Support OS syslog nested in Checkpoint event format

This will unwrap the proper OS syslog event from the header when origin is the logger OS however it will not support third party relay via checkpoint in this format.
CSVD · Apr 6, 2020 · 9690067 · 9690067
1 parent e467a18
commit 9690067
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 2 deletions.
diff --git a/package/etc/conf.d/filters/checkpoint/splunk.conf b/package/etc/conf.d/filters/checkpoint/splunk.conf
@@ -1,6 +1,8 @@
 filter f_checkpoint_splunk {
     match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("MSG") type("pcre")) or
-    match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre"));
+    match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre")) or
+    match('|product\=Syslog\|ifdir=inbound\|loguid\=' value("MSG") type("pcre")) or
+    match('|product\=Syslog\|ifdir=inbound\|loguid\=' value("LEGACY_MSGHDR") type("pcre"));
 };
 
 filter f_checkpoint_splunk_alerts {
@@ -55,4 +57,7 @@ filter f_checkpoint_splunk_NetworkTraffic {
 };
 filter f_checkpoint_splunk_Web {
     match('*Url Filtering*' value('.kv.product') type('glob'))
+};
+filter f_checkpoint_splunk_syslog {
+    match('Syslog' value('.kv.product') type('glob'))
 };
diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
@@ -62,6 +62,25 @@ log {
             filter(f_checkpoint_splunk_DLP);
             rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))};
             parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
+        } elif {
+            filter(f_checkpoint_splunk_syslog);
+            if {
+                    parser {
+                        syslog-parser(template("${.kv.default_device_message}") flags(guess-timezone, no-hostname));
+                        date-parser-nofilter(format("%s") template("${.kv.time}"));
+                    };
+            };
+
+            rewrite {
+                    set("${.kv.hostname}", value("HOST"));
+                    set("checkpoint_splunk", value("fields.sc4s_vendor_product"));            
+                    subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+                    set("${PROGRAM}", value(".PROGRAM"));
+                    subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+                };
+            rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) };
+            parser { p_add_context_splunk(key("checkpoint_os")); };                
+
         };
     } else {
         filter(f_nix_syslog);

diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
@@ -14,7 +14,7 @@ services:
       context: ../package
     hostname: sc4s
     #When this is enabled test_common will fail
-    #command: -det
+    command: -det
     ports:
       - "514"
       - "601"

diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py
@@ -223,3 +223,38 @@ def test_checkpoint_splunk_os(record_property, setup_wordlist, setup_splunk, set
     record_property("message", message)
 
     assert resultCount == 1
+
+
+# time=1586182935|hostname=xxxx-xxxx|product=Syslog|ifdir=inbound|loguid={0x0,0x0,0x0,0x0}|origin=10.0.0.164|sequencenum=3|time=1586182935|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|
+def test_checkpoint_splunk_os_nested(
+    record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Checkpoint
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Syslog|ifdir=inbound|loguid={0x0,0x0,0x0,0x0}|origin=10.0.0.0|sequencenum=3|time={{ epoch }}|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|\n"
+    )
+    message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="nix:syslog"'
+    )
+    search = st.render(
+        epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+    )
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1