Showing
13 changed files
with
391 additions
and
41 deletions.
| @@ -1,6 +1,6 @@ | ||
| [submodule "package/syslog-ng"] | ||
| path = package/syslog-ng | ||
| url = https://github.com/balabit/syslog-ng.git | ||
| branch = syslog-ng-3.23.1 | ||
| branch = syslog-ng-3.24.1 | ||
| # | ||
|
|
| @@ -0,0 +1,57 @@ | ||
| filter f_checkpoint_splunk { | ||
| match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("RAWMSG") type("pcre")); | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_alerts { | ||
| match('*IOS Profile*' value('.kv.product') type('glob')) | ||
| or match('*Device*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_Change { | ||
| match('*Application Control*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_DLP { | ||
| match('*DLP*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_email { | ||
| match('*MTA*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Spam*' value('.kv.product') type('glob')) | ||
| or match('*Anti Spam*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_IDS { | ||
| match('*IPS*' value('.kv.product') type('glob')) | ||
| or match('*WIFI*' value('.kv.product') type('glob')) | ||
| or match('*Cellular*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_IDS_Malware { | ||
| match('*Threat Emulation*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Virus*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Bot*' value('.kv.product') type('glob')) | ||
| or match('*Threat Extraction*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Ransomware*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Exploit**' value('.kv.product') type('glob')) | ||
| or match('*Forensics*' value('.kv.product') type('glob')) | ||
| or match('*OS Exploit*' value('.kv.product') type('glob')) | ||
| or (match('*Application*' value('.kv.product') type('glob')) and not match('*Application Control*' value('.kv.product') type('glob'))) | ||
| or match('*Text Message*' value('.kv.product') type('glob')) | ||
| or match('*Network Access*' value('.kv.product') type('glob')) | ||
| or match('*Zero Phishing*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_NetworkSessions { | ||
| match('*VPN*' value('.kv.product') type('glob')) | ||
| or match('*Mobile*' value('.kv.product') type('glob')) | ||
| or match('*VPN*' value('.kv.fw_subproduct') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_NetworkTraffic { | ||
| match('*Firewall*' value('.kv.product') type('glob')) | ||
| and not match('*VPN*' value('.kv.fw_subproduct') type('glob')) | ||
| }; | ||
| filter f_checkpoint_splunk_Web { | ||
| match('*Url Filtering*' value('.kv.product') type('glob')) | ||
| }; |
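Review bot: Every filter from `f_checkpoint_splunk_alerts` onward reads `.kv.product` (and `f_checkpoint_splunk_NetworkSessions`/`f_checkpoint_splunk_NetworkTraffic` also `.kv.fw_subproduct`), values that only exist after the kv-parser in the Checkpoint log path has run, while `f_checkpoint_splunk` alone inspects RAWMSG; nothing in the file says so, and any of these filters placed ahead of that parser would silently never match. Add a header comment above `filter f_checkpoint_splunk {` such as `# f_checkpoint_splunk: pre-parse detection on RAWMSG; all other filters here require the .kv.* fields set by the log path's kv-parser`. The glob `'*Anti-Exploit**'` carries a redundant trailing `*`; `'*Anti-Exploit*'` matches the same strings and reads like its neighbours.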
2 changes: 1 addition & 1 deletion
2
package/etc/conf.d/local/context/compliance_meta_by_source.conf
| @@ -1,4 +1,4 @@ | ||
| @version: 3.23 | ||
| @version: 3.24 | ||
| filter f_test_test { | ||
| host("something-*" type(glob)) or | ||
| netmask(192.168.100.1/24) | ||
|
|
||
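--- /dev/null
+++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
@@ -0,0 +1,72 @@
+# Checkpoint Splunk format
+{{- if (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") "no") "no") }}
+{{ $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
+{{ tmpl.Exec "t/source_network.t" $context }}
+{{- end -}}
+{{ define "log_path" }}
+log {
+{{- if eq (.) "yes"}}
+source(s_default-ports);
+filter(f_is_rfc3164);
+filter(f_checkpoint_splunk);
+{{- end}}
+{{- if eq (.) "no"}}
+source (s_dedicated_port_CHECKPOINT_SPLUNK);
+{{- end}}
+
+parser {
+kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
+date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}));
+
+};
+
+rewrite { set("${.kv.hostname}", value("HOST")); };
+
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), index("netops"), template("t_hdr_msg"))};
+parser {p_add_context_splunk(key("checkpoint_splunk")); };
+
+if {
+filter(f_checkpoint_splunk_NetworkTraffic);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); };
+} elif {
+filter(f_checkpoint_splunk_Web);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_web")); };
+} elif {
+filter(f_checkpoint_splunk_NetworkSessions);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); };
+} elif {
+filter(f_checkpoint_splunk_IDS_Malware);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+} elif {
+filter(f_checkpoint_splunk_IDS);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+} elif {
+filter(f_checkpoint_splunk_email);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_email")); };
+} elif {
+filter(f_checkpoint_splunk_DLP);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
+};
+
+
+parser (compliance_meta_by_source);
+
+destination(d_hec); #--HEC--
+
+flags(flow-control);
+};
+{{- end}}
+{{- if (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") "no") "no") }}
+# Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic
+{{ tmpl.Exec "log_path" "no" }}
+{{- end}}
+
+# Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic
+{{ tmpl.Exec "log_path" "yes" }}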
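Review bot: `rewrite { set("${.kv.hostname}", value("HOST")); };` replaces HOST unconditionally with a field the kv-parser just pulled out of the message body, so an event whose `hostname` pair is missing or empty blanks HOST for everything downstream that keys on it, which appears to include the host()-based lookups in compliance_meta_by_source. Guard the rewrite so HOST only changes when the pair is actually present, e.g. `rewrite { set("${.kv.hostname}", value("HOST") condition(match(".+" value(".kv.hostname")))); };`. Separately, the if/elif chain never references `f_checkpoint_splunk_Change` or `f_checkpoint_splunk_alerts` even though this commit defines them, so Application Control, IOS Profile and Device events keep the earlier default of `index("netops")` with `t_hdr_msg`; if that is intended, a one-line comment above `if {` saying so would spare the next reader a search.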
| @@ -1,4 +1,4 @@ | ||
| @version: 3.23 | ||
| @version: 3.24 | ||
| filter f_test_test { | ||
| host("something-*" type(glob)) or | ||
| netmask(192.168.100.1/24) | ||
|
|
||
| @@ -1,4 +1,4 @@ | ||
| @version: 3.23 | ||
| @version: 3.24 | ||
|
|
||
| filter f_test_test { | ||
| host("testvp-*" type(glob)) or | ||
|
|
||
| @@ -1,4 +1,4 @@ | ||
| @version:3.23 | ||
| @version:3.24 | ||
|
|
||
| # syslog-ng configuration file. | ||
| # | ||
|
|
||