From 8a12f672162fe43e02bbbeede56231964f278c1c Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Sat, 28 Sep 2019 17:32:49 -0400
Subject: [PATCH] Mergeback proofpoint (#101)

* Feature/proofpoint (#97)
* Add Proofpoint PPS filter support
* Fix parser/metdata/IOS filter

---
 docker-compose.yml | 2 +-
 .../conf.d/conflib/_common/network.conf.tmpl | 0
 .../{rfc_syslog.conf => syslog_format.conf} | 12 ++++++++
 .../etc/conf.d/conflib/_common/utility.conf | 4 ---
 package/etc/conf.d/filters/cisco/ios.conf | 6 ++--
 .../log_paths/p_rfc3164-cisco_ios.conf.tmpl | 2 +-
 .../log_paths/p_rfc3164-cisco_nx-os.conf.tmpl | 10 +++---
 package/etc/conf.d/sources/network.conf.tmpl | 4 +--
 .../vendor_product_by_source.conf | 30 +++++++++----------
 package/etc/templates/source_network.t | 6 ++--
 10 files changed, 42 insertions(+), 34 deletions(-)
 delete mode 100644 package/etc/conf.d/conflib/_common/network.conf.tmpl
 rename package/etc/conf.d/conflib/_common/{rfc_syslog.conf => syslog_format.conf} (80%)
 delete mode 100644 package/etc/conf.d/conflib/_common/utility.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index a1fc681..1765168 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -47,7 +47,7 @@ services:
 - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD}
 - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX}
 - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX}
- - SC4S_SOURCE_TLS_ENABLE=yes
+ - SC4S_SOURCE_TLS_ENABLE=no
 - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no
 - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000
 volumes:
diff --git a/package/etc/conf.d/conflib/_common/network.conf.tmpl b/package/etc/conf.d/conflib/_common/network.conf.tmpl
deleted file mode 100644
index e69de29..0000000
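Review bot: `SC4S_SOURCE_TLS_ENABLE` flips from `yes` to `no` on the changed line, which by its name turns TLS off for the syslog listeners of anyone who starts from this compose file, and neither the commit message nor the file says why. Next to the existing `SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no` the example now ingests in plaintext and delivers without certificate verification. If this is a local-development default because no certificate is provisioned, say so on the line, e.g. `- SC4S_SOURCE_TLS_ENABLE=no  # dev compose only: no cert mounted; set yes with a mounted cert for real deployments`, so the setting is not copied into production unchanged.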
diff --git a/package/etc/conf.d/conflib/_common/rfc_syslog.conf b/package/etc/conf.d/conflib/_common/syslog_format.conf
similarity index 80%
rename from package/etc/conf.d/conflib/_common/rfc_syslog.conf
rename to package/etc/conf.d/conflib/_common/syslog_format.conf
index 1809034..8c5794c 100644
--- a/package/etc/conf.d/conflib/_common/rfc_syslog.conf
+++ b/package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -24,4 +24,16 @@ rewrite set_rfc3164{
 };
 filter f_is_rfc3164{
 match("rfc3164" value("fields.sc4s_syslog_format"))
+};
+rewrite set_cisco_ios{
+ set("cisco_ios" value("fields.sc4s_syslog_format"));
+};
+filter f_is_cisco_ios{
+ match("cisco_ios" value("fields.sc4s_syslog_format"))
+};
+rewrite set_no_parse{
+ set("no_parse" value("fields.sc4s_syslog_format"));
+};
+filter f_is_no_parse{
+ match("no_parse" value("fields.sc4s_syslog_format"))
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/conflib/_common/utility.conf b/package/etc/conf.d/conflib/_common/utility.conf
deleted file mode 100644
index 8b986c3..0000000
--- a/package/etc/conf.d/conflib/_common/utility.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-rewrite set_metadata_presume {
- set("$(env SYSLOG_PRESUME_FILTER)" value("fields.sc4s_presume"));
-};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/cisco/ios.conf b/package/etc/conf.d/filters/cisco/ios.conf
index 09a37ed..0e4c478 100644
--- a/package/etc/conf.d/filters/cisco/ios.conf
+++ b/package/etc/conf.d/filters/cisco/ios.conf
@@ -1,8 +1,6 @@
-rewrite set_metadata_vendor_product_cisco_ios{
- set("cisco_ios" value(".metadata.vendor_product"));
-};
+# In general this will not be used; parser setting will override the need for this
 filter f_cisco_ios{
- match("cisco_ios", value(".metadata.vendor_product") type(glob));
+ match("cisco_ios", value("fields.sc4s_vendor_product") type(glob));
 };
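Review bot: `f_is_no_parse` is defined in this hunk but no log path in the patch references it (source_network.t only calls `set_no_parse`), and the four new blocks carry no comment explaining the enumeration they extend. Since `fields.sc4s_syslog_format` is now the only signal that tells a log path how a message was parsed, a short header above `rewrite set_rfc3164{` listing the values this file defines (`rfc3164`, `cisco_ios`, `no_parse`) and which source branch sets each would help the next maintainer. If `f_is_no_parse` is reserved for a later log path, say so in a comment on it rather than leaving an apparently unused filter; the enclosing file continues above this hunk.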
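Review bot: `f_cisco_ios` now matches on `fields.sc4s_vendor_product`, but nothing in this patch sets that field: the rewrite that populated `.metadata.vendor_product` is deleted in the same hunk, and its replacement `set_cisco_ios` (syslog_format.conf) writes `fields.sc4s_syslog_format`, which is what p_rfc3164-cisco_ios now tests through `f_is_cisco_ios`. Unless some file outside this patch sets `fields.sc4s_vendor_product`, the filter can never be true, and the new comment only says it is generally unused rather than why. Either drop the filter or name the producer in the comment, e.g. `# Only true when fields.sc4s_vendor_product is populated by <PRODUCER-TO-CONFIRM>; default log paths use f_is_cisco_ios instead`. The same rename to set_cisco_ios in network.conf.tmpl and source_network.t is consistent with this hunk.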
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
index 6518a0d..05b9e29 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl
@@ -7,7 +7,7 @@ log {
 {{- if eq (.) "yes" }}
 source(s_default-ports);
- filter(f_cisco_ios);
+ filter(f_is_cisco_ios);
 {{- end }}
 {{- if eq (.) "no" }}
 source (s_dedicated_port_CISCO_IOS);
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl
index 2caff20..03700cd 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl
@@ -5,17 +5,17 @@
 {{- end -}}
 {{ define "log_path" }}
 log {
-{{- if eq (.) "yes"}}
+{{- if eq (.) "yes" }}
 source(s_default-ports);
 filter(f_cisco_nx_os);
-{{- end}}
-{{- if eq (.) "no"}}
+{{- end }}
+{{- if eq (.) "no" }}
 source (s_dedicated_port_CISCO_NX_OS);
-{{- end}}
+{{- end }}
 rewrite { r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_hdr_msg"))};
 parser {
- p_add_context_splunk(key("cisco_nx_os"));
+ p_add_context_splunk(key("cisco_nx_os"));
 };
 destination(d_hec);
 #--HEC--
diff --git a/package/etc/conf.d/sources/network.conf.tmpl b/package/etc/conf.d/sources/network.conf.tmpl
index 42b4344..a9e8b78 100644
--- a/package/etc/conf.d/sources/network.conf.tmpl
+++ b/package/etc/conf.d/sources/network.conf.tmpl
@@ -81,7 +81,7 @@ source s_default-ports {
 rewrite(set_rfc5424_noversion);
 } elif {
 parser {cisco-parser()};
- rewrite(set_metadata_vendor_product_cisco_ios);
+ rewrite(set_cisco_ios);
 } else {
 parser {
 syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
@@ -94,5 +94,5 @@ source s_default-ports {
 parser {
 vendor_product_by_source();
 };
- };
+ };
 };
\ No newline at end of file
diff --git a/package/etc/context-local/vendor_product_by_source.conf b/package/etc/context-local/vendor_product_by_source.conf
index bb1ede6..37e3412 100644
--- a/package/etc/context-local/vendor_product_by_source.conf
+++ b/package/etc/context-local/vendor_product_by_source.conf
@@ -4,34 +4,34 @@
 #filter {match("f5_test" template("$(env PRESUME_SYSLOG)")); };
 filter f_test_test {
- host("testvp-*" type(glob))
- or match("test_test" value("fields.sc4s_presume"))
+ host("testvp-*" type(glob)) or
+ netmask(192.168.100.1/24)
 };
 filter f_juniper_nsm {
- host("jnpnsm-*" type(glob))
- or match("juniper_nsm" value("fields.sc4s_presume"))
+ host("jnpnsm-*" type(glob)) or
+ netmask(192.168.1.0/24)
 };
 filter f_juniper_nsm_idp {
- host("jnpnsmidp-*" type(glob))
- or match("juniper_nsm_idp" value("fields.sc4s_presume"))
+ host("jnpnsmidp-*" type(glob)) or
+ netmask(192.168.2.0/24)
 };
 filter f_juniper_idp {
- host("jnpidp-*" type(glob))
- or match("juniper_idp" value("fields.sc4s_presume"))
+ host("jnpidp-*" type(glob)) or
+ netmask(192.168.3.0/24)
 };
 filter f_juniper_netscreen {
- host("jnpns-*" type(glob) )
- or match("juniper_netscreen" value("fields.sc4s_presume"))
+ host("jnpns-*" type(glob)) or
+ netmask(192.168.4.0/24)
 };
 filter f_cisco_nx_os {
- host("csconx-*" type(glob) )
- or match("cisco_nx_os" value("fields.sc4s_presume"))
-};
+ host("csconx-*" type(glob)) or
+ netmask(192.168.5.0/24)
+};
 filter f_proofpoint_pps_sendmail {
 host("pps-*" type(glob)) or
- netmask(192.168.1.0/24)
+ netmask(192.168.6.0/24)
 };
 filter f_proofpoint_pps_filter {
 host("pps-*" type(glob)) or
- netmask(192.168.1.0/24)
+ netmask(192.168.7.0/24)
 };
\ No newline at end of file
diff --git a/package/etc/templates/source_network.t b/package/etc/templates/source_network.t
index 8651474..f804816 100644
--- a/package/etc/templates/source_network.t
+++ b/package/etc/templates/source_network.t
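Review bot: `f_proofpoint_pps_sendmail` and `f_proofpoint_pps_filter` keep the identical `host("pps-*" type(glob))` term, so any sender whose hostname begins with pps- satisfies both filters no matter which of the two new netmasks it sits in; unless the two log paths that use them are terminated with flags(final) (not visible here), those events are routed twice. If the hostname cannot tell the two Proofpoint feeds apart, the host term should be dropped from one of them or made distinct. Two smaller points in the same hunk: `netmask(192.168.100.1/24)` in f_test_test gives a host address where every other entry uses the network address, so `netmask(192.168.100.0/24)` would be consistent; and if `context-local` is, as the name suggests, the site-override directory, the hard-coded RFC1918 ranges that replaced the `fields.sc4s_presume` match will classify every device in those subnets as that product, which deserves a comment marking them as placeholders to be replaced per site.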
@@ -73,12 +73,14 @@ source s_dedicated_port_{{ .port_id}} {
 rewrite(set_rfc5424_noversion);
 {{- else if eq .parser "cisco_parser" }}
 parser {cisco-parser()};
- rewrite(set_metadata_vendor_product_cisco_ios);
+ rewrite(set_cisco_ios);
 {{- else if eq .parser "rfc3164" }}
 parser {
 syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
 };
 rewrite(set_rfc3164);
+{{- else if eq .parser "no_parse" }}
+ rewrite(set_no_parse);
 {{- else }}
 if {filter(f_rfc5424_strict);
 parser {
@@ -93,7 +95,7 @@ source s_dedicated_port_{{ .port_id}} {
 rewrite(set_rfc5424_noversion);
 } elif {
 parser {cisco-parser()};
- rewrite(set_metadata_vendor_product_cisco_ios);
+ rewrite(set_cisco_ios);
 } else {
 parser {
 syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message));
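Review bot: The new `no_parse` branch is the only one in the chain that installs no parser and no flags(store-raw-message), and the template gives no hint what a port configured with `.parser "no_parse"` is for or what downstream filters and parsers can still rely on (presumably only the raw payload and the sender address, since no header is parsed). A one-line template comment above the branch would settle that, e.g. `{{- /* no_parse: deliver the payload untouched; header-derived fields are not populated on this port */ -}}`. The `set_cisco_ios` rename in the second hunk is consistent with the first; the enclosing `source s_dedicated_port_{{ .port_id}}` block starts before this hunk and continues past the second.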