diff --git a/docs/sources/nix/index.md b/docs/sources/nix/index.md
new file mode 100644
index 0000000..64e9e4b
--- /dev/null
+++ b/docs/sources/nix/index.md
@@ -0,0 +1,50 @@
+# Vendor - Nix Generic
+
+## Product - All Products
+
+Many appliance vendor utilize Linux and BSD distributions as the foundation of the solution when configured to provide
+syslog output these devices can be monitored using the common Splunk Nix TA
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/833/ |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| nix:syslog | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| nix_syslog | nix:syslog | osnix | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_ARCHIVE_NIX_SYSLOG | no | Enable archive to disk for this specific source |
+| SC4S_DEST_NIX_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index=osnix sourcetype=nix:syslog | stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index 6b82a92..3848849 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -17,6 +17,7 @@ nav:
 - Fortinet: sources/Fortinet/index.md
 - Imperva: sources/Imperva/index.md
 - Juniper: sources/Juniper/index.md
+ - Nix: sources/nix/index.md
 - Microfocus: sources/Microfocus/index.md
 - 'Paloalto Networks': sources/PaloaltoNetworks/index.md
 - Proofpoint: sources/Proofpoint/index.md
diff --git a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
index b809caf..9e2547e 100644
--- a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl
@@ -15,9 +15,15 @@ log {
 rewrite {
 set("nix_syslog", value("fields.sc4s_vendor_product"));
 subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+ set("${PROGRAM}", value(".PROGRAM"));
+ subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+ };
+
+ rewrite {
+ r_set_splunk_dest_default(sourcetype("nix:syslog"), index("main"), source("program:${.PROGRAM}") )
+ };
- rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("main"))};
 parser { p_add_context_splunk(key("nix_syslog")); };
 parser (compliance_meta_by_source);
diff --git a/package/etc/context_templates/splunk_index.csv b/package/etc/context_templates/splunk_index.csv
index d4c05b9..eaf846d 100644
--- a/package/etc/context_templates/splunk_index.csv
+++ b/package/etc/context_templates/splunk_index.csv
@@ -35,6 +35,7 @@
 #juniper_nsm,index,netfw
 #juniper_nsm_idp,index,netids
 #juniper_legacy,index,netops
+#nix_syslog,index,osnix
 #pan_traffic,index,netfw
 #pan_threat,index,netproxy
 #pan_system,index,netops
diff --git a/splunk/etc/apps/SA-syslog-ng/default/indexes.conf b/splunk/etc/apps/SA-syslog-ng/default/indexes.conf
index 04c2df6..9c64a84 100644
--- a/splunk/etc/apps/SA-syslog-ng/default/indexes.conf
+++ b/splunk/etc/apps/SA-syslog-ng/default/indexes.conf
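Review bot: The new rewrite block copies the sender-supplied PROGRAM into `.PROGRAM`, strips only a leading absolute-path prefix with `subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"))`, and then promotes it unbounded via `source("program:${.PROGRAM}")`, so whatever string a client places in the syslog program field becomes a Splunk `source` value — an indexed metadata field whose cardinality is now controlled by the sender rather than by configuration. A comment on the new `set(...)` line such as `# .PROGRAM is the message's PROGRAM with any leading path removed; it feeds source= below, so its cardinality is sender-controlled` would make that trade-off visible, and bounding the value (length or character class) before it reaches the destination rewrite is worth considering. The `r_set_splunk_dest_default(...)` call inside the new block has no terminating `;`; the removed one-liner did not either, so it presumably parses, but matching the `;`-terminated statements above it would be the conventional form. The enclosing `log {` block starts before this hunk.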
@@ -26,6 +26,11 @@
 homePath = $SPLUNK_DB/test2/db
 coldPath = $SPLUNK_DB/test2/colddb
 thawedPath = $SPLUNK_DB/test2/thaweddb
+[osnix]
+homePath = $SPLUNK_DB/osnix/db
+coldPath = $SPLUNK_DB/osnix/colddb
+thawedPath = $SPLUNK_DB/osnix/thaweddb
+
 [oswin]
 homePath = $SPLUNK_DB/oswin/db
 coldPath = $SPLUNK_DB/oswin/colddb
diff --git a/tests/test_linux_syslog.py b/tests/test_linux_syslog.py
index 3731db0..914dea6 100644
--- a/tests/test_linux_syslog.py
+++ b/tests/test_linux_syslog.py
@@ -16,7 +16,7 @@ env = Environment(extensions=['jinja2_time.TimeExtension'])
 #<78>Oct 25 09:10:00 /usr/sbin/cron[54928]: (root) CMD (/usr/libexec/atrun)
-def test_linux_program_as_path(record_property, setup_wordlist, setup_splunk):
+def test_linux__nohost_program_as_path(record_property, setup_wordlist, setup_splunk):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 pid = random.randint(1000, 32000)
@@ -36,7 +36,27 @@ def test_linux_program_as_path(record_property, setup_wordlist, setup_splunk):
 assert resultCount == 1
-def test_linux_program_conforms(record_property, setup_wordlist, setup_splunk):
+def test_linux__host_program_as_path(record_property, setup_wordlist, setup_splunk):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ pid = random.randint(1000, 32000)
+
+ mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
+ message = mt.render(mark="<111>", host=host, pid=pid)
+
+ sendsingle(message)
+
+ st = env.from_string("search index=main \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" | head 2")
+ search = st.render(host=host, pid=pid)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+def test_linux__nohost_program_conforms(record_property, setup_wordlist, setup_splunk):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 pid = random.randint(1000, 32000)
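Review bot: Neither new test constrains the `source` metadata even though this commit's conf change is precisely about deriving it from PROGRAM: the search `search index=main \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" | head 2` in `test_linux__host_program_as_path` would still return one event if the path-stripping rewrite left `/usr/sbin/cron` in place, so adding `source=\"program:cron\"` to the search template here and in `test_linux__host_program_conforms` (next hunk) is what actually pins the new behaviour. The four tests are now near-identical copies differing only in the presence of `{{ host }}` and the program form; one helper taking the message template, or `pytest.mark.parametrize` over the two variations, would keep them from drifting. `eventCount` is assigned and never read in the new function, and the double underscore in `test_linux__host_program_as_path` / `test_linux__nohost_program_conforms` looks accidental. The renamed `test_linux__nohost_program_conforms` continues past the end of the hunk.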
@@ -54,4 +74,24 @@ def test_linux_program_conforms(record_property, setup_wordlist, setup_splunk):
 record_property("resultCount", resultCount)
 record_property("message", message)
+ assert resultCount == 1
+
+def test_linux__host_program_conforms(record_property, setup_wordlist, setup_splunk):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ pid = random.randint(1000, 32000)
+
+ mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
+ message = mt.render(mark="<111>", host=host, pid=pid)
+
+ sendsingle(message)
+
+ st = env.from_string("search index=main \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" | head 2")
+ search = st.render(host=host, pid=pid)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
 assert resultCount == 1
\ No newline at end of file
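Review bot: The file still ends without a trailing newline (`\ No newline at end of file`) after the final `assert resultCount == 1`, which this commit touches by appending `test_linux__host_program_conforms` directly above it. Since the end of the file is being rewritten anyway, terminating that last line now would stop every later diff of this file from carrying the marker and keeps linters that flag an incomplete last line quiet. The new function itself starts and ends within the hunk.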