From 39a19a2c83a1a2d3dd06486d8213177707e60289 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Tue, 28 Apr 2020 08:38:55 -0700 Subject: [PATCH 1/2] Update metadata keys for Meraki and Zscaler * Fix incorrect Meraki and Zscaler keys in docs * Change zscaler LSS `zpa-auth` logs to use `netproxy` index (to match all other LSS events). --- docs/sources/Cisco/index.md | 2 +- docs/sources/Zscaler/index.md | 27 ++++++++++--------- .../conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 2 +- .../splunk_index.csv.example | 9 ++++++- 4 files changed, 24 insertions(+), 16 deletions(-) diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md index 9cf0707..9467fa2 100644 --- a/docs/sources/Cisco/index.md +++ b/docs/sources/Cisco/index.md @@ -291,7 +291,7 @@ Verify timestamp, and host values match as expected | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| -| merkai | None | +| meraki | None | ### Sourcetype and Index Configuration diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md index d922ef7..c087e3b 100644 --- a/docs/sources/Zscaler/index.md +++ b/docs/sources/Zscaler/index.md @@ -25,13 +25,14 @@ the IP or host name of the SC4S instance and port 514 ### Sourcetype and Index Configuration -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| zscalernss_alerts | zscalernss-alerts | main | none | -| zscalernss_dns | zscalernss-dns | netdns | none | -| zscalernss_fw | zscalernss-fw | netfw | none | -| zscalernss_web | zscalernss-web | netproxy | none | - +| key | sourcetype | index | notes | +|---------------------|------------------------|----------|---------| +| zscaler_alerts | zscalernss-alerts | main | none | +| zscaler_dns | zscalernss-dns | netdns | none | +| zscaler_fw | zscalernss-fw | netfw | none | +| zscaler_web | zscalernss-web | netproxy | none | +| zscaler_zia_audit | zscalernss-zia-audit | netops | none | +| zscaler_zia_sandbox | zscalernss-zia-sandbox | main | none | ### Filter type @@ -87,12 +88,12 @@ the IP or host name of the SC4S instance and port 514 ### Sourcetype and Index Configuration -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| zscalernss-zpa-app | zscalerlss_zpa-app | netproxy | none | -| zscalernss-zpa-auth | zscalerlss_zpa_auth | netauth | none | -| zscalernss-zpa-bba | zscalerlss_zpa_auth | netproxy | none | -| zscalernss-zpa-connector | zscalerlss_zpa_connector | netproxy | none | +| key | sourcetype | index | notes | +|----------------|--------------------------|------------|---------| +| zscaler_lss | zscalerlss_zpa-app | netproxy | none | +| zscaler_lss | zscalerlss_zpa_auth | netproxy | none | +| zscaler_lss | zscalerlss_zpa_auth | netproxy | none | +| zscaler_lss | zscalerlss_zpa_connector | netproxy | none | ### Filter type diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl index ff95eea..602df4e 100644 --- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl @@ -74,7 +74,7 @@ log { match('.' value('.json.SAMLAttributes')) and match('.' value('.json.Customer')) }; - rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netauth"))}; + rewrite { r_set_splunk_dest_default(sourcetype("zscalerlss-zpa-auth"), index("netproxy"))}; parser { p_add_context_splunk(key("zscaler_lss")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); }; diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example index 8a77f3d..2755202 100644 --- a/package/etc/context_templates/splunk_index.csv.example +++ b/package/etc/context_templates/splunk_index.csv.example @@ -69,4 +69,11 @@ #sc4s_fallback,index,main #sc4s_metrics,index,em_metrics #symanrtec_ep,index,epav -#vmware_nsx,index,main \ No newline at end of file +#vmware_nsx,index,main +#zscaler_alerts,index,main +#zscaler_dns,index,netdns +#zscaler_fw,index,netfw +#zscaler_web,index,netproxy +#zscaler_zia_audit,index,netops +#zscaler_zia_sandbox,index,main +#zscaler_lss,index,netproxy \ No newline at end of file From 2db657a954a4e74d3172c6736fe71224b10b434f Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Tue, 28 Apr 2020 08:53:53 -0700 Subject: [PATCH 2/2] Update `test_zscaler_lss_zpa_auth` test * Update `test_zscaler_lss_zpa_auth` test to use `netproxy` index --- tests/test_zscaler_proxy.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_zscaler_proxy.py b/tests/test_zscaler_proxy.py index 389069e..b8cbe50 100644 --- a/tests/test_zscaler_proxy.py +++ b/tests/test_zscaler_proxy.py @@ -247,7 +247,7 @@ def test_zscaler_lss_zpa_auth(record_property, setup_wordlist, setup_splunk, set message = mt.render(mark="<134>", lss_time=lss_time, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netauth sourcetype=\"zscalerlss-zpa-auth\" \"{{host}}\"") + st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-auth\" \"{{host}}\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search)