* Combine ASA log paths (#577)

* Combine the legacy and RFC 5424 ASA log paths * Update `/entrypoint.sh` to account for deprectated env_vars
CSVD · Jul 23, 2020 · 6650b8c · 6650b8c
1 parent a5d601b
commit 6650b8c
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 63 deletions.
diff --git a/package/etc/conf.d/filters/cisco/asa.conf b/package/etc/conf.d/filters/cisco/asa.conf
@@ -9,3 +9,8 @@ filter f_cisco_asa_nohost {
     match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"))
     or match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
+
+filter f_cisco_ftd {
+    message('^%FTD-\d+-43000\d: ') or
+    match('^%FTD-\d+-43000\d:', value("LEGACY_MSGHDR"));
+};
diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl
@@ -1,6 +1,6 @@
-# Cisco ASA RFC5424
+# Cisco ASA
 {{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_ASA" "parser" "rfc5424_noversion" }}
+{{- $context := dict "port_id" "CISCO_ASA" "parser" "common" }}
 {{- tmpl.Exec "t/source_network.t" $context }}
 
 log {
@@ -15,17 +15,13 @@ log {
         channel {
         # Listen on the default port (typically 514) for CISCO_ASA traffic
             source (s_DEFAULT);
-            filter(f_is_rfc5424_noversion);
             filter(f_cisco_asa);
             flags(final);
         };
     };
 
     if {
-        filter {
-            message('^%FTD-\d+-43000\d: ') or
-            match('^%FTD-\d+-43000\d:', value("LEGACY_MSGHDR"));
-        };
+        filter(f_cisco_ftd);
         rewrite {
             set("cisco_ftd", value("fields.sc4s_vendor_product"));
             r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog"))
@@ -41,8 +37,12 @@ log {
         };
         parser {p_add_context_splunk(key("cisco_asa")); };
         parser (compliance_meta_by_source);
-        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 
+        if (filter (f_cisco_asa_nohost)) {
+            rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+        } else {
+            rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+        };
     };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no")) }}

diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
@@ -3,14 +3,26 @@
 # The follwoing will be addressed in a future release
 # source scl_source enable rh-python36
 
-# The MICROFOCUS_ARCSIGHT unique port environment variables are currently deprecated
-# This will be removed when the MICROFOCUS_ARCSIGHT unique port environment variables are removed in version 2.0
+# The MICROFOCUS_ARCSIGHT destination is currently deprecated
+# The unique port environment variables associated with MICROFOCUS_ARCSIGHT will be renamed to
+# match the current CEF destination
+# This block will be removed when the MICROFOCUS_ARCSIGHT destination is removed in version 2.0
 if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT} ]; then export SC4S_LISTEN_CEF_UDP_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT; fi
 if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT} ]; then export SC4S_LISTEN_CEF_TCP_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT; fi
 if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT} ]; then export SC4S_LISTEN_CEF_TLS_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT; fi
 if [ ${SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT} ]; then export SC4S_ARCHIVE_CEF=$SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT; fi
 if [ ${SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC} ]; then export SC4S_DEST_CEF_HEC=$SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC; fi
 
+# The CISCO_ASA_LEGACY destination is currently deprecated
+# The unique port environment variables associated with CISCO_ASA_LEGACY will be renamed to 
+# match the current CISCO_ASA destination
+# This block will be removed when the CISCO_ASA_LEGACY destination is removed in version 2.0
+if [ ${SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT} ]; then export SC4S_LISTEN_CISCO_ASA_UDP_PORT=$SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT; fi
+if [ ${SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT} ]; then export SC4S_LISTEN_CISCO_ASA_TCP_PORT=$SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT; fi
+if [ ${SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT} ]; then export SC4S_LISTEN_CISCO_ASA_TLS_PORT=$SC4S_LISTEN_CISCO_ASA_LEGACY_TLS_PORT; fi
+if [ ${SC4S_ARCHIVE_CISCO_ASA_LEGACY} ]; then export SC4S_ARCHIVE_CISCO_ASA=$SC4S_ARCHIVE_CISCO_ASA_LEGACY; fi
+if [ ${SC4S_DEST_CISCO_ASA_LEGACY_HEC} ]; then export SC4S_DEST_CISCO_ASA_HEC=$SC4S_DEST_CISCO_ASA_LEGACY_HEC; fi
+
 cd /opt/syslog-ng
 
 # SIGTERM-handler