From 7eaf8c9f5098004a61f70fe152438a82a4e52d16 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 18 Jun 2020 10:32:33 -0400
Subject: [PATCH] Support Vmware Horizon
---
 docs/sources/VMWare/index.md | 52 +++++++++++++++++++
 .../etc/conf.d/filters/VMware/vsphere.conf | 4 ++
 .../log_paths/lp-vmware_vsphere.conf.tmpl | 11 ++++
 .../splunk_metadata.csv.example | 1 +
 tests/test_vmware.py | 31 ++++++++++-
 5 files changed, 98 insertions(+), 1 deletion(-)
diff --git a/docs/sources/VMWare/index.md b/docs/sources/VMWare/index.md
index e4a820f..16945b2 100644
--- a/docs/sources/VMWare/index.md
+++ b/docs/sources/VMWare/index.md
@@ -53,3 +53,55 @@ An active proxy will generate frequent events. Use the following search to valid
 ```
 index= sourcetype="vmware:vsphere:*" | stats count by host
 ```
+
+# Vendor - Dell - VMware
+
+## Product - Horizon View
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Manual | unknown |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| vmware:horizon | None |
+| nix:syslog | When used with a default port this will follow the generic NIX configuration when using a dedicated port, IP or host rules events will follow the index configuration for vmware nsx |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| vmware_horizon | vmware:horizon | main | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content when using the default configuration
+
+### Setup and Configuration
+
+* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_VMWARE_VSPHERE | no | Enable archive to disk for this specific source |
+| SC4S_DEST_VMWARE_VSPHERE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype="vmware:horizon" | stats count by host
+```
diff --git a/package/etc/conf.d/filters/VMware/vsphere.conf b/package/etc/conf.d/filters/VMware/vsphere.conf
index 553de54..e055108 100644
--- a/package/etc/conf.d/filters/VMware/vsphere.conf
+++ b/package/etc/conf.d/filters/VMware/vsphere.conf
@@ -33,6 +33,7 @@ filter f_vmware_all {
 or program("NSXV", flags(ignore-case))
 or program("dfwpktlogs", flags(ignore-case))
 or program("nsx-.*", flags(ignore-case))
+ or program("view", flags(ignore-case))
 };

 filter f_vmware_esx {
@@ -77,4 +78,7 @@ filter f_vmware_vcenter {
 or program("Vpxd", flags(ignore-case))
 or program("Vpxd-svcs", flags(ignore-case))

+};
+filter f_vmware_horizon {
+ program("View")
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
index a3cfc91..77aab5b 100644
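Review bot: The new `f_vmware_horizon` filter in the second hunk matches `program("View")` case-sensitively and unanchored, while the first hunk adds `or program("view", flags(ignore-case))` to `f_vmware_all`, so an event whose program is lowercase `view` is accepted by `f_vmware_all` but then fails `f_vmware_horizon` and falls through to the log path's `else` branch. `program()` patterns are regular expressions (the existing `nsx-.*` entry relies on that) and match anywhere in the field unless anchored, so any RFC 5424 event whose program merely contains `View` would also be labeled `vmware:horizon`; aligning the two filters and anchoring the pattern, e.g. `filter f_vmware_horizon { program("^View$", flags(ignore-case)) };`, removes both the inconsistency and the mis-labeling risk. The hunk also preserves the file's missing trailing newline (`\ No newline at end of file`), which could have been fixed while the last line was being touched.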
--- a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
@@ -97,6 +97,17 @@ log {
 parser { p_add_context_splunk(key("vmware_esx")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+ } elif {
+ filter(f_is_rfc5424_strict);
+ filter(f_vmware_horizon);
+
+ rewrite {
+ set("vmware_horizon", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("vmware:horizon"), source("program:${PROGRAM}"));
+ };
+ parser { p_add_context_splunk(key("vmware_horizon")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
 } else {
diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example
index f88c5ae..59bc079 100644
--- a/package/etc/context_templates/splunk_metadata.csv.example
+++ b/package/etc/context_templates/splunk_metadata.csv.example
@@ -87,6 +87,7 @@ ubiquiti_unifi_switch,index,netops
 ubiquiti_unifi_threat,index,netidss
 ubiquiti_unifi_wireless,index,netops
 vmware_esx,index,main
+vmware_horizon,index,main
 vmware_nsx,index,main
 vmware_vcenter,index,main
 zscaler_alerts,index,netops
diff --git a/tests/test_vmware.py b/tests/test_vmware.py
index f558f01..2a04f8e 100644
--- a/tests/test_vmware.py
+++ b/tests/test_vmware.py
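Review bot: The new `elif` branch is guarded by `filter(f_is_rfc5424_strict)` in addition to `filter(f_vmware_horizon)`, so a Horizon event that arrives in BSD/RFC 3164 framing is matched by the `view` clause this commit adds to `f_vmware_all` but skips this branch and is labeled by the trailing `else` branch, whose behavior lies outside the hunk. That may be intended (the documentation hunk describes a `nix:syslog` fallback), but nothing in the branch says so; a comment on the `elif` such as `# Horizon View is recognised only in RFC 5424 form; other framings fall through to the default branch` would make the contract explicit for the next reader. The enclosing `log {` block starts and ends outside the hunk.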
@@ -128,4 +128,33 @@ def test_linux_vmware_vcenter_ietf(record_property, setup_wordlist, setup_splunk
 record_property("resultCount", resultCount)
 record_property("message", message)

- assert resultCount == 1
\ No newline at end of file
+ assert resultCount == 1
+
+# <111>1 2020-06-18T08:44:09.039-05:00 host View - 73 [View@6876 Severity="AUDIT_SUCCESS" Module="Broker" EventType="BROKER_USERLOGGEDIN" UserSID="S-1-5-21-873381292-3070774752-20851"]
+def test_linux_vmware_horizon_ietf(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ pid = random.randint(1000, 32000)
+
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ # iso from included timeutils is from local timezone; need to keep iso as UTC
+ iso_header = dt.isoformat()[0:23]
+ epoch = epoch[:-3]
+
+ mt = env.from_string('{{ mark }}1 {{ iso_header }}Z {{ host }} View - 73 [View@6876 Severity="AUDIT_SUCCESS" Module="Broker" EventType="BROKER_USERLOGGEDIN" UserSID="S-1-5-21-873381292-3070774752-20851"]\n')
+ message = mt.render(mark="<144>", iso_header=iso_header, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search _time={{ epoch }} index=main host={{ host }} sourcetype=\"vmware:horizon\"")
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
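Review bot: `iso_header = dt.isoformat()[0:23]` in `test_linux_vmware_horizon_ietf` assumes `isoformat()` always emits a fractional-seconds field; when `dt.microsecond` happens to be 0 the fraction is omitted and the slice yields `2020-06-18T08:44:09+00:` before the appended `Z`, producing an invalid RFC 5424 timestamp and an intermittently failing test. Writing `iso_header = dt.isoformat(timespec="milliseconds")[0:23]` makes the slice stable regardless of the microsecond value. `pid = random.randint(1000, 32000)` is assigned but never used, since the template hard-codes PROCID `73`, and the sample event in the comment above the function carries priority `<111>` while the test renders `mark="<144>"`; either substitute `pid` into the template or drop it, and make the comment show the event that is actually sent.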