Skip to content

Commit

Permalink
Add backward compatibity for MF ARCSIGHT env vars
Browse files Browse the repository at this point in the history 
* entrypoint.sh:  Add backward compatibilty for deprecated MICROFOCUS_ARCSIGHT environment variables
* Revise documentation to highlight deprecated variables
* Add separate Arcsight source document
  • Loading branch information
Mark Bonsack committed Jan 24, 2020
1 parent 645732b commit 71a8862
Show file tree
Hide file tree
Showing 4 changed files with 125 additions and 53 deletions.
101 changes: 101 additions & 0 deletions docs/sources/Arcsight/index.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
# Vendor - MicroFocus Arcsight

## Product - Arcsight Internal Agent

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| cef | Common sourcetype |

### Source

| source | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| ArcSight:ArcSight | Internal logs |

### Index Configuration

| key | source | index | notes |
|----------------|----------------|----------------|----------------|
| ArcSight_ArcSight | ArcSight:ArcSight | main | none |

### Filter type

MSG Parse: This filter parses message content

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Deprecated equivalent of above variable. This is included for backward compatibility and will be removed in a future version. _Do not use_ in new installations. |

### Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

```
index=<asconfigured> (sourcetype=cef source="ArcSight:ArcSight")
```

## Product - Microsoft Windows (CEF)

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ |
| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| cef | Common sourcetype |

### Source

| source | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
| CEFEventLog:Microsoft Windows | Windows Security Event Logs |

### Index Configuration

| key | source | index | notes |
|----------------|----------------|----------------|----------------|
| Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
| Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |

### Filter type

MSG Parse: This filter parses message content

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
| SC4S_WWW_XXX_MICROFOCUS_ARCSIGHT_YYY_ZZZ | no | Deprecated equivalents of the above variables. These are included for backward compatibility, and will be removed in a future version. _Do not use_ in new installations. |

### Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

```
index=<asconfigured> (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))
```
68 changes: 15 additions & 53 deletions docs/sources/CommonEventFormat/index.md
View file
Original file line number Diff line number Diff line change
@@ -1,57 +1,20 @@
# Vendor - Common Event Format Data Sources

## Product - Arcsight Internal Agent
## Product - Various products that send CEF-format messages via syslog

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| cef | Common sourcetype |

### Source

| source | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| ArcSight:ArcSight | Internal logs |
Each CEF product should have their own source entry in this documentation set. In a departure
from normal configuration, all CEF products should use the "CEF" version of the unique port and
archive envrionmetn variable settings (rather than a unique one per product), as the CEF log path
handles all products sending events to SC4S in the CEF format. Examples of this include Arcsight,
Imperva, and Cyberark.

### Index Configuration
The source documentation included below is a reference baseline for any product that sends data
using the CEF log path.

| key | source | index | notes |
|----------------|----------------|----------------|----------------|
| ArcSight_ArcSight | ArcSight:ArcSight | main | none |

### Filter type

MSG Parse: This filter parses message content

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |

### Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

```
index=<asconfigured> (sourcetype=cef source="ArcSight:ArcSight")
```

## Product - Microsoft Windows (CEF)

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ |
| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |


Expand All @@ -61,19 +24,17 @@ index=<asconfigured> (sourcetype=cef source="ArcSight:ArcSight")
|----------------|---------------------------------------------------------------------------------------------------------|
| cef | Common sourcetype |

### Source
### Typical Source

| source | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
| CEFEventLog:Microsoft Windows | Windows Security Event Logs |
| Varies | Varies |

### Index Configuration
### Typical Index Configuration

| key | source | index | notes |
|----------------|----------------|----------------|----------------|
| Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
| Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |
| Vendor_Product | Varies | main | none |

### Filter type

Expand All @@ -83,8 +44,9 @@ MSG Parse: This filter parses message content

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
| SC4S_LISTEN_CEF_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined |
| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

Expand All @@ -95,5 +57,5 @@ An active site will generate frequent events use the following search to check f
Verify timestamp, and host values match as expected

```
index=<asconfigured> (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))
index=<asconfigured> (sourcetype=cef source=<asconfigured>)
```
1 change: 1 addition & 0 deletions mkdocs.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ nav:
- Configuration: 'configuration.md'
- Sources:
- About: sources/index.md
- ArcSight: sources/Arcsight/index.md
- Checkpoint: sources/Checkpoint/index.md
- Cisco: sources/Cisco/index.md
- 'Common Event Format': sources/CommonEventFormat/index.md
Expand Down
8 changes: 8 additions & 0 deletions package/sbin/entrypoint.sh
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,14 @@
#!/usr/bin/env bash
source scl_source enable rh-python36

# The MICROFOCUS_ARCSIGHT unique port environment variables are currently deprecated
# This will be removed when the MICROFOCUS_ARCSIGHT unique port environment variables are removed in version 2.0
if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT} ]; then export SC4S_LISTEN_CEF_UDP_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT; fi
if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT} ]; then export SC4S_LISTEN_CEF_TCP_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT; fi
if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT} ]; then export SC4S_LISTEN_CEF_TLS_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT; fi
if [ ${SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT} ]; then export SC4S_ARCHIVE_CEF=$SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT; fi
if [ ${SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC} ]; then export SC4S_DEST_CEF_HEC=$SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC; fi

cd /opt/syslog-ng

gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --out=\2/') --template t=etc/go_templates/
Expand Down

0 comments on commit 71a8862

Please sign in to comment.