Merge pull request #469 from splunk/feature/cisco-aci-enhanced

Additional type of ACL log from APIC
CSVD · May 18, 2020 · b7cd3b7 · b7cd3b7
2 parents 4acdb03 + 0710acf
commit b7cd3b7
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/package/etc/conf.d/filters/cisco/apic.conf b/package/etc/conf.d/filters/cisco/apic.conf
@@ -1,6 +1,6 @@
 
 filter f_cisco_apic {
     program('^%LOG_LOCAL\d-\d-');
-    or
-    program('^%ACLLOG-\d-ACLLOG_PKTLOG');
+    or program('^%LOG_-\d-');
+    or program('^%ACLLOG-\d-ACLLOG_PKTLOG');
 };
diff --git a/tests/test_cisco_apic.py b/tests/test_cisco_apic.py
@@ -14,7 +14,7 @@
 env = Environment()
 
 #<11>July 22 22:45:28 apic1 %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110] Node 102 not reachable. unknown
-def test_cisco_aci(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+def test_cisco_aci_loglocal(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
@@ -39,6 +39,31 @@ def test_cisco_aci(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 
     assert resultCount == 1
 
+def test_cisco_aci_log(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Cisco APIC
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }} {{ bsd }} {{ host }} %LOG_-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110]\n")
+    message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cisco:apic:events\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
 #%ACLLOG-5-ACLLOG_PKTLOG
 def test_cisco_aci_acl(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))