-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Initial support for SMG
- Loading branch information
rfaircloth-splunk
committed
Dec 12, 2019
1 parent
d8eae37
commit 38e86fb
Showing
5 changed files
with
151 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| filter f_symantec_brightmail { | ||
| message("[Brightmail]") | ||
| }; |
59 changes: 59 additions & 0 deletions
59
package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| # Proofpoint | ||
| {{ $context := dict "port_id" "SYMANTEC_BRIGHTMAIL" "parser" "common" }} | ||
| {{ tmpl.Exec "t/source_network.t" $context }} | ||
| # The following is an inline template; we will use this to generate the actual log path | ||
| {{ define "log_path" }} | ||
| log { | ||
| {{- if eq (.) "yes" }} | ||
| source(s_DEFAULT); | ||
| filter(f_symantec_brightmail); | ||
| {{- end }} | ||
| {{- if eq (.) "no" }} | ||
| source (s_SYMANTEC_BRIGHTMAIL); | ||
| {{- end }} | ||
|
|
||
| rewrite { | ||
| set("symantec_brightmail", value("fields.sc4s_vendor_product")); | ||
| subst("^[^\t]+\t", "", value("MESSAGE"), flags("global")); | ||
| set("${PROGRAM}", value(".PROGRAM")); | ||
| subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); | ||
| }; | ||
|
|
||
| rewrite { | ||
| r_set_splunk_dest_default(sourcetype("symantec:smg"), index("email"), source("program:${.PROGRAM}") ) | ||
|
|
||
| }; | ||
|
|
||
| parser { p_add_context_splunk(key("symantec_brightmail")); }; | ||
|
|
||
| parser (compliance_meta_by_source); | ||
|
|
||
| #We want to unset the fields we won't need, as this is copied into the | ||
| #disk queue for network destinations. This can be very disk expensive | ||
| #if we don't | ||
| rewrite { | ||
| set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); | ||
| unset(value("RAWMSG")); | ||
| unset(value("PROGRAM")); | ||
| unset(value("LEGACY_MSGHDR")); | ||
| }; | ||
|
|
||
| {{- if ((getenv "SC4S_SYMANTEC_BRIGHTMAIL_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC" "no") | conv.ToBool) }} | ||
| destination(d_hec); | ||
| {{- end}} | ||
|
|
||
| {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL") }} | ||
| destination(d_archive); | ||
| {{- end}} | ||
|
|
||
| flags(flow-control,final); | ||
| }; | ||
| {{- end}} | ||
|
|
||
| {{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT"))) (getenv (print "SC4S_SYMANTEC_BRIGHTMAIL_NSS_TLS_PORT")) }} | ||
| # Listen on the specified dedicated port(s) for SYMANTEC_BRIGHTMAIL traffic | ||
| {{ tmpl.Exec "log_path" "no" }} | ||
| {{- end}} | ||
|
|
||
| # Listen on the default port (typically 514) for SYMANTEC_BRIGHTMAIL traffic | ||
| {{ tmpl.Exec "log_path" "yes" }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| # Copyright 2019 Splunk, Inc. | ||
| # | ||
| # Use of this source code is governed by a BSD-2-clause-style | ||
| # license that can be found in the LICENSE-BSD2 file or at | ||
| # https://opensource.org/licenses/BSD-2-Clause | ||
| import random | ||
|
|
||
| from jinja2 import Environment | ||
|
|
||
| from .sendmessage import * | ||
| from .splunkutils import * | ||
|
|
||
| env = Environment(extensions=['jinja2_time.TimeExtension']) | ||
| # <141>Oct 24 21:05:43 smg-1 conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully. | ||
| def test_symantec_brightmail(record_property, setup_wordlist, setup_splunk): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{host}} conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully.") | ||
| message = mt.render(mark="<134>", host=host) | ||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=email host=\"{{ host }}\" sourcetype=\"symantec:smg\" | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
|
|
||
| # |