Merge pull request #492 from splunk/ADDON-26836-juniper-remove-support-of-deprecated-sourcetypes

ADDON-26836: removed support of 4 deprecated sourcetypes
Ryan Faircloth authored and GitHub committed May 28, 2020
2 parents 1022740 + 068c2ab commit 617be96
Showing 13 changed files with 2 additions and 429 deletions.
4 changes: 0 additions & 4 deletions docs/configuration.md
Expand Up @@ -157,15 +157,11 @@ page in this section:
| key | sourcetype | index | notes |
|------------------------|---------------------|----------------|---------------|
| juniper_netscreen | netscreen:firewall | netfw | none |
| juniper_idp | juniper:idp | netfw | none |

Here is a snippet from the `splunk_indexes.csv` file:

```bash
#juniper_sslvpn,index,netfw
juniper_netscreen,index,ns_index
#juniper_nsm,index,netfw

```

The columns in this file are `key`, `metadata`, and `value`. By default, the keys in this file are "commented out", but in reality CSV files
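Review bot: the lead-in sentence above the snippet still names the file `splunk_indexes.csv`, while the Juniper page edited in this same commit says "Review and update the splunk_index.csv file" and the shipped template is `package/etc/context_templates/splunk_index.csv.example`; align on `splunk_index.csv` so readers edit the file SC4S actually reads. With `#juniper_sslvpn` and `#juniper_nsm` removed, the only row left in the example, `juniper_netscreen,index,ns_index`, is uncommented, which contradicts the sentence right after it that keys in this file are commented out by default; either re-comment the row or say it is shown as an active override. Minor: the fence is tagged `bash` for CSV content.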
108 changes: 1 addition & 107 deletions docs/sources/Juniper/index.md
Expand Up @@ -59,59 +59,6 @@ index=<asconfigured> sourcetype=juniper:junos:idp | stats count by host

Verify timestamp, and host values match as expected

## Product - Juniper NSM

| Ref | Link |
|----------------|-------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 |

### Sourcetypes

| sourcetype | notes |
|------------------|-----------------------------------------------------------------------|
| juniper:nsm | None |
| juniper:nsm:idp | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|------------------------|---------------------|----------------|---------------|
| juniper_nsm | juniper:nsm | netfw | none |
| juniper_nsm_idp | juniper:nsm:idp | netids | none |

### Filter type

* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required


### Setup and Configuration

* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
* Review and update the splunk_index.csv file and set the index as required.
* Follow vendor configuration steps per Product Manual

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
| SC4S_LISTEN_JUNIPER_NSM_TLS_PORT | empty string | Enable at TLS port for this specific vendor product using the number defined |
| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
| SC4S_ARCHIVE_JUNIPER_NSM | no | Enable archive to disk for this specific source |
| SC4S_DEST_JUNIPER_NSM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

### Verification

Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified

```
index=<asconfigured> sourcetype=juniper:nsm | stats count by host
index=<asconfigured> sourcetype=juniper:nsm:idp | stats count by host
```

Verify timestamp, and host values match as expected

## Product - Juniper Netscreen

| Ref | Link |
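Review bot: the entire `Product - Juniper NSM` section, including the `SC4S_LISTEN_JUNIPER_NSM_TCP_PORT` / `_TLS_PORT` / `_UDP_PORT`, `SC4S_ARCHIVE_JUNIPER_NSM` and `SC4S_DEST_JUNIPER_NSM_HEC` options, disappears without an upgrade or deprecation note. Anyone who set those variables or customised `f_juniper_nsm` / `f_juniper_nsm_idp` in local filters will find them silently ignored and `juniper:nsm` / `juniper:nsm:idp` events no longer classified. Suggest a short note (here or in the changelog) listing the removed keys `juniper_nsm`, `juniper_nsm_idp`, `juniper_idp` and `juniper_sslvpn`, the removed environment variables, and where those events land after upgrading.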
Expand All @@ -124,18 +71,16 @@ Verify timestamp, and host values match as expected
| sourcetype | notes |
|-------------------------|------------------------------------------------------------------------------------------------|
| netscreen:firewall | None |
| juniper:idp | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|------------------------|---------------------|----------------|---------------|
| juniper_netscreen | netscreen:firewall | netfw | none |
| juniper_idp | juniper:idp | netfw | none |

### Filter type

* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required
* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` as required


### Setup and Configuration
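Review bot: missing cross-reference: nothing in the Netscreen section now tells readers that IDP from Junos/SRX devices is still supported as `juniper:junos:idp` (the verification search kept in the context above this hunk, `sourcetype=juniper:junos:idp`, shows it is). Removing the `juniper:idp` rows and the `f_juniper_idp` mention is consistent with the filter and log-path deletions, but a one-line pointer to the Junos section would stop users from re-adding a `juniper_idp` key to `splunk_index.csv` to get IDP data back.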
Expand All @@ -160,57 +105,6 @@ Use the following search to validate events are present; for Juniper Netscreen p

```
index=<asconfigured> sourcetype=netscreen:firewall | stats count by host
index=<asconfigured> sourcetype=juniper:idp | stats count by host
```

Verify timestamp, and host values match as expected

## Product - Juniper SSLVPN

| Ref | Link |
|------------------|-------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 |

### Sourcetypes

| sourcetype | notes |
|------------------|-----------------------------------------------------------------------|
| juniper:sslvpn | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|------------------------|---------------------|----------------|---------------|
| juniper_sslvpn | juniper:sslvpn | netfw | none |

### Filter type

* MSG Parse: This filter parses message content


### Setup and Configuration

* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
* Review and update the splunk_index.csv file and set the index as required.
* Follow vendor configuration steps per referenced Product Manual

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
| SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined |
| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source |
| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

### Verification

Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified

```
index=<asconfigured> sourcetype=juniper:sslvpn | stats count by host
```

Verify timestamp, and host values match as expected
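Review bot: the docs say nothing about where SSL VPN syslog goes after this change. The removed `Options` table listed `SC4S_LISTEN_JUNIPER_JUNOS_*` variables rather than SSLVPN-specific ones, which matches the log-path hunk in this commit where SSLVPN was only a `program('Juniper')` branch inside `lp-juniper_junos.conf.tmpl`. SSL VPN messages that still match that log path now take its `else` branch and are indexed as `juniper:legacy` in `netops` instead of `juniper:sslvpn` in `netfw`, so saved searches on `sourcetype=juniper:sslvpn` stop returning results. State that explicitly in the upgrade notes.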
14 changes: 0 additions & 14 deletions package/etc/conf.d/filters/juniper/legacy.conf
@@ -1,20 +1,6 @@


filter f_juniper_nsm {
match("^juniper_nsm$", value("fields.sc4s_vendor_product"));

};
filter f_juniper_nsm_idp {
match("juniper_nsm_idp", value("fields.sc4s_vendor_product") type(glob) );

};

filter f_juniper_netscreen {
match("juniper_netscreen", value("fields.sc4s_vendor_product") type(glob) );

};

filter f_juniper_idp {
match("juniper_idp", value("fields.sc4s_vendor_product") type(glob))
or match('^\[syslog@juniper' value("SDATA"))
};
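Review bot: `f_juniper_idp` was not a pure host/IP filter: its second clause, `or match('^\[syslog@juniper' value("SDATA"))`, identified events by the `syslog@juniper` structured-data element regardless of sending host. With it removed, and the commented-out `program('Jnpr')` branch in the structured Junos log path dropped in the same commit, RFC 5424 IDP events carrying that SD-ID are no longer recognised by content and fall through to the generic `juniper:structured` destination. Please confirm that is intended, or keep a content-based match on the SD-ID if the structured IDP format is still meant to be supported.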
49 changes: 0 additions & 49 deletions package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl

This file was deleted.

3 changes: 0 additions & 3 deletions package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
Expand Up @@ -37,9 +37,6 @@ log {
} elif (program('RT_UTM')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
parser {p_add_context_splunk(key("juniper_junos_utm")); };
} elif (program('Juniper')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:sslvpn"), index("netfw"))};
parser {p_add_context_splunk(key("juniper_sslvpn")); };
} else {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"), index("netops"))};
parser {p_add_context_splunk(key("juniper_legacy")); };
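Review bot: after removing the `program('Juniper')` branch, messages with that program name have no explicit destination and land in the `else` branch (`juniper:legacy`, index `netops`). If that fall-through is the intended home for former SSLVPN events, add a comment at the `else` branch saying so, in the style of the `# Legacy Netscreen IDP ...` note that used to sit in the structured log path, so the reclassification is visible to the next reader of this template; otherwise an explicit branch that tags or drops them would be clearer than relying on the default.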
Original file line number Diff line number Diff line change
Expand Up @@ -42,14 +42,7 @@ log {
} elif (program('RT_SECINTEL')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) };
parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); };
}
# Legacy Netscreen IDP is handled in the "p_rfc3164-juniper-idp.conf" log path
#
# } elif (program('Jnpr')) {
# rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp:structured"), index("netids")) };
# parser {p_add_context_splunk(key("juniper_junos_idp")); };
# }
else {
} else {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) };
parser {p_add_context_splunk(key("juniper_structured")); };
};
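Review bot: nothing replaces the structured IDP destination that is deleted here. The removed comment pointed at a `p_rfc3164-juniper-idp.conf` log path, and this same commit deletes `lp-juniper_idp.conf.tmpl`, so dropping the stale pointer is right; but the commented `program('Jnpr')` branch (`juniper:idp:structured`, index `netids`) was the only record of where structured IDP events were meant to go. With both gone, events with program `Jnpr` arrive as `juniper:structured` in `netops`. If that is the intended end state, say so in the Juniper docs; if not, an un-commented `Jnpr` branch is the fix.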
49 changes: 0 additions & 49 deletions package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl

This file was deleted.

48 changes: 0 additions & 48 deletions package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl

This file was deleted.

3 changes: 0 additions & 3 deletions package/etc/context_templates/splunk_index.csv.example
Expand Up @@ -50,10 +50,7 @@
#juniper_junos_fw,index,netfw
#juniper_junos_ids,index,netids
#juniper_junos_utm,index,netfw
#juniper_sslvpn,index,netfw
#juniper_netscreen,index,netfw
#juniper_nsm,index,netfw
#juniper_nsm_idp,index,netids
#juniper_legacy,index,netops
#mcafee_epo,index,epav
#nix_syslog,index,osnix
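Review bot: the kept row `#juniper_junos_utm,index,netfw` disagrees with `lp-juniper_junos.conf.tmpl` in this same commit, where the `RT_UTM` branch sets `index("netids")` for the `juniper_junos_utm` key. The mismatch predates this change, but since the file is being edited anyway, align the commented default with the template so the example reflects what SC4S does when the key is left commented out.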
Original file line number Diff line number Diff line change
Expand Up @@ -19,22 +19,10 @@ filter f_dell_rsa_secureid {
host("test_rsasecureid*" type(glob))
#or netmask(xxx.xxx.xxx.xxx/xx)
};
filter f_juniper_idp {
host("jnpidp-*" type(glob))
#or netmask(xxx.xxx.xxx.xxx/xx)
};
filter f_juniper_netscreen {
host("jnpns-*" type(glob))
#or netmask(xxx.xxx.xxx.xxx/xx)
};
filter f_juniper_nsm {
host("jnpnsm-*" type(glob))
#or netmask(xxx.xxx.xxx.xxx/xx)
};
filter f_juniper_nsm_idp {
host("jnpnsmidp-*" type(glob))
#or netmask(xxx.xxx.xxx.xxx/xx)
};
filter f_cisco_meraki {
host("testcm-*" type(glob))
#or netmask(xxx.xxx.xxx.xxx/xx)
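Review bot: the summary reports 13 changed files, but only 11 appear on this page, and the test host filters for the four removed products are deleted here without any visible change to sample-event fixtures. Please confirm the remaining two files are the test events or cases for `juniper_nsm`, `juniper_nsm_idp`, `juniper_idp` and `juniper_sslvpn`; fixtures left behind for products with no filter or log path would either fail or pass silently by landing in a fallback sourcetype.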
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,6 @@ f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
f_f5_bigip,sc4s_vendor_product,"f5_bigip"
f_infoblox,sc4s_vendor_product,"infoblox"
f_juniper_nsm,sc4s_vendor_product,"juniper_nsm"
f_juniper_nsm_idp,sc4s_vendor_product,"juniper_nsm_idp"
f_juniper_idp,sc4s_vendor_product,"juniper_idp"
f_juniper_netscreen,sc4s_vendor_product,"juniper_netscreen"
f_cisco_nx_os,sc4s_vendor_product,"cisco_nx_os"
f_pfsense,sc4s_vendor_product,"pfsense"