From 71a8862db28cd04c50505a2983da4d51fd85d4b4 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Thu, 23 Jan 2020 22:27:15 -0800
Subject: [PATCH] Add backward compatibity for MF ARCSIGHT env vars

* entrypoint.sh: Add backward compatibilty for deprecated MICROFOCUS_ARCSIGHT environment variables
* Revise documentation to highlight deprecated variables
* Add separate Arcsight source document
---
 docs/sources/Arcsight/index.md | 101 ++++++++++++++++++++++++
 docs/sources/CommonEventFormat/index.md | 68 ++++------------
 mkdocs.yml | 1 +
 package/sbin/entrypoint.sh | 8 ++
 4 files changed, 125 insertions(+), 53 deletions(-)
 create mode 100644 docs/sources/Arcsight/index.md

diff --git a/docs/sources/Arcsight/index.md b/docs/sources/Arcsight/index.md
new file mode 100644
index 0000000..15b6dda
--- /dev/null
+++ b/docs/sources/Arcsight/index.md
@@ -0,0 +1,101 @@
+# Vendor - MicroFocus Arcsight
+
+## Product - Arcsight Internal Agent
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ArcSight:ArcSight | Internal logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| ArcSight_ArcSight | ArcSight:ArcSight | main | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Deprecated equivalent of above variable. This is included for backward compatibility and will be removed in a future version. _Do not use_ in new installations. |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef source="ArcSight:ArcSight")
+```
+
+## Product - Microsoft Windows (CEF)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
+| CEFEventLog:Microsoft Windows | Windows Security Event Logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
+| Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+| SC4S_WWW_XXX_MICROFOCUS_ARCSIGHT_YYY_ZZZ | no | Deprecated equivalents of the above variables. These are included for backward compatibility, and will be removed in a future version. _Do not use_ in new installations. |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))
+```
diff --git a/docs/sources/CommonEventFormat/index.md b/docs/sources/CommonEventFormat/index.md
index c6c26bd..d98e78b 100644
--- a/docs/sources/CommonEventFormat/index.md
+++ b/docs/sources/CommonEventFormat/index.md
@@ -1,57 +1,20 @@ # Vendor - Common Event Format Data Sources -## Product - Arcsight Internal Agent +## Product - Various products that send CEF-format messages via syslog -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ArcSight:ArcSight | Internal logs | +Each CEF product should have their own source entry in this documentation set. In a departure +from normal configuration, all CEF products should use the "CEF" version of the unique port and +archive envrionmetn variable settings (rather than a unique one per product), as the CEF log path +handles all products sending events to SC4S in the CEF format. Examples of this include Arcsight, +Imperva, and Cyberark. -### Index Configuration +The source documentation included below is a reference baseline for any product that sends data +using the CEF log path. 
-| key | source | index | notes |
-|----------------|----------------|----------------|----------------|
-| ArcSight_ArcSight | ArcSight:ArcSight | main | none |
-
-### Filter type
-
-MSG Parse: This filter parses message content
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-
-### Verification
-
-An active site will generate frequent events use the following search to check for new events
-
-Verify timestamp, and host values match as expected
-
-```
-index= (sourcetype=cef source="ArcSight:ArcSight")
-```
-
-## Product - Microsoft Windows (CEF)
 
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
 | Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
-| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ |
 | Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
 
 
@@ -61,19 +24,17 @@ index= (sourcetype=cef source="ArcSight:ArcSight")
 |----------------|---------------------------------------------------------------------------------------------------------|
 | cef | Common sourcetype |
 
-### Source
+### Typical Source
 
 | source | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
-| CEFEventLog:Microsoft Windows | Windows Security Event Logs |
+| Varies | Varies |
 
-### Index Configuration
+### Typical Index Configuration
 
 | key | source | index | notes |
 |----------------|----------------|----------------|----------------|
-| Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
-| Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |
+| Vendor_Product | Varies | main | none |
 
 ### Filter type
 
@@ -83,8 +44,9 @@ MSG Parse: This filter parses message content
 
 | Variable | default | description |
 |----------------|----------------|----------------|
-| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
 | SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CEF_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined |
 | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
 | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
 
@@ -95,5 +57,5 @@ An active site will generate frequent events use the following search to check f
 Verify timestamp, and host values match as expected
 
 ```
-index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))
+index= (sourcetype=cef source=)
 ```
diff --git a/mkdocs.yml b/mkdocs.yml
index 018c557..5a467aa 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -12,6 +12,7 @@ nav:
   - Configuration: 'configuration.md'
   - Sources:
     - About: sources/index.md
+    - ArcSight: sources/Arcsight/index.md
     - Checkpoint: sources/Checkpoint/index.md
     - Cisco: sources/Cisco/index.md
     - 'Common Event Format': sources/CommonEventFormat/index.md
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index b7d5b2d..229a384 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -1,6 +1,14 @@
 #!/usr/bin/env bash
 source scl_source enable rh-python36
 
+# The MICROFOCUS_ARCSIGHT unique port environment variables are currently deprecated
+# This will be removed when the MICROFOCUS_ARCSIGHT unique port environment variables are removed in version 2.0
+if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT} ]; then export SC4S_LISTEN_CEF_UDP_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT; fi
+if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT} ]; then export SC4S_LISTEN_CEF_TCP_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT; fi
+if [ ${SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT} ]; then export SC4S_LISTEN_CEF_TLS_PORT=$SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TLS_PORT; fi
+if [ ${SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT} ]; then export SC4S_ARCHIVE_CEF=$SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT; fi
+if [ ${SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC} ]; then export SC4S_DEST_CEF_HEC=$SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC; fi
+
 cd /opt/syslog-ng
 gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --out=\2/') --template t=etc/go_templates/