 forwarding is _not_ enabled by default. +This needs to be enabled for container networking to function properly. The following is an example +to set this up; as usual this needs to be vetted with your enterprise security policy: + +```sudo sysctl net.ipv4.ip_forward=1``` + +Then, edit /etc/sysctl.conf, find the text below, and uncomment as shown so that the change made above will survive a +reboot: + +``` +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 +``` # SC4S Configuration diff --git a/docs/gettingstarted/docker-swarm-rhel7.md b/docs/gettingstarted/docker-swarm-rhel7.md index 5ef0e66..7ed5afe 100644 --- a/docs/gettingstarted/docker-swarm-rhel7.md +++ b/docs/gettingstarted/docker-swarm-rhel7.md @@ -1,7 +1,7 @@ # Install Docker CE and Swarm -*Warning* this method of installing docker on RHEL does not appear to be supported: +* Warning: this method of installing docker on RHEL does not appear to be supported. Consider using podman instead. ## Enable required repositories ```bash diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index 94b164f..838cdaa 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md 
@@ -1,7 +1,25 @@ # Install Docker CE -Refer to [Getting Started](https://docs.docker.com/get-started/) +Refer to relevant installation guides: + +* [CentOS](https://docs.docker.com/install/linux/docker-ce/centos/) +* [Ubuntu](https://docs.docker.com/install/linux/docker-ce/ubuntu/) +* [Debian](https://docs.docker.com/install/linux/docker-ce/debian/) + +NOTE: If using a CentOS image provisioned in AWS, IPV4 forwarding is _not_ enabled by default. +This needs to be enabled for container networking to function properly. The following is an example +to set this up; as usual this needs to be vetted with your enterprise security policy: + +```sudo sysctl net.ipv4.ip_forward=1``` + +Then, edit /etc/sysctl.conf, find the text below, and uncomment as shown so that the change made above will survive a +reboot: + +``` +# Uncomment the next line to enable packet forwarding for IPv4 +net.ipv4.ip_forward=1 +``` # Setup @@ -10,8 +28,8 @@ Refer to [Getting Started](https://docs.docker.com/get-started/) ```ini [Unit] Description=SC4S Container -After=network.service -Requires=network.service +Wants=network.target network-online.target +After=network.target network-online.target [Service] Environment="SC4S_IMAGE=splunk/scs:latest" diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 1a78b38..aca10a7 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -2,6 +2,22 @@ ## General +To test the container outside of the systemd startup environment, you can run the following to test the syntax +of the container. These commands assume the local mounted directory is set up as shown in the gettingstarted +examples (and omits the disk buffer mount): + +``` +/usr/bin/docker run --env-file=/opt/sc4s/env_file -v "/opt/sc4s/local:/opt/syslog-ng/etc/conf.d/local:z" --name SC4S_preflight --rm splunk/scs:latest -s +``` + +and you can run + +``` +/usr/bin/docker run --env-file=/opt/sc4s/env_file -v "/opt/sc4s/local:/opt/syslog-ng/etc/conf.d/local:z" --name SC4S --rm splunk/scs:latest +``` + +to test the final image. These commands can help with container errors that are hidden in the systemd process. If you +are using podman, substitute "podman" for "docker" for the container runtime command above. ### Verification of TLS Server From 7b428b16af456fcd966f0e50cf763e434cbb37bf Mon Sep 17 00:00:00 2001 From: mbonsack Date: Mon, 2 Dec 2019 08:30:43 -0800 Subject: [PATCH 05/11] Unit file dependencies/gomplate version (#214) * Change unit file dependencies (Wants/After) * Correct gomplate version check --- docs/gettingstarted/byoe-rhel7.md | 2 +- docs/gettingstarted/podman-systemd-general.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/gettingstarted/byoe-rhel7.md b/docs/gettingstarted/byoe-rhel7.md index 881f949..d81c566 100644 --- a/docs/gettingstarted/byoe-rhel7.md +++ b/docs/gettingstarted/byoe-rhel7.md @@ -71,7 +71,7 @@ sudo cp -R etc/* /opt/syslog-ng/etc/ ```bash sudo curl -o /usr/local/bin/gomplate -sSL https://github.com/hairyhenderson/gomplate/releases/download/v3.5.0/gomplate_linux-amd64 sudo chmod 755 /usr/local/bin/gomplate -gomplate --help +gomplate --version ``` * Install the latest python diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md index 1d0ddc3..1cec535 100644 --- a/docs/gettingstarted/podman-systemd-general.md 
+++ b/docs/gettingstarted/podman-systemd-general.md @@ -10,8 +10,8 @@ Refer to [Installation](https://podman.io/getting-started/installation) ```ini [Unit] Description=SC4S Container -After=network.service -Requires=network.service +Wants=network.target network-online.target +After=network.target network-online.target [Service] Environment="SC4S_IMAGE=splunk/scs:latest" From 4ac6be4465ed4ab5498b76819aa8c68f5a32ad09 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Thu, 5 Dec 2019 21:08:38 -0500 Subject: [PATCH 06/11] fixes #212 disable dns-cache to resolve startup warning (#216) --- package/etc/syslog-ng.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/etc/syslog-ng.conf b/package/etc/syslog-ng.conf index 88897f1..4f19083 100644 --- a/package/etc/syslog-ng.conf +++ b/package/etc/syslog-ng.conf @@ -21,7 +21,7 @@ options { chain_hostnames (off); use_dns (no); use_fqdn (no); - dns-cache(yes); + dns-cache(no); create_dirs (no); keep-hostname (yes); create_dirs(yes); From 0e5795243d5aaa6dcbfc5224dae07a570d0b0d36 Mon Sep 17 00:00:00 2001 From: mbonsack Date: Fri, 6 Dec 2019 04:27:00 -0800 Subject: [PATCH 07/11] Config/runtime docs refinement (#215) Significant update to the configuration and runtime doc * Added metadata override detail * Added missing mount point detail * Added detail to runtime docs * Misc fixes --- docs/configuration.md | 145 +++++++++++++----- docs/gettingstarted/byoe-rhel7.md | 2 + docs/gettingstarted/docker-swarm-general.md | 20 ++- docs/gettingstarted/docker-swarm-rhel7.md | 22 ++- docs/gettingstarted/docker-systemd-general.md | 24 ++- docs/gettingstarted/podman-systemd-general.md | 24 ++- 6 files changed, 181 insertions(+), 56 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 5926646..588a783 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
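Review bot: The `options {}` block shown in the syslog-ng.conf hunk still carries both `create_dirs (no);` and, two lines later, `create_dirs(yes);`, which the commit leaves in place; with repeated options the later one presumably wins, but the pair reads as a contradiction and should be collapsed to the single intended value with the other line removed. Setting `dns-cache(no)` next to `use_dns (no)` is consistent, so nothing further is needed for the changed line itself. The `options {}` block starts before the hunk.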
@@ -44,9 +44,8 @@ may hide this nuance. ## Archive File Configuration -This feature is designed to support "compliance" archival of all messages. To enable this feature update the Unit file -or docker compose to mount an appropriate host folder to the container folder ``/opt/syslog-ng/var/archive``. -The files will be stored in a folder structure using the naming pattern +This feature is designed to support "compliance" archival of all messages. Instructions for enabling this feature are included +in each "getting started" runtime document. The files will be stored in a folder structure using the naming pattern ``${YEAR}/${MONTH}/${DAY}/${fields.sc4s_vendor_product}_${YEAR}${MONTH}${DAY}${HOUR}${MIN}.log"``. This pattern will create one file per "vendor_product" per minute with records formatted using syslog-ng's EWMM template. @@ -76,7 +75,8 @@ and/or move them to an archival system to avoid disk space failures. ## Syslog Source TLS Certificate Configuration -* Create a folder ``/opt/sc4s/tls`` +* Create a folder ``/opt/sc4s/tls`` if not already done as part of the "getting started" process. +* Uncomment the appropriate mount line in the unit or yaml file (again, documented in the "getting started" runtime documents). * Save the server private key in PEM format with NO PASSWORD to ``/opt/sc4s/tls/server.key`` * Save the server certificate in PEM format to ``/opt/sc4s/tls/server.pem`` * Add the following line to ``/opt/sc4s/env_file`` 
@@ -85,44 +85,115 @@ and/or move them to an archival system to avoid disk space failures. SC4S_SOURCE_TLS_ENABLE=yes ``` -## Override index or metadata based on host, ip, or subnet +## Log Path overrides of index or metadata + +In some cases it is appropriate to override the default SC4S index or other Splunk metadata (such as an +source, host, or sourcetype) for a given data source. This is accomplished by the use of a lookup file that identifies these +source exceptions based on the log path used by the incoming message. These log path overrides are documented in the associated +"sources" document. For each data source, you will see a table of the form + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| foo_bar | fb_log | netfw | none | + +In this case the key, `foo_bar`, will be an entry into the `splunk_indexes.csv` file that is populated in `/opt/sc4s/local/context` when SC4S +is run for the first time. The other columns show the default sourcetype and index when not overriden. This file contruct +is best shown with an example. Here is the table for Juniper Netscreen devices, from the "sources" document: -In some cases it is appropriate to re-direct events to an alternate index or append metadata (such as an -indexed field) based on PCI scope, geography, or other criterion. This is accomplished by the use -of a file that uniquely identifies these source exceptions via syslog-ng filters, -which maps to an associated lookup of alternate indexes, sources, or other metadata. 
+| key | sourcetype | index | notes | +|------------------------|---------------------|----------------|---------------| +| juniper_netscreen | netscreen:firewall | netfw | none | +| juniper_idp | juniper:idp | netfw | none | -* Get the filter and lookup files -```bash -cd /opt/sc4s/default -sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context_templates/compliance_meta_by_source.conf -sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context_templates/compliance_meta_by_source.csv +Here is a snippet from the `splunk_indexes.csv` file: + +``` +#juniper_sslvpn,index,netfw +juniper_netscreen,index,ns_index +#juniper_nsm,index,netfw ``` + +The columns in this file are `key`, `metadata`, and `value`. The `key` entries are +by default "commmented out", which is really a half-truth because CSV files don't allow comments. Therefore, to ensure there +is a match from the log path that references this file, be sure to remove the leading `#`. Once this is done, the following changes can be +made by adding one or more rows to the table and specifying one or more of the following `metadata`/`value` pairs for a given `key`: + + * `index` to specify an alternate `value` for index + * `source` to specify an alternate `value` for source + * `sourcetype` to specify an alternate `value` for sourcetype (be _very_ careful when changing this; only do so if a downstream + TA is _not_ being used, or a custom TA (built by you) is being used.) + +In this case, the `juniper_netscreen` key is "uncommented" (thereby enabling it), and the new index used for that data source will be +`ns_index`. + +In general, for most deployments the index should be the only change needed; the defaults for the others should almost +never be overridden (particularly for "Out of the Box" data sources). 
Even then, care should be taken when considering an alternate +index, as the defaults for SC4S were chosen with best practices in mind. + +This `csv` file can also be appended when building custom SC4S log paths (filters). Care should be taken during filter design to choose +appropriate index and sourctype defaults, so that admins are not compelled to override them. + + +## Override index or metadata based on host, ip, or subnet + +In other cases it is appropriate to provide the same overrides but based on PCI scope, geography, or other criterion rather than globally. +This is accomplished by the use of a file that uniquely identifies these source exceptions via syslog-ng filters, +which maps to an associated lookup of alternate indexes, sources, or other metadata. In addition, (indexed) fields can also be +added to futher classify the data. + +* The `conf` and `csv` files referenced below will be populated into the `/opt/sc4s/local/context` directory when SC4S is run for the first +time after being set up according to the "getting started" runtime documents. * Edit the file ``compliance_meta_by_source.conf`` to supply uniquely named filters to identify events subject to override. -* Edit the file ``compliance_meta_by_source.csv`` to supply appropriate the field(s) and values. -The three columns in the table are `filter name`, `field name`, and `value`. `field name` obeys the following convention: - * ``fields.fieldname`` where `fieldname` will become the name of an indexed field with the supplied value - * ``.splunk.index`` to specify an alternate value for index - * ``.splunk.source`` to specify an alternate value for source +* Edit the file ``compliance_meta_by_source.csv`` to supply appropriate field(s) and values. + +The three columns in the `csv` file are `filter name`, `field name`, and `value`. Filter names in the `conf` file must match one or more +corresonding `filter name` rows in the `csv` file. 
The `field name` column obeys the following convention: + + * `.splunk.index` to specify an alternate `value` for index + * `.splunk.source` to specify an alternate `value` for source + * `.splunk.sourcetype` to specify an alternate `value` for sourcetype (be _very_ careful when changing this; only do so if a downstream + TA is _not_ being used, or a custom TA (built by you) is being used.) + * `fields.fieldname` where `fieldname` will become the name of an indexed field sent to Splunk with the supplied `value` + +This file construct is best shown by an example. Here is a sample ``compliance_meta_by_source.conf`` file: + +``` +@version: 3.24 +filter f_test_test { + host("something-*" type(glob)) or + netmask(192.168.100.1/24) +}; +``` +and the corresponding ``compliance_meta_by_source.csv`` file: + +``` +f_test_test,.splunk.index,"pciindex" +f_test_test,fields.compliance,"pci" +``` + +First off, ensure that the proper version string exists at the top of the `conf` file, and that the filter name(s) in the `conf` file match +one or more rows in the `csv` file. In this case, any incoming message with a hostname starting with `something-` or arriving from a netmask +of `192.168.100.1/24` will match the `f_test_test` filter, and the corresponding entries in the `csv` file will be checked for overrides. +In this case, the new index is `pciindex`, and an indexed field named `compliance` will be sent to Splunk, with it's value set to `pci`. +To add additional overrides, simply add another `filter foo_bar {};` stanza to the `conf` file, and add appropriate entries to the `csv` file +that match the filter name(s) to the overrides you deisre. + +* IMPORTANT: The files above are actual syslog-ng config file snippets that get parsed directly by the underlying syslog-ng +process. 
Take care that your syntax is correct; for more information on proper syslog-ng syntax, see the syslog-ng +[documentation](https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/57#TOPIC-1298086). +A syntax error will cause the runtime process to abort in the "preflight" phase at startup. -* For the Docker/Podman runtimes, update the docker/podman run command in the systemd unit file or the docker-compose to -include volumes mapping the files above. -* In the Unit file, add the following lines to the `ExecStart` command prior to `$SC4SIMAGE` then restart using the command -``sudo systemctl daemon-reload; sudo systemctl restart sc4s`` - -`` -SC4S_UNIT_VP_CSV=-v /opt/sc4s/default/compliance_meta_by_source.csv:/opt/syslog-ng/etc/context-local/compliance_meta_by_source.csv \ -SC4S_UNIT_VP_CONF=-v /opt/sc4s/default/compliance_meta_by_source.conf:/opt/syslog-ng/etc/context-local/compliance_meta_by_source.conf \ -`` - -* For the Docker Swarm runtime, update the docker compose yml to add the following volume mounts to thee sc4s service and -redeploy the updated service using the command: -``docker stack deploy --compose-file docker-compose.yml sc4s`` - -`` - - /opt/sc4s/default/compliance_meta_by_source.csv:/opt/syslog-ng/etc/context-local/compliance_meta_by_source.csv - - /opt/sc4s/default/compliance_meta_by_source.conf:/opt/syslog-ng/etc/context-local/compliance_meta_by_source.conf -`` +Finally, to update your changes for the systemd-based runtimes, restart SC4S using the commands: +``` +sudo systemctl daemon-reload +sudo systemctl restart sc4s +``` + +For the Docker Swarm runtime, redeploy the updated service using the command: +``` +docker stack deploy --compose-file docker-compose.yml sc4s +``` + ## Data Durability - Local Disk Buffer Configuration SC4S provides capability to minimize the number of lost events if the connection to all the Splunk Indexers goes down. 
This capability utilizes the disk buffering feature of Syslog-ng. SC4S receives a response from the Splunk HTTP Event Collector (HEC) when a message is received successfully. If a confirmation message from the HEC endpoint is not received (or a “server busy” reply, such as a “503” is sent), the load balancer will try the next HEC endpoint in the pool. If all pool members are exhausted (such as would occur if there were a full network outage to the HEC endpoints), events will queue to the local disk buffer on the SC4S Linux host. SC4S will continue attempting to send the failed events while it buffers all new incoming events to disk. If the disk space allocated to disk buffering fills up then SC4S will stop accepting new events and subsequent events will be lost. Once SC4S gets confirmation that events are again being received by one or more indexers, events will then stream from the buffer using FIFO queueing. The number of events in the disk buffer will reduce as long as the incoming event volume is less than the maximum SC4S (with the disk buffer in the path) can handle. When all events have been emptied from the disk buffer, SC4S will resume streaming events directly to Splunk. diff --git a/docs/gettingstarted/byoe-rhel7.md b/docs/gettingstarted/byoe-rhel7.md index d81c566..59baff5 100644 --- a/docs/gettingstarted/byoe-rhel7.md +++ b/docs/gettingstarted/byoe-rhel7.md @@ -127,6 +127,8 @@ mkdir -p /opt/syslog-ng/etc/conf.d/local/config/ cp --verbose -n /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context/ cp --verbose -R -n /opt/syslog-ng/etc/local_config/* /opt/syslog-ng/etc/conf.d/local/config/ mkdir -p /opt/syslog-ng/var/data/disk-buffer/ +mkdir -p /opt/syslog-ng/var/archive/ +mkdir -p /opt/syslog-ng/tls/ ``` * (Optional) Execute the preconfiguration shell script created above. You may also optionally execute it as part of the unit 
diff --git a/docs/gettingstarted/docker-swarm-general.md b/docs/gettingstarted/docker-swarm-general.md index dfa8b4d..44d2255 100644 --- a/docs/gettingstarted/docker-swarm-general.md +++ b/docs/gettingstarted/docker-swarm-general.md @@ -51,8 +51,10 @@ services: volumes: - /opt/sc4s/local:/opt/syslog-ng/etc/conf.d/local:z - /opt/sc4s/disk-buffer:/opt/syslog-ng/var/data/disk-buffer:z +# Uncomment the following line if local disk archiving is desired +# - /opt/sc4s/archive:/opt/syslog-ng/var/archive:z # Uncomment the following line if custom TLS certs are provided -# - /opt/sc4s/tls:/opt/syslog-ng/tls +# - /opt/sc4s/tls:/opt/syslog-ng/tls:z ``` * Create the subdirectory ``/opt/sc4s/local``. This will be used as a mount point for local overrides and configurations. @@ -76,7 +78,14 @@ of events in the event of network failure to the Splunk infrastructure. If you are sure, after stopping SC4S, that all data has been sent, these files can be removed. They will be created again upon restart. -* IMPORTANT: When creating the two directories above, ensure the directories created match the volume mounts specified in the +* Create the subdirectory ``/opt/sc4s/archive``. This will be used as a mount point for local storage of syslog events +(if the optional mount is uncommented above). The events will be written in the syslog-ng EWMM format. See the "configuration" +document for details on the directory structure the archive uses. + +* Create the subdirectory ``/opt/sc4s/tls``. This will be used as a mount point for custom TLS certificates +(if the optional mount is uncommented above). + +* IMPORTANT: When creating the directories above, ensure the directories created match the volume mounts specified in the `docker-compose.yml` file. Failure to do this will cause SC4S to abort at startup. ## Configure the SC4S environment 
@@ -107,12 +116,15 @@ Log paths are preconfigured to utilize a convention of index destinations that a * Edit `splunk_index.csv` to review or change the index configuration and revise as required for the data sources utilized in your environment. Simply uncomment the relevant line and enter the desired index. The "Sources" document details the specific entries in this table that pertain to the individual data source filters that are included with SC4S. +* Other Splunk metadata (e.g. source and sourcetype) can be overriden via this file as well. This is an advanced topic, and further +information is covered in the "Log Path overrides" section of the Configuration document. ## Configure source filtering by source IP or host name Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources that require this step, refer to the "sources" section of this documentation. +* If changes need to be made to source filtering, navigate to the ``/opt/sc4s/local/context`` directory to start. * Navigate to `vendor_product_by_source.conf` and find the appropriate filter that matches your legacy device type. * Edit the file to properly identify these products by hostname glob or network mask using syslog-ng filter syntax. Configuration by hostname or source IP is needed only for those devices that cannot be determined via normal syslog-ng parsing or message contents. * The `vendor_product_by_source.csv` file should not need to be changed unless a local filter is created that is specific to the environment. In this case, a matching filter will also need to be provided in `vendor_product_by_source.conf`. 
@@ -122,8 +134,8 @@ apply to support such sources. To identify sources that require this step, refer In some cases, devices that have been properly sourcetyped need to be further categorized by compliance, geography, or other criterion. The two files `compliance_meta_by_source.conf` and `compliance_meta_by_source.csv` can be used for this purpose. These operate similarly to the files above, where the `conf` file specifies a filter to uniquely identify the messages that should be overridden, and the `csv` file -lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is in -the "Configuration" section. +lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is +covered in the "Override index or metadata based on host, ip, or subnet" section of the Configuration document. ## Start/Restart SC4S diff --git a/docs/gettingstarted/docker-swarm-rhel7.md b/docs/gettingstarted/docker-swarm-rhel7.md index 7ed5afe..0af8b6b 100644 --- a/docs/gettingstarted/docker-swarm-rhel7.md +++ b/docs/gettingstarted/docker-swarm-rhel7.md @@ -59,8 +59,10 @@ services: volumes: - /opt/sc4s/local:/opt/syslog-ng/etc/conf.d/local:z - /opt/sc4s/disk-buffer:/opt/syslog-ng/var/data/disk-buffer:z +# Uncomment the following line if local disk archiving is desired +# - /opt/sc4s/archive:/opt/syslog-ng/var/archive:z # Uncomment the following line if custom TLS certs are provided -# - /opt/sc4s/tls:/opt/syslog-ng/tls +# - /opt/sc4s/tls:/opt/syslog-ng/tls:z ``` * Create the subdirectory ``/opt/sc4s/local``. This will be used as a mount point for local overrides and configurations. 
@@ -82,9 +84,16 @@ of events in the event of network failure to the Splunk infrastructure. * This directory will populate with the disk buffer files upon SC4S startup. If SC4S restarts for any reason, a new set of files will be created in addition to the original ones. _The original ones will not be removed_. If you are sure, after stopping SC4S, that all data has been sent, these files can be removed. They will be created -again upon restart. +again upon restart + +* Create the subdirectory ``/opt/sc4s/archive``. This will be used as a mount point for local storage of syslog events +(if the optional mount is uncommented above). The events will be written in the syslog-ng EWMM format. See the "configuration" +document for details on the directory structure the archive uses. + +* Create the subdirectory ``/opt/sc4s/tls``. This will be used as a mount point for custom TLS certificates +(if the optional mount is uncommented above). -* IMPORTANT: When creating the two directories above, ensure the directories created match the volume mounts specified in the +* IMPORTANT: When creating the directories above, ensure the directories created match the volume mounts specified in the `docker-compose.yml` file. Failure to do this will cause SC4S to abort at startup. ## Configure the SC4S environment 
@@ -116,6 +125,8 @@ Log paths are preconfigured to utilize a convention of index destinations that a * Edit `splunk_index.csv` to review or change the index configuration and revise as required for the data sources utilized in your environment. Simply uncomment the relevant line and enter the desired index. The "Sources" document details the specific entries in this table that pertain to the individual data source filters that are included with SC4S. +* Other Splunk metadata (e.g. source and sourcetype) can be overriden via this file as well. This is an advanced topic, and further +information is covered in the "Log Path overrides" section of the Configuration document. ## Configure source filtering by source IP or host name @@ -123,6 +134,7 @@ this table that pertain to the individual data source filters that are included Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources that require this step, refer to the "sources" section of this documentation. +* If changes need to be made to source filtering, navigate to the ``/opt/sc4s/local/context`` directory to start. * Navigate to `vendor_product_by_source.conf` and find the appropriate filter that matches your legacy device type. * Edit the file to properly identify these products by hostname glob or network mask using syslog-ng filter syntax. Configuration by hostname or source IP is needed only for those devices that cannot be determined via normal syslog-ng parsing or message contents. * The `vendor_product_by_source.csv` file should not need to be changed unless a local filter is created that is specific to the environment. In this case, a matching filter will also need to be provided in `vendor_product_by_source.conf`. 
@@ -132,8 +144,8 @@ apply to support such sources. To identify sources that require this step, refer In some cases, devices that have been properly sourcetyped need to be further categorized by compliance, geography, or other criterion. The two files `compliance_meta_by_source.conf` and `compliance_meta_by_source.csv` can be used for this purpose. These operate similarly to the files above, where the `conf` file specifies a filter to uniquely identify the messages that should be overridden, and the `csv` file -lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is in -the "Configuration" section. +lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is +covered in the "Override index or metadata based on host, ip, or subnet" section of the Configuration document. ## Start/Restart SC4S diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index 838cdaa..7eae5b0 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md @@ -40,8 +40,10 @@ Environment="SC4S_LOCAL_CONFIG_MOUNT=-v /opt/sc4s/local:/opt/syslog-ng/etc/conf. # Mount point for local disk buffer (required) Environment="SC4S_LOCAL_DISK_BUFFER_MOUNT=-v /opt/sc4s/disk-buffer:/opt/syslog-ng/var/data/disk-buffer:z" +# Uncomment the following line if local disk archiving is desired +# Environment="SC4S_LOCAL_ARCHIVE_MOUNT=-v /opt/sc4s/archive:/opt/syslog-ng/var/archive:z" # Uncomment the following line if custom TLS certs are provided -# Environment="SC4S_TLS_DIR=-v /opt/sc4s/tls:/opt/syslog-ng/tls" +# Environment="SC4S_TLS_DIR=-v /opt/sc4s/tls:/opt/syslog-ng/tls:z" TimeoutStartSec=0 Restart=always 
@@ -56,6 +58,8 @@ ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp \ --env-file=/opt/sc4s/env_file \ "$SC4S_LOCAL_CONFIG_MOUNT" \ "$SC4S_LOCAL_DISK_BUFFER_MOUNT" \ + "$SC4S_LOCAL_ARCHIVE_MOUNT" \ + "$SC4S_TLS_DIR" \ --name SC4S --rm \ $SC4S_IMAGE ``` @@ -79,9 +83,16 @@ of events in the event of network failure to the Splunk infrastructure. * This directory will populate with the disk buffer files upon SC4S startup. If SC4S restarts for any reason, a new set of files will be created in addition to the original ones. _The original ones will not be removed_. If you are sure, after stopping SC4S, that all data has been sent, these files can be removed. They will be created -again upon restart. +again upon restart + +* Create the subdirectory ``/opt/sc4s/archive``. This will be used as a mount point for local storage of syslog events +(if the optional mount is uncommented above). The events will be written in the syslog-ng EWMM format. See the "configuration" +document for details on the directory structure the archive uses. + +* Create the subdirectory ``/opt/sc4s/tls``. This will be used as a mount point for custom TLS certificates +(if the optional mount is uncommented above). -* IMPORTANT: When creating the two directories above, ensure the directories created match the volume mounts specified in the +* IMPORTANT: When creating the directories above, ensure the directories created match the volume mounts specified in the unit file above. Failure to do this will cause SC4S to abort at startup. ## Configure the SC4S environment 
@@ -112,12 +123,15 @@ Log paths are preconfigured to utilize a convention of index destinations that a * Edit `splunk_index.csv` to review or change the index configuration and revise as required for the data sources utilized in your environment. Simply uncomment the relevant line and enter the desired index. The "Sources" document details the specific entries in this table that pertain to the individual data source filters that are included with SC4S. +* Other Splunk metadata (e.g. source and sourcetype) can be overriden via this file as well. This is an advanced topic, and further +information is covered in the "Log Path overrides" section of the Configuration document. ## Configure source filtering by source IP or host name Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources that require this step, refer to the "sources" section of this documentation. +* If changes need to be made to source filtering, navigate to the ``/opt/sc4s/local/context`` directory to start. * Navigate to `vendor_product_by_source.conf` and find the appropriate filter that matches your legacy device type. * Edit the file to properly identify these products by hostname glob or network mask using syslog-ng filter syntax. Configuration by hostname or source IP is needed only for those devices that cannot be determined via normal syslog-ng parsing or message contents. * The `vendor_product_by_source.csv` file should not need to be changed unless a local filter is created that is specific to the environment. In this case, a matching filter will also need to be provided in `vendor_product_by_source.conf`. 
@@ -127,8 +141,8 @@ apply to support such sources. To identify sources that require this step, refer In some cases, devices that have been properly sourcetyped need to be further categorized by compliance, geography, or other criterion. The two files `compliance_meta_by_source.conf` and `compliance_meta_by_source.csv` can be used for this purpose. These operate similarly to the files above, where the `conf` file specifies a filter to uniquely identify the messages that should be overridden, and the `csv` file -lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is in -the "Configuration" section. +lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is +covered in the "Override index or metadata based on host, ip, or subnet" section of the Configuration document. ## Configure SC4S for systemd and start SC4S diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md index 1cec535..18f8f82 100644 --- a/docs/gettingstarted/podman-systemd-general.md +++ b/docs/gettingstarted/podman-systemd-general.md @@ -22,8 +22,10 @@ Environment="SC4S_LOCAL_CONFIG_MOUNT=-v /opt/sc4s/local:/opt/syslog-ng/etc/conf. # Mount point for local disk buffer (required) Environment="SC4S_LOCAL_DISK_BUFFER_MOUNT=-v /opt/sc4s/disk-buffer:/opt/syslog-ng/var/data/disk-buffer:z" +# Uncomment the following line if local disk archiving is desired +# Environment="SC4S_LOCAL_ARCHIVE_MOUNT=-v /opt/sc4s/archive:/opt/syslog-ng/var/archive:z" # Uncomment the following line if custom TLS certs are provided -# Environment="SC4S_TLS_DIR=-v /opt/sc4s/tls:/opt/syslog-ng/tls" +# Environment="SC4S_TLS_DIR=-v /opt/sc4s/tls:/opt/syslog-ng/tls:z" TimeoutStartSec=0 Restart=always 
@@ -38,6 +40,8 @@ ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp \ --env-file=/opt/sc4s/env_file \ "$SC4S_LOCAL_CONFIG_MOUNT" \ "$SC4S_LOCAL_DISK_BUFFER_MOUNT" \ + "$SC4S_LOCAL_ARCHIVE_MOUNT" \ + "$SC4S_TLS_DIR" \ --name SC4S --rm \ $SC4S_IMAGE ``` @@ -61,9 +65,16 @@ of events in the event of network failure to the Splunk infrastructure. * This directory will populate with the disk buffer files upon SC4S startup. If SC4S restarts for any reason, a new set of files will be created in addition to the original ones. _The original ones will not be removed_. If you are sure, after stopping SC4S, that all data has been sent, these files can be removed. They will be created -again upon restart. +again upon restart + +* Create the subdirectory ``/opt/sc4s/archive``. This will be used as a mount point for local storage of syslog events +(if the optional mount is uncommented above). The events will be written in the syslog-ng EWMM format. See the "configuration" +document for details on the directory structure the archive uses. + +* Create the subdirectory ``/opt/sc4s/tls``. This will be used as a mount point for custom TLS certificates +(if the optional mount is uncommented above). -* IMPORTANT: When creating the two directories above, ensure the directories created match the volume mounts specified in the +* IMPORTANT: When creating the directories above, ensure the directories created match the volume mounts specified in the unit file above. Failure to do this will cause SC4S to abort at startup. ## Configure the sc4s environment 
@@ -94,12 +105,15 @@ Log paths are preconfigured to utilize a convention of index destinations that a * Edit `splunk_index.csv` to review or change the index configuration and revise as required for the data sources utilized in your environment. Simply uncomment the relevant line and enter the desired index. The "Sources" document details the specific entries in this table that pertain to the individual data source filters that are included with SC4S. +* Other Splunk metadata (e.g. source and sourcetype) can be overriden via this file as well. This is an advanced topic, and further +information is covered in the "Log Path overrides" section of the Configuration document. ## Configure source filtering by source IP or host name Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources that require this step, refer to the "sources" section of this documentation. +* If changes need to be made to source filtering, navigate to the ``/opt/sc4s/local/context`` directory to start. * Navigate to `vendor_product_by_source.conf` and find the appropriate filter that matches your legacy device type. * Edit the file to properly identify these products by hostname glob or network mask using syslog-ng filter syntax. Configuration by hostname or source IP is needed only for those devices that cannot be determined via normal syslog-ng parsing or message contents. * The `vendor_product_by_source.csv` file should not need to be changed unless a local filter is created that is specific to the environment. In this case, a matching filter will also need to be provided in `vendor_product_by_source.conf`. 
@@ -109,8 +123,8 @@ apply to support such sources. To identify sources that require this step, refer In some cases, devices that have been properly sourcetyped need to be further categorized by compliance, geography, or other criterion. The two files `compliance_meta_by_source.conf` and `compliance_meta_by_source.csv` can be used for this purpose. These operate similarly to the files above, where the `conf` file specifies a filter to uniquely identify the messages that should be overridden, and the `csv` file -lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is in -the "Configuration" section. +lists one or more metadata items that can be overridden based on the filter name. This is an advanced topic, and further information is +covered in the "Override index or metadata based on host, ip, or subnet" section of the Configuration document. ## Configure SC4S for systemd and start SC4S From 086d7d82925459b4534879577207774ec6ce66ff Mon Sep 17 00:00:00 2001 From: mbonsack Date: Fri, 6 Dec 2019 04:46:05 -0800 Subject: [PATCH 08/11] Combine proofpoint log paths (#218) * Combine proofpoint log paths * Update sources.md for Proofpoint and fix random notes for UDP unique ports --- docs/sources.md | 11 ++-- .../p_rfc3164-proofpoint_pps.conf.tmpl | 61 +++++++++++++++++++ .../p_rfc3164-proofpoint_pps_filter.conf.tmpl | 52 ---------------- ..._rfc3164-proofpoint_pps_sendmail.conf.tmpl | 51 ---------------- 4 files changed, 66 insertions(+), 109 deletions(-) create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl delete mode 100644 package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl delete mode 100644 package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl diff --git a/docs/sources.md b/docs/sources.md index 22c3aab..3d868cc 100644 --- a/docs/sources.md +++ b/docs/sources.md 
@@ -225,7 +225,7 @@ PATTERN MATCH
 | Variable | default | description |
 |----------------|----------------|----------------|
 | SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
-| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
 ### Verification
@@ -273,7 +273,7 @@ IP, Netmask, Host or Port
 | Variable | default | description |
 |----------------|----------------|----------------|
 | SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
-| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
 ### Verification
@@ -579,7 +579,7 @@ Verify timestamp, and host values match as expected
 | Variable | default | description |
 |----------------|----------------|----------------|
 | SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
 ### Verification
@@ -629,7 +629,7 @@ Verify timestamp, and host values match as expected | Variable | default | description | |----------------|----------------|----------------| | SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | ### Verification @@ -887,8 +887,7 @@ messages to create meaningful final output. This will require follow-on process | Variable | default | description | |----------------|----------------|----------------| -| SC4S_PROOFPOINT_PPS_FILTER_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. If this option is used to ensure PPS sendmail sourcetype uniqueness (see above), set the same port number for this and the SC4S_PROOFPOINT_PPS_MAIL_TCP_PORT variable immediately below.| -| SC4S_PROOFPOINT_PPS_MAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. If this option is used to ensure PPS sendmail sourcetype uniqueness (see above), set the same port number for this and the SC4S_PROOFPOINT_PPS_FILTER_TCP_PORT variable immediately above. | +| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. | ### Verification diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl new file mode 100644 index 0000000..1081d60 --- /dev/null +++ b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl 
@@ -0,0 +1,61 @@
+# Proofpoint Protection Server
+{{ $context := dict "port_id" "PROOFPOINT_PPS" "parser" "common" }}
+{{ tmpl.Exec "t/source_network.t" $context }}
+# The following is an inline template; we will use this to generate the actual log path
+{{ define "log_path" }}
+log {
+{{- if eq (.) "yes" }}
+ source(s_DEFAULT);
+ filter { filter(f_proofpoint_pps_filter) or filter(f_proofpoint_pps_sendmail) };
+{{- end }}
+{{- if eq (.) "no" }}
+ source (s_PROOFPOINT_PPS);
+{{- end }}
+
+ if (filter(f_proofpoint_pps_filter)) {
+ rewrite {
+ set("proofpoint_pps_filter", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("pps_filter_log"), index("email"))};
+ parser {
+ p_add_context_splunk(key("proofpoint_pps_filter"));
+ };
+ } else {
+ rewrite {
+ set("proofpoint_pps_sendmail", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("pps_mail_log"), index("email"))};
+ parser {
+ p_add_context_splunk(key("proofpoint_pps_sendmail"));
+ };
+ };
+
+ parser (compliance_meta_by_source);
+
+
+ #We want to unset the fields we won't need, as this is copied into the
+ #disk queue for network destinations.
This can be very disk expensive + #if we don't + rewrite { + set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + unset(value("RAWMSG")); + unset(value("PROGRAM")); + unset(value("LEGACY_MSGHDR")); + groupunset(values(".kv.*")); + }; + + destination(d_hec); + +{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_PROOFPOINT_PPS") }} + destination(d_archive); +{{- end}} + + flags(flow-control); +}; +{{- end}} + +{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_TLS_PORT")) }} +# Listen on the specified dedicated port(s) for PROOFPOINT_PPS traffic + {{ tmpl.Exec "log_path" "no" }} +{{- end}} + +# Listen on the default port (typically 514) for PROOFPOINT_PPS traffic +{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl deleted file mode 100644 index 09dd410..0000000 --- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl +++ /dev/null 
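Review bot: The listen condition at the bottom of this file reads `SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT`, but the table row this commit adds to docs/sources.md names the variable `SC4S_PROOFPOINT_PPS_TCP_PORT`, without the `LISTEN_` segment every other row in that table carries; the row should read `| SC4S_LISTEN_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. |`. Separately, on the dedicated-port branch (`source (s_PROOFPOINT_PPS)`) nothing filters before `if (filter(f_proofpoint_pps_filter)) { ... } else { ... }`, so any message arriving on that port that is not a filter-log line is tagged `proofpoint_pps_sendmail` and routed to `pps_mail_log`, whereas the default-port branch admits only the two known shapes through `filter { ... or ... }`. That is presumably the intended trade-off for a dedicated port, but the one-line header does not say so; I would extend it to `# Proofpoint Protection Server: filter-log events -> pps_filter_log, everything else (including all traffic on a dedicated port) -> pps_mail_log`.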
@@ -1,52 +0,0 @@ -# Proofpoint -{{ $context := dict "port_id" "PROOFPOINT_PPS_FILTER" "parser" "common" }} -{{ tmpl.Exec "t/source_network.t" $context }} -# The following is an inline template; we will use this to generate the actual log path -{{ define "log_path" }} -log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter(f_proofpoint_pps_filter); -{{- end }} -{{- if eq (.) "no" }} - source (s_PROOFPOINT_PPS_FILTER); -{{- end }} - - rewrite { - set("proofpoint_pps_filter", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("pps_filter_log"), index("email"))}; - parser { - p_add_context_splunk(key("proofpoint_pps_filter")); - }; - - parser (compliance_meta_by_source); - - - #We want to unset the fields we won't need, as this is copied into the - #disk queue for network destinations. This can be very disk expensive - #if we don't - rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); - unset(value("RAWMSG")); - unset(value("PROGRAM")); - unset(value("LEGACY_MSGHDR")); - groupunset(values(".kv.*")); - }; - - destination(d_hec); - -{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_PROOFPOINT_PPS") }} - destination(d_archive); -{{- end}} - - flags(flow-control); -}; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for PROOFPOINT_PPS_FILTER traffic - {{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for PROOFPOINT_PPS_FILTER traffic -{{ tmpl.Exec "log_path" "yes" }} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl deleted file mode 100644 index 694f14e..0000000 
--- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl +++ /dev/null @@ -1,51 +0,0 @@ -# Proofpoint -{{ $context := dict "port_id" "PROOFPOINT_PPS_SENDMAIL" "parser" "common" }} -{{ tmpl.Exec "t/source_network.t" $context }} -# The following is an inline template; we will use this to generate the actual log path -{{ define "log_path" }} -log { -{{- if eq (.) "yes" }} - source(s_DEFAULT); - filter(f_proofpoint_pps_sendmail); -{{- end }} -{{- if eq (.) "no" }} - source (s_PROOFPOINT_PPS_SENDMAIL); -{{- end }} - - rewrite { - set("proofpoint_pps_sendmail", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("pps_mail_log"), index("email"))}; - parser { - p_add_context_splunk(key("proofpoint_pps_sendmail")); - }; - - parser (compliance_meta_by_source); - - #We want to unset the fields we won't need, as this is copied into the - #disk queue for network destinations. This can be very disk expensive - #if we don't - rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); - unset(value("RAWMSG")); - unset(value("PROGRAM")); - unset(value("LEGACY_MSGHDR")); - groupunset(values(".kv.*")); - }; - - destination(d_hec); - -{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_PROOFPOINT_PPS_SENDMAIL") }} - destination(d_archive); -{{- end}} - - flags(flow-control); -}; -{{- end}} - -{{- if or (or (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_UDP_PORT"))) (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TLS_PORT")) }} -# Listen on the specified dedicated port(s) for PROOFPOINT_PPS_SENDMAIL traffic - {{ tmpl.Exec "log_path" "no" }} -{{- end}} - -# Listen on the default port (typically 514) for PROOFPOINT_PPS_SENDMAIL traffic -{{ tmpl.Exec "log_path" "yes" }} From 86eeea6e283bbd334a834b22d53841b0aafd8e3f Mon Sep 17 00:00:00 2001 
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Fri, 6 Dec 2019 12:47:23 -0500 Subject: [PATCH 09/11] Improve CI performance and reliability (#219) Due to container network occasionally a test will fail that will work on retry this change adds flaky support with minimum 1 max 3 and improves test run time by adding pytest-parallel --- docker-compose-ci.yml | 8 +++++++- tests/Dockerfile | 5 +++-- tests/entrypoint.sh | 2 +- tests/pytest.ini | 5 +++++ tests/requirements.txt | 5 ++++- tests/test_ubiquiti_unifi.py | 16 ++++++++-------- 6 files changed, 28 insertions(+), 13 deletions(-) create mode 100644 tests/pytest.ini diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml index a699498..7566f3d 100644 --- a/docker-compose-ci.yml +++ b/docker-compose-ci.yml @@ -6,10 +6,16 @@ # #You should have received a copy of the CC0 legalcode along with this #work. If not, see . -version: "3.2" +version: "3.7" services: test: build: ./tests + entrypoint: + - /entrypoint.sh + - --workers + - auto + - --tests-per-worker + - auto links: - splunk - sc4s diff --git a/tests/Dockerfile b/tests/Dockerfile index 0bf3d12..285d52c 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -9,13 +9,14 @@ FROM python:3.7 COPY requirements.txt / - RUN pip3 install -r /requirements.txt RUN mkdir -p /work/tests RUN mkdir -p /work/test-results/functional COPY entrypoint.sh / COPY wait-for /bin/ COPY ./* /work/tests/ +COPY pytest.ini /work COPY ./data /work/tests/data #WORKDIR /work -CMD /entrypoint.sh \ No newline at end of file +CMD /entrypoint.sh + diff --git a/tests/entrypoint.sh b/tests/entrypoint.sh index 646dd56..6128096 100755 --- a/tests/entrypoint.sh +++ b/tests/entrypoint.sh @@ -20,4 +20,4 @@ echo check for splunk hec wait-for splunk:8088 -t 0 -- echo splunkhec is up -cd /work;python -m pytest --junitxml=/work/test-results/functional/functional.xml +cd /work;python -m pytest --junitxml=/work/test-results/functional/functional.xml $@ 
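Review bot: `$@` in the new `cd /work;python -m pytest ... $@` line is unquoted, so any argument containing whitespace or a glob character is re-split or expanded before pytest sees it; the conventional form is `cd /work;python -m pytest --junitxml=/work/test-results/functional/functional.xml "$@"`. The values docker-compose-ci.yml passes (`--workers auto --tests-per-worker auto`) happen to be safe, but the entrypoint is now a general pass-through and should not rely on that. In the Dockerfile hunk, `COPY pytest.ini /work` sits next to the existing `COPY ./* /work/tests/`, which already places a copy of the same file under /work/tests; pytest should pick the /work copy when run with no path arguments, so this is duplication rather than a conflict, but a short comment on the new COPY line explaining why /work needs its own copy would help.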
diff --git a/tests/pytest.ini b/tests/pytest.ini new file mode 100644 index 0000000..00b64d9 --- /dev/null +++ b/tests/pytest.ini @@ -0,0 +1,5 @@ +[pytest] +addopts = + --force-flaky --max-runs=3 --min-passes=1 +filterwarnings = + ignore::DeprecationWarning diff --git a/tests/requirements.txt b/tests/requirements.txt index 6d908dd..b530d97 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt @@ -11,4 +11,7 @@ jinja2 jinja2-time splunk-sdk flake8 -pytz \ No newline at end of file +pytz +flaky +#pytest-randomly +pytest-parallel \ No newline at end of file diff --git a/tests/test_ubiquiti_unifi.py b/tests/test_ubiquiti_unifi.py index 4eed2b2..0a69280 100644 --- a/tests/test_ubiquiti_unifi.py +++ b/tests/test_ubiquiti_unifi.py @@ -17,12 +17,12 @@ def test_ubiquiti_unifi_us8p60(record_property, setup_wordlist, setup_splunk): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) mt = env.from_string( - "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type") - message = mt.render(mark="<27>", host=host) + "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type {{key}}") + message = mt.render(mark="<27>", key=host) sendsingle(message) - st = env.from_string("search index=netops sourcetype=ubnt:switch earliest=-2m | head 2") - search = st.render(host=host) + st = env.from_string("search index=netops sourcetype=ubnt:switch \"{{key}}\" earliest=-2m | head 2") + search = st.render(key=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
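Review bot: `--force-flaky --max-runs=3 --min-passes=1` in `addopts` applies the retry policy to every test, not only the network-bound ones, so a deterministic failure is reported only after three runs and a regression that passes one run in three still goes green. The commit message attributes the flakiness to container networking; scoping the retry to the tests that actually send over the network (the `@flaky(max_runs=3, min_passes=1)` decorator from the same plugin) keeps the signal for everything else. If the blanket form is kept, a comment in the file should record the reason, e.g. `# retry every test up to 3x: container networking is intermittent in CI (#219)`, so it is not mistaken for a default later.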
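Review bot: In both hunks of tests/test_ubiquiti_unifi.py the local `host` is no longer rendered as a host: it is passed as `key=host`, embedded in the message body and then quoted into the SPL search, so the name now misleads. Renaming it (`key = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))`, `mt.render(mark="<27>", key=key)`, `st.render(key=key)`) in both `test_ubiquiti_unifi_us8p60` and `test_ubiquiti_unifi_switch_us24p250` keeps the hunks readable. The quoted `\"{{key}}\"` in the search is presumably what makes each assertion specific to its own event once tests run in parallel; a one-line comment above `st = env.from_string(` saying so would spare the next reader a guess. Both functions start above their hunks.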
@@ -37,12 +37,12 @@ def test_ubiquiti_unifi_switch_us24p250(record_property, setup_wordlist, setup_s host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) mt = env.from_string( - "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: 0") - message = mt.render(mark="<27>", host=host) + "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: {{key}}") + message = mt.render(mark="<27>", key=host) sendsingle(message) - st = env.from_string("search index=netops sourcetype=ubnt:switch earliest=-2m | head 2") - search = st.render(host=host) + st = env.from_string("search index=netops sourcetype=ubnt:switch \"{{key}}\" earliest=-2m | head 2") + search = st.render(key=host) resultCount, eventCount = splunk_single(setup_splunk, search) From 5a8e39bcac868c9541d844f1ca6c31455dce4fed Mon Sep 17 00:00:00 2001 
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Fri, 6 Dec 2019 13:42:56 -0500 Subject: [PATCH 10/11] Improve archive only use case allow disable of HEC out and archive of fallback (#217) Allow use of archive on fallback path, allow the user to disable hec out for archive only use cases --- docker-compose.yml | 2 +- docs/configuration.md | 5 +-- .../local/config/log_paths/example.conf.tmpl | 2 +- .../etc/conf.d/log_paths/internal.conf.tmpl | 10 +++++- .../p_rfc3164-checkpoint_splunk.conf.tmpl | 4 ++- .../log_paths/p_rfc3164-cisco_asa.conf.tmpl | 2 ++ .../log_paths/p_rfc3164-cisco_ios.conf.tmpl | 2 ++ .../log_paths/p_rfc3164-cisco_ise.conf.tmpl | 4 ++- .../log_paths/p_rfc3164-cisco_nxos.conf.tmpl | 3 ++ .../p_rfc3164-forcepoint_webprotect.conf.tmpl | 2 ++ .../p_rfc3164-fortinet_fortios.conf.tmpl | 3 ++ .../log_paths/p_rfc3164-juniper_idp.conf.tmpl | 3 ++ .../p_rfc3164-juniper_junos.conf.tmpl | 2 ++ .../p_rfc3164-juniper_netscreen.conf.tmpl | 2 ++ .../log_paths/p_rfc3164-juniper_nsm.conf.tmpl | 2 ++ .../p_rfc3164-juniper_nsm_idp.conf.tmpl | 2 ++ .../p_rfc3164-microfocus_arcsight.conf.tmpl | 2 ++ .../p_rfc3164-paloalto_panos.conf.tmpl | 2 ++ .../p_rfc3164-proofpoint_pps.conf.tmpl | 2 ++ .../p_rfc3164-ubiquiti_unifi.conf.tmpl | 3 ++ .../log_paths/p_rfc3164-zscaler_nss.conf.tmpl | 2 ++ .../p_rfc5424-noversion_cisco_asa.conf.tmpl | 2 ++ ...rfc5424-noversion_symantec_proxy.conf.tmpl | 2 ++ .../p_rfc5424-strict_juniper_junos.conf.tmpl | 5 ++- .../p_rfc5424_epoch-cisco_meraki.conf.tmpl | 2 ++ package/etc/conf.d/log_paths/zfallback.conf | 14 --------- .../etc/conf.d/log_paths/zfallback.conf.tmpl | 31 +++++++++++++++++++ .../local_config/log_paths/example.conf.tmpl | 2 +- 28 files changed, 96 insertions(+), 23 deletions(-) delete mode 100644 package/etc/conf.d/log_paths/zfallback.conf create mode 100644 package/etc/conf.d/log_paths/zfallback.conf.tmpl diff --git a/docker-compose.yml b/docker-compose.yml index 082040f..d1e1558 100644 
--- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,7 +6,7 @@ # #You should have received a copy of the CC0 legalcode along with this #work. If not, see . -version: "3.2" +version: "3.7" services: test: build: ./tests diff --git a/docs/configuration.md b/docs/configuration.md index 588a783..378f505 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -15,11 +15,12 @@ and variables needed to properly configure SC4S for your environment. | Variable | Values | Description | |----------|---------------|-------------| -| SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (threads). Set this to the number of HEC endpoints up to a max of 32. | -| SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | +| SC4S_DEST_SPLUNK_HEC_GLOBAL | yes | Send events to Splunk using HEC | | SC4S_DEST_SPLUNK_HEC_CIPHER_SUITE | comma separated list | Open SSL cipher suite list | | SC4S_DEST_SPLUNK_HEC_SSL_VERSION | comma separated list | Open SSL version list | | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | +| SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | +| SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (threads). Set this to the number of HEC endpoints up to a max of 32. | ## SC4S Disk Buffer Configuration diff --git a/package/etc/conf.d/local/config/log_paths/example.conf.tmpl b/package/etc/conf.d/local/config/log_paths/example.conf.tmpl index 6a68b45..6eae6a3 100644 --- a/package/etc/conf.d/local/config/log_paths/example.conf.tmpl +++ b/package/etc/conf.d/local/config/log_paths/example.conf.tmpl @@ -55,7 +55,7 @@ source (s_LOCAL_EXAMPLE); # Send it to Splunk - destination(d_hec); #--HEC-- + destination(d_hec); # Note: We normally do not use the "final" flag; this will allow another plugin to be created that will # forward events to another system 
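Review bot: The example in package/etc/conf.d/local/config/log_paths/example.conf.tmpl now emits `destination(d_hec);` unconditionally, while every built-in log path in this commit wraps the same line in the `SC4S_DEST_SPLUNK_HEC_GLOBAL` gate, so a user who copies the example for an archive-only deployment still ships events to HEC. The second copy of the example, package/etc/local_config/log_paths/example.conf.tmpl later in this commit, has the same gap. I would wrap the line the same way, with a per-path override name following the commit's pattern: `{{- if or (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes" | conv.ToBool) (getenv "SC4S_DEST_LOCAL_EXAMPLE_HEC" "no" | conv.ToBool) }}` / `    destination(d_hec);` / `{{- end}}`. The enclosing `log {` block starts above the hunk.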
diff --git a/package/etc/conf.d/log_paths/internal.conf.tmpl b/package/etc/conf.d/log_paths/internal.conf.tmpl index c751b9e..4373f5c 100644 --- a/package/etc/conf.d/log_paths/internal.conf.tmpl +++ b/package/etc/conf.d/log_paths/internal.conf.tmpl @@ -16,7 +16,11 @@ log { value("MESSAGE") flags("utf8" "global") ); }; - destination(d_hecmetrics); #--HEC-- + + {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_INTERNAL_METRICS_HEC" "no") | conv.ToBool) }} + destination(d_hecmetrics); + {{- end}} + } else { {{- if eq (getenv "SC4S_DEBUG_STDOUT" "yes") "yes"}} @@ -24,7 +28,11 @@ log { {{- end}} rewrite { r_set_splunk_dest_default(sourcetype("sc4s:events"), index("main"))}; parser {p_add_context_splunk(key("sc4s_events")); }; + + {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_INTERNAL_EVENTS_HEC" "no") | conv.ToBool) }} destination(d_hec_internal); + {{- end}} + }; }; {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl index 2fa996f..1f5c620 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl @@ -69,8 +69,10 @@ log { unset(value("LEGACY_MSGHDR")); groupunset(values(".kv.*")); }; - +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_CHECKPOINT_SPLUNK_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CHECKPOINT_SPLUNK") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl index 2506ca5..a07d6a1 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl 
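Review bot: The new gate in internal.conf.tmpl converts its right operand twice, `conv.ToBool (getenv "SC4S_DEST_INTERNAL_METRICS_HEC" "no") | conv.ToBool`, while the left operand is converted once, and the same expression is copied into every `destination(d_hec)` gate in this commit (the checkpoint hunk here and the hunks through the zfallback file). I would write both sides the same way and use the prefix form: `{{- if or (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes" | conv.ToBool) (getenv "SC4S_DEST_INTERNAL_METRICS_HEC" "no" | conv.ToBool) }}`. Go text/template's `or` is a function that takes its operands as arguments, which is how the listen-port condition in p_rfc3164-proofpoint_pps.conf.tmpl spells it (`or (or ...) (...)`); whether the gomplate build in use accepts the infix `(A) or (B)` form is not visible here, so a render check with `SC4S_DEST_SPLUNK_HEC_GLOBAL=no` and one per-source override set to `yes` is worth doing, since that case exercises the right operand and is the one this commit introduces.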
@@ -32,7 +32,9 @@ log { unset(value("LEGACY_MSGHDR")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CISCO_ASA_LEGACY") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl index c47fcd9..554277b 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl @@ -35,7 +35,9 @@ log { groupunset(values(".cisco.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_CISCO_IOS_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CISCO_IOS") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl index 5f1bfb9..cca9afd 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl @@ -84,7 +84,9 @@ log { groupunset(values("ISE.*")); }; - destination(d_hec); +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_CISCO_ISE_HEC" "no") | conv.ToBool) }} + destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CISCO_ISE") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl index 458ada4..fd7a8b4 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl 
@@ -34,7 +34,10 @@ log { unset(value("LEGACY_MSGHDR")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_CISCO_NXOS_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CISCO_NXOS") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl index 5c000ba..b35e857 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl @@ -33,7 +33,9 @@ log { unset(value("LEGACY_MSGHDR")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl index 6fe1189..1be63f1 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl @@ -51,7 +51,10 @@ log { groupunset(values(".kv.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_FORTINET_FORTIOS_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FORTINET_FORTIOS") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl index c1dc820..761a8c0 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl @@ -36,7 +36,10 @@ log { groupunset(values(".kv.*")); }; + +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_JUNIPER_IDP_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_JUNIPER_IDP") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl index 6185a34..d461e5e 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl @@ -50,7 +50,9 @@ log { unset(value("LEGACY_MSGHDR")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_JUNIPER_JUNOS_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_JUNIPER_JUNOS") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl index 9d6116f..b735a73 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl @@ -34,7 +34,9 @@ log { unset(value("LEGACY_MSGHDR")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_JUNIPER_NETSCREEN_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_JUNIPER_NETSCREEN") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl index 404781d..5571ba0 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl @@ -35,7 +35,9 @@ log { unset(value("LEGACY_MSGHDR")); }; + {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_JUNIPER_NSM_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_JUNIPER_NSM") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl index 0383731..bb717e0 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl @@ -32,7 +32,9 @@ log { unset(value("LEGACY_MSGHDR")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_JUNIPER_NSM_IDP_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_JUNIPER_NSM_IDP") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl index 549b939..db6cd6a 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl @@ -80,7 +80,9 @@ log { groupunset(values(".cef.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl index 71335e2..05c45ad 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl 
+++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl @@ -84,7 +84,9 @@ log { groupunset(values(".pan.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_PALOALTO_PANOS_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_PALOALTO_PANOS") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl index 1081d60..78f234c 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl @@ -42,7 +42,9 @@ log { groupunset(values(".kv.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_PROOFPOINT_PPS_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_PROOFPOINT_PPS") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl index 226b310..55bd6a7 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl @@ -117,7 +117,10 @@ log { unset(value("LEGACY_MSGHDR")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_PROOFPOINT_UBIQUITI_UNIFI_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_UBIQUITI_UNIFI") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl index c9de545..47a77c1 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl 
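Review bot: The per-source override in the ubiquiti_unifi hunk is named `SC4S_DEST_PROOFPOINT_UBIQUITI_UNIFI_HEC`, a copy-paste from the proofpoint path just above it; every other hunk follows `SC4S_DEST_<VENDOR>_<PRODUCT>_HEC`, so this should be `SC4S_DEST_UBIQUITI_UNIFI_HEC` — as written, the name a user would reasonably set never matches. The strict Juniper path later in the commit similarly uses `SC4S_DEST_JUNOS_STRUCTURED_HEC` without the `JUNIPER_` vendor segment that `SC4S_DEST_JUNIPER_JUNOS_HEC` carries. The docs/configuration.md hunk documents only `SC4S_DEST_SPLUNK_HEC_GLOBAL`; the per-source names are discoverable only by reading the templates, so a row describing the `SC4S_DEST_<VENDOR>_<PRODUCT>_HEC` override pattern belongs next to it.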
+++ b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl @@ -73,7 +73,9 @@ log { groupunset(values(".kv.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ZSCALER_NSS_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_ZSCALER_NSS") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl index 98e3b78..a7f069c 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl @@ -31,7 +31,9 @@ log { groupunset(values(".kv.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CISCO_ASA") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl index a9f881e..855d390 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl @@ -34,7 +34,9 @@ log { groupunset(values(".kv.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_PROXY_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_PROXY") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl index cc2d052..40bce61 100644 
--- a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl @@ -52,9 +52,12 @@ log { groupunset(values(".kv.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_JUNOS_STRUCTURED_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} + -{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CHECKPOINT") }} +{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_JUNOS_STRUCTURED") }} destination(d_archive); {{- end}} diff --git a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl index 149fb4b..18a37b4 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl @@ -31,7 +31,9 @@ log { groupunset(values(".kv.*")); }; +{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_CISCO_MERAKI_HEC" "no") | conv.ToBool) }} destination(d_hec); +{{- end}} {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_CISCO_MERAKI") }} destination(d_archive); diff --git a/package/etc/conf.d/log_paths/zfallback.conf b/package/etc/conf.d/log_paths/zfallback.conf deleted file mode 100644 index 478ff31..0000000 --- a/package/etc/conf.d/log_paths/zfallback.conf +++ /dev/null @@ -1,14 +0,0 @@ -log { - source(s_DEFAULT); - - rewrite { - r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"), template("t_JSON")); - set("$(template ${fields.sc4s_template} $(template t_JSON))" value("MSG")); - }; - parser { - p_add_context_splunk(key("sc4s_fallback")); - }; - - destination(d_hec); #--HEC-- - flags(flow-control,fallback); -}; diff --git a/package/etc/conf.d/log_paths/zfallback.conf.tmpl b/package/etc/conf.d/log_paths/zfallback.conf.tmpl new file mode 100644 index 0000000..0f36b1f 
--- /dev/null
+++ b/package/etc/conf.d/log_paths/zfallback.conf.tmpl
@@ -0,0 +1,31 @@
+log {
+ source(s_DEFAULT);
+
+ rewrite {
+ r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"), template("t_JSON"));
+ set("$(template ${fields.sc4s_template} $(template t_JSON))" value("MSG"));
+ };
+ parser {
+ p_add_context_splunk(key("sc4s_fallback"));
+ };
+
+{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
+ destination(d_hec);
+{{- end}}
+
+
+ #in fallback archive only write rawmsg as msg
+ rewrite {
+ set("value(RAWMSG)" value("MSG"));
+ unset(value("RAWMSG"));
+ unset(value("PROGRAM"));
+ unset(value("LEGACY_MSGHDR"));
+ groupunset(values(".kv.*"));
+ };
+
+{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
+ destination(d_archive);
+{{- end}}
+
+ flags(flow-control,fallback);
+};
diff --git a/package/etc/local_config/log_paths/example.conf.tmpl b/package/etc/local_config/log_paths/example.conf.tmpl
index 0f12886..6f75c8e 100644
--- a/package/etc/local_config/log_paths/example.conf.tmpl
+++ b/package/etc/local_config/log_paths/example.conf.tmpl
@@ -53,7 +53,7 @@ log {
 # Send it to Splunk
- destination(d_hec); #--HEC--
+ destination(d_hec);
 # Note: We normally do not use the "final" flag; this will allow another plugin to be created that will
 # forward events to another system
From f7e299ecde11fb25d6e65df8653b03b4e30fe305 Mon Sep 17 00:00:00 2001
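Review bot: In the new archive-only rewrite block of zfallback.conf.tmpl, `set("value(RAWMSG)" value("MSG"));` looks wrong: syslog-ng's `set()` takes a template as its first argument, and `value(RAWMSG)` contains no macro reference, so MSG would be set to that literal text rather than to the raw message the comment above it describes — `set("${RAWMSG}" value("MSG"));` is presumably what was intended. The HEC override variable `SC4S_DEST_ARCHIVE_HEC` also departs from the `SC4S_DEST_<SOURCE>_HEC` naming the other hunks in this series use and from `SC4S_ARCHIVE_FALLBACK` later in the same file; `SC4S_DEST_FALLBACK_HEC` would be consistent and easier to document. Note as well that with `SC4S_DEST_SPLUNK_HEC_GLOBAL` false and no archive enabled this log path renders with no destination at all, so events that matched no filter are discarded silently; a comment such as `# If HEC and the archive are both disabled this path has no destination and fallback events are dropped` at the top of the log block would make that consequence visible to operators.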
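Review bot: Dropping the `#--HEC--` marker leaves example.conf.tmpl with an unconditional `destination(d_hec);`, while the packaged log paths in this series now gate HEC on `SC4S_DEST_SPLUNK_HEC_GLOBAL` plus a per-source override. Since this file appears to be the starting point for locally built log paths, a path copied from it would keep delivering to HEC even when HEC is disabled globally; either wrap the destination in the same conditional the packaged templates use, or add a comment such as `# Wrap this destination in the SC4S_DEST_*_HEC conditional used by the packaged log paths if HEC must be switchable` so the omission is deliberate. The enclosing `log { … }` block starts and ends outside the hunk.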
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Fri, 6 Dec 2019 20:24:28 -0500 Subject: [PATCH 11/11] Improve docs by creating a nav tree for sources (#220) * Improve table of contents * Split sources.md by vendor * new theme --- .readthedocs.yml | 7 +- .../index.md} | 26 +- docs/logo.png | Bin 0 -> 34258 bytes docs/sources.md | 1089 ----------------- docs/sources/Checkpoint/index.md | 63 + docs/sources/Cisco/index.md | 236 ++++ docs/sources/Forcepoint/index.md | 52 + .../Fortinet}/FortiGate_event.png | Bin .../Fortinet}/FortiGate_traffic.png | Bin docs/{ => sources/Fortinet}/FortiGate_utm.png | Bin docs/sources/Fortinet/index.md | 108 ++ docs/sources/Imperva/index.md | 53 + docs/sources/Juniper/index.md | 207 ++++ docs/sources/Microfocus/index.md | 99 ++ docs/sources/PaloaltoNetworks/index.md | 63 + docs/sources/Proofpoint/index.md | 53 + docs/sources/Symantec/index.md | 51 + docs/sources/Ubiquiti/index.md | 75 ++ docs/sources/Zscaler/index.md | 69 ++ docs/sources/index.md | 7 + mkdocs-requirements.txt | 1 + mkdocs.yml | 44 +- 22 files changed, 1196 insertions(+), 1107 deletions(-) rename docs/{gettingstarted.md => gettingstarted/index.md} (94%) create mode 100644 docs/logo.png delete mode 100644 docs/sources.md create mode 100644 docs/sources/Checkpoint/index.md create mode 100644 docs/sources/Cisco/index.md create mode 100644 docs/sources/Forcepoint/index.md rename docs/{ => sources/Fortinet}/FortiGate_event.png (100%) rename docs/{ => sources/Fortinet}/FortiGate_traffic.png (100%) rename docs/{ => sources/Fortinet}/FortiGate_utm.png (100%) create mode 100644 docs/sources/Fortinet/index.md create mode 100644 docs/sources/Imperva/index.md create mode 100644 docs/sources/Juniper/index.md create mode 100644 docs/sources/Microfocus/index.md create mode 100644 docs/sources/PaloaltoNetworks/index.md create mode 100644 docs/sources/Proofpoint/index.md create mode 100644 docs/sources/Symantec/index.md create mode 100644 
docs/sources/Ubiquiti/index.md create mode 100644 docs/sources/Zscaler/index.md create mode 100644 docs/sources/index.md create mode 100644 mkdocs-requirements.txt diff --git a/.readthedocs.yml b/.readthedocs.yml index 2880d22..aae9256 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -9,4 +9,9 @@ mkdocs: formats: all submodules: - exclude: all \ No newline at end of file + exclude: all + +python: + version: 3.7 + install: + - requirements: mkdocs-requirements.txt \ No newline at end of file diff --git a/docs/gettingstarted.md b/docs/gettingstarted/index.md similarity index 94% rename from docs/gettingstarted.md rename to docs/gettingstarted/index.md index e113881..bb432e9 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted/index.md @@ -1,4 +1,6 @@ -# Getting Started +# Before you start + +## Getting Started Splunk Connect for Syslog is a containerized distribution of syslog-ng with a configuration framework designed to simplify getting syslog data into Splunk Enterprise and Splunk Cloud. Our approach is @@ -6,7 +8,7 @@ to provide a runtime-agnostic solution allowing customers to deploy using the co environment of choice. -# Planning Deployment +## Planning Deployment Syslog is an overloaded term that refers to multiple message formats AND optionally a wire protocol for transmission of events between computer systems over UDP, TCP, or TLS. The protocol is designed to minimize @@ -24,11 +26,11 @@ environment. * Plan for appropriately sized hardware (see)[performance.md] -# Implementation +## Implementation -## Splunk Setup +### Splunk Setup -### Create Indexes +#### Create Indexes SC4S is pre-configured to map each sourcetype to a typical index. For new installations, it is best practice to create them in Splunk when using the SC4S defaults. SC4S can be easily customized to use different indexes if desired. 
@@ -42,7 +44,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes * netipam * em_metrics (ensure this is created as a metrics index) -### Install Related Splunk Apps +#### Install Related Splunk Apps Install the following: @@ -50,7 +52,7 @@ Install the following: * [Splunk Add-on for Infrastructure](https://splunkbase.splunk.com/app/4217/) * [Splunk Metrics Workspace](https://splunkbase.splunk.com/app/4192/) *NOTE Included in Splunk 7.3.0 and above* -### Configure the Splunk HTTP Event Collector +#### Configure the Splunk HTTP Event Collector - Set up the Splunk HTTP Event Collector with the HEC endpoints behind a load balancer (VIP) configured for https round robin *WITHOUT* sticky session. Alternatively, a list of HEC endpoint URLs can be configured in SC4S (native Syslog-ng load balancing) if no load balancer is in place. In either case, it is @@ -61,14 +63,14 @@ event destinations. or [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) for specific HEC configuration instructions based on your Splunk type. -## Implement a Container Runtime and SC4S +### Implement a Container Runtime and SC4S -### Prerequisites +#### Prerequisites * Linux host with Docker (CE 19.x or greater with Docker Swarm) or Podman enabled, depending on runtime choice (below). * A network load balancer (NLB) configured for round robin. Note: Special consideration may be required when more advanced products are used. The optimal configuration of the load balancer will round robin each http POST request (not each connection). -### Select a Container Runtime and SC4S Configuration +#### Select a Container Runtime and SC4S Configuration | Container and Orchestration | Notes | |-----------------------------|-------| 
@@ -78,7 +80,7 @@ Splunk type. | [Docker CE + Swarm single node RHEL 7.7](gettingstarted/docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring Docker Compose or Swarm orchestration | | [Bring your own Envionment](gettingstarted/byoe-rhel7.md) | Option for RedHat 7.7 (centos 7) with SC4S configuration without containers | -## Offline Container Installation +### Offline Container Installation Follow these instructions to "stage" SC4S by downloading the container so that it can be loaded "out of band" on a host machine, such as an airgapped system, without internet connectivity. @@ -116,7 +118,7 @@ attempt to obtain the container image via the internet. Environment="SC4S_IMAGE=sc4slocal:latest" ``` -# Scale out +## Scale out Additional hosts can be deployed for syslog collection from additional network zones and locations: 
diff --git a/docs/logo.png b/docs/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..fe6f098044f72325e8617c57dc11a8b10fade08c GIT binary patch literal 34258 zcmeFZbyQYS_doa$(g=cdcXxL;NOyO4H%Lh%DGfe!NFxnOBi#*>($dm%LBBC;{{F2s zYvy$k5BHw4&ptap`-G87@1&3sa1lTt5VDN4xC#gaDGPiv!odJfge9qFKp-SaYcVk; z88ILDJiXw(R#^{uh5h+eXpLh3R*SIZn>ajQO_I5Lb00Kdj90@hiOJ@-gDs5?+fQxBJY_fNWbg^ruqz6G zU#Df8EssO zf~4sD!CA=Pg)#4$QsU9#hEqX=VzKMR3p~uT^z&x^LVKUex_M1dSrV{iktlV3wlr}a zM@Dp)Gug#8;T;R&&vE&FM;C?t`Q|5Yev*@KOP=t(*p@sh1g~+-H?f7nfLsEH*X_KU zk4;z?DE^yBdRX%to9prcO(b!}kUv*yJkS--DpHbH`Eu8hksa2?FNwp2o zUiveN?GC8#Ni~73uA7HH<0 zg!2R0Mz|N5h%`4^2ssIjG%u-m!GN9_i^}_CQj7u40?Zo%o|r7*Q8I!7`z?~mkTyxd zd~8_>4rTvoe1hnf`~WL#+=zD)Qxo{?L=57ZdD~VPEqM0Aig{QQ2Ub+KkVpNXq8Jut zvSCcuZpdnCdK|g#o_W6tY`X5UYM%-m!M$=Vs@Z7&o=9#2%Z)~-_VA5UZrHJJyPH2w z5&WoDgL1!DZJ?YA-qQt3j+4!!^25=8Cl}>4rp*7KBsnj_EzXU+mhJGJkM!dJu@0*K z&(<{YVd7B|Mk)u=V+ukl57gEV59DYv5oTg%q!J(J3-napSVLKJ?P2dBlxALt$Y>8L z4Jy-U(P+z*sO6~@)ywUbOkxxk%R-rP)Z#3J;7jZzS|({GmJg0>{n&Ci14(3?h@5`z zQD&u%rru8W8L}P{7{W6*H#ar++>RWA+zuPs9=b~&qY+Yjl%C1cQH3f|Em7G=utC1$ zzT~__j+JC9zL`w4Zm!3u*IATVgj$5fXo<>3kP9oX6)sdM6xog%l2flOOE1gaXP@z# zVV!|0OH=oq8L-*0fv~Y_xUosGiI{OHyDXoYA(#eF*UhArpQs2`J<5j^7=L+F@NI^A zdj5;E3OG7$Lg5#L+iQQ8_Kbjx)k>M^`f)RB3#(MC;|aT|!>P$}+~Slx4!LrbgAW>1 zP^O>Qv|{M{Wcvd8ko$_2Z^8GHr;-eK>O%WNCD)7K2LA@{#ok5VhAP{@N#lL!J+u9a zS?lTMs^|lqgLl)}rLEf6^$sUiBNI7b9&ohO36Z}P%1qsC^h753tNux%L1#yBz=sa$ zz>r6o2Lq_^;3|>uZ#p4h7=ds%F-NiBpE}*9;bZAK@YN z*p2Lr@g4Py+UEXr!1wlykdK&E%9P9GmgZZB?&(eOPVrfov2n3=Ecn#bS)7b845N>v zed5XxsvB=K(%#aY)?ThF(7x5$(bCX1s3X;B);8C%ueJFqS(#mVGn+D-X0L>Yg%>3z6gW7!|j;Mq7$bdSoRh)E^8S5q?~KHu z%E{!W&3?v4%fw|-W|40FlFL`uV`$I7>sQAN$3y~p{4N4lzV}Dg2kCpwKh77tqEFjS zXEs~gV%p~omfCpR(^qL$b=&#;WBld?)dl1I6#SYy`22EjwQtP-99{YDIi4_G32i+I zc99twbe#&*Gm}?yS2IYHQ45xk{t~HncJgu3cQX9oI*^sHnIAe{JwB7qrF~2Px;%A; z>zn)cHu&Q2CB`+z7{>A6E4zDtj=Ztz3H`wF=9+YbH0)!nGI10}1Lb}|y@cDl3nKJL zbTF01J3q8dR5q?1J9+^RpTjTnp3aZXbeqS0x_xq+y69@?MdZ_zZHh?p^a_Vr>>iVC 
zGFVA&NzgJ1g9TfmTLgm-Ng1{~?<^IC5=5nC zwNvKcNMKc%iHN((Qr_PY5`+J@Rt*w8HqKNSkfaUV?D9W4B?5E?-leX@To z7{ONT{$*lW!j)+BJoBr)AghpjzyV~^t1!eCtZ@3}<`1>ht`oVhu3iSxybYPrj z($kv1lpA1jm!Or{_?#)npJt~W#e_j`ue(!k*IirHyS#x&aYbQHk(=h4YWQd7=iHeg ztY$%_mF`}x%Q@`^?awm2a(|5zdUd7|rXwBnnj&KcSNqe&uLng{e1@D~?0)zR`Rv_} zp8Y;6LN3D7u>Yg?t*Xgj&#>7OyxM1ux8}Iv&{DhL>H2{Az(AoZXpdpn-oRj{E0*G| zzTmNO)pn#JWg0Ev5&X(7+?~q^pKu5P#&T(#txBi{ZT%GUG@s&WZ zZ^pj;!Pg`6Lxu&|E17G7CxPv2yu0qJuY^u~N`d2t>wRJuV!g=H-G|{Fk^!ccsw%4e zKj9;EGX*kH9*nQ06rz>ow%=5e(Z#F8VGi(aO`h{#9%6 zbuW>d;NktRtJA~c9z{i1ivUW0#wU}@!W-N9Ip2_lkPyTY-I|s~-J|yk|vtmO9zB*1@ zm%8D)|LH7_nvvcB6b|rC(%P;d5GKX*H-wA|`EL*iBHLO`%S}r`p4ZgTp3&IM(Zrn5 z%ialS4Fd6d@d6+1&E1TNz3lBATzS0&NMBm;0-v8BGm#R%G;y;PAk|V(A{KLWF(>9= zWM^b16+|E=CgyiBv*1+`m;Bcq_)CD)%FWG*mx;;K)05GYjnUD?l8J?fhlh!om5G&= z0cgSC>h0iW?8V^VO7@q?f6);)cQtjfc5<_JbRd4FYi#1^?j}G=`aIBo|NG0QxtI0- zjO5_@Z(6_vnV#P;u`n_-{Woo(EC2ITUL|WUb2}|@YkPACS6~c54sK5Vm-hdUH~%x@ z|LUpzzj|_T|L>mv>&?HO{7lai_+JzHE3KEOfVcz^_?iA&^nwVMWC}`vHt?;*71e;> zkk6_C6o&=;p#J;&`7`6&;f`%m5Qt%2MqEVA3*s;vB|&{AdsngZQOZE?|@1J;K*yhc7d53zmnnIIp({aIK=_}bO+_EX@DtVtdzQAW&DdT}(IWy}> zqM4^T4;y_BFLg%LC$|}w6rrdIuDj-B=O;Yr@IAT7zB_3fE8q7ySrOXJTHC!A*bTVr z@Ex;PlC?gG$ATsXLBI)vAW?&aUj@UQ@JW_JA{dhV*Rvo+5IFSp|1<$X#HfI1B>D_IRaRb0OH26b z!&vtkA0OW!^Ivyar-r<{I#PA)d}#DJAK{wOb!_LjFnIJ{YP8=kOfyiqyFL-J5$c$x z3jU5=_=ZffgvWKKgel-OS}c&wa#XEQrBtv^a{46}Cr}4puLT+koDZ|@mlo&X-Y&Jc z+kU=O_6mUCTBN>_v^rjH-p{c8qKt^esCIO8bVDKY<0Wo)X+w4>-%i8_6x`n3&0HNV zWydCU#Ze^4fv1<3D{gOZr$@NfDvA^`J?zT0A^&EAfuNwLx|PKS+Zh7S<@|u_);05S z$TIm%;V&^Nrl#PQvmv?}&(1r2_p?E&;*s~a{}RMUIIGGTvUq-0w>F=f?KHBZZpmKq z1U#_YgalS82AxL9)H}Y)Pvq7dFVdMNfOvX;LiG4M!e*h?TnsC0jv$B^j@uRNwh>8H z=6l>MrSG#>=pK}b`jQ8`Bp`jS4sm!}w}{5>b9cR(#faI!)8pfLm`ny0$1MkpjFTQx zisH{R$om4%|8##Y#zp+_c->iL`*;c9(YC6W9)o+L6o=x;BQP*^>iGB=a`W@v-*JPz zppQGB9`kKo9%x>9VZ;m5N)8HzTpZSo(LPyn8T@PHL-zaOB+zihYcuu|vl0E2(ji$g zp0G0D;lQvQhs}Z;B8K=MbCl5c#R|*byV;bjwTj`;XdJSS@=FJ^m8w{Ve$L?}Dt|>T zOzaE!sOXqx7;rNlv%2s#98;Vkp+xz1^}3_D<2?IB+#YdBl8b# 
zgrKMLh$rT&oAcdrM8+oJ?7+txo2`M5kx9RwYOW8?PT+P^0wEuJUe7-6jAkEf3oXp8 zujd_~oXi0ZS3m2JiA4P)C&vh0jy(uwa=Od8pP;yXH^Js4_qQ2}nZX`Y$DhwvqYlpa zb-zT=CZpQl{o-*w5UT-q>7$+~+~CuUEieGU}DI zXNIBi^!Xpz8oH)tl38XSVi&TFa+AG*5I7qkTNHY=4`;WrF8m&59E3|<0y8Rbt=Dcj zMtIQQqL9g%AL(cNJx*Dt!6wE1l>d6!)u-pf8#wAUNK&CKSmeCmmWeKkG`-Iccu{tp zMT)rwTu6vs8)6R0IyyQRttTC}>Rd}-9p_g0<>4YAu#o|tf?!+Ia{i9wUe7f0xAoO?|uMzJ*j7)t^2LFlNFyt)!=H2}4 zK`htm_+zLc=b{A8+46VPa6q_u!TY#>Zs$534#v6EMuFHjTr>8bN=CS9<`rtgXPG2Q zZHy=(GMnj^g?FiZf4-qSk7M*DSf#X}eK$jg4@U6u&nEtp9=oijo^u$-$3JX&jg5_@ z$$ki7Z3$Swe8+{uV7_$R+SvAYd9Hd#93<2J+36X`Y_%2&+WwKIi$0j`xhg|7Tr53+ z=q>WBZMBIYp|FuJ`mGfNu&u4FKlQ>~`@&@`k^^q1a&^!Lcy_ZwgwLo@T}0o#2#14x zU8rDX*7ouKruxe_Ub1d-Hd&^&-|sQ}|I}rly*1ZnWJN>G<_*lw$VxzGPxuUT54*JJ zfy9nV;X_sZ@1cp>Vf4C*RO}on~2~T$&C| zwCEu!DjvlcNY{E081FeVRU}K0{ELM3aBdzRWx>G^bTgF(?K%wFwLP-hZ%raVl7p|M zWP_grZ!j-Kkg^NkDK^E|b2+z{ehJJ#q4Yh7jgb(X>QUU}d@RmnF z-?B(Z(b~$&f?8v>b>7Nz(9LSx?6(%Z9MJ zzlN{n&%s%inuXMT;Pnxg%R&CIvEzD_Z-0=AP*ceFP`TlBZmf)JEkMe;(ljlp zp8!{2>QDM!u6lcWyUkBS2DM^^Z2a={llJq}#os+b<*<)?BA0$3JDRmeT4q_H* z(0!a*HY>kT51u8Ydg(02O?_qPgYPVVSDPvsEo!NzBe3sZ7qVCH&LQtP8E|#kK)Ydk#!^$D{g81hy!K-jZBe&AImH?L}$2uf%eX0@O-Se$6! 
zi)<}FIYr6X@T2IVUQu&*%j1cq4cwR3?JM@~SoJwg-yO3d$}g0T2F;Wj ze%p9d*2%x1ZtycV_UQ(Xp64r$X>?;maTD`A-$)Uoowiqr$wf^kaTir%G#vYD$IB@u zF&63qi=CfQEv)ai_ADR>7wKr8Ia+H}C9f=zf{X{CUrP=op;_w8L{<(QQtVZ!tuH5;0XR?nmOi;ZjY7&L$4{*1x& zoM)CKFxMxRf-UT z$$x~Tyjz>s8^}$e0Dx0IauOZbyhGKE!r zYh>6bS&EhU`4Xx6hCO(F^h-^jy9?8U+jet>= zC2`d_*^&-fgQHsi>1|vJ3chZP)8NG*I_ZpIY@}EEHCvHAy44RrhqXizJ-4z~!=f_* zA<8ZWT(zLE&C8!FFSZ4XRZ2476c9@|F{$Q`8adSnbJCJx`PG510&xmusnG%Ts|2g+ zMa|J_`B=JlnRBMB0>ka3B@@6>;^@1E zAbwo%Jsc%i*+=3{JcVo6EA z{D#AJQQVcxXm2;)k>NJc8}EI9=f*WNV^|>nN$Rp4M1B4Vz z%YtU(PASDiEBt$&y>3D}fR z$ysBa^umay%Svya!-E-AWq_znG!t9QIdD#$0qvBV^rARy_!v;?<#@P zp7(gBUjWJ8o-i|Z0K`7*?B>YD9UQi&BtiSd(w5d%-FQ4c4Nte2S^L%DRR#tIu{yuB zwn5s5^iFW9rfq9;`&^hz!_MvKl?B~V$xPpn`^b^0O{0vj#`$B4=K)ZnjaM@4HB|W@ z_9S?`s*2+yDO{$eQFvBE*|ht|e-_xap3k_7`>cjZk=~2hUu4>=m92e6LQL`O$3qVk zNhHUM%{=Z&?8}d5h#x(V{8ZOGekl0tZ^^7~n&PtAsD^MhqdvKuC^J48J9%dPQ#0DkVa-*<;|swCly_c^np}*^pR;}wX!54MjgicN(mNk4udij6wprv@E{1b_#fL_@A$k_S z4KI7F>uk(;tY(g*Xz*(}WXneHf>NBxp^nT~9Drb9nnT}}_mk<^NCEwim>pvZ-e=>JW_7l9EhfN%pXitt*uH_@#RRRJ%S$q@;p2;(18u}&A zr_chyv;E?^su?PGPj#NAp@rDD@^K~YKhp5f?j2_=9FnMQ_YZGAx_X(3#cR(<6>oJ@ z&zKTPi{f3XP)f=O!tCnN)q>)Y{Av}SozO1YuCMJ?Z75~SwSj==6^;gS(qWgDceX-@ zi?uGERLb16jT`0heC~31`gS+<4a=-95jSm>yWPD4w^4HVT~*ylZI>MZ%5(JjX?er9jeSal{@(AcSCMO8eqNG@jm-d#+wiaA$M?+G@oM0fV63K z0QUkcX;=arRtp+@h2W+>A8GH?E(SXlR5Oln_#)#xM%6mN9ON{9Ny|a zc97b7-|?38V`mfsmVyIYXMfO=u{=4Tu;^~b>E&d91PJIdR}suUJhv^#j8AsbtrPPY zryMm}mUo-@%F55Jbp8#1cf@oyY_0j;3DrODMICPM9T==kz73=e=6Qbu-am>-OfU80 z+sF>S;gk&!a&15<;0SNhLXj-R?q>?VGJ{y;6@Rt@RJg8RcGBgRpB!`pzE)o7GFnO< zej0xL2%Fh%e-J)@S(weFd&%)No@HpJ;7iN<7kzbp<+X_pl_Cx@zr!v&qb$h>YzWTC|xom?E`?O zIJ=Bs)dqHi{Hha^ypCu7-ahj;5ca!`s`Cyu1}JhC6T?cfx)lqq z0~p~q$(j!;4Pp`(piIG!Tbx;76Wqe?TUsX~ZhW!O$M22ZJ_3K@lzB5ELT(dYQS&CI z9KFEr`0w}&g0f>L+Id9Uo%!@r)&Vh(==kTYM4p5TfZFwVCkpDOLiE^p2mFJe@Egr-Kgck;_;crtN=LvGi~ zb&(l~nM6m!mzuisz*RaO+(j~HuA8aKxI0|;IlF?)%aW_*@oyTMjFLCl%6r)&4$L5M zV{+9!UurEe<1j+<{uqL)DxG>QN3N!swz3ap^vg{F?pAz$9<`S3)&kCl1JajoSrp|` 
ztI9+V-KR9sp_a9)rt{nOx3=CF1$ZmdPHVdDksIq&(WD*0Ps@4$7} zEEWtPD;bzU%wjW{R(=O)qZX@TnJ=lRMhAEtG-~mdHJ-*sGsd~0`ddw<+O$gPG@4Ik zNV}8wc9d4?KeruW7lo%k$JdXLR^Xylxm_keiBCojw_}4W z_%seLe|MvlcXV__75XVe3zw>?FjQ6o3&fk#RFv{cRM~E4<7*4M!z!xpay}Qy^GE>e z%R5T0j|H-YoaQu_A4Ts+M)hrWe%_KDxp;xES8uRpcpeYC*Fps4v#xj=Hn#(jbqHGS zlQ!d21HG=n<41|}U3_>&9lUpS5E4%^`cGVjnnE{*@udPp;*PnN$O)B1;Z>6AVID@cU&1yzs?a zExq$v_A&$C(I9=LXyfe4&g#Rc=Jy`QjX!a3f_J*v6-DmsIR$@spjuSsDgj*G=uzBw zG@wB5#ct2^zll+CXMDXUfthz&Q*I*l%v;fWz4ic83CayW0{J5x%S|f9_^IkB`%Qg5 zw}nY_jJy837Tet&wU|k@Zw)ftZ(?l_bN2HMp4S92Yx>=Whc*MSDRw!?5uLocQeJ=u zGXcNFur9Hz{Jnx~3HJLogmZejE}@yWyD;T0J@9*&XQAQZr|CiUwslkrY@D9v9p8YW_= z%?;hg?e)Jpx0tpwY=15sIZfmDKBe?O01B{`#?0Fz)^8?yMu3CsB<-WUW82Bc&KxK$ zMMt(od^IYxHJysN{DK}!8B2VobE@{R2bQUAwhaMvZH#+HeBD(`i3ZdLu~Ml&Y;Y`Y zg*`Uo_vRCd0n!c!5$VnCs~RUvCo!=;r+ZSp*d6z2mSygpej<9KP7qY`f(j2mXVStu zaXU^vq%3qdN`P_)C?G`UL|X7zd9K!r76xXzB;;o$hax5JDA!>aqRda`3cL} zYpm6wUH0MVI>7IbZvzT)tit|K=VQiV!}*F$IlA^N&*PNM$devM>mkf`G*u5!&#u?|kjFQ;({SeY=VtvGL|elJ0K%c#b!BL!ZUh3gdNZ zoGrD@LDyAno2Z%L8L(8j{q{eeYFs=|ukkST_38{tQ_b$UtkA(~wizKMNBJmbd@vFt zs)S#=shcYa0({PW2$r0a==kPC$n~X7hzs8pz_>Q714O>0T}#rv6R@PlCSX(e-&0F9 z@_M?Yw^3)HUQ}&*e^!H<0APTJ$9iRw`B>ucF^QEUoT+2 z0w_D6$$hV8oH*+Oh{j_n?)aDba}wN*`Yx9^;~FnK?06RNC~kuuI$Z5?R?48jTN;Ap zztn*MGN4~W_RI-wB!{5y?^5eJ+FI3$s!cS%S)Df{DwVKni_@{$wY6Nb0r(fe_c2l) zZYg&B*o9^{JHk-Ucu4datj}XkF0b0!7jn+Hypyro_~Fu_V1J}hj4X{g9;f9=nA)E{ zvg-#_cpkUH9eo9M7uc~7k~Fx*{JYEr_5cy&v*#!wnrP?dvFCcu*pRZSHpJt91~2K1 zTXVj%;@vxhv@n>z03i3HmDvnJbUOF#e(IZ+Je0QzLJRd+;ACV^aLtlk7J!XyKRw6S zgk&Sh*dyAmg(Q)Oy)SX{NZ(@Nhh5FUivE_?hLrqUyu)eAXPfybTdsDAwj&05*c86> z=gD)mjld!xOUa$N5r90Y)~|aFHo~ygAD`ckS(#PvYT_jfi3MCw|&YPCqtt238~QYX`K4dCdVh zjQh;ghjh0Ih|4YO+?gfT7Qx*x1;u@Bw&KXeT=sI;UHyWu#eJ4lkL5W`Zx7!e>F78z zvu<({8ly>JT?Fg!RCKxnG2WFC5fx0niDl_Dy43g#V&AU{K9nmk%_oY?xXfM&t*3*h z+)LH&7OcECr)C9ZuNibI*6JNHU@oJ!zwRl<5G2`lTcx7ZX^&SOWM{%7-U>g&1#aK= z0U;ksJ4ij=4hE6u8EkqNk8IU>BKHH^D7W|ChT~7BHwX`tvzo|id6zp1os(Zz&c5Cb 
zr?XuQG`0yjkO6DFv9UgrTQokWlX$>#DwlZ9w(s0%Hc;&MUm(k29nd6E?d=rx$s>tS zW<)t>YcVcL5tZoLn48B0)%6{swHzopq&*I0yD$b_`0r+-k{u*= zp~)^&#U*wjvuMT3*bs2j#6iks5dFdG*c7md(r|zGCkcSDJr1WzaKOnh=KFt-a9RQ+ zvlNb$jQ+Ec2?*r>_(tZ-j%ScCGN3bDCw#3iWf$Ve(7y+77v6MHoA(RGX0XUwD;2$d zY3Y;-Y&kDXzkU_|jB&+bU-m}f0mGs|;@;d~k;S13+J8B(ls6CTtoDu?Y5_ZK#-Un& zH&IbbM1aj_s5q!{X4%)|A5mXU?-26=V;{~JE3-+`AP-GLypSA4>!Rk#T+HtR@X>DC zufGkAfrgG@H;$e+~F;Ca|MCe}iZ%AW0L0dhqYeFb813HeJp}7?Oj*5?s>YU#ql=%n(K&vz?k-zq__{Ee!cji%xO zDzdUs*L;FOAh_o*VSdzsBr24`q9WSC{ZA~WCBE0kvKyl0HgE+=6WA)esIoS+kTriB z_fSE=75=HUQxUo5-LH1+l?@z8(0j3|Tc7HTKvYfMwfA+ABP%(SsRETS^jrKmVB z{XuX&BoJ^EyXv^1iRb&!JdiJZNh<-|j+T1?FJ|CfpkKyM$OG8Q(mZ{BfxZRz!YZ){ zJTQ9I1_|(jYT(UZVZBESQgSiq6$4(pOCWomCMX!10+hei78L=!$R?Kh%Nx8bNOaH} z0|j`&D-!oSa}YFIG9Zw1T0-E3`+NMqvLmN{VUYj-?F_b=hE95}`AeZw$~zH~{F4v} z`a7z$tnBA}v54?y(I*->iie7dmPtTYz?Jjl#6%PI=8v!cX@Z(0fl853RzX1>4J$Me zEk>3sSV<)c{o_9|-~wXsoZ}8nY(2m#gnH2vb2=cd!65rMKwvuv!e@U4d#V5urRg|e zQaL6`CVlhW`$Yv1sBmJyVzdALPObSxFEs^8bdYtr1^vC!WGn*K`Tf=bktiKQ2@bD8C)LB73(@Q_p*GJR;)oG5|lrftGe!JbXbwqtTLE!rTd~R z4ic4lBP|Z~k~fTmfN^bs{}O`3Vfj-AyS1qKkJJVsRRmY3<7FP5b{`G~-Nu+yMtxa6 z&tr0u(C=?i)ro;jCrtY1_20aw2`!t(sKB68pO?y@tFqGKP9qkM( zf#c@>;<*90G}!{av-?~6DTJYklfcbZQbr(&L0^1cE-0G(*c?~D zhutUr!c@+cVhl3+hJxxN4LqC0@CP0g$+LK0(<M`+o6o|piX2{)Rg`V=Do@|(xIg?sK<;rD@rVH)GPXE^fo7kyp7hs(L} zMYQFL+^%3KSn+s50pd@j(G;daUJvSMkFszSrk6&2Vu;S4-x)zwL(ti+$MGGbMq@G{ ztVyp|SVIFh5~z4R4ym`yyf2tvVJY+xLYLXR79G?Q&^l!n!!02LW+q&SJWwgt0~D#f zYk^OdWi%rEFmU(4O8#e&5ExWB>)yl~qK;tR(^ib-lS^; zd!ntLCyhK*R}?7uW<805~Z-_4{Wxx(gEz zfcxsSx3Hga%*K1+4!;|#!}*$v0kZfWiGUFEGhh$E?bkR7Z@@h_pqkM;llZxgHE%W@ zo@-g(?SYTocj@t`*UQbWsvk)usA*_uv{;>;?YhH}FM7}w$ALrUxL7ypDKc;r>f~=w z{yJrva1y10)ntK;T9cFU2@6%=IH}RaFgL~fUDMJ5?Ajo|9(?=L2Y+?V~3+Kb4hGjYOwC_{5mj~8>*DdlP zQt&}t^Ujp1NAFLUin$-m7G`kR+O(^9?9k{fp6`rIU9HI}C?I>L(~XKyH-E-ehI`RT zE~v_Eb7j9U!v2nJGYP8sm%$RM$IaPxz1;#U;QtMrb~~<-n}W6L70O_k760p%=_Y4W z1@TiBs#kjpnSj%>=kFExrGLZ{>p)ZU_75VW_+$UE&wc>YS?JF&=;Yjn}EkM7ysi$t%5OAzhc9VVcEyYcj!`Ep+FzEtzgVH3_HfA&k>y*D-jW 
z3he8cZhoPdhibKN;YzF;D8{t&BYn}eB6{Cp@Qt9x1n(*my0yzPpu|q?mYbB_4rUbw zFg(6AAg>NLs+Vh+e0%@ueOMIwcff3*`Ow_0bZJTp@9^^;N+1y{SaKqSMhow1u$}w0n;Tek()ncIJ4k}E zSZAsDJz3}tB5lO`=LRY>>C$8_VVaKf}f;BcXv`hO^yd`fZJySFH z`-oiXC5y`_vnZ3zm=d|Ye&>~KkPxCuOG8ewWUmu!fc?L$`-l+>EJT053ta}!f2oPy=(CZQ{nYtj%8|f$Ojoj zd&;XiXlpG-Y!H13`w*^Leum?TmuOZW+O-7>3SFjIMRLSS`|M}IcV8PruUDj31%Zy~w^UZ^36n1BgKjuZ@BcjC?=N`}w$G?=b+-F^4t z@B-KaNmYQpg2PmYq@MNSCh9m!z{o9ED>bk67 zk_>$IDCG23otk;wehE(%D}Md#H8dHdgdjZlXtZGryBlP;Ne9QB6QuXbbg+B=lz4+Y z1OO_Z!w|7-1hZDeD;g%wE8V>)ppbZlmd~e z&%tgagF|+cgN+rg5Y%$doVHR7A$5uY)Xdbuz-27Fr%>!LtBD7C>ZYH`Nr4KAr%R5V zg@8Xz0vGr!baYNB6Cg#jNIo@PI|26>rU7H=+DZu&0s?XkH(TAPx&^K%O%SE8Ps->t zWZVWFTu_iQWW;L%QXZOlEB2-}NJuEy*98F&x9K^FZnCmKkR&-aXC~`u6-F>K2{YPX zZf1+c=Skd>?FPsOq@AypcpNRd-CkH1o@QXA=MSpaZX`n&H^Kh7m{LqhhW!WtjX&rK z=V(X*wp&oB*ScMKru}h`7?$6^p6`xDCnvvEJy4A*NRazun(cO!d^h~aFi_b-@BHd? zJI&C>-OR%~rZ1k5LS~$c9Y9t9g4*|m%M}4ZzeO!E>=dljZ`BZy|L~n2a#8?+!LTFC zYmK??dv4&P3=02mko`h!Zv{D;$!+L#RnfcK)N+D`_WJ@)$Ep2DGD3DMRGH%Bq9S8< z7q~)VXe_X^Z!5oFsIwfA71cc(J5NMo_$>-w2YH_S znzq#QWYvNqe?-*;>+NJ|skJqB?EE-)P1#S|;$h`PW)4CQn`u-a2=vz)44C4D9Gzfe|HNRmi& zv$L|%r)-fvgQKbIos4GcuqvyJ!Djic#us_19h%Q2!>E!#2a-PSkOywh%o=PDrG#v@ zNsl`T=EGHkXZ2e>-i(R-oC6LFSoOyd!1odpBI3>9aKDzc zC!UeEMdMoHS!yPqy#>JGK%dQ6E>Q}{U);OdyVW%-+zi+%PGwt#=)TEj5;!Iyci&Jr zL3mDO$O8m$p?YB@`)_h6a{wL?_M-bQEK78Kk_xOa0L+0td~~y$iv>XS*oF4s1pzq# za?7Z$mA#fW41aeR$$3Sr`U>_Ls&QW$$N1$N7(_OYjN z8^yHGyxrpVV?s(I6tUVnP${MpPRD4A4JzqNJR@n|B9vAVg zA8BJWN1-(l5on~WXfN2fHw4}~FU|<+)DcR+_e$+@{wjL+Z2QN?m)7Ij3gh#OzNVl0 zyr!3?IERQ;gj?R`6RC5DYj*jfVLbqN3^8B$T?1rV9Sg-b+&FhX@hDFfp`YOci6{kM z?|cHv1?e{!yLyN{cik*r_y4QBul}mCi?&ueqy?0gE>Q$Q8tIVkE-9r$;?Ui3ICM!X zDBUd~B`HeRp&O+8?!$ZU7~lW!{Rm_5u%BngnrqIv)|UHYHuEBj!=O=Hv(9cy!E~wf zYF-jcFqDNP=l!QL!aAX5UW)yNB7Pa^v|Nz6Bu#02`Sf`2A^lSn1Qe4&K>}xJE>jjD zOjW?jk_WI(jmrKDhWT=t#}clqa8``7&U@*Hvc8)0Hg_QVskWQrhaR*c@FJ)CjByE$tySGiaMHPe;jtw=gK(z1ka@8NzOk#@}o;yykJxkwKH?21(j zunv8EG*Nj^7&)sr&3-BeqTyJ9;@&PHpRw3D7Ulv6&K9lkvqvjgFIoB%la@9{^VAF9 
zrKUi})!+Y&Q&lS<8_j!sDe_jQFJuejERfoUro#3!$P$aG{`edo(7!LSja;9V*b@42 zK|c1<)J}8!4=6rlU%}7G&ir!z%DDZ3{6Fd_0#6t{@%`6!V0*adA5Y{T?q;d=bR~iw z#D}VWX4h^8$+*&O2Nhi;r;XRUZ;4`Db|&LNO`=%=XSRS_Og;wPo(y z^$SK68v9%Vbdp%uD{c$Y_G)ux6fu_5VwjLXAzqt@Q=Rb-Bv67~uwDXnYv{)A+cki7 z5i8K+%Z-k7)F3h)d`pxSA3OSFZMMM^0I;PaNndD^6=n6#@`%VPrD_`FW!rCFDerk_Ve~W?t!RkE6Vw$NU<9P+|JjQv$M_%43^m z+othLNlxI5dHOq0W4#CW>N}JgI|UT@ElUT}CD*qG6p%R`5+E$uzR>{guL*SE=sdgE350!Dj3Ob^KRp*;DBumobA#O-#cjON(jhmU6(ezD97E z3gXKV5G)}fwgSlBocLZN3Zwg94H@RzH>{F0I;}=jzR8Qm5M$9bwJxjEWp>1!G~rIpHeBj8-PE+@`}*DsLbC!P!F>nG`jh_RE^v$n*F#;Qf;u zJ>=6g5u+1%cJK4xLfex!cC+OK!V+jrByL6tgl@|!0_5fv8!Wc{#eTyR-n<_xb z8wpCnDkMhi1SYg@?Bf9oW~)JVO1SPicYAY92)ZOoJY;@2TSO@si#WH+a+oYadUz0D z&XakG?EYgAA?>tDV5RpfHLmT+Tp(-wSaYzegvzi0xA#5rW6Zz{$VP>z`$S| zVk$WHRgGzts$JZ?Tlq|*>y|T<)Oh1LXDCL#3R$JdES^vKLtpYZw%;zot|taR5BdB# zL*~bES~%qew$vLjM=V|VftS;(fnilN7Ftd6-)_P72T4p;vF7*U{5OKlD&Mp@O&4B& z3U%L6f%mQN6y~^Wj!g@jgS;`X?e*zB`Eqsd<< zKlJZ0y8tlFbx=6<>(q}p+TSeKw1y#640m@}<^|-%q=*6fcUAenGVho0`YYx917MSl zly&9i6Xre*9kJ5mh%miI1AJ<)1OGV4zi@!RtrNZrC6o?&)|E(yXUhVx?JmJMsy~t^ zjmKs)KG{j1h7{aHf{2HoRZv6#-?7+DYV_zVCHis}^j|QMq|0ZE)((Q|CvmJuxNv%% zJ5*Q55I(hr|$*f|Y^z;{jNxvJOcDQJ%#j8u^)A>8l?I3OLT!OgGFsFRB;3#m!R#4X$ zkBNb(kDd_SWkV-%&3MM$E3X*;KD!|sfWut=&6x~61#ivg;PIQnzoBIk>NoY;ha^nRX`ygyj{!MQ%rCnjrGzN7c9Gn-BGn^oZ; z*~iZ~$$Qxt;28OX97G8C4Z;aDK-T7OseDuLTf0zHtSWL4V*&k&#XRwOyNp2!$cYUF z4C)g(f!V>?5*Q#+Q;taF*i&bb^9Fo;02$;U8M`&hH7uCNHuz+Bda{$D7#h@|-N?gR z6&I%W!}mKU*^|jYA)EI1;|V>kjuULS0mPswK&jKL ztpmv~&|6~gDo3ywSUV`ojM{v9-ykbF_|&f}?J1GCv+kUMBc}&e=Wy{UK-u#Q_~ViU z(h|UcIe*(lV=`zYOn|lnb{5YF>iY0LFbQkNGnuv79z;_6uqNe0$O?Gp-8a*!X&eA4;8iN}(1cr{X1<$^Ex&cb- zoejmKK8^0!=Q^XQ2$WxVGe!B3Yb|;9gOq?40P6@6stw}Z<{;=)W!C2IwH&otMHECR zklpOC6kxA{x1)-zvSYPJJ9Nev%JZGGQ>(Rsn#2arp9IaB!(??ZGHw_TtvHo4? zx1Mmqi<}*wgv_3aS9=@*+mvMyM!|$3WUwwJM7Rw^+mK!Mpc`@`xgS46%$~EvPK5N* z$K=Haf-xB*zqMHmCN&H@iBDf^1?1W9iYReRhP{HrW9CErL}`qRh(Ii2R*Z(uX3cq! 
zJATZiS1Wwi;no|Y^iN-B;fmH9_fPMUuswKv9CA|o0LUR+^0`um{jgWD#bBCs57M1O zkwpHr1Y{m_*A_r#q)4(Ox2$9f)zm0V(DuiZWlaoqJ`8j2=T-+jGUvbnzI~h&o@>~G zXf@AE^L|*nwDqrrbYA zvdOJX=M=0R7tmtlD|0ppI(ftI*|l_&Ct<%+2K^E1`PLE{j6n1B(Hdr_q6K;JkF(4S zN;@u{*e^EYU*Z}00e*r{$Vjunenvedf(b!n@e(K6m#ZuW$KdB{>GstS_aTih_@y@f zhg%nWutwaSDQt~fnVtrw*icgi=7~EWhYE=y;+|ABVr`8cDBi5uH>w|a*B}Y9MjqX> zCE3y$y!FnoL(U=d&B9y3L^KYOi5~+Uk9I3TQ;i--blLAttKhMb9C4w(%a%5P!{*P$ zSErnt6*Kv#TLgK-V;$4USj%}o4tulCXR0m$(n047t+aPW=t~9W$P-#q2<9Cr>vM�ce73cp?QB~ebENJu zXQ^x&#jsC!zPQ9>JT^}>n*BFXeCjIqItqyGPK=pJa$=4mIvlLK-G|OQs{j(u`A2c& zm~dvxiA)cdu)h~hzTzDC4i_VpWkpsHRP402hs+-d0dg^N2{eV8Cw`xG)VdG4nUG$? z%{15&9~ae%u$JEFcVA7vY05bN?8|v*(-V-Z6^i6jW*56kN^Cc@#iR+o#j3*0k;!Da ziOkB`Th5QE0Zj!!tRMj8HH_cT_LXQZ=We`-jS}a zLE5M1*hi<%j&csPrg{4!`KT;xxCATy{EHlus-P3WLx3J%j+r+O$tO!5pD)L5H)`%n z_5(aXBnooIvGmf??HDQ{IaO<@{=cGaPyKrbOt{2n-@9A-GYd7<70;6`7Tci2_pCHf z5UNnkk~s{T-FiJ<9A9piLE6xLzNoz>e@zs-`(E4wa0XgL+u2~HM2IKc`Wv!haIT~YD|LBC-hD1$dzI@DBJBLOLM?q z(`Uwz#W1}@Vwh8J{w6Xz^sC}iNre&0Cy^Ii(WFlhhhq6dYI5V)p<*Qa?WN;&n|hN1 zbSn3DJXEE)q?Q+Oz#5W(NODSEdFhsZ4L?qjn|7Ev%EXEgyWk3^MdgaD9X#@ky~6Fe z@bUR>`Rvd*K@eU@&J_-qtPF!}tzBA9mZsI;>XAF%9N-_GO(mL6!BMAGPaHgO1=n>F z*R|q&Tis{TQRdB7niAHKjtXm8kzR19+4l5%!nD0*sfp>C%nzjt-rDiY0C9_+X^|zG z^xoPcDoB*VZB2-1ha?w4lU$JC^7=D9M-^>6j=&+Cc5en>)!#t6OxZ#{gK8@ks3HrC z(cUBO-MROTS3?xjuP;8@7MYRT=Plss=iqvus+`OuY_udt<~J;yJ-};<&UOt5Iexwa zdDFX2Zgr}f%j9_{>NKq$cVvy%cQb4CZ>7`F@e|1bba^o>221{uyG#|BI6rx3^sWd=St#3D= zF3wIC&q+gL4GPl#S&j>9d2f(TzbeZ()fuMVH1Si-T96jmYn0KjSIAWgA;I&Q3HiSM zb$|`sYM44%+;Eu>Xp*?llGCwY_HaHeU_z>MQdy?YsRmgFe90)!Ka>%hgx!jptnDfh ziy=nGPFyTj=rqNMmbL9=5O_zu^!8q}w0lEP+!vI5JQ`>d-4l*muvo&#t&2is02oW; zv7KJoO?`56`;psW1i$#xM~lnzJ1C1=%<(+!Kf(POy`3>n2+ttPw%ZUSJ{K>!3?uE8 zNFtiA3+$A#nUF_wQztDy@&Odmsxsf~VGV)~x9_bNoc|Tw8*{O?ys9)<@4Ps2QQrpbVcq+58=fhDY^{J1>WJxm5g^ zwbFQT`3?UkR-Y0YQ}YNeO>Mp{Q~of=&KvDj!@Sye(U!x*l)U?^VY}M%h)=h1iQ>7A zn^d~KorX^)EzCVE-rM6Vh7A*IAd6TyS8q&Pt<97eAYN2cjk-|p{S}{6{PcoUe?Ho@ 
z+K3F^{0ggPTX;;z^|~?plTq$wcG1|cGR4uHJS_!<0T!Z0B2{L`LAf@PX(y>aTSMw4 zZ&wgwi!(-XFBZ!YyK_z2Sjm;%QX!i!!#J@bU7+ntzSG#$^fMrM^u#qtF{5z}A~%JA zc{)`Vqj|ByAL{iTxsKQLR1JrQsZe5mX7S>Ax@(@#UIN zWB}@WL>ha;UYzyMtWg=RdUX375GQ}V#Ge%U0Ut3Ue8Gso++Vag7KIv%eYLzIx1N+A zGODo*dM?nwt_?vy?6Uv!15+%Vm#|c)s&FYcl{3mFTp12Mij8aftNuos>m4Bhf=2=> z5JB9P>loO>*D-vD@-K6^w_6C0jfu`)P&76i4!bPAI5GW;c?6prR04e#anff&hV@mS z@5b=&3B6USGW?gr#GYlgH(Eu0k%a>e;(^*SerHqDt=>(+EI*UfU*>e_C2%*fS=tcr zuW-zZ@3r*xtYEz3-(q3PPfpY;JxAM9={HCr}C*Vo|11k~C^{y;rBs z?AX7<=?uuWalreuMJ;0g=Rfd9*=ty*(rtA4>iu*i)#+u9i&7@Vad*9{Q>T7r{F|N1 z?*cDW6MT11a7$_$d3gt)thM>h4ntn36eP8!BsmL&F4PmPg1s--{}ZzM+J0VNRzFLI zom4I>2vAybouPQK>6k%TUdxpCjF-%3=k+0ON4P`}>GKq2_&YaunitVKMnTZZFDLyr zJaKB4WxtobPe&&{4tpk$omp^RYLzt4?_V#S#D`jsXdi`0?e1v6pYc+8su4_vOeJZc z%>)sW=86SlP2;J#@}|m(hTR)*3H{qaw?E0U*307MNV1`1LVLYeE5RLILa!8Yo4xzM z<43eghDKg(M$d4)Z8B~6cC0%bFrKS2eW4jGuvhSUA+3tDG&IqmMQ%2|0c3$nJdaw^ zO?qmv7z%&PWC9v17!8-=%P!0&4Brmz-nJ4Jeos!=V27u?`g~OAAl66JjU4SvaMr&v zxSH|&o%W+a1Fy6~+1Q!wx{M+qblTf_=v7{=UKdmC9;tPvO$Fjo+f6yfZx!xvdJ`Em zc_w-uZ@fj&S4EePTJEkE?g~MVJ@N>;1B;npD3iFy(OLm$A({Fl<%6Y47Wcvb8m%(g zfmDicNc~Xa-}pk6(>3*6jh5?qmIIgLiv$Dz?vZ{4OY8pYglgj{>qdu7YFBzL^?YNg zt#f5VQ|Z+1$e@MY+io|!(el_>Np>lal5Q@AQWt`Te3H#PyT^?J-0iaj5=mhRQu zMHp%A$B7s~^@{;?7vb^bPmEy!5WQ5vPqax&!>AyEL7M-u;U05A&Oa7s!VoVy)Lh-I$ zdF(C7o2WU^AOX+TxMq);bbVU_ar)hI;?zYy4c(u98yYK3QjWkJhxn}M^90KvwlJPH zQrVVQYK3nffqt}d`p6DCIy**frGHt9%z~jsrXW+70_|f(YV79H0JR;W;Y9V)9UZZH zx>4LqSm-)=BC3eE8?Ax~rN;_&?8r`ZRr*s6b~6g{1X&=1Pj%}rA3eWYqsUBRn|yQ7 zFObF5y~$IY7+CrK?}T&y9K}H>s+MX2wd;ivAe$cVPF3}gcY=n72wA?`v>R)mQ;7N- z*gRC9jeKu3lxk@WkCtOafO#;H){t};HHK8K71h)TyICxzX#>&8wee_3;C0)()`>-~ z`;$V{1_dy)(n>-n>NdQ3E?Vqj;Z>UTqEcID>TkEk_>D#|f5%t)-oh7-JBLX(uXaf{ zns)zr_n=<7E|}X76D$}th-q%oC!Z8?59dJ^__9`Re(%XoOYDBAV^le%r#?g5bRMnA zCxO9cnN&}k*C$F1a&gqY-+iHQwnUoIn`@hUTW3;Q_|HL3>+WW$;5N(fQnKC ztjmOV%RKh795X5jtJ%*ebwInAPF$g4le{~EM<1R`2j8zsJBD_Mb@Ajo*hRUe-Ra2g z3Vw<5KNySB(6M^4wgsyWJJB4w5ksU!p=w_$x4#p7+?C()9~otG+4%2?nzPQH(ox0D 
zo%nT1)T4+@7Bl`q%C~1dcKKWfoDf?kv+WJ6DvTHqmq+fY`o*?w=QxR z(#*R$(N?*atAD}s;nI=p->3?|2ji}O8psrjQYXPxXcB@`hDwX^q*MWLlX_(Y8>?QV zNI4BCpfB>(%bLfmyOR}xb`7gZ)-7mtjE+rND=d5#APUk)sa^hBekwe#)-`S>Y&%jgF03Z8a*E?v_j22NaMJsGriEKsT414kaa0H`zINVj$)V%S~Z)_~e z2+#B@jnxPMY!{zva?>KvNP9yA8>9L0U-)`~)Liv&SOD`cIf1>TH!g;*>Z3CqGk*ShlcRu!*UaR$H=DMx zB$b)`a~l(MwaQyrdC%{CS)Da-Q)_ z?71GD$Egw+8B?(59wH$F0`&n8eh*K%>$c{_a9i4e@7rM@9_Hutk0p(Nej*+#JAyFWCOWR;1Iu%^x9f3Qm3lIsL|)J?a%lPJ$lI ztF7zbvw~v(EI9QX*x`a76N!})#2gH#3VDs+$EXi~?jA1&^)ZTACidipNfJ8^ga<4_3 zx-`wgyJQwyW=Uj26PhDzFL*6)*7!W&iMhe$hJqZF(QOJD;ZJw)LHdW0V z%tBkqdF|9mvLnLkbMQ#qC!@8LDwJ517DHN0IztdPfZ=CtXHiebM!A$$ijtd%#~IzO zGNTTHg`AGCY7eUvK?mAFl>>@rpWr%WhAkMJTLLW(OJWF7`Z<#3r%h)0WP>LZ!d{bc z4#x~XX<@+?sXwasSW~ULaL~#hBIs@;^0@Rc>;`WB9ehb{CXbX}+2MosCHjSZABka$*C8anCD3H(wBO)ul3HwI@4(UYnu4`z6@cTW_?m8 z;@o-wzDB&B@-b`m1S`xWM{W%lhb#g=X%vl&bJ;PbdF^+xUvEHm-P}%Pf?V#eZ7W(z zEB8CB%Tu&8j8L$S;cxSo=2-F#hv?Rw3oM;qjjr1vEfc)+8B<(gD;=rb-_4=bXUa#> zUi+BW`VCIzhjVTV!M|chi9q-vs??HoOGP@eJZ_5cG^l(ZuJUO9Dwcwe7D%l2wVCjo z{9HHz`VIy#!t@KmdBj>^ckGIV}AwTB4m7xs}maV6$+bx$+@72(U10{mgY16xY zhndd}i1W`3u(VZ6MNQ1BwPZaXkxr}{zAO%)n2xd%$MQ*buV?YIl9YUggB|k17~7qy ztLolCogw0Ds6kHux6H_X+nEU}1DCo6PU$G^dBC@(va+s7nC3YBG3i3;!_FUgpi&@5 ztTsT*3>936zLs*AEa;~>q$3(S&<0P{oycFwIO-?aj`w*qGtUZcSuanbV-+Z!`MRdD-tKM z`Z%KV@8wE@D?6STGzODYVB>zCM$1pOGshv2=C&TAXCuqyw%*uOAbV--w^x}3OfbDd zBe3uY;O(0mZ;s^{QgTjH39_be1|$BxAAxe{^d+pw zo5t=q;Df(>k9 zR2>Z-hJJu~#||h!YWjY?omMgkjiDByIw|Jd99R97C8Vcy{YiiPn+})3ju&6?`L`ZM zZDnuZs*$S@1VA=va#>`xQ(Rt2a+z!r6LD%P@swMQ(iY$(5Ffoge$?Q&4Af|ePV*+u zlj0{lHYsuGl_A7W1WgbcTL2_CgJLonhP6Z_PZ94!3NUS$s!MYvmr|Bs5+;L<3GK%x z|JfC!5Js9VJ;N_pP8^TsoCcm(13#CB%4Ij5B;g^ODsU&G$=0FLlOM|@Z}AU9zBqc7 zXnxPNZ@mavnPvK(q5l`~0cya#AXCczn>cxn6gd0BG|LQaJ$Ul5uo_xqL1eN9jwaye zd1`)f34*FjgqHc?W_a%_4MwiO>h=d<;{9;6jge;s=*XE1?)rw)d55bTfB#N+MsBbw z{zmTM6vY&XQxp>=$G{lQQq)28@A+RM{1+t1b&Ub>S*X#3HWWlQ1X7&(~bS`JzA1<6HQ+ep61V3>qOO4+!XOHYP+skl~8NmKUQ_n&wsNPx?E zfLApdWo7N#w6e}-FQ#8a3e 
z$lp684@l>8W~{OPEoH4q<#q5@x7^r&?9GXUMFW3As#uya;{Dpu*vtJ5TRgiDd?Dw0 z2omet-tp;&=Ieh0OI*QKWd6e_IlG>P-qIoq1Tw8GUta0nqu%4n*UOE7Bx31d3$B#O7WV#iN>Y+}>rCAh{nqc3 z2E~}Gwi${*M^)EX9-4JlOujl9kLB*$C{q?^ZrX72e^#e1YKFaUq7GWl=BpH#Q!D)Z zNv1xj1pm2C1pI-|_7Yq~03)pu55?sMmgBj@t<2_K@}&?Q@-ILQ zYz;l&d*lx;T#!6MC0-*`Q>@r$**u2=$6+D&Eg+56zU$UpGe)o}(1^VU{-Os<+z6ms z@BaWB27*>R#ZOgTicJO`BF-IkWu-VF2~UnA!_H{C43d5k4|Pmt!1Pm_?ICEe)b#(&aHT)L>sASvBZC;JNv zkF$2Zsh0kA5t|7PO-rEu&`Z8U1a_9PHL_&HV*)2%E;TZqEC~wsvWf_LyC5J=8mRr- zI+an%c=ODCfHZb7>Ue0vlSh>b==O0}GndtHZ!$@ zFtj}&iRFS~j(N-UB7&Hc8(@s#VaN{0-vnmTCz=~5B}At>uA5^FIKznYC=e3@em-Ne zjRd+?YCwFq7GP7GdER&1(~6O~zm$BilHV_8I6{Zmj?5Ln2%d=U&8`HkALSL&dHG8aF8lQeAlb{nU#v+MkVB_-g~o@F^LBMk@xRMV7;*t zVpxJxq9A^u@&;I-X7#9oPmuf#j@e3(qOf z{6~us?#=FE&e}+XWAP6fqbL3TIQ75KR(R-(XN20$5n=4;Y~qAg0H=-bc+6{qj8wt-;bPwosHW`XXLD`0C&H6KR}V-?r- zIgdOkkmd2ih6Z7}u@m05ZhGgjZju3R3zz<5{6eqx7p$3HHy?BaAO<$B@CYHi7D|9~ z)zve~nmvyATQYx$(@lya_ZX8RK2z>gy8`bV{ptRK{fExpcsxpe_2h{SVD!e~TJKIV zR1Rf0_{BB6K_WMcY@Wm=i$^k_yHY!2=iDd*zg{xI_zx>T;5jfNUkslRd}r}#aVZI8 zSfRG{9{Zdqt|;!NLS+`%s}cUOM{+VGl@_-0a2A}a1CW#H2!_#PFbGnNiXv7&!k@Qj zzNmS;vIF}4gCalytIoMrZ-`QQgj+BoQ6Yr!M&_G#M_`s*Yo2V3(iut+1`$%l-Qvj{ zJir6r*3TAEtWbEy>TorDl;mE5v!J2V?D)cdE8=t31A8S^PrOt8T! zEr&V4bvd@-%ocyuiWG^PRh$HCnl^9yzIln?JAgq}?280I0%ObNR>>{8!X@JwF&*EF z@Rjm(Sr!^yyoU`8mwUdhjoe##LOY2vL2k)j<9$!Y%u0_ozg(Dk{~m3tgnK*{IE`VyFypKtqI1phxB zA>uKPccv1gqMp1RJ5$V;cNBh$`AxSbLbulDX&tcJ{6WiEkw-=pgaFXtLSQvh`&=PQ zFg2ga(qLjax9b_r9G(>$X~8g~)?+fUKH@)NVu;x9cXEG85?qQC?A51y%`B`i>uHQZ3W9DI zKSsT8De)2WF{^qQ3A?r^i1KwjCi!a^NKRD-p2wro;ob}loTAJP6`CrHhBDc%@c^1M?Z7wc1R4x>Q47-6I+Fq~NfO9BjBz179) z9+0SMHzNhCq{1x+9oY1|JfB=QpTYDET9_&B2`Ht{AN~|`oBez=aEf2m8Wf%h2VRda zAmB|qe58%@QNDx?!e<6r|%7x~f z-0{|F1SqpZ1pB*Z;DVz1%3vWLF1px;A_rrB3+!ziz`u_rLm^=dYN8P^cofv! 
zQo`6Eh=;%M&A-2kPR?L6p z*V?+S5k*+!_RVj>O)<6X2J{jxz~b+@p6OOCH0^FqE~X3mjaa8HVj!l-&kqOX z)%#viQ23VzT)ZY7b$!?1pp*bM<{WVOR2+wXy|L4WLrS3_Rj&zZCp^R(m(s<7jq16P z6Z!?z1gTe9C`=>{4yxB}C$*F|NfPI!9tGZ?(EI8Ftz&SV6U07+a3;Ief> zE2zd!aeweQ(H*!Pxq(3!oF`?3LniquLHKe~m~bD&A3S*Y8?lOIoIQK>av#4ioIO6C zje9W6mnQ7pxTbIgAg_yfybTL-5cK(EJoEjlh_a)&!`(nMem#1;7>K6|oVRA-KmVK| zq8GPG2MPjtGQWQP=Z|?!t^>ZDrm_^-e=DRP^WZNth`EKJx>_xh-<3JOP8xW4nFc{V z2LU9jIN!EJ489mk{6}i@dl?`ZpINt>dCvFlW;|CC8~$B&cJCye$rO+=Y4>+Z0WoD6 zn&x82iD=^Tf4y4#9wMGAxqxrAQL=C;^t`?H04`i2F!&hl$F{Te z@jwa6JF?R+go2I&a%umGY@#$A7>`+0C5V)oUFAT+RILR{0@|JF;SR%C Q#5KLLl8O?gV#Wdg1LjH?MgRZ+ literal 0 HcmV?d00001 diff --git a/docs/sources.md b/docs/sources.md deleted file mode 100644 index 3d868cc..0000000 --- a/docs/sources.md +++ /dev/null 
@@ -1,1089 +0,0 @@ -# Introduction -When using Splunk Connect for Syslog to onboard a data source, the SC4S filter performs the operations that are traditionally performed at index-time by the corresponding Technical Add-on installed there. These index-time operations include linebreaking, sourcetype setting and timestamping. For this reason, if a data source is exclusively onboarded using SC4S then you will not need to install its corresponding Add-On on the indexers. You must, however, install the Add-on on the search head(s) for the user communities interested in this data source. - -SC4S "unique" filters are based either on the port upon which events arrive or the hostname/CIDR block from which they are sent. The "soup" filters run for events that arrive on port 514 (default for syslog), and contain regex and other syslog-specific parsers to identify events from a specific source, apply the correct sourcetype, and set other metadata. Data sources which generate events that are not unique enough to accurately identify with soup filters _must_ employ the "unique" filters (port/hostname/CIDR block) instead -- the soup filters are unavailable for these sources. - -If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help. 
- -# Vendor - Checkpoint - -## Product - Log Exporter (Splunk) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ | -| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cp_log | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| checkpoint_splunk | cp_log | netfw | none | - -### Source and Index Configuration - -Checkpoint Software blades with CIM mapping have been sub-grouped into sources -to allow routing to appropriate indexes. All other source meta data is left at default - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| checkpoint_splunk_dlp | dlp | netdlp | none | -| checkpoint_splunk_email | email | email | none | -| checkpoint_splunk_firewall | firewall | netfw | none | -| checkpoint_splunk_sessions | sessions | netops | none | -| checkpoint_splunk_web | web | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cp_log -``` - -Verify timestamp, and host values match as expected -# Vendor - Cisco - -## Product - ASA (Pre Firepower) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1620/ | -| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:asa | None | -| cisco:pix | Not supported | -| cisco:fwsm | Not supported | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_asa | cisco:asa | netfw | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above ensure: - * Log Level is 6 "Informational" - * Protocol is TCP/IP - * permit-hostdown is on - * device-id is hostname and included - * timestamp is included - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:asa -``` - -Verify timestamp, and host values match as expected - -## Product - IOS and NX-OS based equipment - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1467/ | -| IOS Manual | https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html | -| NX-OS Manual | https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_5syslog.html| -| Cisco ACI | https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf | -| Cisco WLC & AP | https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html#anc8 | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines | - -### Sourcetype and Index Configuration - 
-| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ios | cisco:ios | netops | none | -| cisco_nx_os | cisco:ios | netops | none | - -### Filter type - -* Cisco IOS products can be identified by message parsing alone -* Cisco NX OS, WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_nx_os` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* IOS Follow vendor configuration steps per Product Manual above ensure: - * Ensure a reliable NTP server is set and synced - * Log Level is 6 "Informational" - * Protocol is TCP/IP - * permit-hostdown is on - * device-id is hostname and included - * timestamp is included -* NX-OS Follow vendor configuration steps per Product Manual above ensure: - * Ensure a reliable NTP server is set and synced - * Log Level is 6 "Informational" user may select alternate levels by module based on use cases - * Protocol is TCP/IP - * device-id is hostname and included - * timestamp is included and milisecond accuracy selected -* ACI Logging configuration of the ACI product often varies by use case. 
- * Ensure NTP sync is configured and active - * Ensure proper host names are configured -* WLC - * Ensure NTP sync is configured and active - * Ensure proper host names are configured - * For security use cases per AP logging is required - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present, for NX-OS, WLC and ACI products ensure each host filter condition is verified - -``` -index= sourcetype=cisco:ios | stats count by host -``` - -## Product - ISE - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1915/ | -| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs_chapter_00.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ise:syslog | Aggregation used | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ise | cisco:ise:syslog | netauth | None | - - -### Filter type - -PATTERN MATCH - -### Setup and Configuration - -* No special steps required - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| 
SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:ise:syslog -``` - -Verify timestamp, and host values match as expected - -## Product - Meraki Product Line MR, MS, MX, MV - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3018/ | -| Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| merkai | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes | - - -### Filter type - -IP, Netmask, Host or Port - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=merkai -``` - -Verify timestamp, and host values match as expected - -# Vendor - Forcepoint - -## Product - Webprotect (Websense) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ | -| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| websense:cg:kv | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| forcepoint_webprotect | websense:cg:kv | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command - - -``` -index= sourcetype=websense:cg:kv -``` - -# Vendor - Fortinet - -## Product - Fortigate - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2846/ | -| Product Manual | https://docs.fortinet.com/product/fortigate/6.2 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| fgt_log | The catch all sourcetype is not used | -| fgt_traffic | None | -| fgt_utm | None | -| fgt_event | None - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| fortinet_fortios_traffic | fgt_traffic | netops | none | -| fortinet_fortios_utm | fgt_utm | netids | none | -| fortinet_fortios_event | fgt_event | netops | none | -| fortinet_fortios_log | fgt_log | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. 
-* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - -``` -config log memory filter - -set forward-traffic enable - -set local-traffic enable - -set sniffer-traffic disable - -set anomaly enable - -set voip disable - -set multicast-traffic enable - -set dns enable - -end - -config system global - -set cli-audit-log enable - -end - -config log setting - -set neighbor-event enable - -end - -``` - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command - -``` -diag log test -``` - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm) -``` - -### UTM Message type - -![FortiGate UTM message](FortiGate_utm.png) - -### Traffic Message Type - -![FortiGate Traffic message](FortiGate_traffic.png) - -###Event Message Type -![FortiGate Event message](FortiGate_event.png) - -Verify timestamp, and host values match as expected - -# Vendor - Imperva - -## Product - Incapsula - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ | -| Product Manual | 
https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| Imperva:Incapsula | Common sourcetype | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| cef_Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="Imperva:Incapsula") -``` - -# Vendor - Juniper - -## Product - Juniper JunOS - -| Ref | Link | -|-------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| JunOS TechLibrary | https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-messages-configuring-qfx-series.html | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|------------------------------------------------------------------| -| juniper:junos:firewall | None | -| juniper:junos:idp | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | 
-|----------------------------|------------------------|----------------|---------------| -| juniper_junos_flow | juniper:junos:firewall | netfw | none | -| juniper_junos_idp | juniper:junos:idp | netids | none | -| juniper_junos_utm | juniper:junos:firewall | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | - -### Verification - -Use the following search to validate events are present; for Juniper JunOS ensure each host filter condition is verified - -``` -index= sourcetype=juniper:junos:firewall | stats count by host -index= sourcetype=juniper:junos:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper NSM - -| Ref | Link | -|----------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:nsm | None | -| juniper:nsm:idp | None | - -### Sourcetype and Index Configuration - -| key | 
sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_nsm | juniper:nsm | netfw | none | -| juniper_nsm_idp | juniper:nsm:idp | netids | none | - -### Filter type - -* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified - -``` -index= sourcetype=juniper:nsm | stats count by host -index= sourcetype=juniper:nsm:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper Netscreen - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Netscreen Manual | http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 | - -### Sourcetypes - -| sourcetype | notes | -|-------------------------|------------------------------------------------------------------------------------------------| -| netscreen:firewall | None | -| juniper:idp | None | - -### Sourcetype and Index 
Configuration - -| key | sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_netscreen | netscreen:firewall | netfw | none | -| juniper_idp | juniper:idp | netfw | none | - -### Filter type - -* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper Netscreen products ensure each host filter condition is verified - -``` -index= sourcetype=netscreen:firewall | stats count by host -index= sourcetype=juniper:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper SSLVPN - -| Ref | Link | -|------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:sslvpn | None | - -### Sourcetype and Index Configuration - -| key | sourcetype 
| index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_sslvpn | juniper:sslvpn | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified - -``` -index= sourcetype=juniper:sslvpn | stats count by host -``` - -Verify timestamp, and host values match as expected - -# Vendor - Microfocus ArcSight - -## Product - Internal Agent Events - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ArcSight:ArcSight | Internal logs | - -### Index Configuration - -| key | source | index | notes | 
-|----------------|----------------|----------------|----------------| -| cef_ArcSight_ArcSight | ArcSight:ArcSight | main | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="ArcSight:ArcSight") -``` - -## Product - Microsoft Windows - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| CEFEventLog:System or Application Event | Windows Application and System Event Logs | -| CEFEventLog:Microsoft Windows | Windows Security Event Logs | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| cef_Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none | -| cef_Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | 
oswinsec | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event")) -``` - -# Vendor - PaloAlto - -## Product - NGFW - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ | -| Product Manual | https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pan:log | None | -| pan:traffic | None | -| pan:threat | None | -| pan:system | None | -| pan:config | None | -| pan:hipwatch | None | -| pan:correlation | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| pan_log | pan:log | netops | none | -| pan_traffic | pan:traffic | netfw | none | -| pan_threat | pan:threat | netproxy | none | -| pan_system | pan:system | netops | none | -| pan_config | pan:config | netops | none | -| pan_hipwatch | pan:hipwatch | netops | none | -| pan_correlation | pan:correlation | netops | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search 
head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration - * Select TCP or SSL transport option - * Select IETF Format - * Ensure the format of the event is not customized - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active firewall will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=pan:*| stats count by host -``` - -# Vendor - Proofpoint - -## Product - Proofpoint Protection Server - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3080/ | -| Product Manual | https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pps_filter_log | | -| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. 
| - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| proofpoint_pps_filter | pps_filter_log | email | none | -| proofpoint_pps_sendmail | pps_mail_log | email | none | - - -### Filter type - -MSG Parse: This filter parses message content -* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related -messages to create meaningful final output. This will require follow-on processing in Splunk. - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. | - -### Verification - -One or two sourcetypes are included in Proofpoint PPS logs. 
The search below will surface both of them: - -``` -index= sourcetype=pps_*_log | stats count by host -``` - -# Vendor - Symantec - -## Product - ProxySG/ASG (Bluecoat) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ | -| Product Manual | https://support.symantec.com/us/en/article.tech242216.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| bluecoat:proxysg:access:kv | Requires version TA 3.6 | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| bluecoat_proxy | bluecoat:proxysg:access:kv | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype=bluecoat:proxysg:access:kv | stats count by host -``` - - -# Vendor - Ubiquiti - Unifi - -All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS. - - -* Login to NMS -* Navigate to settings -* Navigate to Site -* Enable Remote syslog server -* Enter hostname and port -* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls - -## Product - Unifi Switch and Access Points - -Unifi devices are managed using the Network Management Controller - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4107/ | -| Product Manual | https://https://help.ubnt.com/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ubnt | Used when no sub source type is required by add on | -| ubnt:fw | USG events | -| ubnt:threat | USG IDS events | -| ubnt:switch | Unifi Switches | -| ubnt:wireless | Access Point logs | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| ubiquiti_unifi | ubnt | netops | none | -| ubiquiti_unifi_fw | ubnt:fw | netfw | none | -| ubiquiti_unifi_link | ubnt:link | netops | none | -| ubiquiti_unifi_sudo | ubnt:sudo | netops | none | -| ubiquiti_unifi_switch | ubnt:switch | netops | none | -| ubiquiti_unifi_threat | ubnt:threat | netids | none | -| ubiquiti_unifi_wireless | ubnt:wireless | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) 
for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` - - -# Vendor - Zscaler - -## Product - All Products - -The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page -26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize -the IP or host name of the SC4S instance and port 514 - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ | -| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. 
| -| zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | -| zscalernss-web | None | -| zscalernss-zpa-app | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-auth | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-connector | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth_connector`` immediately prior to the ``\n`` in the LSS Connector format. See Zscaler manual for more info. | -| zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| zscalernss_alerts | zscalernss-alerts | main | none | -| zscalernss_dns | zscalernss-dns | netdns | none | -| zscalernss_fw | zscalernss-fw | netfw | none | -| zscalernss_web | zscalernss-web | netproxy | none | -| zscalernss-zpa-app | zscalernss_zpa-app | netids | none | -| zscalernss-zpa-auth | zscalernss_zpa_auth | netauth | none | -| zscalernss-zpa-connector | zscalernss_zpa_connector | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
- * Select TCP or SSL transport option
- * Ensure the format of the event is customized per Splunk documentation
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-
-### Verification
-
-An active proxy will generate frequent events. Use the following search to validate events are present per source device
-
-```
-index= sourcetype=zscalernss-* | stats count by host
-```
diff --git a/docs/sources/Checkpoint/index.md b/docs/sources/Checkpoint/index.md
new file mode 100644
index 0000000..ee2c590
--- /dev/null
+++ b/docs/sources/Checkpoint/index.md
@@ -0,0 +1,63 @@
+# Vendor - Checkpoint
+
+## Product - Log Exporter (Splunk)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ |
+| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cp_log | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk | cp_log | netfw | none |
+
+### Source and Index Configuration
+
+Checkpoint Software blades with CIM mapping have been sub-grouped into sources
+to allow routing to appropriate indexes. All other source meta data is left at default
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk_dlp | dlp | netdlp | none |
+| checkpoint_splunk_email | email | email | none |
+| checkpoint_splunk_firewall | firewall | netfw | none |
+| checkpoint_splunk_sessions | sessions | netops | none |
+| checkpoint_splunk_web | web | netproxy | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per Product Manual above
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined |
+| SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined |
+| SC4S_ARCHIVE_CHECKPOINT_SPLUNK | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CHECKPOINT_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=cp_log
+```
+
+Verify timestamp, and host values match as expected
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
new file mode 100644
index 0000000..9d6cad4
--- /dev/null
+++ b/docs/sources/Cisco/index.md
@@ -0,0 +1,236 @@
+# Vendor - Cisco
+
+## Product - ASA (Pre Firepower)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/1620/ |
+| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:asa | None |
+| cisco:pix | Not supported |
+| cisco:fwsm | Not supported |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_asa | cisco:asa | netfw | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per Product Manual above ensure:
+ * Log Level is 6 "Informational"
+ * Protocol is TCP/IP
+ * permit-hostdown is on
+ * device-id is hostname and included
+ * timestamp is included
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_ASA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_ARCHIVE_CISCO_ASA | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_ASA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format |
+| SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC3164 format |
+| SC4S_ARCHIVE_CISCO_ASA_LEGACY | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_ASA_LEGACY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=cisco:asa
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - IOS and NX-OS based equipment
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/1467/ |
+| IOS Manual | https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html |
+| NX-OS Manual | 
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_5syslog.html|
+| Cisco ACI | https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf |
+| Cisco WLC & AP | https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html#anc8 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ios | cisco:ios | netops | none |
+| cisco_nx_os | cisco:ios | netops | none |
+
+### Filter type
+
+* Cisco IOS products can be identified by message parsing alone
+* Cisco NX OS, WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_nx_os` as required
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* IOS Follow vendor configuration steps per Product Manual above ensure:
+ * Ensure a reliable NTP server is set and synced
+ * Log Level is 6 "Informational"
+ * Protocol is TCP/IP
+ * permit-hostdown is on
+ * device-id is hostname and included
+ * timestamp is included
+* NX-OS Follow vendor configuration steps per Product Manual above ensure:
+ * Ensure a reliable NTP server is set and synced
+ * Log Level is 6 "Informational" user may select alternate levels by module based on use cases
+ * Protocol is TCP/IP
+ * device-id is hostname and included
+ * timestamp is included and milisecond accuracy selected
+* ACI Logging configuration of the ACI product often varies by use case.
+ * Ensure NTP sync is configured and active
+ * Ensure proper host names are configured
+* WLC
+ * Ensure NTP sync is configured and active
+ * Ensure proper host names are configured
+ * For security use cases per AP logging is required
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_IOS_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_CISCO_IOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_IOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CISCO_NX_OS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_CISCO_NXOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_NXOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following 
search to validate events are present, for NX-OS, WLC and ACI products ensure each host filter condition is verified
+
+```
+index= sourcetype=cisco:ios | stats count by host
+```
+
+## Product - ISE
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/1915/ |
+| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs_chapter_00.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ise:syslog | Aggregation used |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ise | cisco:ise:syslog | netauth | None |
+
+
+### Filter type
+
+PATTERN MATCH
+
+### Setup and Configuration
+
+* No special steps required
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_ARCHIVE_CISCO_ISE | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_ISE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=cisco:ise:syslog
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Meraki Product Line MR, MS, MX, MV
+
+| Ref | Link | 
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/3018/ |
+| Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| merkai | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes |
+
+
+### Filter type
+
+IP, Netmask, Host or Port
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per Product Manual above
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_ARCHIVE_CISCO_MERAKI | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_MERAKI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=merkai
+```
+
+Verify timestamp, and host values match as expected
+
diff --git a/docs/sources/Forcepoint/index.md b/docs/sources/Forcepoint/index.md
new file mode 100644
index 0000000..e5fdeff
--- /dev/null
+++ b/docs/sources/Forcepoint/index.md
@@ -0,0 +1,52 @@
+# Vendor - Forcepoint
+
+## Product - Webprotect (Websense)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ |
+| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| websense:cg:kv | None |
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| forcepoint_webprotect | websense:cg:kv | netproxy | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.
+
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT | no | Enable archive to disk for this specific source |
+| SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command
+
+
+```
+index= sourcetype=websense:cg:kv
+```
+
diff --git a/docs/FortiGate_event.png b/docs/sources/Fortinet/FortiGate_event.png
similarity index 100%
rename from docs/FortiGate_event.png
rename to docs/sources/Fortinet/FortiGate_event.png
diff --git a/docs/FortiGate_traffic.png b/docs/sources/Fortinet/FortiGate_traffic.png
similarity index 100%
rename from docs/FortiGate_traffic.png
rename to docs/sources/Fortinet/FortiGate_traffic.png
diff --git a/docs/FortiGate_utm.png b/docs/sources/Fortinet/FortiGate_utm.png
similarity index 100%
rename from docs/FortiGate_utm.png
rename to docs/sources/Fortinet/FortiGate_utm.png
diff --git a/docs/sources/Fortinet/index.md b/docs/sources/Fortinet/index.md
new file mode 100644
index 0000000..a13bc1d
--- /dev/null
+++ b/docs/sources/Fortinet/index.md
@@ -0,0 +1,108 @@
+# Vendor - Fortinet
+
+## Product - Fortigate
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2846/ |
+| Product Manual | https://docs.fortinet.com/product/fortigate/6.2 |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| fgt_log | The catch all sourcetype is not used |
+| fgt_traffic | None |
+| fgt_utm | None |
+| fgt_event | None
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| fortinet_fortios_traffic | fgt_traffic | netops | none |
+| fortinet_fortios_utm | fgt_utm | netids | none |
+| fortinet_fortios_event | fgt_event | netops | none |
+| fortinet_fortios_log | fgt_log | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.
+
+```
+config log memory filter
+
+set forward-traffic enable
+
+set local-traffic enable
+
+set sniffer-traffic disable
+
+set anomaly enable
+
+set voip disable
+
+set multicast-traffic enable
+
+set dns enable
+
+end
+
+config system global
+
+set cli-audit-log enable
+
+end
+
+config log setting
+
+set neighbor-event enable
+
+end
+
+```
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_FORTINET_FORTIOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_FORTINET_FORTIOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command
+
+```
+diag log test
+```
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm)
+```
+
+### UTM Message type
+
+![FortiGate UTM message](FortiGate_utm.png)
+
+### Traffic Message Type
+
+![FortiGate Traffic message](FortiGate_traffic.png)
+
+###Event Message Type
+![FortiGate Event message](FortiGate_event.png)
+
+Verify timestamp, and host values match as expected
\ No newline at end of file
diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md
new file mode 100644
index 0000000..2ae9eea
--- /dev/null
+++ b/docs/sources/Imperva/index.md
@@ -0,0 +1,53 @@
+# Vendor - Imperva
+
+## Product - Incapsula
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Imperva:Incapsula | Common sourcetype |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| cef_Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT | no | Enable archive to disk for this specific source |
+| SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active site will generate frequent events use the 
following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef source="Imperva:Incapsula")
+```
\ No newline at end of file
diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md
new file mode 100644
index 0000000..98cd701
--- /dev/null
+++ b/docs/sources/Juniper/index.md
@@ -0,0 +1,207 @@
+# Vendor - Juniper
+
+## Product - Juniper JunOS
+
+| Ref | Link |
+|-------------------|-------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| JunOS TechLibrary | https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-messages-configuring-qfx-series.html |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|------------------------------------------------------------------|
+| juniper:junos:firewall | None |
+| juniper:junos:idp | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------------------|------------------------|----------------|---------------|
+| juniper_junos_flow | juniper:junos:firewall | netfw | none |
+| juniper_junos_idp | juniper:junos:idp | netids | none |
+| juniper_junos_utm | juniper:junos:firewall | netfw | none |
+
+### Filter type
+
+* MSG Parse: This filter parses message content
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per referenced Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format|
+| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format |
+| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper JunOS ensure each host filter condition is verified
+
+```
+index= sourcetype=juniper:junos:firewall | stats count by host
+index= sourcetype=juniper:junos:idp | stats count by host
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Juniper NSM
+
+| Ref | Link |
+|----------------|-------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|------------------|-----------------------------------------------------------------------|
+| juniper:nsm | None |
+| juniper:nsm:idp | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|------------------------|---------------------|----------------|---------------|
+| juniper_nsm | juniper:nsm | netfw | none |
+| juniper_nsm_idp | juniper:nsm:idp | netids | none |
+
+### Filter type
+
+* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_JUNIPER_NSM | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_NSM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified
+
+```
+index= sourcetype=juniper:nsm | stats count by host
+index= sourcetype=juniper:nsm:idp | stats count by host
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Juniper Netscreen
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| Netscreen Manual | http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|-------------------------|------------------------------------------------------------------------------------------------|
+| netscreen:firewall | None |
+| juniper:idp | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|------------------------|---------------------|----------------|---------------|
+| juniper_netscreen | netscreen:firewall | netfw | none |
+| juniper_idp | juniper:idp | netfw | none |
+
+### Filter type
+
+* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_JUNIPER_NETSCREEN | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_NETSCREEN_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper Netscreen products ensure each host filter condition is verified
+
+```
+index= sourcetype=netscreen:firewall | stats count by host
+index= sourcetype=juniper:idp | stats count by host
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Juniper SSLVPN
+
+| Ref | Link |
+|------------------|-------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|------------------|-----------------------------------------------------------------------|
+| juniper:sslvpn | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|------------------------|---------------------|----------------|---------------|
+| juniper_sslvpn | juniper:sslvpn | netfw | none |
+
+### Filter type
+
+* MSG Parse: This filter parses message content
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per referenced Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified
+
+```
+index= sourcetype=juniper:sslvpn | stats count by host
+```
+
+Verify timestamp, and host values match as expected
\ No newline at end of file
diff --git a/docs/sources/Microfocus/index.md b/docs/sources/Microfocus/index.md
new file mode 100644
index 0000000..5909324
--- /dev/null
+++ b/docs/sources/Microfocus/index.md
@@ -0,0 +1,99 @@
+# Vendor - Microfocus ArcSight
+
+## Product - Internal Agent Events
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ArcSight:ArcSight | Internal logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| cef_ArcSight_ArcSight | ArcSight:ArcSight | main | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef source="ArcSight:ArcSight")
+```
+
+## Product - Microsoft Windows
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
+| CEFEventLog:Microsoft Windows | Windows Security Event Logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| cef_Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
+| cef_Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT | no | Enable archive to disk for this specific source |
+| SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))
+```
\ No newline at end of file
diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md
new file mode 100644
index 0000000..bc27602
--- /dev/null
+++ b/docs/sources/PaloaltoNetworks/index.md
@@ -0,0 +1,63 @@
+# Vendor - PaloAlto
+
+## Product - NGFW
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ |
+| Product Manual | https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| pan:log | None |
+| pan:traffic | None |
+| pan:threat | None |
+| pan:system | None |
+| pan:config | None |
+| pan:hipwatch | None |
+| pan:correlation | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| pan_log | pan:log | netops | none |
+| pan_traffic | pan:traffic | netfw | none |
+| pan_threat | pan:threat | netproxy | none |
+| pan_system | pan:system | netops | none |
+| pan_config | pan:config | netops | none |
+| pan_hipwatch | pan:hipwatch | netops | none |
+| pan_correlation | pan:correlation | netops | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration
+ * Select TCP or SSL transport option
+ * Select IETF Format
+ * Ensure the format of the event is not customized
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_PALOALTO_PANOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_PALOALTO_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active firewall will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=pan:*| stats count by host
+```
diff --git a/docs/sources/Proofpoint/index.md b/docs/sources/Proofpoint/index.md
new file mode 100644
index 0000000..1fac35c
--- /dev/null
+++ b/docs/sources/Proofpoint/index.md
@@ -0,0 +1,53 @@
+# Vendor - Proofpoint
+
+## Product - Proofpoint Protection Server
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/3080/ |
+| Product Manual | https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| pps_filter_log | |
+| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| proofpoint_pps_filter | pps_filter_log | email | none |
+| proofpoint_pps_sendmail | pps_mail_log | email | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related
+messages to create meaningful final output. This will require follow-on processing in Splunk.
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per referenced Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. |
+| SC4S_PROOFPOINT_PPS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined. |
+| SC4S_ARCHIVE_PROOFPOINT_PPS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_PROOFPOINT_PPS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them:
+
+```
+index= sourcetype=pps_*_log | stats count by host
+```
\ No newline at end of file
diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md
new file mode 100644
index 0000000..e169c78
--- /dev/null
+++ b/docs/sources/Symantec/index.md
@@ -0,0 +1,51 @@
+# Vendor - Symantec
+
+## Product - ProxySG/ASG (Bluecoat)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ |
+| Product Manual | https://support.symantec.com/us/en/article.tech242216.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| bluecoat:proxysg:access:kv | Requires version TA 3.6 |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| bluecoat_proxy | bluecoat:proxysg:access:kv | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source |
+| SC4S_DEST_SYMANTEC_PROXY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=bluecoat:proxysg:access:kv | stats count by host
+```
diff --git a/docs/sources/Ubiquiti/index.md b/docs/sources/Ubiquiti/index.md
new file mode 100644
index 0000000..1769377
--- /dev/null
+++ b/docs/sources/Ubiquiti/index.md
@@ -0,0 +1,75 @@
+# Vendor - Ubiquiti - Unifi
+
+All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS.
+
+
+* Login to NMS
+* Navigate to settings
+* Navigate to Site
+* Enable Remote syslog server
+* Enter hostname and port
+* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls
+
+## Product - Unifi Switch and Access Points
+
+Unifi devices are managed using the Network Management Controller
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/4107/ |
+| Product Manual | https://https://help.ubnt.com/ |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ubnt | Used when no sub source type is required by add on |
+| ubnt:fw | USG events |
+| ubnt:threat | USG IDS events |
+| ubnt:switch | Unifi Switches |
+| ubnt:wireless | Access Point logs |
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| ubiquiti_unifi | ubnt | netops | none |
+| ubiquiti_unifi_fw | ubnt:fw | netfw | none |
+| ubiquiti_unifi_link | ubnt:link | netops | none |
+| ubiquiti_unifi_sudo | ubnt:sudo | netops | none |
+| ubiquiti_unifi_switch | ubnt:switch | netops | none |
+| ubiquiti_unifi_threat | ubnt:threat | netids | none |
+| ubiquiti_unifi_wireless | ubnt:wireless | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_UBIQUITI_UNIFI | no | Enable archive to disk for this specific source |
+| SC4S_DEST_UBIQUITI_UNIFI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=zscalernss-* | stats count by host
+```
diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md
new file mode 100644
index 0000000..67b70e1
--- /dev/null
+++ b/docs/sources/Zscaler/index.md
@@ -0,0 +1,69 @@
+# Vendor - Zscaler
+
+## Product - All Products
+
+The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page
+26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize
+the IP or host name of the SC4S instance and port 514
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ |
+| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. |
+| zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. |
+| zscalernss-web | None |
+| zscalernss-zpa-app | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. |
+| zscalernss-zpa-auth | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. |
+| zscalernss-zpa-connector | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth_connector`` immediately prior to the ``\n`` in the LSS Connector format. See Zscaler manual for more info. |
+| zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. |
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| zscalernss_alerts | zscalernss-alerts | main | none |
+| zscalernss_dns | zscalernss-dns | netdns | none |
+| zscalernss_fw | zscalernss-fw | netfw | none |
+| zscalernss_web | zscalernss-web | netproxy | none |
+| zscalernss-zpa-app | zscalernss_zpa-app | netids | none |
+| zscalernss-zpa-auth | zscalernss_zpa_auth | netauth | none |
+| zscalernss-zpa-connector | zscalernss_zpa_connector | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_ZSCALER_NSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_ZSCALER_NSS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_ZSCALER_NSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=zscalernss-* | stats count by host
+```
diff --git a/docs/sources/index.md b/docs/sources/index.md
new file mode 100644
index 0000000..c32c773
--- /dev/null
+++ b/docs/sources/index.md
@@ -0,0 +1,7 @@
+# Introduction
+When using Splunk Connect for Syslog to onboard a data source, the SC4S filter performs the operations that are traditionally performed at index-time by the corresponding Technical Add-on installed there. These index-time operations include linebreaking, sourcetype setting and timestamping. For this reason, if a data source is exclusively onboarded using SC4S then you will not need to install its corresponding Add-On on the indexers. You must, however, install the Add-on on the search head(s) for the user communities interested in this data source.
+
+SC4S "unique" filters are based either on the port upon which events arrive or the hostname/CIDR block from which they are sent. The "soup" filters run for events that arrive on port 514 (default for syslog), and contain regex and other syslog-specific parsers to identify events from a specific source, apply the correct sourcetype, and set other metadata. Data sources which generate events that are not unique enough to accurately identify with soup filters _must_ employ the "unique" filters (port/hostname/CIDR block) instead -- the soup filters are unavailable for these sources.
+
+If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help.
+
diff --git a/mkdocs-requirements.txt b/mkdocs-requirements.txt new file mode 100644 index 0000000..4c8f017 --- /dev/null +++ b/mkdocs-requirements.txt @@ -0,0 +1 @@ +mkdocs-material diff --git a/mkdocs.yml b/mkdocs.yml index cc7f4e8..6b82a92 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,10 +1,44 @@ site_name: Splunk Connect for Syslog -theme: readthedocs + nav: - Home: 'index.md' - - Performance: 'performance.md' - - Getting Started: 'gettingstarted.md' - - Demo Lab: 'demo.md' + - Getting Started: + - 'Read First': 'gettingstarted/index.md' + - 'Podman + systemd single node': 'gettingstarted/podman-systemd-general.md' + - 'Docker CE + systemd single node': 'gettingstarted/docker-systemd-general.md' + - 'Docker CE + Swarm single node': 'gettingstarted/docker-swarm-rhel7.md' + - 'Bring your own Envionment': 'gettingstarted/byoe-rhel7.md' - Configuration: 'configuration.md' - - Sources: 'sources.md' + - Sources: + - About: sources/index.md + - Checkpoint: sources/Checkpoint/index.md + - Cisco: sources/Cisco/index.md + - Forcepoint: sources/Forcepoint/index.md + - Fortinet: sources/Fortinet/index.md + - Imperva: sources/Imperva/index.md + - Juniper: sources/Juniper/index.md + - Microfocus: sources/Microfocus/index.md + - 'Paloalto Networks': sources/PaloaltoNetworks/index.md + - Proofpoint: sources/Proofpoint/index.md + - Symantec: sources/Symantec/index.md + - Ubiquiti: sources/Ubiquiti/index.md + - Zscaler: sources/Zscaler/index.md + - 'Demo Lab': 'demo.md' + - Performance: 'performance.md' - Troubleshooting: 'troubleshooting.md' + +markdown_extensions: + - toc: + permalink: True + - smarty + - fenced_code + - sane_lists + - codehilite + +theme: + name: 'material' + palette: + primary: 'black' + accent: 'orange' + favicon: 'logo.png' + logo: 'logo.png' \ No newline at end of file
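Review bot: The single added line `mkdocs-material` in mkdocs-requirements.txt carries no version constraint, so every documentation build resolves whatever release is current at build time and the build is not reproducible. A pinned entry such as `mkdocs-material==<version the docs were built with>` (placeholder) keeps the build deterministic and makes theme upgrades a reviewed change rather than a side effect. If a range is preferred, a compatible-release specifier (`~=`) still bounds the major version.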
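Review bot: The new nav entry `- 'Bring your own Envionment': 'gettingstarted/byoe-rhel7.md'` in mkdocs.yml misspells the label shown in the site navigation; it should read `- 'Bring your own Environment': 'gettingstarted/byoe-rhel7.md'`. As a point of style, the added nav entries mix quoted and unquoted values (`'gettingstarted/index.md'` beside `sources/index.md`); both are valid YAML, but one form throughout the list is easier to scan.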