From 9690067ef1e769480fb1505e935aca23ef255641 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 6 Apr 2020 19:49:19 -0400
Subject: [PATCH] Support OS syslog nested in Checkpoint event format

This will unwrap the proper OS syslog event from the header when origin is the logger OS however it will not support third party relay via checkpoint in this format.
---
 .../etc/conf.d/filters/checkpoint/splunk.conf | 7 +++-
 .../log_paths/lp-checkpoint_splunk.conf.tmpl | 19 ++++++++++
 tests/docker-compose.yml | 2 +-
 tests/test_checkpoint.py | 35 +++++++++++++++++++
 4 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/filters/checkpoint/splunk.conf b/package/etc/conf.d/filters/checkpoint/splunk.conf
index 87643d1..df1919b 100644
--- a/package/etc/conf.d/filters/checkpoint/splunk.conf
+++ b/package/etc/conf.d/filters/checkpoint/splunk.conf
@@ -1,6 +1,8 @@
 filter f_checkpoint_splunk {
 match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("MSG") type("pcre")) or
- match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre"));
+ match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre")) or
+ match('|product\=Syslog\|ifdir=inbound\|loguid\=' value("MSG") type("pcre")) or
+ match('|product\=Syslog\|ifdir=inbound\|loguid\=' value("LEGACY_MSGHDR") type("pcre"));
 };
 
 filter f_checkpoint_splunk_alerts {
@@ -55,4 +57,7 @@ filter f_checkpoint_splunk_NetworkTraffic {
 };
 filter f_checkpoint_splunk_Web {
 match('*Url Filtering*' value('.kv.product') type('glob'))
+};
+filter f_checkpoint_splunk_syslog {
+ match('Syslog' value('.kv.product') type('glob'))
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
index 2a15a21..673b11c 100644
--- a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
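Review bot: In `f_checkpoint_splunk` the two added patterns begin with a bare `|` where the existing alternatives use `\|`, and in PCRE a leading `|` is an empty alternative that matches every subject, so `match('|product\=Syslog\|ifdir=inbound\|loguid\=' ...)` as written would classify any message reaching this filter as Checkpoint traffic. The surrounding patterns show the intent is a literal pipe delimiter; the fix is `match('\|product\=Syslog\|ifdir=inbound\|loguid\=' value("MSG") type("pcre")) or` and the same escape on the `LEGACY_MSGHDR` line. Because the new test in tests/test_checkpoint.py only exercises the positive case, a negative check that a plain nix syslog line is not pulled into the Checkpoint path would catch this class of regex slip.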
+++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
@@ -62,6 +62,25 @@ log {
 filter(f_checkpoint_splunk_DLP);
 rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))};
 parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
+ } elif {
+ filter(f_checkpoint_splunk_syslog);
+ if {
+ parser {
+ syslog-parser(template("${.kv.default_device_message}") flags(guess-timezone, no-hostname));
+ date-parser-nofilter(format("%s") template("${.kv.time}"));
+ };
+ };
+
+ rewrite {
+ set("${.kv.hostname}", value("HOST"));
+ set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
+ subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+ set("${PROGRAM}", value(".PROGRAM"));
+ subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+ };
+ rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) };
+ parser { p_add_context_splunk(key("checkpoint_os")); };
+ };
 } else {
 filter(f_nix_syslog);
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index 643be05..c8a8e1e 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 context: ../package
 hostname: sc4s
 #When this is enabled test_common will fail
- #command: -det
+ command: -det
 ports:
 - "514"
 - "601"
diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py
index 7bd9655..d6ac8aa 100644
--- a/tests/test_checkpoint.py
+++ b/tests/test_checkpoint.py
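Review bot: In the new `elif` branch, `set("${.kv.hostname}", value("HOST"))` and `source("program:${.PROGRAM}")` take the event's host and program identity from the message body (the Checkpoint `hostname=` field and the nested header) rather than from the sending peer, so any sender able to emit a line in this format can present an OS event as coming from an arbitrary host, and an absent or empty `hostname=` blanks HOST entirely. The first is inherent in unwrapping and the commit message already scopes it, but the branch should say so for the next reader, e.g. `# HOST and PROGRAM come from the forwarded payload, not the transport peer; fields.sc4s_vendor_product=checkpoint_splunk is the provenance marker`; the second can be closed with `set("${.kv.hostname}", value("HOST") condition("${.kv.hostname}" ne ""));` so a missing field leaves the original HOST in place. Separately, `flags("global")` on the `^`-anchored `subst` over MESSAGE cannot match more than once and can be dropped. The enclosing `log {}` block starts and ends outside the hunk.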
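Review bot: The comment `#When this is enabled test_common will fail` is left directly above the now-enabled `command: -det`, so the file contradicts itself and the next reader cannot tell whether test_common is expected to break. Either delete the comment or replace it with the actual reason the flag is now on, for instance `# -det is required for the nested-syslog Checkpoint test; test_common has been adjusted to run with it` if that is the case; if test_common still fails with the flag set, this line should not be enabled in the shared compose file.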
@@ -223,3 +223,38 @@ def test_checkpoint_splunk_os(record_property, setup_wordlist, setup_splunk, set
 record_property("message", message)
 assert resultCount == 1
 
+
+
+ # time=1586182935|hostname=xxxx-xxxx|product=Syslog|ifdir=inbound|loguid={0x0,0x0,0x0,0x0}|origin=10.0.0.164|sequencenum=3|time=1586182935|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|
+def test_checkpoint_splunk_os_nested(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions for Checkpoint
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Syslog|ifdir=inbound|loguid={0x0,0x0,0x0,0x0}|origin=10.0.0.0|sequencenum=3|time={{ epoch }}|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|\n"
+ )
+ message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="nix:syslog"'
+ )
+ search = st.render(
+ epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+ )
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
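Review bot: The search in `test_checkpoint_splunk_os_nested` only constrains `index`, `host` and `sourcetype`, so the test passes even if the nested payload was never unwrapped — any event that lands in `nix:syslog` under the right host satisfies it. Pin the unwrapping itself by matching what the log path derives from the inner header, e.g. `'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="nix:syslog" source="program:ctasd" "Save SenderId lists finished"'`, assuming `r_set_splunk_dest_default` applies its `source()` argument as it does for the other Checkpoint branches. The `epoch = epoch[:-7]` trim copied from the sibling test also deserves a one-line comment naming the suffix it removes (presumably the fractional-second part, since the Checkpoint `time=` field is whole seconds — confirm against `time_operations`).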