From 8799d4e0654a6a0135916d330a3c15e370969e37 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Fri, 29 May 2020 10:34:39 -0400 Subject: [PATCH] Add proper support for vcenter appliances --- docs/sources/VMWare/index.md | 6 ++-- .../etc/conf.d/filters/VMware/vsphere.conf | 14 +++++++-- package/etc/conf.d/filters/nix/os.conf | 5 ++-- .../log_paths/lp-vmware_vsphere.conf.tmpl | 24 +++++++++++++-- .../log_paths/lp-zzy-nix_syslog.conf.tmpl | 10 +++++-- .../splunk_index.csv.example | 2 ++ tests/test_vmware.py | 29 +++++++++++++++++++ 7 files changed, 79 insertions(+), 11 deletions(-)
diff --git a/docs/sources/VMWare/index.md b/docs/sources/VMWare/index.md
index 4942e35..fa7cd76 100644
--- a/docs/sources/VMWare/index.md
+++ b/docs/sources/VMWare/index.md
@@ -14,14 +14,16 @@
 |----------------|---------------------------------------------------------------------------------------------------------| | vmware:vsphere:nsx | None | | vmware:vsphere:esx | None |
+| vmware:vsphere:vcenter | None |
 | nix:syslog | When used with a default port this will follow the generic NIX configuration when using a dedicated port, IP or host rules events will follow the index configuration for vmware nsx | ### Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------|
-| vmware_nsx | vmware:vsphere:nsx | main | none |
 | vmware_esx | vmware:vsphere:esx | main | none |
+| vmware_nsx | vmware:vsphere:nsx | main | none |
+| vmware_vcenter | vmware:vsphere:vcenter | main | none |
 ### Filter type
@@ -49,5 +51,5 @@ MSG Parse: This filter parses message content when using the default configurati
 An active proxy will generate frequent events. Use the following search to validate events are present per source device ```
-index= sourcetype="vmware:*:vsphere:*" | stats count by host
+index= sourcetype="vmware:vsphere:*" | stats count by host
 ```
diff --git a/package/etc/conf.d/filters/VMware/vsphere.conf b/package/etc/conf.d/filters/VMware/vsphere.conf
index 295d3d8..d7ba39b 100644
--- a/package/etc/conf.d/filters/VMware/vsphere.conf
+++ b/package/etc/conf.d/filters/VMware/vsphere.conf
@@ -12,8 +12,12 @@ filter f_vmware_all {
 or program("sdrsInjector", flags(ignore-case))
 or program("sfcb-.*", flags(ignore-case))
 or program("storageRM", flags(ignore-case))
+ or program("vmafdd", flags(ignore-case))
+ or program("vmcad", flags(ignore-case))
+ or program("vmdird", flags(ignore-case))
 or program("vmkernel", flags(ignore-case))
 or program("vmkwarning", flags(ignore-case))
+ or program("vmon", flags(ignore-case))
 or program("vobd", flags(ignore-case))
 or program("Vpxa", flags(ignore-case))
 or program("Vpxd", flags(ignore-case))
@@ -26,7 +30,7 @@ filter f_vmware_all {
 or program("nsx-.*", flags(ignore-case))
 };
-filter f_vmware_vsphere {
+filter f_vmware_esx {
 program("cimslp", flags(ignore-case))
 or program("Fdm", flags(ignore-case))
 or program("Hostd", flags(ignore-case))
@@ -57,4 +61,10 @@ filter f_vmware_nsx {
 program("dfwpktlogs", flags(ignore-case))
 or program("nsx-.*", flags(ignore-case))
-};
\ No newline at end of file
+};
+filter f_vmware_vcenter {
+ program("vmafdd", flags(ignore-case))
+ or program("vmcad", flags(ignore-case))
+ or program("vmdird", flags(ignore-case))
+ or program("vmon", flags(ignore-case))
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/nix/os.conf b/package/etc/conf.d/filters/nix/os.conf
index bfeeb2a..0cb11dd 100644
--- a/package/etc/conf.d/filters/nix/os.conf
+++ b/package/etc/conf.d/filters/nix/os.conf
@@ -1,5 +1,6 @@
 filter f_nix_syslog {
- program("[a-zA-Z0-9\/]+")
+ (program("[a-zA-Z0-9\/\-]+")
 and
- match('[a-zA-Z\]]: $' value("LEGACY_MSGHDR"))
+ match('[a-zA-Z\]]: $' value("LEGACY_MSGHDR")))
+ or match("rfc5424_strict" value("fields.sc4s_syslog_format"))
 };
\ No newline at end of file
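Review bot: The four vCenter daemon names are now listed twice in vsphere.conf — added to f_vmware_all in the first hunk and repeated in the new f_vmware_vcenter in the last — so the next service added to one list will silently be missed by the other. syslog-ng allows a filter to reference another, so if f_vmware_all is meant to be the union of the per-product filters (it looks that way, but its full body is outside the hunks) it could be written as `filter(f_vmware_esx) or filter(f_vmware_nsx) or filter(f_vmware_vcenter)` with a single program list per product; otherwise a one-line comment above each list saying they must be kept in sync would do. The new block ends without a trailing newline, as the `\ No newline at end of file` marker shows, and has no blank line separating it from f_vmware_nsx. All of these filters classify solely on the PROGRAM header of the received message, so a comment such as `# routing is keyed on the syslog PROGRAM field only; use host/IP context rules where the source must be pinned` above f_vmware_vcenter would make that trust boundary explicit for whoever tunes the index mapping.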
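Review bot: The new `or match("rfc5424_strict" value("fields.sc4s_syslog_format"))` alternative makes f_nix_syslog accept any event whose format was classified as strict RFC 5424, with no constraint on PROGRAM or LEGACY_MSGHDR at all, so — assuming this filter is what gates the nix_syslog log path, whose filter line is outside these hunks — every well-formed RFC 5424 message that no earlier log path claims will now be tagged nix:syslog and sent to the osnix index. If that fallback is the intent it deserves a comment inside the filter, e.g. `# strict RFC 5424 events are accepted regardless of PROGRAM; they become nix:syslog unless an earlier log path claims them`, and a line in the NIX documentation, since this commit updates only the VMware page. The `\-` added to the program() character class widens the legacy branch slightly as well, which is reasonable for hyphenated daemon names but worth a word in the commit message. The file still ends without a newline.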
diff --git a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
index 13b77b5..b4764cd 100644
--- a/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-vmware_vsphere.conf.tmpl
@@ -46,11 +46,24 @@ log {
 parser { p_add_context_splunk(key("vmware_nsx")); };
 parser (compliance_meta_by_source);
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+ } elif {
+
+ filter(f_vmware_vcenter);
+
+ rewrite {
+ set("vmware_vcenter", value("fields.sc4s_vendor_product"));
+ set("${PROGRAM}", value(".PROGRAM"));
+ subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+ r_set_splunk_dest_default(sourcetype("vmware:vsphere:vcenter"), index("main"), source("program:${.PROGRAM}"));
+ };
+ parser { p_add_context_splunk(key("vmware_vcenter")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
 #esx things
 } elif {
 filter(f_is_rfc5424_strict);
- filter(f_vmware_vsphere);
+ filter(f_vmware_esx);
 rewrite { set("vmware_vsphere_esx", value("fields.sc4s_vendor_product"));
@@ -62,7 +75,7 @@ log {
 } elif {
- filter(f_vmware_vsphere);
+ filter(f_vmware_esx);
 rewrite { set("vmware_vsphere_esx", value("fields.sc4s_vendor_product"));
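Review bot: The new vcenter branch always renders MSG with t_legacy_hdr_msg, although the test added in this commit sends vCenter events in RFC 5424 form (`1 {{ iso_header }}Z {{ host }} vmon 2275 - - ...`), the same commit teaches the nix:syslog branches to switch to t_JSON_5424 when f_is_rfc5424_strict matches, and the esx branch below keeps a dedicated strict-5424 `elif`. Unless the legacy rendering is deliberately chosen for vCenter, this branch should get the same `if { filter(f_is_rfc5424_strict); ... } else { ... };` switch so that whatever t_JSON_5424 preserves for the other paths is preserved for the appliance too; if the legacy form is intended, a comment saying why would stop the next reader from "fixing" it. The two blank added lines after `} elif {` and after the filter call differ from the layout of the surrounding branches and could be dropped. The enclosing log {} block starts and ends outside this hunk.
```conf
        # … unchanged: filter(f_vmware_vcenter), rewrite block and the two context parsers …
        if {
            filter(f_is_rfc5424_strict);
            rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
        } else {
            rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
        };
    #esx things
```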
@@ -86,7 +99,12 @@ log {
 rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) };
 parser { p_add_context_splunk(key("nix_syslog")); };
 parser (compliance_meta_by_source);
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+ if {
+ filter(f_is_rfc5424_strict);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
+ } else {
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+ };
 };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_VMWARE_VSPHERE_HEC" "no")) }}
diff --git a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
index 9b9f848..558818d 100644
--- a/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zzy-nix_syslog.conf.tmpl
@@ -19,7 +19,6 @@ log {
 flags(final);
 };
 };
-
 rewrite {
 set("nix_syslog", value("fields.sc4s_vendor_product"));
 subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
@@ -30,7 +29,14 @@ log {
 rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}")) };
 parser { p_add_context_splunk(key("nix_syslog")); };
 parser (compliance_meta_by_source);
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+
+ if {
+ filter(f_is_rfc5424_strict);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
+ } else {
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+
+ };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_NIX_SYSLOG_HEC" "no")) }}
 destination(d_hec);
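Review bot: Switching the nix:syslog branch to t_JSON_5424 whenever f_is_rfc5424_strict matches changes the MSG body that existing nix:syslog / osnix consumers receive for every strict RFC 5424 sender, not only vCenter, yet neither the commit message nor the docs hunk (which touches only the VMware page) mentions it. The same block is pasted into the second hunk of lp-zzy-nix_syslog.conf.tmpl, so a note in the NIX documentation and ideally one shared rewrite definition referenced from both log paths would keep the two copies from drifting; in the lp-zzy copy the stray blank added line inside the else branch and the one before `if {` could also be dropped. If t_JSON_5424 emits the structured-data elements as JSON, as its name suggests, searches and field extractions built on the legacy header form for these hosts will need adjusting, which is worth stating explicitly. The surrounding log {} block begins before and ends after this hunk.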
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 4165197..b740247 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -70,7 +70,9 @@
 #sc4s_fallback,index,main
 #sc4s_metrics,index,em_metrics
 #symantec_ep,index,epav
+#vmware_esx,index,main
 #vmware_nsx,index,main
+#vmware_vcenter,index,main
 #zscaler_alerts,index,main
 #zscaler_dns,index,netdns
 #zscaler_fw,index,netfw
diff --git a/tests/test_vmware.py b/tests/test_vmware.py
index 7f6c371..24c5684 100644
--- a/tests/test_vmware.py
+++ b/tests/test_vmware.py
@@ -100,3 +100,32 @@ def test_linux_vmware_nsx_fw(record_property, setup_wordlist, setup_splunk, setu
 record_property("message", message) assert resultCount == 1
+
+
+def test_linux_vmware_vcenter_ietf(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) dt = datetime.datetime.now(datetime.timezone.utc) iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) # Tune time functions # iso from included timeutils is from local timezone; need to keep iso as UTC iso_header = dt.isoformat()[0:23] epoch = epoch[:-3] mt = env.from_string("{{ mark }}1 {{ iso_header }}Z {{ host }} vmon 2275 - - Reset fail counters of service\n") message = mt.render(mark="<144>", iso_header=iso_header, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string("search _time={{ epoch }} index=main host={{ host }} sourcetype=\"vmware:vsphere:vcenter\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) record_property("host", host) record_property("resultCount", resultCount) record_property("message", message) assert resultCount == 1
\ No newline at end of file
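Review bot: `iso_header = dt.isoformat()[0:23]` is a millisecond timestamp only while dt has a non-zero microsecond field; datetime.isoformat() omits the fractional part entirely when microsecond == 0, so roughly one run in a million produces a value shaped like `2020-05-29T14:34:39+00:` (illustrative) followed by the template's literal `Z`, a malformed RFC 5424 TIMESTAMP and a spurious test failure. Pinning the precision removes the flake: `iso_header = dt.isoformat(timespec="milliseconds")[0:23]`. `pid` is computed and never used — the message hard-codes `2275` — so either render it into the template or drop the assignment, and `iso, bsd, time, date, tzoffset, tzname` from time_operations are likewise unused (the local `time` also shadows the stdlib module if this file imports it). The file ends without a trailing newline.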