From 38e86fb075560a349034eb13884d89753372e772 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 12 Dec 2019 18:55:08 -0500 Subject: [PATCH 1/5] Provide support for SMG Initial support for SMG --- docs/sources/Symantec/index.md | 50 ++++++++++++++++ .../conf.d/filters/symantec/brightmail.conf | 3 + .../p_rfc3165-symantec_brightmail.conf.tmpl | 59 +++++++++++++++++++ .../apps/SA-syslog-ng/default/indexes.conf | 5 ++ tests/test_symantec_brightmail.py | 34 +++++++++++ 5 files changed, 151 insertions(+) create mode 100644 package/etc/conf.d/filters/symantec/brightmail.conf create mode 100644 package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl create mode 100644 tests/test_symantec_brightmail.py diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md index e169c78..c92bc05 100644 --- a/docs/sources/Symantec/index.md +++ b/docs/sources/Symantec/index.md 
@@ -49,3 +49,53 @@ An active proxy will generate frequent events. Use the following search to valid ``` index= sourcetype=bluecoat:proxysg:access:kv | stats count by host ``` + +## Product - Mail Gateway (Brightmail) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | TBD | +| Product Manual | https://support.symantec.com/us/en/article.howto38250.html | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| symantec:smg | Requires version TA 3.6 | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| symantec_brightmail | symantec:smg | email | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* No TA available +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration + * Select TCP or SSL transport option + * Ensure the format of the event is customized per Splunk documentation + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source | +| SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active mail server will generate frequent events. Use the following search to validate events are present per source device + +``` +index= sourcetype=symantec:smg | stats count by host +``` diff --git a/package/etc/conf.d/filters/symantec/brightmail.conf b/package/etc/conf.d/filters/symantec/brightmail.conf new file mode 100644 index 0000000..af6f53e --- /dev/null +++ b/package/etc/conf.d/filters/symantec/brightmail.conf @@ -0,0 +1,3 @@ +filter f_symantec_brightmail { + message("[Brightmail]") +}; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl new file mode 100644 index 0000000..41cc15d --- /dev/null +++ b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl 
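Review bot: `message("[Brightmail]")` in the new `filter f_symantec_brightmail` is evaluated as a regular expression, so the unescaped brackets form a character class and the filter matches any message containing one of the letters B, r, i, g, h, t, m, a or l rather than the literal `[Brightmail]` tag; on the shared default port that would pull a large share of unrelated traffic into this log path. Escape the brackets, `message('\[Brightmail\]')`. The file is also written without a trailing newline, which the "No newline at end of file" marker shows.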
@@ -0,0 +1,59 @@ +# Proofpoint +{{ $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }} +{{ tmpl.Exec "t/source_network.t" $context }} +# The following is an inline template; we will use this to generate the actual log path +{{ define "log_path" }} +log { +{{- if eq (.) "yes" }} + source(s_DEFAULT); + filter(f_symantec_brightmail); +{{- end }} +{{- if eq (.) "no" }} + source (s_SYMANTEC_BRIGHTMAIL); +{{- end }} + + rewrite { + set("symantec_brightmail", value("fields.sc4s_vendor_product")); + subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); + set("${PROGRAM}", value(".PROGRAM")); + subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); + }; + + rewrite { + r_set_splunk_dest_default(sourcetype("symantec:smg"), index("email"), source("program:${.PROGRAM}") ) + + }; + + parser { p_add_context_splunk(key("symantec_brightmail")); }; + + parser (compliance_meta_by_source); + + #We want to unset the fields we won't need, as this is copied into the + #disk queue for network destinations. 
This can be very disk expensive + #if we don't + rewrite { + set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); + unset(value("RAWMSG")); + unset(value("PROGRAM")); + unset(value("LEGACY_MSGHDR")); + }; + +{{- if ((getenv "SC4S_SYMANTEC_BRIGHTMAIL_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC" "no") | conv.ToBool) }} + destination(d_hec); +{{- end}} + +{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }} + destination(d_archive); +{{- end}} + + flags(flow-control,final); +}; +{{- end}} + +{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT"))) (getenv (print "SC4S_SYMANTEC_BRIGHTMAIL_NSS_TLS_PORT")) }} +# Listen on the specified dedicated port(s) for SYMANTEC_BRIGHTMAIL traffic + {{ tmpl.Exec "log_path" "no" }} +{{- end}} + +# Listen on the default port (typically 514) for SYMANTEC_BRIGHTMAIL traffic +{{ tmpl.Exec "log_path" "yes" }} diff --git a/splunk/etc/apps/SA-syslog-ng/default/indexes.conf b/splunk/etc/apps/SA-syslog-ng/default/indexes.conf index 9c64a84..b2ecfa9 100644 --- a/splunk/etc/apps/SA-syslog-ng/default/indexes.conf +++ b/splunk/etc/apps/SA-syslog-ng/default/indexes.conf @@ -4,6 +4,11 @@ homePath = $SPLUNK_DB/syslogng_metrics/db coldPath = $SPLUNK_DB/syslogng_metrics/colddb thawedPath = $SPLUNK_DB/syslogng_metrics/thaweddb +[email] +homePath = $SPLUNK_DB/email/db +coldPath = $SPLUNK_DB/email/colddb +thawedPath = $SPLUNK_DB/email/thaweddb + [em_metrics] datatype=metric homePath = $SPLUNK_DB/em_metrics/db diff --git a/tests/test_symantec_brightmail.py b/tests/test_symantec_brightmail.py new file mode 100644 index 0000000..5fa0498 --- /dev/null +++ b/tests/test_symantec_brightmail.py 
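Review bot: The template reads `SC4S_SYMANTEC_BRIGHTMAIL_GLOBAL` (default `yes`) and `SC4S_SYMANTEC_BRIGHTMAIL_NSS_TLS_PORT`, but neither appears in the Options table this commit adds to docs/sources/Symantec/index.md, which lists only the TCP/UDP port, archive and HEC variables; the HEC row says "when Splunk HEC is disabled globally" without naming the variable that disables it. Document both, or drop the TLS port from the listen condition if the sourced `t/source_network.t` does not define such a listener (not visible here). On the `destination(d_hec)` guard, `conv.ToBool` is applied twice to the same value, `(conv.ToBool (getenv "SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC" "no") | conv.ToBool)`; one call is enough. The `# Proofpoint` header comment on the first line is a leftover from whichever template this file was copied from and should name this product.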
@@ -0,0 +1,34 @@ +# Copyright 2019 Splunk, Inc. +# +# Use of this source code is governed by a BSD-2-clause-style +# license that can be found in the LICENSE-BSD2 file or at +# https://opensource.org/licenses/BSD-2-Clause +import random + +from jinja2 import Environment + +from .sendmessage import * +from .splunkutils import * + +env = Environment(extensions=['jinja2_time.TimeExtension']) +# <141>Oct 24 21:05:43 smg-1 conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully. +def test_symantec_brightmail(record_property, setup_wordlist, setup_splunk): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + + mt = env.from_string( + "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully.") + message = mt.render(mark="<134>", host=host) + sendsingle(message) + + st = env.from_string("search index=email host=\"{{ host }}\" sourcetype=\"symantec:smg\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + +# From bd0a9d6a77e15da04ae71b8f2576c913cb6ca6ed Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 12 Dec 2019 22:53:01 -0500 Subject: [PATCH 2/5] Final updates --- docs/sources/Symantec/index.md | 2 +- .../conf.d/filters/symantec/brightmail.conf | 5 +- .../p_rfc3165-symantec_brightmail.conf.tmpl | 119 ++++++++++++++---- tests/test_symantec_brightmail.py | 37 ++++++ 4 files changed, 136 insertions(+), 27 deletions(-) diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md index c92bc05..dc6dcf2 100644 --- a/docs/sources/Symantec/index.md +++ b/docs/sources/Symantec/index.md 
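Review bot: The sample in the comment above `test_symantec_brightmail` carries PRI `<141>`, but the rendered fixture uses `mark="<134>"`, so the test no longer sends the documented sample (facility and severity differ between the two values); use the same PRI in both. `eventCount` returned by `splunk_single` is never read, and the wildcard imports `from .sendmessage import *` / `from .splunkutils import *` hide where `sendsingle` and `splunk_single` come from — import the two names explicitly.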
@@ -91,7 +91,7 @@ MSG Parse: This filter parses message content | SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | | SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source | | SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - +| SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG | yes | Email processing events generated by the bmserver process will be grouped by host+program+pid+msg ID into a single event | ### Verification An active mail server will generate frequent events. Use the following search to validate events are present per source device diff --git a/package/etc/conf.d/filters/symantec/brightmail.conf b/package/etc/conf.d/filters/symantec/brightmail.conf index af6f53e..7d78535 100644 --- a/package/etc/conf.d/filters/symantec/brightmail.conf +++ b/package/etc/conf.d/filters/symantec/brightmail.conf @@ -1,3 +1,6 @@ filter f_symantec_brightmail { - message("[Brightmail]") + message('\[Brightmail\]') or program("bmserver") +}; +filter f_symantec_brightmail_details { + program("bmserver") and not message('\[Brightmail\]') }; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl index 41cc15d..ae26f0f 100644 --- a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl 
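Review bot: Both `f_symantec_brightmail` and the new `f_symantec_brightmail_details` classify solely on sender-supplied fields — the `program` value `bmserver` and the `[Brightmail]` tag in the message text — so on the shared default listener any host whose events carry that program name is routed into the `email` index and, when the grouping feature is enabled, into the grouping parser. That is inherent to syslog, but the file should say so for operators; a one-line comment such as `# content-based classification; on a shared collector prefer the dedicated SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_* port` would do. The regex literal `'\[Brightmail\]'` is now duplicated across the two filters, and the file still ends without a trailing newline.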
@@ -1,4 +1,25 @@ -# Proofpoint +filter f_symantec_brightmail_complete{ + match("yes", value("SMG.COMPLETE") type(glob)); +}; + +parser symantec_brightmail_grouping { + csv-parser( + columns(PID, SMG.seq, MESSAGE) + delimiters(chars("|")) + flags(greedy) + ); + grouping-by( + scope(program) + key("${SMG.seq}") + timeout(2) + aggregate( + value("MESSAGE" "${PID}|${SMG.seq}|$(implode ';' $(context-values ${MESSAGE}))") + value("SMG.COMPLETE" "yes") + ) + ); +}; + + {{ $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }} {{ tmpl.Exec "t/source_network.t" $context }} # The following is an inline template; we will use this to generate the actual log path 
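Review bot: `grouping-by` keys the context on `${SMG.seq}`, which the preceding `csv-parser` takes from the second `|`-separated column of the message, i.e. from event content; a line that does not follow the `epoch|msgid|...` layout yields an empty or unrelated key, and with `scope(program)` all such lines from one host would be folded into a single aggregate whose `MESSAGE` is the `implode` of everything collected. A guard that the key is non-empty before the aggregate, or a comment stating the expected line shape, would make that explicit. `timeout(2)` is a hard-coded two-second window, so message lines logged after it (the final `VERDICT` line in the test fixture arrives last) end up in a second aggregate or ungrouped; consider exposing it as `SC4S_SYMANTEC_BRIGHTMAIL_GROUP_TIMEOUT` (constructed name) via `getenv` like the other knobs. Whether the csv-parser's default quote handling would swallow a `|` inside free-text `SUBJECT`/`MSGID` columns is not visible here and is worth a check.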
@@ -6,46 +27,94 @@ log { {{- if eq (.) "yes" }} source(s_DEFAULT); + filter(f_is_rfc3164); filter(f_symantec_brightmail); {{- end }} {{- if eq (.) "no" }} source (s_SYMANTEC_BRIGHTMAIL); {{- end }} - rewrite { - set("symantec_brightmail", value("fields.sc4s_vendor_product")); - subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); - set("${PROGRAM}", value(".PROGRAM")); - subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); - }; +{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) - rewrite { - r_set_splunk_dest_default(sourcetype("symantec:smg"), index("email"), source("program:${.PROGRAM}") ) + if { + filter(f_symantec_brightmail_details); - }; + parser(symantec_brightmail_grouping); + {{- end}} + if { + filter(f_symantec_brightmail_complete); - parser { p_add_context_splunk(key("symantec_brightmail")); }; + rewrite { + set("symantec_brightmail", value("fields.sc4s_vendor_product")); + }; - parser (compliance_meta_by_source); + rewrite { + r_set_splunk_dest_default(sourcetype("symantec:smg:mail"), index("email"), source("program:${.PROGRAM}") ) - #We want to unset the fields we won't need, as this is copied into the - #disk queue for network destinations. This can be very disk expensive - #if we don't - rewrite { - set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); - unset(value("RAWMSG")); - unset(value("PROGRAM")); - unset(value("LEGACY_MSGHDR")); - }; + }; + + parser { p_add_context_splunk(key("symantec_brightmail")); }; + + parser (compliance_meta_by_source); + + #We want to unset the fields we won't need, as this is copied into the + #disk queue for network destinations. 
This can be very disk expensive + #if we don't + rewrite { + set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); + unset(value("RAWMSG")); + unset(value("PROGRAM")); + unset(value("LEGACY_MSGHDR")); + }; + + {{- if ((getenv "SC4S_SYMANTEC_BRIGHTMAIL_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC" "no") | conv.ToBool) }} + destination(d_hec); + {{- end}} -{{- if ((getenv "SC4S_SYMANTEC_BRIGHTMAIL_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC" "no") | conv.ToBool) }} - destination(d_hec); + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }} + destination(d_archive); + {{- end}} + + }; + } else { {{- end}} + rewrite { + set("symantec_brightmail", value("fields.sc4s_vendor_product")); + }; + + rewrite { + r_set_splunk_dest_default(sourcetype("symantec:smg"), index("email"), source("program:${.PROGRAM}") ) + + }; + + parser { p_add_context_splunk(key("symantec_brightmail")); }; + + parser (compliance_meta_by_source); + + #We want to unset the fields we won't need, as this is copied into the + #disk queue for network destinations. 
This can be very disk expensive + #if we don't + rewrite { + set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); + unset(value("RAWMSG")); + unset(value("PROGRAM")); + unset(value("LEGACY_MSGHDR")); + }; -{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }} - destination(d_archive); + {{- if ((getenv "SC4S_SYMANTEC_BRIGHTMAIL_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC" "no") | conv.ToBool) }} + destination(d_hec); + {{- end}} + + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }} + destination(d_archive); + {{- end}} + +{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) + + }; {{- end}} + flags(flow-control,final); }; {{- end}} diff --git a/tests/test_symantec_brightmail.py b/tests/test_symantec_brightmail.py index 5fa0498..6e877f9 100644 --- a/tests/test_symantec_brightmail.py +++ b/tests/test_symantec_brightmail.py @@ -4,6 +4,7 @@ # license that can be found in the LICENSE-BSD2 file or at # https://opensource.org/licenses/BSD-2-Clause import random +import uuid from jinja2 import Environment 
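Review bot: The grouped branch assigns `sourcetype("symantec:smg:mail")` while the Sourcetypes table in docs/sources/Symantec/index.md still lists only `symantec:smg`, and the new test searches for `symantec:smg:mail`; add a row for the new sourcetype describing that it holds the aggregated `bmserver` message. The `if { … } else { … }` branches repeat the `fields.sc4s_vendor_product` rewrite, `p_add_context_splunk`, `compliance_meta_by_source`, the field-unset rewrite and the `d_hec`/`d_archive` blocks, differing only in the sourcetype passed to `r_set_splunk_dest_default`; keeping only that call in the branches and placing the shared tail once after the `if`/`else` would roughly halve the block and remove the risk of the two copies drifting. The enclosing `log { … }` block opens and closes outside this hunk.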
@@ -31,4 +32,40 @@ def test_symantec_brightmail(record_property, setup_wordlist, setup_splunk): assert resultCount == 1 +def test_symantec_brightmail_msg(record_property, setup_wordlist, setup_splunk): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + msgid = uuid.uuid4() + + mt = env.from_string("""{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|VERDICT|someone@example.com|none|default|default\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|FIRED|someone@example.com|none\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|UNTESTED|someone@example.com|safe|opl|content_1574820902092|content_1574820956288|content_1574821059194|content_1574821017042|sys_deny_ip|sys_allow_ip|sys_deny_email|dns_allow|dns_deny|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|blockedlang|knownlang\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|LOGICAL_IP|200.200.200.154\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|google-play_111-33.png\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|mac_appstore_136_33.png\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|6f0c8ad8-e0da-4bcc-aac9-8fa71ba43bb6.jpg\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|b340ec99-9c66-4a19-a2f4-ee467e0d63e1.jpg\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|product-logo.update.png\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID 
}}|ATTACHFILTER|header-research.png\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|ms-logo-138.png\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|ATTACH|ms-logo-138.png|header-research.png|product-logo.update.png|b340ec99-9c66-4a19-a2f4-ee467e0d63e1.jpg|6f0c8ad8-e0da-4bcc-aac9-8fa71ba43bb6.jpg|mac_appstore_136_33.png|google-play_111-33.png\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|EHLO|mail6.bemta23.messagelabs.com\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|MSG_SIZE|94239\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|MSGID| <7jszytr60wmja@example.com>\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|SUBJECT|pulse: this is a subject\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|SOURCE|external\n +{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195987|{{ MSGID }}|VERDICT||connection_class_1|default|static connection class 1\n""") + message = mt.render(mark="<1>", host=host, MSGID=msgid) + sendsingle(message) + + st = env.from_string("search index=email host=\"{{ host }}\" sourcetype=\"symantec:smg:mail\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + # From 1f02296db1c35107f6b610b976c48a085dbf859d Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 12 Dec 2019 23:14:16 -0500 Subject: [PATCH 3/5] Update p_rfc3165-symantec_brightmail.conf.tmpl --- .../conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
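Review bot: The fixture in `test_symantec_brightmail_msg` mixes literal `\n` escapes with the physical newlines of the triple-quoted string, so each event is followed by an empty line; whether `sendsingle` tolerates that depends on its implementation, which is not shown here, and dropping either the escapes or the line breaks removes the doubt. The sample embeds a routable address, `200.200.200.154`, and a third-party hostname, `mail6.bemta23.messagelabs.com`; an RFC 5737 documentation address such as `192.0.2.10` and an `example.com` name keep the fixture from pointing at real infrastructure. `mark="<1>"` encodes facility 0 / severity 1, unlike the `<134>` used by the first test, and `eventCount` is again unused.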
diff --git a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl
index ae26f0f..21ca1eb 100644
--- a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl
@@ -13,7 +13,7 @@ parser symantec_brightmail_grouping {
 key("${SMG.seq}")
 timeout(2)
 aggregate(
- value("MESSAGE" "${PID}|${SMG.seq}|$(implode ';' $(context-values ${MESSAGE}))")
+ value("MESSAGE" ";CONTEXT|${PID};${SMG.seq}|$(implode ';' $(context-values ${MESSAGE}))")
 value("SMG.COMPLETE" "yes")
 )
 );
From 3df2bce210bee49598b7043934cd8a02a0a0342e Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 12 Dec 2019 23:55:53 -0500
Subject: [PATCH 4/5] Fix feature flag

---
 docs/sources/Symantec/index.md | 2 +-
 .../p_rfc3165-symantec_brightmail.conf.tmpl | 15 +++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md
index dc6dcf2..58e79a5 100644
--- a/docs/sources/Symantec/index.md
+++ b/docs/sources/Symantec/index.md
@@ -89,7 +89,7 @@ MSG Parse: This filter parses message content |----------------|----------------|----------------| | SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | | SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | -| SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source | +| SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL | no | Enable archive to disk for this specific source | | SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG | yes | Email processing events generated by the bmserver process will be grouped by host+program+pid+msg ID into a single event | ### Verification diff --git a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl index 21ca1eb..6e71835 100644 --- a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl @@ -1,3 +1,4 @@ +{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) filter f_symantec_brightmail_complete{ match("yes", value("SMG.COMPLETE") type(glob)); }; @@ -13,12 +14,12 @@ parser symantec_brightmail_grouping { key("${SMG.seq}") timeout(2) aggregate( - value("MESSAGE" ";CONTEXT|${PID};${SMG.seq}|$(implode ';' $(context-values ${MESSAGE}))") + value("MESSAGE" "${PID}|${SMG.seq}|$(implode ';' $(context-values ${MESSAGE}))") value("SMG.COMPLETE" "yes") ) ); }; - +{{- end }} {{ $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }} {{ tmpl.Exec "t/source_network.t" $context }} 
@@ -35,12 +36,11 @@ log { {{- end }} {{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) - if { - filter(f_symantec_brightmail_details); + filter(f_symantec_brightmail_details); parser(symantec_brightmail_grouping); - {{- end}} + if { filter(f_symantec_brightmail_complete); @@ -77,7 +77,8 @@ log { }; } else { -{{- end}} +{{- end }} + rewrite { set("symantec_brightmail", value("fields.sc4s_vendor_product")); }; @@ -108,9 +109,7 @@ log { {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }} destination(d_archive); {{- end}} - {{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) - }; {{- end}} From 578829890d1cf642c87c5f5e1a05d6fbf3717108 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 12 Dec 2019 23:57:15 -0500 Subject: [PATCH 5/5] Update p_rfc3165-symantec_brightmail.conf.tmpl --- .../log_paths/p_rfc3165-symantec_brightmail.conf.tmpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl index 6e71835..a81ca33 100644 --- a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl @@ -1,4 +1,4 @@ -{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) +{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) }} filter f_symantec_brightmail_complete{ match("yes", value("SMG.COMPLETE") type(glob)); }; @@ -35,7 +35,7 @@ log { source (s_SYMANTEC_BRIGHTMAIL); {{- end }} -{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) +{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) }} if { filter(f_symantec_brightmail_details); 
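Review bot: In hunk `@@ -35,12 +36,11 @@`, `filter(f_symantec_brightmail_details);` now sits directly in the log path instead of inside the `if {`, so when the feature flag is on (its default is `yes`) any message that does not match it — every `[Brightmail]` conduit event admitted by `f_symantec_brightmail` on the default port — stops at that filter and never reaches the `else` branch that assigns `symantec:smg`; unless I am misreading syslog-ng's log-path filter semantics, `test_symantec_brightmail` cannot pass with the default flag. Let non-matching messages fall through by scoping the pair: `if { filter(f_symantec_brightmail_details); parser(symantec_brightmail_grouping); };`. The enclosing `log { … }` block opens and closes outside the hunk.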
@@ -109,7 +109,7 @@ log { {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }} destination(d_archive); {{- end}} -{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) +{{- if ((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool) }} }; {{- end}}
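Review bot: The same `((getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes") | conv.ToBool)` expression is now spelled out in three places — the definitions at the top of the file, the `if {` near line 35 and this closing `};` — and a missing `}}` on any one of them breaks the rendered log path, which is what the last two commits of the series have been repairing. Evaluate it once, `{{ $groupmsg := (getenv "SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG" "yes" | conv.ToBool) }}` next to the existing `$context` assignment, and write `{{- if $groupmsg }}` at each site. The `{{- end }}` and `{{- end}}` spellings are also mixed within the file. The enclosing `log { … }` block opens outside the hunk.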