diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index b0234dd..ae72697 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -48,6 +48,54 @@ index= sourcetype=cisco:acs Verify timestamp, and host values match as expected +## Product - APIC (ACI) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | No current add-on for syslog events | +| Product Manual | https://community.cisco.com/t5/security-documents/acs-5-x-configuring-the-external-syslog-server/ta-p/3143143 | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cisco:apic:acl: | APIC events from leaf switches | +| cisco:apic:events | APIC events from any component used | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| cisco_apic_acl | cisco:apic:acl | netfw | None | +| cisco_apic_events | cisco:apic:events | netops | None | + +### Filter type + +PATTERN MATCH + +### Setup and Configuration + +* No special steps required + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CISCO_APIC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_APIC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_CISCO_APIC | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_APIC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present + +``` +index= sourcetype=cisco:apic:* +``` + +Verify timestamp, and host values match as expected ## Product - ASA (Pre Firepower) 
@@ -283,3 +331,50 @@ index= sourcetype=merkai Verify timestamp, and host values match as expected +## Product - UCM + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | na | +| Product Manual | multiple | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cisco:ucm | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| cisco_ucm | cisco:ucm | ucm | None | + + +### Filter type + +PATTERN MATCH + +### Setup and Configuration + +* Refer to Cisco support web site + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CISCO_UCM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_UCM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_CISCO_UCM | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_UCM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present + +``` +index= sourcetype=cisco:ucm +``` + +Verify timestamp, and host values match as expected \ No newline at end of file diff --git a/package/etc/conf.d/filters/cisco/apic.conf b/package/etc/conf.d/filters/cisco/apic.conf new file mode 100644 index 0000000..ea6660d --- /dev/null +++ b/package/etc/conf.d/filters/cisco/apic.conf @@ -0,0 +1,6 @@ + +filter f_cisco_apic { + program('^%LOG_LOCAL\d-\d-'); + or + program('^%ACLLOG-\d-ACLLOG_PKTLOG'); +}; \ No newline at end of file 
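Review bot: The semicolons after each `program(...)` in `f_cisco_apic` terminate the filter expression before the `or`, which syslog-ng is likely to reject as a syntax error; the sibling `f_cisco_ucm` in ucm.conf writes the same shape without them. The block should hold a single expression, `program('^%LOG_LOCAL\d-\d-') or program('^%ACLLOG-\d-ACLLOG_PKTLOG');`. The `%LOG_LOCAL\d-\d-` prefix also looks fairly generic for a default-port classifier, so a comment naming which APIC/leaf facilities emit it would help the next maintainer judge the misclassification risk.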
diff --git a/package/etc/conf.d/filters/cisco/ucm.conf b/package/etc/conf.d/filters/cisco/ucm.conf
new file mode 100644
index 0000000..a193625
--- /dev/null
+++ b/package/etc/conf.d/filters/cisco/ucm.conf
@@ -0,0 +1,32 @@
+
+filter f_cisco_ucm {
+ message("^%UC\_")
+ or
+ message("^%CCM\_")
+};
+
+filter f_cisco_ucm_message {
+ message(
+ '^(<\d{1,3}>)\d*: (?:([^:]+): )?(.*) : (%.*)'
+ flags(store-matches)
+ );
+};
+
+parser p_cisco_ucm_date {
+ #Oct 14 2015 05:50:19 AM.484 UTC
+ #Apr 21 19:01:35.638 UTC
+ date-parser(format(
+ '%b %d %Y %I:%M:%S %p.%f %Z',
+ '%b %d %H:%M:%S.%f %Z'
+ )
+ template("$3")
+ );
+};
+
+rewrite r_cisco_ucm_message {
+ set("cisco_ucm" value("fields.sc4s_syslog_format"));
+ set("cisco_ucm" value("fields.sc4s_vendor_product"));
+ set("$HOST_FROM" value("HOST") );
+ set("$2" value("HOST") condition(match("^..." template("${2}"))) );
+ set("$4" value("MESSAGE"));
+};
diff --git a/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl
new file mode 100644
index 0000000..cd3d9f9
--- /dev/null
+++ b/package/etc/conf.d/log_paths/lp-cisco_apic.conf.tmpl
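Review bot: `set("$2" value("HOST") condition(match("^..." template("${2}"))))` in `r_cisco_ucm_message` replaces HOST with whatever the optional `([^:]+)` group captured from the message body, guarded only by a three-character minimum, so any printable text including spaces and path characters can become the HOST value that searches, context lookups and (if the archive template includes `$HOST`, which is not visible here) file paths key on. A hostname-shaped condition such as `condition(match("^[A-Za-z0-9._-]{3,}$" template("${2}")))` keeps the intended behaviour while rejecting garbage captures; the two `set("$1" value("HOST"))` rewrites in lp-cisco_ucm.conf.tmpl have the same exposure. Separately, the `\_` in `message("^%UC\_")` and `message("^%CCM\_")` is an unnecessary escape inside a double-quoted string (`_` is not a regex metacharacter), so `message("^%UC_")` is clearer and sidesteps how the string lexer treats an unknown escape.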
@@ -0,0 +1,56 @@
+# Cisco APIC
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_APIC" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_APIC_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_APIC_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_APIC_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_APIC traffic
+ source (s_CISCO_APIC);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_APIC traffic
+ source (s_DEFAULT);
+ filter(f_cisco_apic);
+ flags(final);
+ };
+ };
+
+ rewrite {
+ guess-time-zone();
+ };
+ if {
+ filter {
+ program('^%ACLLOG-\d-ACLLOG_PKTLOG')
+ };
+ rewrite {
+ set("cisco_APIC_acl", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("cisco:apic:acl"), index("netfw"), template("t_hdr_msg"))
+ };
+ parser { p_add_context_splunk(key("cisco_apic_acl")); };
+
+ } elif {
+ rewrite {
+ set("cisco_APIC_events", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("cisco:apic:events"), index("netops"), template("t_hdr_msg"))
+ };
+ parser { p_add_context_splunk(key("cisco_apic_events")); };
+ };
+
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_APIC_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_CISCO_APIC" "no")) }}
+ destination(d_archive);
+{{- end}}
+
+ flags(flow-control,final);
+};
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
new file mode 100644
index 0000000..e0823cf
--- /dev/null
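Review bot: The `set("cisco_APIC_acl", ...)` and `set("cisco_APIC_events", ...)` values written to `fields.sc4s_vendor_product` use mixed case while every other identifier on this path (the `p_add_context_splunk` keys, the splunk_index.csv.example entries, the docs tables and the UCM path's `cisco_ucm`) is lowercase; `set("cisco_apic_acl", value("fields.sc4s_vendor_product"))` and `set("cisco_apic_events", value("fields.sc4s_vendor_product"))` keep the field predictable for searches and context lookups. The junction also honours `SC4S_LISTEN_CISCO_APIC_TLS_PORT`, but the Options table added to docs/sources/Cisco/index.md lists only the TCP and UDP variables, and the same gap exists for `SC4S_LISTEN_CISCO_UCM_TLS_PORT` in lp-cisco_ucm.conf.tmpl. The inline `program('^%ACLLOG-\d-ACLLOG_PKTLOG')` duplicates the second alternative of `f_cisco_apic` in apic.conf, so a comment such as `# keep in sync with f_cisco_apic (filters/cisco/apic.conf)` would stop the two from drifting apart.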
+++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
@@ -0,0 +1,62 @@
+# Cisco UCM
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_UCM" "parser" "cisco_ucm" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_CISCO_UCM_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_UCM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_UCM_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for CISCO_UCM traffic
+ source (s_CISCO_UCM);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for CISCO_UCM traffic
+ source (s_DEFAULT);
+ filter(f_cisco_ucm);
+ flags(final);
+ };
+ };
+
+ if {
+ filter {
+ message(
+ 'Node ?ID(?:\:|\=)([^ \]]+)'
+ flags(store-matches)
+ );
+ };
+ rewrite {
+ set("$1" value("HOST") );
+ };
+ } elif {
+ filter {
+ message(
+ ' on node ([^ ]+\. |[^ ]+ )'
+ flags(store-matches)
+ );
+ };
+ rewrite {
+ set("$1" value("HOST") );
+ };
+ };
+
+ rewrite {
+ set("cisco_ucm", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main"))
+ };
+ parser {p_add_context_splunk(key("cisco_ucm")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_UCM_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_CISCO_UCM" "no")) }}
+ destination(d_archive);
+{{- end}}
+
+ flags(flow-control,final);
+};
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index c307ca6..bf8e3bb 100644
--- a/package/etc/context_templates/splunk_index.csv.example
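Review bot: The fallback host regex `' on node ([^ ]+\. |[^ ]+ )'` captures the separator into `$1`: against the samples quoted in tests/test_cisco_ucm.py, `on node ORD-PUB1, the following` yields `ORD-PUB1, ` and `on node 1.2.3.4, the following` yields `1.2.3.4, ` (comma and trailing space), because neither alternative excludes the punctuation that follows the node name. A lazy capture with an optional trailing separator, `' on node ([^ ,]+?)[.,]? '`, returns just the name on both samples, though it should be checked against the other samples before landing; note that the new tests never reach this `elif` because every payload also ends with a `Node ID:`/`Node ID=` tail that the first filter matches. The path hard-codes `index("main")` while the Sourcetype and Index Configuration table added to docs/sources/Cisco/index.md lists `ucm` for the `cisco_ucm` key, so one of the two needs to change for the docs, the csv example and the tests to agree. Both `set("$1" value("HOST"))` rewrites promote unvalidated message content to HOST, the same concern raised on `r_cisco_ucm_message` in ucm.conf.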
+++ b/package/etc/context_templates/splunk_index.csv.example @@ -13,11 +13,14 @@ #checkpoint_splunk_web,index,netproxy #checkpoint_splunk,index,netops #checkpoint_splunk,index,netops +#cisco_apic_acl,index,netfw +#cisco_apic_events,index,netops #cisco_acs,index,netauth #cisco_asa,index,netfw #cisco_ios,index,netops #cisco_ise,index,netauth #cisco_nx_os,index,netops +#cisco_ucm,index,main #citrix_netscaler,index,netfw #local_example,index,main #forcepoint_webprotect,index,netproxy diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t index 0728c2d..ea83f05 100644 --- a/package/etc/go_templates/source_network.t +++ b/package/etc/go_templates/source_network.t @@ -91,6 +91,9 @@ source s_{{ .port_id }} { {{ else if eq .parser "citrix_netscaler" }} parser(p_citrix_netscaler_date); rewrite(r_citrix_netscaler_message); +{{ else if eq .parser "cisco_ucm" }} + parser (p_cisco_ucm_date); + rewrite (r_cisco_ucm_message); {{ else if eq .parser "no_parse" }} rewrite(set_no_parse); {{ else }} @@ -107,6 +110,10 @@ source s_{{ .port_id }} { } elif { parser (p_cisco_meraki); rewrite(set_rfc5424_epochtime); + } elif { + filter(f_cisco_ucm_message); + parser (p_cisco_ucm_date); + rewrite (r_cisco_ucm_message); } elif { filter(f_rfc3164_version); rewrite(set_rfc3164_no_version_string); diff --git a/tests/conftest.py b/tests/conftest.py index e5429ee..271f3a5 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -14,6 +14,7 @@ import splunklib.client as client + @pytest.fixture(scope="module") def setup_wordlist(): path_to_current_file = os.path.realpath(__file__) diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml index 34d8613..9966505 100644 --- a/tests/docker-compose.yml +++ b/tests/docker-compose.yml @@ -40,6 +40,7 @@ services: - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005 - SC4S_LISTEN_PFSENSE_TCP_PORT=5006 - SC4S_ARCHIVE_GLOBAL=no + - SC4S_SOURCE_STORE_RAWMSG=yes splunk: build: context: ../splunk 
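Review bot: The new `elif` in the default-source chain of source_network.t runs `f_cisco_ucm_message` against every message that reaches it, and that regex, `'^(<\d{1,3}>)\d*: (?:([^:]+): )?(.*) : (%.*)'`, only requires a PRI, a digit run, and a later ` : %` token, so a message from another vendor with a similar sequence-number prefix could be re-parsed as UCM and have HOST and MESSAGE rewritten before the `f_rfc3164_version` branch sees it. Requiring the product prefix in the last group, `(%(?:UC|CCM)_.*)`, or a comment above the branch explaining why it must precede the rfc3164 branches, would bound that risk. The enclosing `source s_{{ .port_id }}` block starts before and ends after both hunks.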
diff --git a/tests/splunkutils.py b/tests/splunkutils.py
index bb77a58..205fcfa 100644
--- a/tests/splunkutils.py
+++ b/tests/splunkutils.py
@@ -24,12 +24,13 @@ def splunk_single(service, search):
 if stats["isDone"] == "1":
 break
- sleep(2)
+ else:
+ sleep(2)
 # Get the results and display them
 resultCount = stats["resultCount"]
 eventCount = stats["eventCount"]
- if resultCount > 0 or tried > 15:
+ if resultCount > 0 or tried > 5:
 break
 else:
 tried += 1
diff --git a/tests/test_cisco_apic.py b/tests/test_cisco_apic.py
new file mode 100644
index 0000000..b7509fb
--- /dev/null
+++ b/tests/test_cisco_apic.py
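Review bot: `if resultCount > 0 or tried > 5:` compares `stats["resultCount"]` with an int, yet the `stats["isDone"] == "1"` test a few lines above implies the job stats are strings; on Python 3 a str/int `>` raises TypeError, so unless a conversion happens in the part of `splunk_single` outside this hunk the assignment should be `resultCount = int(stats["resultCount"])` (and `eventCount` likewise). Dropping the cap from 15 to 5 attempts at `sleep(2)` gives Splunk roughly ten seconds to index an event before the caller gets zero results, which now makes a slow indexer look like a parsing failure; a comment such as `# ~10 s total wait for the event to become searchable` would at least make the budget explicit. The enclosing function begins before this hunk.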
@@ -0,0 +1,53 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+
+env = Environment(extensions=['jinja2_time.TimeExtension'])
+
+#<11>July 22 22:45:28 apic1 %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110] Node 102 not reachable. unknown
+def test_cisco_aci(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110]\n")
+ message = mt.render(mark="<165>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search index=netops host=\"{{ host }}\" sourcetype=\"cisco:apic:events\" | head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+#%ACLLOG-5-ACLLOG_PKTLOG
+def test_cisco_aci_acl(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} %ACLLOG-5-ACLLOG_PKTLOG unable to locate real message\n")
+ message = mt.render(mark="<165>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"cisco:apic:acl\" | head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
diff --git a/tests/test_cisco_asa.py b/tests/test_cisco_asa.py
index edc2389..db8d3ac 100644
--- a/tests/test_cisco_asa.py
+++ b/tests/test_cisco_asa.py
@@ -46,7 +46,7 @@ def test_cisco_asa_traditional_nohost(record_property, setup_wordlist, setup_spl
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search index=netfw sourcetype=\"cisco:asa\" \"%ASA-4-402119\" \"{host}\" | head 2")
+ st = env.from_string("search index=netfw sourcetype=\"cisco:asa\" \"%ASA-4-402119\" \"{{ host }}\" | head 2")
 search = st.render(host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_cisco_ucm.py b/tests/test_cisco_ucm.py
new file mode 100644
index 0000000..1a155cd
--- /dev/null
+++ b/tests/test_cisco_ucm.py
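Review bot: `test_cisco_aci_acl` sends the placeholder body `unable to locate real message`, so it only proves that the `%ACLLOG-5-ACLLOG_PKTLOG` program tag routes to `cisco:apic:acl`/`netfw`, not that an ACL packet-log line survives parsing; a `# TODO: replace with a captured ACLLOG_PKTLOG sample so field extraction is exercised` above the template records that limitation for whoever has a real event. The `#<11>July 22 22:45:28 apic1 ...` comment above `test_cisco_aci` spells the month as `July`, which the `'%b %d %H:%M:%S'` format the test actually renders would never produce, so the sample should read `Jul 22` to match what the filter is expected to see. Both tests could also carry a one-line docstring naming the sourcetype and index they assert on, since the search string is the only place that intent appears.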
@@ -0,0 +1,110 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+
+env = Environment(extensions=['jinja2_time.TimeExtension'])
+
+# https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf/TECUCC-3000.pdf
+
+# <189>8103: Oct 14 2015 05:50:19 AM.484 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.110.1.2][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID=CUCM11PUB]: Audit Event is generated by this application
+
+
+def test_cisco_ucm_nohost_auditlog(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist),
+ random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}8103: {% now 'utc', '%b %d %Y %I:%M:%S %p' %}.100 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.168.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
+ message = mt.render(mark="<189>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ "search index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# <189>17: Apr 21 19:01:35.638 UTC : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node ORD-PUB1, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:ord-pub1
+def test_cisco_ucm_nohost_rtmt(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist),
+ random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}17: {% now 'utc', '%b %d %H:%M:%S' %}.100 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
+ message = mt.render(mark="<189>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ "search index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+# <189>23813: cucm-pub: Jul 05 2016 04:03:01 PM.688 UTC : %UC_RTMT-2-RTMT_ALERT: %[AlertName=SyslogSeverityMatchFound][AlertDetail= At Tue Jul 05 12:03:01 EDT 2016 on node 1.2.3.4, the following SyslogSeverityMatchFound events generated: #012SeverityMatch : Critical#012MatchedEvent : Jul 5 12:02:29 cucm-sub1 local7 2 ccm: 6838: cucm-sub1: Jul 05 2016 16:02:29.795 UTC : %UC_CALLMANAGER-2-SignalCongestionEntry: %[Thread=SIP Handler Thread] [AverageDelay=22] [EntryLatency=20] [ExitLatency=8] [SampleSize=10] [TotalSignalCongestionEntry=6752][HighPriorityQueueDepth=0][NormalPriorityQueueDepth=1][LowPriorityQueueDepth=0][AppID=Cisco CallManager][ClusterID=UCMCluster1][NodeID=cucm-sub1]: Unified CM has detected signal congestion in an internal thread and has throttled activities for that thread#012AppID : Cisco Syslog Agent#012Cluster
+
+
+def test_cisco_ucm_host_auditlog(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist),
+ random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}23813: {% now 'utc', '%b %d %Y %I:%M:%S %p' %}.100 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
+ message = mt.render(mark="<189>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ "search index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+#<121>17: Apr 21 19:01:35.638 UTC : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node ORD-PUB1, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:ord-pub1
+
+
+def test_cisco_ucm_nohost_alert(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist),
+ random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}17: {% now 'utc', '%b %d %H:%M:%S' %}.100 UTC : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node {{ host }}, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:{{host}}\n")
+ message = mt.render(mark="<189>", host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ "search index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
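Review bot: `test_cisco_ucm_nohost_rtmt` sends the same `%UC_AUDITLOG-5-AdministrativeEvent` payload as `test_cisco_ucm_nohost_auditlog` instead of the `%CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT` sample quoted in the comment above it, and `test_cisco_ucm_host_auditlog` drops the `cucm-pub: ` host token that its own sample shows after the sequence number, so the optional `([^:]+): ` group in `f_cisco_ucm_message` and the `$2` HOST rewrite in ucm.conf are never exercised by this file. Starting the `host_auditlog` template with `"{{ mark }}23813: {{ host }}: {% now 'utc', '%b %d %Y %I:%M:%S %p' %}.100 UTC : ...` and giving the `rtmt` test the `%CCM_RTMT` body would give each test a distinct code path. Every test asserts `resultCount == 1` while its search uses `| head 11`; `| head 2`, as tests/test_cisco_apic.py does, states the expected bound more plainly. `Node ID:{{host}}` in the last template should also be `{{ host }}` for consistency with the other placeholders in the file.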