From 67d2cd99d112e4cc2cddd7f44ed5441032f6e3a7 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 25 Mar 2020 20:10:52 -0400
Subject: [PATCH 1/2] Support Brocade switch fabric
---
docs/sources/Brocade/index.md | 47 +++++++++++++++
mkdocs.yml | 1 +
.../etc/conf.d/filters/brocade/syslog.conf | 4 ++
.../etc/conf.d/log_paths/lp-brocade.conf.tmpl | 55 ++++++++++++++++++
.../vendor_product_by_source.conf.example | 5 ++
.../vendor_product_by_source.csv.example | 1 +
tests/test_brocade.py | 57 +++++++++++++++++++
7 files changed, 170 insertions(+)
create mode 100644 docs/sources/Brocade/index.md
create mode 100644 package/etc/conf.d/filters/brocade/syslog.conf
create mode 100644 package/etc/conf.d/log_paths/lp-brocade.conf.tmpl
create mode 100644 tests/test_brocade.py
diff --git a/docs/sources/Brocade/index.md b/docs/sources/Brocade/index.md
new file mode 100644
index 0000000..90173e9
--- /dev/null
+++ b/docs/sources/Brocade/index.md
@@ -0,0 +1,47 @@
+# Vendor - Brocade
+
+
+## Product - Switches
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| brocade:syslog | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| brocade_syslog | brocade:syslog | netops | none |
+
+### Filter type
+
+Must be identified by host or ip assignment. Update the filter `f_brocade_syslog` or configure a dedicated port as required
+
+### Setup and Configuration
+
+Device setup unknown
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_BROCADE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_BROCADE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_BROCADE | no | Enable archive to disk for this specific source |
+| SC4S_DEST_BROCADE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=brocade:syslog| stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index 2cc7387..dc8acd7 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -13,6 +13,7 @@ nav:
 - Development: "developing/index.md"
 - Sources:
 - About: sources/index.md
+ - Brocade: sources/Brocade/index.md
 - Checkpoint: sources/Checkpoint/index.md
 - Cisco: sources/Cisco/index.md
 - Citrix: sources/Citrix/index.md
diff --git a/package/etc/conf.d/filters/brocade/syslog.conf b/package/etc/conf.d/filters/brocade/syslog.conf
new file mode 100644
index 0000000..ca5a2dd
--- /dev/null
+++ b/package/etc/conf.d/filters/brocade/syslog.conf
@@ -0,0 +1,4 @@
+filter f_brocade {
+ match("^brocade_syslog", value("fields.sc4s_vendor_product"));
+
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl
new file mode 100644
index 0000000..9ddf47b
--- /dev/null
+++ b/package/etc/conf.d/log_paths/lp-brocade.conf.tmpl
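Review bot: `f_brocade` tests `fields.sc4s_vendor_product` with a start-anchored regex only, `match("^brocade_syslog", ...)`, so any later key that merely begins with `brocade_syslog` would also be routed through this log path; anchor both ends, `match("^brocade_syslog$", value("fields.sc4s_vendor_product"));`, or compare as a plain string with `type(string)`. The file is also committed without a trailing newline, which the diff flags and which will churn the next edit. A one-line comment noting that this filter is fed by the `f_brocade_syslog` context filter the docs tell operators to edit would help, since the two names are easy to confuse.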
@@ -0,0 +1,55 @@
+# BROCADE
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "BROCADE" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_BROCADE_TCP_PORT")) (getenv (print "SC4S_LISTEN_BROCADE_UDP_PORT"))) (getenv (print "SC4S_LISTEN_BROCADE_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for BROCADE traffic
+ source (s_BROCADE);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for BROCADE traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_brocade);
+ flags(final);
+ };
+ };
+
+
+ rewrite {
+ set("brocade_syslog", value("fields.sc4s_vendor_product"));
+ subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+ set("${PROGRAM}", value(".PROGRAM"));
+ subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+ r_set_splunk_dest_default(sourcetype("brocade:syslog"), index("netops"), source("program:${.PROGRAM}"))
+ };
+ parser { p_add_context_splunk(key("brocade_syslog")); };
+
+
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_BROCADE_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_BROCADE" "no")) }}
+ destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_BROCADE_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_BROCADE_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{-
end }}
+
+ flags(flow-control,final);
+};
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
index 5280b72..7504c41 100644
--- a/package/etc/context_templates/vendor_product_by_source.conf.example
+++ b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -6,6 +6,11 @@ filter f_catch_first {
 netmask(169.254.100.0/24)
 };
 
+filter f_brocade_syslog {
+ host("test_brocade-*" type(glob))
+ #or netmask(xxx.xxx.xxx.xxx/xx)
+};
+
 filter f_citrix_netscaler {
 host("test_ctitrixns-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
index 9e5eaa3..6edbb8c 100644
--- a/package/etc/context_templates/vendor_product_by_source.csv.example
+++ b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -1,4 +1,5 @@
 f_test_test,sc4s_vendor_product,"test_test"
+f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
 f_catch_first,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
diff --git a/tests/test_brocade.py b/tests/test_brocade.py
new file mode 100644
index 0000000..e49ee12
--- /dev/null
+++ b/tests/test_brocade.py
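Review bot: The `subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"))` rewrite in the Brocade log path strips a tab-delimited prefix from every message, but none of the three sample events added in `tests/test_brocade.py` contains a tab, so the rewrite is never exercised and its purpose is undocumented; add a comment naming the Brocade message form that carries the tab prefix and a fixture containing it, or drop the line. The junction condition also honours `SC4S_LISTEN_BROCADE_TLS_PORT`, which the Options table added in `docs/sources/Brocade/index.md` does not list — document it next to the TCP/UDP variables if `t/source_network.t` creates a TLS listener (not visible here), otherwise remove it from the condition. Finally, `source("program:${.PROGRAM}")` copies the sender-supplied program name into Splunk's `source` metadata after only stripping a path prefix, so the device, or anything that can reach the listener, controls that value; this appears to be the convention of the other log paths, but it deserves a comment such as `# source is derived from the sender-reported PROGRAM; only a leading path is stripped`.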
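Review bot: The new `f_brocade_syslog` filter classifies by `host("test_brocade-*" type(glob))`, and in syslog-ng the `host()` filter is evaluated against the HOST value, which for plain syslog is normally taken from the sender's header rather than the peer address unless the source is configured to overwrite it; as a result a sender that writes a `test_brocade-` hostname into its own header would presumably be tagged `brocade_syslog` and routed to the `netops` index, because the log path keys off `sc4s_vendor_product`. The commented `#or netmask(xxx.xxx.xxx.xxx/xx)` alternative binds the assignment to the network source address, which is the stronger identity for unauthenticated syslog; since this example is what operators copy, a comment above the filter such as `# host() trusts the hostname in the syslog header; prefer netmask() for production assignments` would steer them. Whether SC4S rewrites HOST from the peer address depends on source options outside this change.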
@@ -0,0 +1,57 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+import pytest
+env = Environment()
+
+
+#
+#Mar 25 13:53:24 xxxxxx-xxxx STP: VLAN 125 Port 1/1/24 STP State -> FORWARDING (DOT1wTransition)
+#Mar 25 13:53:25 xxxxx-xxxxx System: PoE: Power disabled on port 1/1/24 because of detection of non-PD. PD detection will be disabled on port.
+#Mar 25 11:50:21 xxxxx-xxxxx Security: SSH terminated by uuuuuuu from src IP 10.1.1.1 from src MAC dddd.dddd.dddd from USER EXEC mode using RSA as Server Host Key.
+testdata = [
+ "{{ mark }}{{ bsd }} {{ host }} STP: VLAN 125 Port 1/1/24 STP State -> FORWARDING (DOT1wTransition)",
+ "{{ mark }}{{ bsd }} {{ host }} System: PoE: Power disabled on port 1/1/24 because of detection of non-PD. PD detection will be disabled on port.",
+ "{{ mark }}{{ bsd }} {{ host }} Security: SSH terminated by uuuuuuu from src IP 10.1.1.1 from src MAC dddd.dddd.dddd from USER EXEC mode using RSA as Server Host Key. 
", +] + +@pytest.mark.parametrize("event", testdata) +def test_brocade(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): + host = "test_brocade-" + get_host_key + + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + # Tune time functions + epoch = epoch[:-7] + time = time[:-7] + millisec = iso[20:23] + microsec = iso[20:26] + + mt = env.from_string(event + "\n") + message = mt.render(mark="<166>", seq=20, bsd=bsd, time=time, + millisec=millisec, microsec=microsec, tzname=tzname, host=host) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + "search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype=\"brocade:syslog\" (host=\"{{ host }}\" OR \"{{ host }}\")") + search = st.render(epoch=epoch, millisec=millisec, + microsec=microsec, host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 From 9d22ca3068cdd145ed31114248bd607f7df46284 Mon Sep 17 00:00:00 2001 From: mbonsack Date: Wed, 25 Mar 2020 17:59:18 -0700 Subject: [PATCH 2/2] Simplify brocade test Simplify test; many variables not needed. --- tests/test_brocade.py | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/tests/test_brocade.py b/tests/test_brocade.py index e49ee12..df21cf3 100644 --- a/tests/test_brocade.py +++ b/tests/test_brocade.py 
@@ -33,20 +33,15 @@ def test_brocade(record_property, setup_wordlist, get_host_key, setup_splunk, se
 
 # Tune time functions
 epoch = epoch[:-7]
- time = time[:-7]
- millisec = iso[20:23]
- microsec = iso[20:26]
 
 mt = env.from_string(event + "\n")
- message = mt.render(mark="<166>", seq=20, bsd=bsd, time=time,
- millisec=millisec, microsec=microsec, tzname=tzname, host=host)
+ message = mt.render(mark="<166>", bsd=bsd, host=host)
 
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
 st = env.from_string(
- "search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype=\"brocade:syslog\" (host=\"{{ host }}\" OR \"{{ host }}\")")
- search = st.render(epoch=epoch, millisec=millisec,
- microsec=microsec, host=host)
+ "search index=netops _time={{ epoch }} sourcetype=\"brocade:syslog\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+ search = st.render(epoch=epoch, host=host)
 
 resultCount, eventCount = splunk_single(setup_splunk, search)