[filteradd] Support Cisco ESA

CSVD · Aug 19, 2020 · a95314c · a95314c
1 parent 9dc6c3c
commit a95314c
Show file tree

Hide file tree

Showing 8 changed files with 387 additions and 1 deletion.
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
@@ -445,3 +445,60 @@ index=netops sourcetype=cisco:wsa:*
 ```
 
 Verify timestamp, and host values match as expected
+
+## Product - ESA
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | https://splunkbase.splunk.com/app/1761/                                                                |
+| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1.html |
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:esa:http     |  The HTTP logs of Cisco IronPort ESA record information about the secure HTTP services enabled on the interface.  |
+| cisco:esa:textmail     |  Text mail logs of Cisco IronPort ESA record email information and status.  |
+| cisco:esa:amp     |  Advanced Malware Protection (AMP) of Cisco IronPort ESA records malware detection and blocking, continuous analysis, and retrospective alerting details.   |
+| cisco:esa:authentication     |  These logs record successful user logins and unsuccessful login attempts.   |
+| cisco:esa:cef     |  The Consolidated Event Logs summarizes each message event in a single log line.  |
+
+### Sourcetype and Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| cisco_esa    | cisco:esa:http    | email          | None     |
+| cisco_esa    | cisco:esa:textmail    | email          | None     |
+| cisco_esa    | cisco:esa:amp    | email          | None     |
+| cisco_esa    | cisco:esa:authentication    | email          | None     |
+| cisco_esa    | cisco:esa:cef    | email          | None     |
+
+### Filter type
+
+IP, Netmask or Host
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* ESA Follow vendor configuration steps per Product Manual.
+* Ensure host and timestamp are included.
+* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_cisco_esa`` to identiy the esa events.
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_ESA_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_CISCO_ESA_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_CISCO_ESA | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_ESA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index=email sourcetype=cisco:esa:*
+```
+
+Verify timestamp, and host values match as expected
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
@@ -34,6 +34,10 @@ template t_everything {
         template("${ISODATE} ${HOST} ${LEGACY_MSGHDR}${MESSAGE}");
         };
 
+template t_cef_hdr_msg_for_esa {
+        template("${fields.cef_version}|${fields.cef_device_vendor}|${fields.cef_device_product}|${fields.cef_device_version}|${fields.cef_device_event_class}|${fields.cef_name}|${fields.cef_severity}|${MSGONLY}");
+        };  
+
 # ===============================================================================================
 # Message Header with Message; for Palo Alto
 # ===============================================================================================

diff --git a/package/etc/conf.d/filters/cisco/esa.conf b/package/etc/conf.d/filters/cisco/esa.conf
@@ -0,0 +1,40 @@
+filter f_cisco_esa {
+    match("cisco_esa", value("fields.sc4s_vendor_product") type(glob))
+};
+
+filter f_cisco_esa_http {
+    match('https?\s*service\s*', value("MESSAGE"))
+    or match('[sS]ession\s*\w+\s*from\s*', value("MESSAGE"))
+    or match('\s*PERIODIC\s*REPORTS\s*:\s*', value("MESSAGE"))
+    or match('\s*req\s*:.+\s*user\s*:\s*.+\s*id\s*:\s*', value("MESSAGE"))
+    or match('testmaillog\s*:\s*[iI]nfo\s*:', value("MESSAGE"))
+    or match('[sS]ystem\s*is\s*coming\s*up', value("MESSAGE"))
+};
+
+filter f_cisco_esa_textmail {
+    match('mail_logs:', value("MESSAGE"))
+    or match('MID\s+\d+', value("MESSAGE"))
+    or match('ICID\s+\d+', value("MESSAGE"))
+    or match('DCID\s+\d+', value("MESSAGE"))
+    or match('RID\s+\[?(\d+(?:\s*,\s*\d+)*)', value("MESSAGE"))
+    or match('(?:SplunkMailSyslog|MAIL_SecurityAudit|CES_VPN_Mail_SecurityAudit)\s*:', value("MESSAGE"))
+};
+
+filter f_cisco_esa_amp {
+    match('SHA256:', value("MESSAGE"))
+    or match('File\s*not\s*uploaded\s*for\s*analysis', value("MESSAGE"))
+    or match('Response\s*received\s*for\s*file\s*reputation\s*query\s*from\s*Cloud', value("MESSAGE"))
