Merge pull request #422 from mchavda-splunk/f5_filters_for_irule_and_asm

Add f5 bigip irule and ASM filters
CSVD · May 6, 2020 · 9d01492 · 9d01492
2 parents e10707a + f7ab991
commit 9d01492
Show file tree

Hide file tree

Showing 6 changed files with 204 additions and 9 deletions.
diff --git a/docs/gettingstarted/index.md b/docs/gettingstarted/index.md
@@ -40,6 +40,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes
 * netfw
 * netids
 * netops
+* netwaf
 * netproxy
 * netipam
 * oswinsec

diff --git a/docs/sources/F5/index.md b/docs/sources/F5/index.md
@@ -15,15 +15,21 @@
 |----------------|---------------------------------------------------------------------------------------------------------|
 | f5:bigip:syslog        | None                                                                                                    |
 | f5:bigip:irule    | None                                                                                         |
+| f5:bigip:ltm:http:irule | None |
+| f5:bigip:gtm:dns:request:irule | None |
+| f5:bigip:gtm:dns:response:irule | None |
+| f5:bigip:ltm:failed:irule | None |
+| f5:bigip:asm:syslog | None |
 | nix:syslog     | None                                                                                          |
 
-### Sourcetype and Index Configuration
+### Index Configuration
 
-| key            | sourcetype     | index          | notes          |
-|----------------|----------------|----------------|----------------|
-| f5_bigip      | f5:bigip:syslog       | netops          | none          |
-| f5_bigip_irule    | f5:bigip:syslog      | netops          | none          |
-| f5_bigip_nix    | nix:syslog      | netops          | if `f_f5_bigip` is not set the index osnix will be used          |
+| key            | index          | notes          |
+|----------------|----------------|----------------|
+| f5_bigip       | netops          | none          |
+| f5_bigip_irule | netops          | none          |
+| f5_bigip_asm   | netwaf          | none          |
+| f5_bigip_nix   | netops          | if `f_f5_bigip` is not set the index osnix will be used          |
 
 ### Filter type
 

diff --git a/package/etc/conf.d/filters/f5/bigip.conf.tmpl b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
@@ -5,7 +5,8 @@ filter f_f5_bigip {
     or program("mcpd")
     or program("apmd")
     or program("tmm\d?")
-    or program('^f5_irule=');
+    or program('^f5_irule=')
+    or message('^f5_asm=Splunk-F5-ASM');
 };
 
 filter f_f5_bigip_irule {

diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
@@ -51,15 +51,58 @@ log {
 #        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
     } elif {
         filter {
-            program('f5_irule=')
+            program('^f5_irule=')
+        };
+        if {
+            filter {
+                program('^f5_irule=Splunk-iRule-HTTP')
+            };
+            rewrite {
+                r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:http:irule"), index("netops"))
+            };
+        } elif {
+            filter {
+                program('^f5_irule=Splunk-iRule-DNS_REQUEST')
+            };
+            rewrite {
+                r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:request:irule"), index("netops"))
+            };
+        } elif {
+            filter {
+                program('^f5_irule=Splunk-iRule-DNS_RESPONSE')
+            };
+            rewrite {
+                r_set_splunk_dest_default(sourcetype("f5:bigip:gtm:dns:response:irule"), index("netops"))
+            };
+        } elif {
+            filter {
+                program('^f5_irule=Splunk-iRule-LB_FAILED')
+            };
+            rewrite {
+                r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:failed:irule"), index("netops"))
+            };
+        } else {
+            rewrite {
+                r_set_splunk_dest_default(sourcetype("f5:bigip:irule"), index("netops"))
+            };
         };
         rewrite {
             set("f5_bigip_irule", value("fields.sc4s_vendor_product"));
-            r_set_splunk_dest_default(sourcetype("f5:bigip:irule"), index("netops"))
         };
         parser { p_add_context_splunk(key("f5_bigip_irule")); };
         parser (compliance_meta_by_source);
         rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+    } elif {
+        filter {
+            message('^f5_asm=Splunk-F5-ASM')
+        };
+        rewrite {
+            set("f5_bigip_asm", value("fields.sc4s_vendor_product"));
+            r_set_splunk_dest_default(sourcetype("f5:bigip:asm:syslog"), index("netwaf"))
+        };
+        parser { p_add_context_splunk(key("f5_bigip_asm")); };
+        parser (compliance_meta_by_source);
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
     } elif {
         filter(f_f5_bigip);
         rewrite {

diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
@@ -27,6 +27,7 @@
 #forcepoint_webprotect,index,netproxy
 #f5_bigip,index,netops
 #f5_bigip_irule,index,netops
+#f5_bigip_asm,index,netwaf
 #f5_bigip_nix,index,netops
 #fortinet_fortios_event,index,netops
 #fortinet_fortios_log,index,netops