From 2e57b04a8edc53d6dc93ebe73120cc05a42c28b3 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Sat, 18 Apr 2020 18:03:17 -0400 Subject: [PATCH] Limited Symantec EP support --- docs/sources/Symantec/index.md | 50 ++++++++++++++++++ package/etc/conf.d/filters/symantec/ep.conf | 3 ++ .../conf.d/log_paths/lp-symantec_ep.conf.tmpl | 51 +++++++++++++++++++ .../splunk_index.csv.example | 1 + tests/test_symantec_ep.py | 43 ++++++++++++++++ 5 files changed, 148 insertions(+) create mode 100644 package/etc/conf.d/filters/symantec/ep.conf create mode 100644 package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl create mode 100644 tests/test_symantec_ep.py diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md index 58e79a5..f2e7ab5 100644 --- a/docs/sources/Symantec/index.md +++ b/docs/sources/Symantec/index.md 
@@ -1,5 +1,55 @@ # Vendor - Symantec +## Product - Symantec Endpoint Protection + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | No Public add-on | +| Product Manual | https://support.symantec.com/us/en/article.tech242216.html | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| symantec:ep:syslog | Warning the syslog method of accepting EP logs has been reported to show high data loss and is not Supported by Splunk | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| symantec_ep | symantec:ep:syslog | epav | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration + * Select TCP or SSL transport option + * Ensure the format of the event is customized per Splunk documentation + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_SYMANTEC_EP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_SYMANTEC_EP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_SYMANTEC_EP | no | Enable archive to disk for this specific source | +| SC4S_DEST_SYMANTEC_EP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active server will generate frequent events. Use the following search to validate events are present per source device + +``` +index= sourcetype=symantec:ep:syslog | stats count by host +`` + ## Product - ProxySG/ASG (Bluecoat) | Ref | Link | diff --git a/package/etc/conf.d/filters/symantec/ep.conf b/package/etc/conf.d/filters/symantec/ep.conf new file mode 100644 index 0000000..a9db248 --- /dev/null +++ b/package/etc/conf.d/filters/symantec/ep.conf @@ -0,0 +1,3 @@ +filter f_symantec_ep { + program("SymantecServer") +}; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl new file mode 100644 index 0000000..2f294ed --- /dev/null +++ b/package/etc/conf.d/log_paths/lp-symantec_ep.conf.tmpl 
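Review bot: The new `f_symantec_ep` filter in ep.conf matches `program("SymantecServer")` as an unanchored regular expression, which is syslog-ng's default for this filter, so any program name that merely contains that string (for example a suffixed variant) is also routed to the `symantec:ep:syslog` sourcetype on the shared default port. Since this filter decides which events get the Symantec index and vendor_product context, it should match exactly: `program("^SymantecServer$")` (or `program("SymantecServer" type(string))` on syslog-ng versions that support it). The file is also written without a trailing newline, per the "No newline at end of file" marker; adding one avoids noisy diffs later.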
@@ -0,0 +1,51 @@
+# SYMANTEC_EP
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "SYMANTEC_EP" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_SYMANTEC_EP_TCP_PORT")) (getenv (print "SC4S_LISTEN_SYMANTEC_EP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_SYMANTEC_EP_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for SYMANTEC_EP traffic
+ source (s_SYMANTEC_EP);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for SYMANTEC_EP traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_symantec_ep);
+ flags(final);
+ };
+ };
+
+
+ rewrite {
+ set("symantec_ep_syslog", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("symantec:ep:syslog"), index("epav"))
+ };
+ parser { p_add_context_splunk(key("symantec_ep_syslog")); };
+
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_SYMANTEC_EP_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_SYMANTEC_EP" "no")) }}
+ destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_SYMANTEC_EP_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_SYMANTEC_EP_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+ flags(flow-control,final);
+};
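Review bot: The context key used by this log path, `parser { p_add_context_splunk(key("symantec_ep_syslog")); };` (also set as `fields.sc4s_vendor_product`), does not agree with the key the same commit publishes elsewhere: the splunk_index.csv.example hunk adds `#symanrtec_ep,index,epav` (misspelled) and the docs table lists the key as `symantec_ep`. An operator who follows either the docs or the example will never get their index override applied and events will silently land in the hard-coded `epav` default. Pick one key and use it in all three places; the least invasive fix is to change the example line to `#symantec_ep_syslog,index,epav` and the docs table to match, or alternatively rename the key in both `set(...)` and `key(...)` here to `symantec_ep`. Note also that this template honours `SC4S_LISTEN_SYMANTEC_EP_TLS_PORT`, which the Options table in the docs hunk does not mention.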
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 0538d78..8a77f3d 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -68,4 +68,5 @@
 #sc4s_events,index,main
 #sc4s_fallback,index,main
 #sc4s_metrics,index,em_metrics
+#symanrtec_ep,index,epav
 #vmware_nsx,index,main
\ No newline at end of file
diff --git a/tests/test_symantec_ep.py b/tests/test_symantec_ep.py
new file mode 100644
index 0000000..0c0e75a
--- /dev/null
+++ b/tests/test_symantec_ep.py
@@ -0,0 +1,43 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <134>Apr 14 10:42:05 xxxxx SymantecServer: Site: Site xxxxx,Server Name: xxxxx,Domain Name: Default,The management server received the client log successfully,yyyyyyy,zzzzzzzz,host.domain.suffix
+def test_symantec_ep_agent(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }}{{ bsd }} {{host}} SymantecServer: Site: Site xxxxx,Server Name: xxxxx,Domain Name: Default,The management server received the client log successfully,yyyyyyy,zzzzzzzz,host.domain.suffix"
+ )
+ message = mt.render(mark="<134>", bsd=bsd, host=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="symantec:ep:syslog"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
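Review bot: `datetime` is used at `dt = datetime.datetime.now(datetime.timezone.utc)` but is never imported in this file; the only explicit imports are `random` and `jinja2.Environment`, so the name presumably arrives through one of the `from .timeutils import *` style star imports, which makes the test fragile and hides the dependency from readers and linters. Add `import datetime` next to `import random`. The line `epoch = epoch[:-7]` under the comment `# Tune time functions` does not say what is being discarded; a comment such as `# drop the trailing characters of the epoch string so it matches Splunk's _time granularity — TODO confirm against time_operations()` would make the intent explicit, since the slice width cannot be verified from this file. `resultCount`/`eventCount` are camelCase where the rest of the function is snake_case; `result_count, event_count` would match PEP 8.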