Add Ubiquiti Networks Unifi product range (#188)
* Resolve fallback events in msg rather than JSON mode * Add support for the Ubiquiti Networks UniFi product line: AP, Switch, USG (firewalls)
themrkeys
authored and
Ryan Faircloth
committed
Nov 11, 2019
1 parent
e64962b
commit 906e609
Showing
8 changed files
with
322 additions
and
3 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| filter f_ubiquiti_unifi { | ||
| host('^U[^,]{1,10},[a-z0-9]{9,16},v\d{1,2}\.\d{1,2}\.\d{1,2}\.\d{1,6}') | ||
| or | ||
| program('^U[^,]{1,10},[a-z0-9]{9,16},v\d{1,2}\.\d{1,2}\.\d{1,2}\.\d{1,6}') | ||
| or | ||
| match("ubiquiti_unifi_*", value("fields.sc4s_vendor_product") type(glob) ); | ||
| }; |
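--- /dev/null
+++ b/package/etc/conf.d/log_paths/p_rfc3164-ubiquiti_unifi.conf.tmpl
@@ -0,0 +1,137 @@
+#Ubiquiti unifi
+{{ $context := dict "port_id" "UBIQUITI_UNIFI" "parser" "common"}}
+{{ tmpl.Exec "t/source_network.t" $context }}
+
+# The following is an inline template; we will use this to generate the actual log path
+{{ define "log_path" }}
+log {
+{{- if eq (.) "yes"}}
+source(s_DEFAULT);
+filter(f_is_rfc3164);
+filter(f_ubiquiti_unifi);
+{{- end}}
+{{- if eq (.) "no"}}
+source (s_UBIQUITI_UNIFI);
+{{- end}}
+
+
+parser {p_add_context_splunk(key("ubiquiti_unifi")); };
+
+#Fiewall
+if {
+filter {
+match("ubiquiti_unifi_fw", value("fields.sc4s_vendor_product") type(glob) );
+};
+
+if (match("[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:" value("RAWMSG"))) {
+rewrite { r_set_splunk_dest_default(sourcetype("ubnt:threat"), index("netids"))
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));};
+parser {p_add_context_splunk(key("ubiquiti_unifi_threat")); };
+} elif (match("\S+\slinkcheck:" value("RAWMSG"))) {
+rewrite { r_set_splunk_dest_default(sourcetype("ubnt:link"), index("netops"))
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));};
+parser {p_add_context_splunk(key("ubiquiti_unifi_link")); };
+} elif (match("\d+:\d+:\d+\s\S+\ssudo:" value("RAWMSG"))) {
+rewrite { r_set_splunk_dest_default(sourcetype("ubnt:sudo"), index("netops"))
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));};
+parser {p_add_context_splunk(key("ubiquiti_unifi_sudo")); };
+} else {
+rewrite {
+r_set_splunk_dest_default(sourcetype("ubnt:fw"), index("netfw"));
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));
+};
+parser {p_add_context_splunk(key("ubiquiti_unifi_fw")); };
+};
+#Switch
+} elif {
+filter {
+host('^(?<model>US[^,]{1,10}),(?<serial>[a-z0-9]{9,16}),(?<firmware>v\d{1,2}\.\d{1,2}\.\d{1,2}\.\d{1,6})', flags("store-matches"));
+};
+if (match("hostapd:\s+ath" value("RAWMSG"))) {
+rewrite {
+r_set_splunk_dest_default(sourcetype("ubnt:hostapd"), index("netops"));
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));
+set("${HOST_FROM}", value("HOST"));
+};
+parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); };
+} elif (match("\d+:\d+:\d+\s\S+\smcad:" value("RAWMSG"))) {
+rewrite {
+r_set_splunk_dest_default(sourcetype("ubnt:mcad"), index("netops"));
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));
+set("${HOST_FROM}", value("HOST"));
+};
+parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); };
+} else {
+rewrite {
+r_set_splunk_dest_default(sourcetype("ubnt:switch"), index("netops"));
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));
+set("${FROM_HOST}",value("HOST"));
+set("${model}", value("fields.model"));
+set("${serial}", value("fields.serial"));
+set("${firmware}", value("fields.firmware"));
+};
+parser {p_add_context_splunk(key("ubiquiti_unifi_switch")); };
+
+};
+
+} elif {
+filter {
+program('^(?<model>U\d[^,]{1,10}),(?<serial>[a-z0-9]{9,16}),(?<firmware>v\d{1,2}\.\d{1,2}\.\d{1,2}\.\d{1,6})', flags("store-matches"));
+};
+rewrite {
+r_set_splunk_dest_default(sourcetype("ubnt:wireless"), index("netops"));
+set("${FROM_HOST}",value("HOST"));
+set("${model}", value("fields.model"));
+set("${serial}", value("fields.serial"));
+set("${firmware}", value("fields.firmware"));
+};
+parser {p_add_context_splunk(key("ubiquiti_unifi_wireless")); };
+
+} elif (match("traputil.c\(696\) " value("RAWMSG"))) {
+rewrite {
+r_set_splunk_dest_default(sourcetype("ubnt:edgeswitch"), index("netops"));
+set("${HOST_FROM}", value("HOST"));
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));
+};
+parser {p_add_context_splunk(key("ubiquiti_unifi_edge_switch")); };
+
+} else {
+rewrite {
+r_set_splunk_dest_default(sourcetype("ubnt"), index("netops"));
+set("${HOST_FROM}", value("HOST"));
+set("${LEGACY_MSGHDR}${MSG}" value("MSG"));
+};
+parser {p_add_context_splunk(key("ubiquiti_unifi")); };
+};
+
+
+parser (compliance_meta_by_source);
+
+#We want to unset the fields we won't need, as this is copied into the
+#disk queue for network destinations. This can be very disk expensive
+#if we don't
+rewrite {
+
+unset(value("RAWMSG"));
+unset(value("PROGRAM"));
+unset(value("LEGACY_MSGHDR"));
+};
+
+destination(d_hec);
+
+{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_UBIQUITI_UNIFI") }}
+destination(d_archive);
+{{- end}}
+
+flags(flow-control);
+
+};
+{{- end}}
+{{- if (ne (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_UBIQUITI_UNIFI_TLS_PORT") "no") "no") }}
+
+# Listen on the specified dedicated port(s) for UBIQUITI_UNIFI traffic
+{{tmpl.Exec "log_path" "no" }}
+{{- end}}
+
+# Listen on the default port (typically 514) for UBIQUITI_UNIFI traffic
+{{tmpl.Exec "log_path" "yes" }}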
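Review bot: The threat-routing test `if (match("[^)]\s\S+\skernel:\s[^ll\sheader][^\[\d+.\d+\]]\S+\s\w+:" value("RAWMSG")))` reads as if `[^ll\sheader]` and `[^\[\d+.\d+\]]` exclude the phrases "ll header" and a `[123.456]` timestamp, but a bracket expression matches exactly one character, so each only rejects a single character from a set; this is the branch that decides whether a kernel line lands in `ubnt:threat`/`netids` or falls through to `ubnt:fw`/`netfw`, so IPS events can end up in the firewall index where detections keyed on `netids` will not see them. If the intent is to skip those two kernel message forms, a negative lookahead such as `kernel:\s(?!ll header)(?!\[\d+\.\d+\])\S+\s\w+:` expresses it, and a captured IPS line in the test module would pin the routing. Separately, the switch and AP `else`/wireless branches use `set("${FROM_HOST}",value("HOST"))` while every other branch uses `${HOST_FROM}`; if `FROM_HOST` is not a macro syslog-ng defines it expands to an empty string and HOST is blanked on exactly those events, so both lines should read `set("${HOST_FROM}", value("HOST"));`. The threat, link and sudo rewrite blocks also omit the `;` between `r_set_splunk_dest_default(...)` and the following `set(...)` that the other rewrite blocks carry; worth confirming the config parser accepts that form before relying on it.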
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| # Copyright 2019 Splunk, Inc. | ||
| # | ||
| # Use of this source code is governed by a BSD-2-clause-style | ||
| # license that can be found in the LICENSE-BSD2 file or at | ||
| # https://opensource.org/licenses/BSD-2-Clause | ||
| import random | ||
|
|
||
| from jinja2 import Environment | ||
|
|
||
| from .sendmessage import * | ||
| from .splunkutils import * | ||
|
|
||
| env = Environment(extensions=['jinja2_time.TimeExtension']) | ||
| #<27>Nov 8 17:28:43 US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type | ||
|
|
||
| def test_ubiquiti_unifi_us8p60(record_property, setup_wordlist, setup_splunk): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type") | ||
| message = mt.render(mark="<27>", host=host) | ||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=netops sourcetype=ubnt:switch earliest=-2m | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
|
|
||
| #<29>Nov 10 20:46:02 US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: 0 | ||
| def test_ubiquiti_unifi_switch_us24p250(record_property, setup_wordlist, setup_splunk): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: 0") | ||
| message = mt.render(mark="<27>", host=host) | ||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=netops sourcetype=ubnt:switch earliest=-2m | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
|
|
||
| #<30>Nov 10 11:49:46 U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514 | ||
| def test_ubiquiti_unifi_ap_u7pg2(record_property, setup_wordlist, setup_splunk): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514") | ||
| message = mt.render(mark="<27>", host=host) | ||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=netops sourcetype=ubnt:wireless earliest=-2m | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
|
|
||
| #<4>Nov 10 23:04:06 USG kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328 | ||
| def test_ubiquiti_unifi_usg(record_property, setup_wordlist, setup_splunk): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{mark}}{% now 'utc', '%b %d %H:%M:%S' %} usg-{{host}} kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328") | ||
| message = mt.render(mark="<27>", host=host) | ||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=netfw sourcetype=ubnt:fw host=usg-{{host}} | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 |
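Review bot: The searches in `test_ubiquiti_unifi_us8p60` and `test_ubiquiti_unifi_switch_us24p250` are `search index=netops sourcetype=ubnt:switch earliest=-2m | head 2` with nothing that identifies the event each test sent, so once both run inside the same two-minute window the later search returns 2 rows and `assert resultCount == 1` fails; `test_ubiquiti_unifi_ap_u7pg2` has the same shape. The random `host` is rendered but none of the first three templates reference `{{host}}`, and the switch branch of the log path appears to overwrite HOST, so a term that survives into the indexed event is needed — the log path stores the device serial as `fields.serial`, so if that is forwarded as an indexed field, `st = env.from_string("search index=netops sourcetype=ubnt:switch serial=18e8294876c3 earliest=-2m | head 2")` separates the first test from the second (`f09fc26f4419`) and `788a2056b181` does the same for the AP test; otherwise render `host` into the message text as `test_ubiquiti_unifi_usg` does. All four tests render `mark="<27>"` although the captured samples above each test carry `<29>`, `<30>` and `<4>`, so the PRI the fixture exercises is not the one the devices emit; passing the sampled PRI per test keeps the fixtures representative. `eventCount` is unpacked but never used in any of the four tests.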