Merge pull request #381 from splunk/feature/rsa-secureid

Support RSA SecureID
CSVD · Mar 27, 2020 · 9e84339 · 9e84339
2 parents ad35746 + b5f80b5
commit 9e84339
Show file tree

Hide file tree

Showing 9 changed files with 365 additions and 1 deletion.
diff --git a/docs/sources/Dell_RSA/index.md b/docs/sources/Dell_RSA/index.md
@@ -0,0 +1,55 @@
+# Vendor - Dell RSA
+
+
+## Product - SecureID
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | https://splunkbase.splunk.com/app/2958/                                                                 |
+| Product Manual | http://docs.splunk.com/Documentation/AddOns/latest/RSASecurID/About  |
+
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| rsa:securid:syslog        | Catchall; used if a more specific source type can not be identified                                                                                                 |
+| rsa:securid:admin:syslog    | None                                                                                         |
+| rsa:securid:runtime:syslog     | None                                                               | rsa:securid:system:syslog     | None                                                                                          |
+| nix:syslog     | None                                                                                          |
+
+### Sourcetype and Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| dell_rsa_secureid      | all       | netauth          | none          |
+| dell_rsa_secureid    | nix:syslog      | osnix          | uses os_nix key of not configured bye host/ip/port          |
+
+### Filter type
+
+Must be identified by host or ip assignment. Update the filter `f_dell_rsa_secureid` or configure a dedicated port as required
+
+NOTE: Java trace and exception will default to sc4s:fallback if the host/ip filter or port is not configured
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_DELL_RSA_SECUREID_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_DELL_RSA_SECUREID_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_DELL_RSA_SECUREID | no | Enable archive to disk for this specific source |
+| SC4S_DEST_DELL_RSA_SECUREID_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index=<asconfigured> sourcetype=DELL_RSA_SECUREID:*| stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -19,6 +19,7 @@ nav:
       - Citrix: sources/Citrix/index.md
       - "Common Event Format": sources/CommonEventFormat/index.md
       - CyberArk: sources/CyberArk/index.md
+      - "Dell RSA": sources/Dell_RSA/index.md
       - Forcepoint: sources/Forcepoint/index.md
       - Fortinet: sources/Fortinet/index.md
       - Imperva: sources/Imperva/index.md

diff --git a/package/etc/conf.d/filters/dell/rsa_secureid.conf b/package/etc/conf.d/filters/dell/rsa_secureid.conf
@@ -0,0 +1,5 @@
+filter f_dell_rsa_secureid {
+    message('\.com\.rsa\.')
+    or 
+    match("^dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+};
diff --git a/package/etc/conf.d/filters/infoblox/ddi.conf b/package/etc/conf.d/filters/infoblox/ddi.conf
@@ -1,4 +1,3 @@
 filter f_infoblox {
     match("^infoblox", value("fields.sc4s_vendor_product"));
-
 };
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
@@ -0,0 +1,128 @@
+# DELL_RSA_SECUREID
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "DELL_RSA_SECUREID" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+    junction {
+{{- if or (or (getenv  (print "SC4S_LISTEN_DELL_RSA_SECUREID_TCP_PORT")) (getenv  (print "SC4S_LISTEN_DELL_RSA_SECUREID_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_DELL_RSA_SECUREID_TLS_PORT")) }}
+        channel {
+        # Listen on the specified dedicated port(s) for DELL_RSA_SECUREID traffic
+            source (s_DELL_RSA_SECUREID);
+            flags (final);
+	    };
+{{- end}}
+        channel {
+        # Listen on the default port (typically 514) for DELL_RSA_SECUREID traffic
+            source (s_DEFAULT);
+            filter(f_is_rfc3164);
+            filter(f_dell_rsa_secureid);
+            flags(final);
+        };
+    };
+    if {
+        filter{
+            message('\.com\.rsa\.');
+        };
+        parser {
+         #basic parsing
+
+            #we need to actual even time from the field GeneratedTime. Use csv-parser to extract it.
+            csv-parser(
+                columns("time","ms","HOST","type")
+                prefix(".rsa.")
+                delimiters(',')
+                );
+            #2012/04/10 04:39:55
+            #parse the date
+            date-parser-nofilter(format(
+                    '%Y-%m-%d %H:%M:%S,%f')
+                    template("${.rsa.time},${.rsa.ms}")
+            );
+        };
+        if {
+            filter{match('audit\.admin' value('.rsa.type'))};
+            rewrite {
+                set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+                r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog"), index("netauth"))
+            };
+            parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+        } elif {
+            filter{match('system\.com\.rsa|,\s+system\.erationsconsole' value('.rsa.type'))};
+            rewrite {
+                set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+                r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog"), index("netauth"))
+            };
+            parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+        } elif {
+            filter{match('audit\.runtime\.com\.rsa' value('.rsa.type'))};
+            rewrite {
+                set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+                r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog"), index("netauth"))
+            };
+            parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+        } else {
+            rewrite {
+                set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+                r_set_splunk_dest_default(sourcetype("rsa:securid:syslog"), index("netauth"))
+            };
+            parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+        };
+        parser (compliance_meta_by_source);
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+    } elif {
+        filter{
+            program('...*')
+            and not program('at')
+            and not program('Caused')
+        };
+        rewrite {
+            set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+            subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+            set("${PROGRAM}", value(".PROGRAM"));
+            subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+            r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}"))
+        };
+        parser { p_add_context_splunk(key("nix_syslog")); };
+        parser (compliance_meta_by_source);
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+    } else {
+        parser {
+            grouping-by(
+                scope(host)
+                key('x')
+                timeout(1)
+                aggregate(
+                    value("MESSAGE" "$(implode '\n' $(context-values ${LEGACY_MSGHDR}${MESSAGE}))")
+                )
+            );
+        };
+        rewrite {
+            set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+            r_set_splunk_dest_default(sourcetype("rsa:securid:trace"), index("netauth"));
+        };
+        parser { p_add_context_splunk(key("nix_syslog")); };
+        parser (compliance_meta_by_source);
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+
+    };
+
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_DELL_RSA_SECUREID_HEC" "no")) }}
+    destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_DELL_RSA_SECUREID" "no")) }}
+    destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_DELL_RSA_SECUREID_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_DELL_RSA_SECUREID_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+    flags(flow-control,final);
+};
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
@@ -21,6 +21,7 @@
 #cisco_ise,index,netauth
 #cisco_nx_os,index,netops
 #cisco_ucm,index,main
+#dell_rsa_secureid,index,netauth
 #citrix_netscaler,index,netfw
 #local_example,index,main
 #forcepoint_webprotect,index,netproxy

diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -15,6 +15,10 @@ filter f_citrix_netscaler {
     host("test_ctitrixns-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
 };
+filter f_dell_rsa_secureid {
+    host("test_rsasecureid*" type(glob))
+    #or netmask(xxx.xxx.xxx.xxx/xx)
+};
 filter f_juniper_idp {
     host("jnpidp-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)

diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -3,6 +3,7 @@ f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
 f_catch_first,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
+f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
 f_infoblox,sc4s_vendor_product,"infoblox"
 f_juniper_nsm,sc4s_vendor_product,"juniper_nsm"
 f_juniper_nsm_idp,sc4s_vendor_product,"juniper_nsm_idp"