final
rfaircloth-splunk committed Dec 12, 2019
1 parent df88021 commit 1233911
Showing 6 changed files with 106 additions and 3 deletions.
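--- a/docs/sources/nix/index.md
+++ b/docs/sources/nix/index.md
@@ -0,0 +1,50 @@
+# Vendor - Nix Generic
+
+## Product - All Products
+
+Many appliance vendor utilize Linux and BSD distributions as the foundation of the solution when configured to provide
+syslog output these devices can be monitored using the common Splunk Nix TA
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/833/ |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| nix:syslog | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| nix_syslog | nix:syslog | osnix | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_ARCHIVE_NIX_SYSLOG | no | Enable archive to disk for this specific source |
+| SC4S_DEST_NIX_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index=osnix sourcetype=nix:syslog | stats count by host
+```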
1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -17,6 +17,7 @@ nav:
- Fortinet: sources/Fortinet/index.md
- Imperva: sources/Imperva/index.md
- Juniper: sources/Juniper/index.md
- Nix: sources/nix/index.md
- Microfocus: sources/Microfocus/index.md
- 'Paloalto Networks': sources/PaloaltoNetworks/index.md
- Proofpoint: sources/Proofpoint/index.md
8 changes: 7 additions & 1 deletion package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
Expand Up @@ -15,9 +15,15 @@ log {
rewrite {
set("nix_syslog", value("fields.sc4s_vendor_product"));
subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
set("${PROGRAM}", value(".PROGRAM"));
subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
};

rewrite {
r_set_splunk_dest_default(sourcetype("nix:syslog"), index("main"), source("program:${.PROGRAM}") )

};

rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("main"))};
parser { p_add_context_splunk(key("nix_syslog")); };

parser (compliance_meta_by_source);
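Review bot: The new `r_set_splunk_dest_default(sourcetype("nix:syslog"), index("main"), source("program:${.PROGRAM}") )` call keeps `main` as the shipped default index, while docs/sources/nix/index.md in this same commit lists `osnix` as the index for `nix_syslog` and its verification search uses `index=osnix`, yet the `nix_syslog,index,osnix` line added to package/etc/context_templates/splunk_index.csv is commented out, so a reader following the docs finds no events until they edit the CSV. Either use `index("osnix")` here to match the docs and the new `[osnix]` stanza in splunk/etc/apps/SA-syslog-ng/default/indexes.conf, or have the docs table state that `osnix` is the recommended override and `main` is the default. Separately, `source("program:${.PROGRAM}")` is populated from the sender-supplied PROGRAM header after only a leading path is stripped by the `subst` above it, so the Splunk `source` field is whatever the device chose to send; a comment such as `# source is derived from the message's PROGRAM field (only a leading path is removed); treat it as reported, not verified` would keep downstream consumers from reading it as a trusted identifier. The enclosing `log { ... }` block starts and ends outside the hunk.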
1 change: 1 addition & 0 deletions package/etc/context_templates/splunk_index.csv
Expand Up @@ -35,6 +35,7 @@
#juniper_nsm,index,netfw
#juniper_nsm_idp,index,netids
#juniper_legacy,index,netops
#nix_syslog,index,osnix
#pan_traffic,index,netfw
#pan_threat,index,netproxy
#pan_system,index,netops
5 changes: 5 additions & 0 deletions splunk/etc/apps/SA-syslog-ng/default/indexes.conf
Expand Up @@ -26,6 +26,11 @@ homePath = $SPLUNK_DB/test2/db
coldPath = $SPLUNK_DB/test2/colddb
thawedPath = $SPLUNK_DB/test2/thaweddb

[osnix]
homePath = $SPLUNK_DB/osnix/db
coldPath = $SPLUNK_DB/osnix/colddb
thawedPath = $SPLUNK_DB/osnix/thaweddb

[oswin]
homePath = $SPLUNK_DB/oswin/db
coldPath = $SPLUNK_DB/oswin/colddb
44 changes: 42 additions & 2 deletions tests/test_linux_syslog.py
Expand Up @@ -16,7 +16,7 @@
env = Environment(extensions=['jinja2_time.TimeExtension'])

#<78>Oct 25 09:10:00 /usr/sbin/cron[54928]: (root) CMD (/usr/libexec/atrun)
def test_linux_program_as_path(record_property, setup_wordlist, setup_splunk):
def test_linux__nohost_program_as_path(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
pid = random.randint(1000, 32000)

Expand All @@ -36,7 +36,27 @@ def test_linux_program_as_path(record_property, setup_wordlist, setup_splunk):

assert resultCount == 1

def test_linux_program_conforms(record_property, setup_wordlist, setup_splunk):
def test_linux__host_program_as_path(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
pid = random.randint(1000, 32000)

mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
message = mt.render(mark="<111>", host=host, pid=pid)

sendsingle(message)

st = env.from_string("search index=main \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" | head 2")
search = st.render(host=host, pid=pid)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

def test_linux__nohost_program_conforms(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
pid = random.randint(1000, 32000)

Expand All @@ -54,4 +74,24 @@ def test_linux_program_conforms(record_property, setup_wordlist, setup_splunk):
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

def test_linux__host_program_conforms(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
pid = random.randint(1000, 32000)

mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
message = mt.render(mark="<111>", host=host, pid=pid)

sendsingle(message)

st = env.from_string("search index=main \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" | head 2")
search = st.render(host=host, pid=pid)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1
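Review bot: Neither new test verifies that the `/usr/sbin/cron` path is actually stripped, because the searches in `test_linux__host_program_as_path` and `test_linux__host_program_conforms` filter only on pid, host and sourcetype, so the `subst` and `source("program:${.PROGRAM}")` rewrite added in package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl would still pass if the path survived. Adding the expected source to the as-path search, e.g. `st = env.from_string("search index=main \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" source=\"program:cron\" | head 2")`, pins the behaviour this commit introduces (assuming syslog-ng takes PROGRAM as `/usr/sbin/cron` up to the `[`, which the conf's regex implies). The four tests now repeat the same render/send/search/record_property sequence with only the message template varying; a small module-level helper taking the template string would remove that duplication and make the next variant a one-liner. The double underscore in `test_linux__host_...` and `test_linux__nohost_...` reads like a typo and is worth normalising to a single underscore while the names are being changed anyway. The first hunk's function body and the start of `test_linux__nohost_program_conforms` lie outside the hunks shown.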