+    or match('File\s*reputation\s*query\s*initiating', value("MESSAGE"))
+};
+
+filter f_cisco_esa_authentication {
+    match('[Ii]nfo\s*:\s*Begin\s*Logfile', value("MESSAGE"))
+    or match('authenticated\s*successfully.', value("MESSAGE"))
+    or match('successfully\s*logged\s*on\s*from', value("MESSAGE"))
+    or match('An\s*authentication\s*attempt', value("MESSAGE"))
+    or match('failed\s*authentication.', value("MESSAGE"))
+    or match('Time\s*offset\s*from\s*UTC:', value("MESSAGE"))
+    or match('[vV]ersion:\s+.*\s+SN:\s+.*', value("MESSAGE"))
+    or match('\s*login|logout:\s*[^\s]*\s*[Uu]ser:[\w\-]+\s*session:[^\s]+', value("MESSAGE"))
+    or match('MAR_SecurityAudit', value("MESSAGE"))
+};
diff --git a/package/etc/conf.d/log_paths/lp-cisco_esa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_esa.conf.tmpl
@@ -0,0 +1,71 @@
+# Cisco ESA
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_ESA" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+    junction {
+{{- if or (or (getenv  (print "SC4S_LISTEN_CISCO_ESA_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CISCO_ESA_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CISCO_ESA_TLS_PORT")) }}
+        channel {
+        # Listen on the specified dedicated port(s) for CISCO_ESA traffic
+            source (s_CISCO_ESA);
+            flags (final);
+	    };
+{{- end}}
+        channel {
+        # Listen on the default port (typically 514) for CISCO_ESA traffic
+            source (s_DEFAULT);
+            filter(f_is_rfc3164);
+            filter(f_cisco_esa);
+            flags(final);
+        };
+    };
+
+    if {
+        filter(f_cisco_esa_amp);
+        rewrite {
+            set("cisco_esa", value("fields.sc4s_vendor_product"));
+            r_set_splunk_dest_default(source("esa:amp") sourcetype("cisco:esa:amp"));
+        };
+    } elif {
+        filter(f_cisco_esa_http);
+        rewrite {
+            set("cisco_esa", value("fields.sc4s_vendor_product"));
+            r_set_splunk_dest_default(source("esa:http") sourcetype("cisco:esa:http"));
+        };
+    } elif {
+        filter(f_cisco_esa_textmail);
+        rewrite {
+            set("cisco_esa", value("fields.sc4s_vendor_product"));
+            r_set_splunk_dest_default(source("esa:textmail") sourcetype("cisco:esa:textmail"));
+        };
+    } elif {
+        filter(f_cisco_esa_authentication);
+        rewrite {
+            set("cisco_esa", value("fields.sc4s_vendor_product"));
+            r_set_splunk_dest_default(source("esa:authentication") sourcetype("cisco:esa:authentication"));
+        };
+    };
+
+    parser { p_add_context_splunk(key("cisco_esa")); };
+    parser (compliance_meta_by_source);
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no")) }}
+    destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_CISCO_ASA" "no")) }}
+    destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_CISCO_ASA_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_CISCO_ASA_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+    flags(flow-control,final);
+};
diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example
@@ -120,3 +120,8 @@ zscaler_lss,index,netproxy
 unknown,index,main
 unknown,source,SC4S:unknown
 unknown,sourcetype,SC4S:unknown
+Cisco_C100V Email Security Virtual Appliance_ESA_CONSOLIDATED_LOG_EVENT,index,email
+Cisco_C100V Email Security Virtual Appliance_ESA_CONSOLIDATED_LOG_EVENT,sc4s_template,t_cef_hdr_msg_for_esa
+Cisco_C100V Email Security Virtual Appliance_ESA_CONSOLIDATED_LOG_EVENT,sourcetype,cisco:esa:cef
+Cisco_C100V Email Security Virtual Appliance_ESA_CONSOLIDATED_LOG_EVENT,source,esa:consolidated
+cisco_esa,index,email
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -74,3 +74,7 @@ filter f_tzfixny {
     host("tzfny-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
 };
+filter f_cisco_esa {
+    host("cisco_esa" type(glob))
+    #or netmask(xxx.xxx.xxx.xxx/xx)
+};
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -16,4 +16,5 @@ f_proofpoint_pps_filter,sc4s_vendor_product,"proofpoint_pps_filter"
 f_schneider_apc,sc4s_vendor_product,"schneider_apc"
 f_ubiquiti_unifi_fw,sc4s_vendor_product,"ubiquiti_unifi_fw"
 f_tzfixhst,sc4s_time_zone,"Pacific/Honolulu"
-f_tzfixny,sc4s_time_zone,"America/New_York"
+f_tzfixny,sc4s_time_zone,"America/New_York"
+f_cisco_esa,sc4s_vendor_product,"cisco_esa"