-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'develop' into feature/netscaler2
- Loading branch information
Showing
13 changed files
with
430 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
|
|
||
| filter f_cisco_apic { | ||
| program('^%LOG_LOCAL\d-\d-'); | ||
| or | ||
| program('^%ACLLOG-\d-ACLLOG_PKTLOG'); | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
|
|
||
| filter f_cisco_ucm { | ||
| message("^%UC\_") | ||
| or | ||
| message("^%CCM\_") | ||
| }; | ||
|
|
||
| filter f_cisco_ucm_message { | ||
| message( | ||
| '^(<\d{1,3}>)\d*: (?:([^:]+): )?(.*) : (%.*)' | ||
| flags(store-matches) | ||
| ); | ||
| }; | ||
|
|
||
| parser p_cisco_ucm_date { | ||
| #Oct 14 2015 05:50:19 AM.484 UTC | ||
| #Apr 21 19:01:35.638 UTC | ||
| date-parser(format( | ||
| '%b %d %Y %I:%M:%S %p.%f %Z', | ||
| '%b %d %H:%M:%S.%f %Z' | ||
| ) | ||
| template("$3") | ||
| ); | ||
| }; | ||
|
|
||
| rewrite r_cisco_ucm_message { | ||
| set("cisco_ucm" value("fields.sc4s_syslog_format")); | ||
| set("cisco_ucm" value("fields.sc4s_vendor_product")); | ||
| set("$HOST_FROM" value("HOST") ); | ||
| set("$2" value("HOST") condition(match("^..." template("${2}"))) ); | ||
| set("$4" value("MESSAGE")); | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # Cisco APIC | ||
| {{- /* The following provides a unique port source configuration if env var(s) are set */}} | ||
| {{- $context := dict "port_id" "CISCO_APIC" "parser" "rfc3164" }} | ||
| {{- tmpl.Exec "t/source_network.t" $context }} | ||
|
|
||
| log { | ||
| junction { | ||
| {{- if or (or (getenv (print "SC4S_LISTEN_CISCO_APIC_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_APIC_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_APIC_TLS_PORT")) }} | ||
| channel { | ||
| # Listen on the specified dedicated port(s) for CISCO_APIC traffic | ||
| source (s_CISCO_APIC); | ||
| flags (final); | ||
| }; | ||
| {{- end}} | ||
| channel { | ||
| # Listen on the default port (typically 514) for CISCO_APIC traffic | ||
| source (s_DEFAULT); | ||
| filter(f_cisco_apic); | ||
| flags(final); | ||
| }; | ||
| }; | ||
|
|
||
| rewrite { | ||
| guess-time-zone(); | ||
| }; | ||
| if { | ||
| filter { | ||
| program('^%ACLLOG-\d-ACLLOG_PKTLOG') | ||
| }; | ||
| rewrite { | ||
| set("cisco_APIC_acl", value("fields.sc4s_vendor_product")); | ||
| r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), index("netfw"), template("t_hdr_msg")) | ||
| }; | ||
| parser { p_add_context_splunk(key("cisco_apic_acl")); }; | ||
|
|
||
| } elif { | ||
| rewrite { | ||
| set("cisco_APIC_events", value("fields.sc4s_vendor_product")); | ||
| r_set_splunk_dest_default(sourcetype("cisco:apic:events"), index("netops"), template("t_hdr_msg")) | ||
| }; | ||
| parser { p_add_context_splunk(key("cisco_apic_events")); }; | ||
| }; | ||
|
|
||
| parser (compliance_meta_by_source); | ||
| rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); }; | ||
|
|
||
| {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_APIC_HEC" "no")) }} | ||
| destination(d_hec); | ||
| {{- end}} | ||
|
|
||
| {{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_CISCO_APIC" "no")) }} | ||
| destination(d_archive); | ||
| {{- end}} | ||
|
|
||
| flags(flow-control,final); | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| # Cisco UCM | ||
| {{- /* The following provides a unique port source configuration if env var(s) are set */}} | ||
| {{- $context := dict "port_id" "CISCO_UCM" "parser" "cisco_ucm" }} | ||
| {{- tmpl.Exec "t/source_network.t" $context }} | ||
|
|
||
| log { | ||
| junction { | ||
| {{- if or (or (getenv (print "SC4S_LISTEN_CISCO_UCM_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_UCM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_UCM_TLS_PORT")) }} | ||
| channel { | ||
| # Listen on the specified dedicated port(s) for CISCO_UCM traffic | ||
| source (s_CISCO_UCM); | ||
| flags (final); | ||
| }; | ||
| {{- end}} | ||
| channel { | ||
| # Listen on the default port (typically 514) for CISCO_UCM traffic | ||
| source (s_DEFAULT); | ||
| filter(f_cisco_ucm); | ||
| flags(final); | ||
| }; | ||
| }; | ||
|
|
||
| if { | ||
| filter { | ||
| message( | ||
| 'Node ?ID(?:\:|\=)([^ \]]+)' | ||
| flags(store-matches) | ||
| ); | ||
| }; | ||
| rewrite { | ||
| set("$1" value("HOST") ); | ||
| }; | ||
| } elif { | ||
| filter { | ||
| message( | ||
| ' on node ([^ ]+\. |[^ ]+ )' | ||
| flags(store-matches) | ||
| ); | ||
| }; | ||
| rewrite { | ||
| set("$1" value("HOST") ); | ||
| }; | ||
| }; | ||
|
|
||
| rewrite { | ||
| set("cisco_ucm", value("fields.sc4s_vendor_product")); | ||
| r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main")) | ||
| }; | ||
| parser {p_add_context_splunk(key("cisco_ucm")); }; | ||
| parser (compliance_meta_by_source); | ||
| rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); }; | ||
|
|
||
| {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_UCM_HEC" "no")) }} | ||
| destination(d_hec); | ||
| {{- end}} | ||
|
|
||
| {{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_CISCO_UCM" "no")) }} | ||
| destination(d_archive); | ||
| {{- end}} | ||
|
|
||
| flags(flow-control,final); | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # Copyright 2019 Splunk, Inc. | ||
| # | ||
| # Use of this source code is governed by a BSD-2-clause-style | ||
| # license that can be found in the LICENSE-BSD2 file or at | ||
| # https://opensource.org/licenses/BSD-2-Clause | ||
| import random | ||
|
|
||
| from jinja2 import Environment | ||
|
|
||
| from .sendmessage import * | ||
| from .splunkutils import * | ||
|
|
||
| env = Environment(extensions=['jinja2_time.TimeExtension']) | ||
|
|
||
| #<11>July 22 22:45:28 apic1 %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110] Node 102 not reachable. unknown | ||
| def test_cisco_aci(record_property, setup_wordlist, setup_splunk, setup_sc4s): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110]\n") | ||
| message = mt.render(mark="<165>", host=host) | ||
| sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) | ||
|
|
||
| st = env.from_string("search index=netops host=\"{{ host }}\" sourcetype=\"cisco:apic:events\" | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
|
|
||
| #%ACLLOG-5-ACLLOG_PKTLOG | ||
| def test_cisco_aci_acl(record_property, setup_wordlist, setup_splunk, setup_sc4s): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} %ACLLOG-5-ACLLOG_PKTLOG unable to locate real message\n") | ||
| message = mt.render(mark="<165>", host=host) | ||
| sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) | ||
|
|
||
| st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"cisco:apic:acl\" | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.