Merge pull request #447 from mchavda-splunk/sep-syslog-filters

Symantec Endpoint Protection filters
CSVD · May 8, 2020 · 6a4f471 · 6a4f471
2 parents f3c37f4 + 695de26
commit 6a4f471
Show file tree

Hide file tree

Showing 5 changed files with 458 additions and 16 deletions.
diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md
@@ -10,15 +10,27 @@
 
 ### Sourcetypes
 
-| sourcetype     | notes                                                                                                   |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| symantec:ep:syslog        | Warning the syslog method of accepting EP logs has been reported to show high data loss and is not Supported by Splunk  |
-
-### Sourcetype and Index Configuration
-
-| key            | sourcetype     | index          | notes          |
-|----------------|----------------|----------------|----------------|
-| symantec_ep      | symantec:ep:syslog       | epav          | none          |
+| sourcetype                     | notes                                                                                                   |
+|--------------------------------|---------------------------------------------------------------------------------------------------------|
+| symantec:ep:syslog             | Warning the syslog method of accepting EP logs has been reported to show high data loss and is not Supported by Splunk  |
+| symantec:ep:admin:syslog       | none |
+| symantec:ep:agent:syslog       | none |
+| symantec:ep:agt:system:syslog  | none |
+| symantec:ep:behavior:syslog    | none |
+| symantec:ep:packet:syslog      | none |
+| symantec:ep:policy:syslog      | none |
+| symantec:ep:proactive:syslog   | none |
+| symantec:ep:risk:syslog        | none |
+| symantec:ep:scan:syslog        | none |
+| symantec:ep:scm:system:syslog  | none |
+| symantec:ep:security:syslog    | none |
+| symantec:ep:traffic:syslog     | none |
+
+### Index Configuration
+
+| key            | index          | notes          |
+|----------------|----------------|----------------|
+| symantec_ep    | epav           | none           |
 
 
 ### Filter type

diff --git a/package/etc/conf.d/filters/symantec/ep.conf b/package/etc/conf.d/filters/symantec/ep.conf
@@ -1,3 +1,51 @@
 filter f_symantec_ep {
     program("SymantecServer")
+};
+
+filter f_symantec_ep_proactive {
+    message(',Detection\stype:')
+};
+
+filter f_symantec_ep_risk {
+    message(',Risk\sname:')
+};
+
+filter f_symantec_ep_agt_system {
+    message(',Category:\s\d+,')
+};
+
+filter f_symantec_ep_packet {
+    message(',(?:Inbound|Outbound|Unknown),Application:')
+};
+
+filter f_symantec_ep_traffic {
+    message(',(?:Inbound|Outbound|Unknown),Begin(?:\sTime)?:')
+};
+
+filter f_symantec_ep_security {
+    message('CIDS\sSignature\sSubID:')
+};
+
+filter f_symantec_ep_scan {
+    message('Scan\sID:\s\d+')
+};
+
+filter f_symantec_ep_behavior {
+    message('Begin(?:\sTime)?:\s[^,]*,End(?:\sTime)?:')
+};
+
+filter f_symantec_ep_policy {
+    message('Admin:\s[^,]+,.*[Pp]olicy')
+};
+
+filter f_symantec_ep_admin {
+    message('Domain(?:\sName)?:\s[^,]{0,25},Admin:')
+};
+
+filter f_symantec_ep_agent {
+    message('(?:,The\smanagement\sserver|,The\sclient)')
+};
+
+filter f_symantec_ep_scm_system {
+    message('Site:\s[^,]+,Server(?:\sName)?:\s[^,]+,')
 };
diff --git a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl
@@ -21,15 +21,78 @@ log {
         };
     };
 
-
+    if {
+        filter(f_symantec_ep_proactive);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:proactive:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_risk);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:risk:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_agt_system);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:agt:system:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_packet);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:packet:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_traffic);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:traffic:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_security);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:security:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_scan);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:scan:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_behavior);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:behavior:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_policy);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:policy:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_admin);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:admin:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_agent);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:agent:syslog"), index("epav"))
+        };
+    } elif {
+        filter(f_symantec_ep_scm_system);
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:scm:system:syslog"), index("epav"))
+        };
+    } else {
+        rewrite {
+            r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav"))
+        };
+    };
     rewrite {
-        set("symantec_ep_syslog", value("fields.sc4s_vendor_product"));
-        r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav"))
+        set("Symantec Endpoint Protection", value("fields.sc4s_vendor_product"));
     };
-    parser { p_add_context_splunk(key("symantec_ep_syslog")); };
+    parser { p_add_context_splunk(key("symantec_ep")); };
 
     parser (compliance_meta_by_source);
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_EP_HEC" "no")) }}
     destination(d_hec);

diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
@@ -72,7 +72,7 @@
 #sc4s_events,index,main
 #sc4s_fallback,index,main
 #sc4s_metrics,index,em_metrics
-#symanrtec_ep,index,epav
+#symantec_ep,index,epav
 #vmware_nsx,index,main
 #zscaler_alerts,index,main
 #zscaler_dns,index,netdns