Cisco ASA conflict with Cisco IOS
While the IOS and ASA sources do not share a code base, there is overlap in some variations of the format. The Cisco IOS parser will now be the cisco_syslog parser, which ASA and IOS can share.
rfaircloth-splunk committed Mar 12, 2020
1 parent 3f40892 commit aec103f
Showing 8 changed files with 72 additions and 79 deletions.
6 changes: 0 additions & 6 deletions package/etc/conf.d/conflib/_common/syslog_format.conf
Expand Up @@ -34,12 +34,6 @@ rewrite set_rfc3164{
filter f_is_rfc3164{
match("rfc3164" value("fields.sc4s_syslog_format"))
};
rewrite set_cisco_ios{
set("cisco_ios" value("fields.sc4s_syslog_format"));
};
filter f_is_cisco_ios{
match("cisco_ios" value("fields.sc4s_syslog_format"))
};
rewrite set_no_parse{
set("no_parse" value("fields.sc4s_syslog_format"));
};
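--- /dev/null
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -0,0 +1,62 @@
+filter f_cisco_syslog{
+match("cisco_syslog", value("fields.sc4s_vendor_product") type(glob));
+};
+rewrite set_cisco_syslog{
+set("cisco_syslog" value("fields.sc4s_syslog_format"));
+};
+filter f_is_cisco_syslog{
+match("cisco_syslog" value("fields.sc4s_syslog_format"))
+};
+
+parser cisco-parser-ex{
+channel {
+filter {
+#message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Z]{3,3})?)?( \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} )?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+message('^^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Z]{3,3})?)? ?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+};
+if {
+#Mar 4 11:45:20
+#Apr 29 13:58:46.000001
+#Apr 29 13:58:46.411
+#Mar 1 18:48:50.483 UTC NOTE: Reverse TZ "%Z" parsing will not work for non-local timezones.
+# guess-timezone() will be used to reconcile timezones
+parser {
+date-parser(format(
+'%b %d %H:%M:%S.%f',
+'%b %d %H:%M:%S',
+'%b %d %I:%M:%S %p.%f',
+'%b %d %I:%M:%S %p',
+'%b %d %Y %H:%M:%S.%f'
+'%b %d %Y %H:%M:%S',
+)
+template("$8")
+flags(guess-timezone)
+);
+};
+} else {
+# rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
+rewrite { set("date/time parser failed on string $8" value("fields.sc4s_error")); };
+};
+rewrite {
+set(
+"${4}",
+value("HOST")
+condition(match('..' value('4')))
+);
+set(
+"${13}",
+value("HOST")
+condition(match('..' value('13')))
+);
+set(
+"${15}",
+value("PROGRAM")
+);
+set(
+"${14}",
+value("MESSAGE")
+);
+};
+
+};
+};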
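Review bot: The date-parser format list is missing a comma after `'%b %d %Y %H:%M:%S.%f'`, so the two `%Y` entries are not separate formats — depending on how syslog-ng treats adjacent string literals this either merges them into one format that can never match or fails to load; the fix is `'%b %d %Y %H:%M:%S.%f',`. The same missing comma was in the deleted ios.conf, so it is carried over rather than introduced here. Because the pattern has fifteen unnamed groups and the rewrite block refers to `$4`, `$8`, `$13`, `$14` and `$15` by number, a short comment above `message(...)` listing what each used group captures (4 and 13 host, 8 timestamp, 15 program, 14 message including the `%PROG` prefix) would let the rewrite block be read without re-counting parentheses. The leading `^^` in the live pattern is a harmless doubled anchor that could be a single `^`, and the commented-out earlier pattern above it is dead configuration that can be dropped.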
51 changes: 0 additions & 51 deletions package/etc/conf.d/filters/cisco/ios.conf
@@ -1,54 +1,3 @@
# In general this will not be used; parser setting will override the need for this

filter f_cisco_ios{
match("cisco_ios", value("fields.sc4s_vendor_product") type(glob));
};


parser cisco-parser-ex{
channel {
filter {
#message('^<\d*>(?:(?<ciscoseq>\d+)\: )?(?:(?<HOST>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(?<ciscorule>\d+): )?(?:(?<ciscotimereliable>\*)?(?<ciscotime>(?<time>\w\w\w {1,2}\d{1,2} \d\d:\d\d:\d\d)(?<ciscofrac>\.\d{3,6})? ?(?<ciscotz>\w+)?): )?(?:(?<ciscouptime>\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(?<cisomsg>(?<ciscoprogram>%.{2,15}\-\d{1,3}\-[^:]{3,}): (?<ciscodescription>.*))' flags(store-matches));
message('^<\d*>(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( \w+)?: )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(%.{2,15}\-\d{1,3}\-[^:]+): (.*)' flags(store-matches));
};
if {
#Mar 4 11:45:20
#Apr 29 13:58:46.000001
#Apr 29 13:58:46.411
#Mar 1 18:48:50.483 UTC NOTE: Reverse TZ "%Z" parsing will not work for non-local timezones.
# guess-timezone() will be used to reconcile timezones
parser {
date-parser(format(
'%b %d %H:%M:%S.%f',
'%b %d %H:%M:%S',
'%b %d %I:%M:%S %p.%f',
'%b %d %I:%M:%S %p',
'%b %d %Y %H:%M:%S.%f'
'%b %d %Y %H:%M:%S',
)
template("$7")
flags(guess-timezone)
);
};
} else {
# rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
rewrite { set("date/time parser failed on string $7" value("fields.sc4s_error")); };
};
rewrite {
set(
"$4",
value("HOST")
condition(match('..' value('4')))
);
set(
"$11",
value("PROGRAM")
);
set(
"$12",
value("MSG")
);
};

};
};
4 changes: 2 additions & 2 deletions package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
@@ -1,6 +1,6 @@
# Cisco ASA
{{- /* The following provides a unique port source configuration if env var(s) are set */}}
{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "rfc3164" }}
{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "cisco_parser" }}
{{- tmpl.Exec "t/source_network.t" $context }}

log {
Expand All @@ -15,7 +15,7 @@ log {
channel {
# Listen on the default port (typically 514) for CISCO_ASA_LEGACY traffic
source (s_DEFAULT);
filter(f_is_rfc3164);
filter(f_is_cisco_syslog);
filter(f_cisco_asa);
flags(final);
};
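Review bot: The default-port channel now requires `f_is_cisco_syslog` instead of `f_is_rfc3164`, and in source_network.t that format is only set on the branch where `cisco-parser-ex` succeeds; an ASA message that the new regex does not match (it needs a `: ` right before the `%ASA-…` token) may therefore no longer enter this log path on the default port, where it previously qualified under the plain rfc3164 filter. If that fall-through is intended, a comment on the `filter(f_is_cisco_syslog);` line saying so would help; otherwise consider keeping an rfc3164 alternative for this channel. The `log {}` block continues outside the hunk.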
4 changes: 2 additions & 2 deletions package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
Expand Up @@ -15,7 +15,7 @@ log {
channel {
# Listen on the default port (typically 514) for CISCO_IOS traffic
source (s_DEFAULT);
filter(f_is_cisco_ios);
filter(f_is_cisco_syslog);
flags(final);
};
};
Expand All @@ -27,7 +27,7 @@ log {
};
parser { p_add_context_splunk(key("cisco_ios")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_program_msg))" value("MSG")); };
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };

{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_IOS_HEC" "no")) }}
destination(d_hec);
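Review bot: With ASA traffic now also tagged `cisco_syslog`, the default-port channel here (`filter(f_is_cisco_syslog); flags(final);`) accepts every message in that format, ASA included, with no vendor-specific filter; whether ASA messages still reach lp-cisco_asa_legacy appears to depend on that file being evaluated first and claiming them with its own `flags(final)`. A comment such as `# Catch-all for cisco_syslog-format messages; vendor-specific paths (e.g. ASA) must be evaluated before this one` on the filter line would record that ordering dependency. The switch to `t_msg_only` is consistent with the new parser setting MESSAGE to the full `%PROG: …` text, so no program prefix is lost by it.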
4 changes: 2 additions & 2 deletions package/etc/go_templates/source_network.t
Expand Up @@ -84,7 +84,7 @@ source s_{{ .port_id }} {
rewrite(set_rfc5424_noversion);
{{ else if eq .parser "cisco_parser" }}
parser (cisco-parser-ex);
rewrite(set_cisco_ios);
rewrite(set_cisco_syslog);
{{ else if eq .parser "cisco_meraki_parser" }}
parser (p_cisco_meraki);
rewrite(set_rfc5424_epochtime);
Expand Down Expand Up @@ -129,7 +129,7 @@ source s_{{ .port_id }} {
rewrite(set_rfc5424_epochtime);
} elif {
parser(cisco-parser-ex);
rewrite(set_cisco_ios);
rewrite(set_cisco_syslog);
} elif {
filter(f_cisco_ucm_message);
parser (p_cisco_ucm_date);
5 changes: 2 additions & 3 deletions tests/docker-compose.yml
Expand Up @@ -8,14 +8,13 @@
#work. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
version: "3.7"


services:
sc4s:
build:
context: ../package
hostname: sc4s
#When this is enabled test_common will fail
# command: -det
command: -det
ports:
- "514"
- "601"
Expand Down Expand Up @@ -60,4 +59,4 @@ volumes:
results:
external: false
splunk-var:
external: false
external: false
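Review bot: `command: -det` is now enabled, but the comment directly above it, `#When this is enabled test_common will fail`, is left in place and now contradicts the setting. Either drop that comment or replace it with why the flag is safe for the test run now, e.g. `# -det: run syslog-ng in the foreground with debug/trace output for the test suite` if that is what the flag means here (not confirmable from this page). The change at the end of the volumes block looks like a trailing-newline fix only.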
15 changes: 2 additions & 13 deletions tests/test_cisco_ios.py
Expand Up @@ -13,19 +13,8 @@
import pytest
env = Environment()

#30: foo: 6340004: *Mar 4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
#30: foo: *Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
#30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
#foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
#30: foo: 6340004: Mar 4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
#30: foo: Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
#30: foo: Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
#foo: Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
#foo: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the
#00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the
#foo: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
#101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
#*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)



testdata = [
"{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
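Review bot: The removed comment block was the only inventory of the raw message shapes (sequence number, uptime, `*`-prefixed unsynchronized clock, fractional seconds, `UTC` suffix) the parser is expected to handle, and nothing equivalent is added next to the new regex in cisco_syslog.conf. Consider keeping those examples as a comment above the `message(...)` line in the parser, where the next person editing the pattern will see them. The `testdata` list continues outside the hunk.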
