From c0302e024892ba8ff2d4c6325c9ce6d60e4a27bb Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Mon, 6 Apr 2020 18:22:34 -0700 Subject: [PATCH] Add APM support to log path * Add APM support to log path --- package/etc/conf.d/filters/f5/bigip.conf.tmpl | 1 + .../conf.d/log_paths/lp-f5_bigip.conf.tmpl | 22 +++++++++++++++++++ tests/docker-compose.yml | 1 + tests/test_f5_bigip.py | 2 ++ 4 files changed, 26 insertions(+) diff --git a/package/etc/conf.d/filters/f5/bigip.conf.tmpl b/package/etc/conf.d/filters/f5/bigip.conf.tmpl index 0f8d58a..c39f24c 100644 --- a/package/etc/conf.d/filters/f5/bigip.conf.tmpl +++ b/package/etc/conf.d/filters/f5/bigip.conf.tmpl @@ -3,6 +3,7 @@ filter f_f5_bigip { or program("tmsh") or program("mcpd") + or program("apmd") or program("tmm\d?") or program('^,f5_irule'); }; diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl index 537de44..b22df02 100644 --- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl @@ -35,6 +35,19 @@ log { parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_program_msg))" value("MSG")); }; + } elif { + filter { + program('apmd') + }; + rewrite { + set("f5_bigip", value("fields.sc4s_vendor_product")); + set("${PROGRAM}", value(".PROGRAM")); + subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); + r_set_splunk_dest_default(sourcetype("f5:bigip:apm:syslog"), index("netops"), source("program:${.PROGRAM}")) + }; + parser { p_add_context_splunk(key("f5_bigip")); }; + parser (compliance_meta_by_source); + rewrite { set("$(template ${.splunk.sc4s_template} $(template t_program_msg))" value("MSG")); }; } elif { filter { program('^,f5_irule') @@ -58,6 +71,15 @@ log { parser { p_add_context_splunk(key("f5_bigip")); }; parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_program_msg))" value("MSG")); }; + } else { + rewrite { + set("f5_bigip_rogue_message", value("fields.sc4s_vendor_product")); + set("Possible rogue message on f5 unique port", value("fields.sc4s_error")); + r_set_splunk_dest_default(sourcetype("f5:bigip:rogue"), index("netops")) + }; + parser { p_add_context_splunk(key("f5_bigip")); }; + parser (compliance_meta_by_source); + rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; }; diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml index 643be05..336c469 100644 --- a/tests/docker-compose.yml +++ b/tests/docker-compose.yml @@ -44,6 +44,7 @@ services: - SC4S_LISTEN_JUNIPER_IDP_UDP_PORT=5004 - SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT=5005 - SC4S_LISTEN_PFSENSE_UDP_PORT=5006 + - SC4S_LISTEN_F5_BIGIP_UDP_PORT=5007 - SC4S_ARCHIVE_GLOBAL=no - SC4S_SOURCE_STORE_RAWMSG=yes splunk: diff --git a/tests/test_f5_bigip.py b/tests/test_f5_bigip.py index ad38d69..57d22c3 100644 --- a/tests/test_f5_bigip.py +++ b/tests/test_f5_bigip.py @@ -23,6 +23,7 @@ #Jan 17 03:38:00 SV5-F5-5600-2 err tmm[23068]: 01220001:3: TCL error: /Common/stg-Artifactory-iRule - ERR_NOT_SUPPORTED (line 8) invoked from within "HTTP::method" #Jan 17 04:03:37 SV5-F5-5600-2 warning tmm1[23068]: 01260009:4: Connection error: ssl_passthru:5234: not SSL (40) #Jan 17 04:42:37 SV5-F5-5600-2.splunk.com notice mcpd[10653]: 01070638:5: Pool /Common/infra-docs-pool member /Common/go_web3:4000 monitor status down. [ /Common/tcp_half_open: down; last error: ] [ was up for 837hrs:31mins:36sec ] +#Jan 17 04:42:37 SV5-F5-5600-2 notice apmd[11023]: 01490248:5: /Common/Network_Access_02:Common:8c6be305: Received client info - Hostname: Type: IE Version: 8 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0 #2019-12-12T15:54:12.972208-08:00 10.160.21.242 ,f5_irule=Splunk-HSL-iRule-HTTP,src_ip=10.32.30.21,vip=10.156.1.160,http_method=GET,http_host=confluence.splunk.com: 443,http_uri=/download/attachments/185799227/Dynamic%20Lookups%20in%20RZ%20-%20architecture.png?version=1&modificationDate=1574471645759&api=v2,http_url=confluence.splunk.com:443/download/attachments/185799227/Dynamic%20Lookups%20in%20RZ%20-%20architecture.png?version=1&modificationDate=1574471645759&api=v2,http_version=1.1,http_user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",http_content_type=,http_referrer="https://confluence.splunk.com/display/SEC/Dynamic+Lookups+in+RZ",req_start_time=2019/12/12 15:54:12,cookie="optimizelyBuckets _ga __ktt _gid optimizelyEndUserId __lc.visitor_id.3988321 _cs_c SPLUNK_SUB_LOGIN confluence.list.pages.cookie __kti __ktv _gcl_au crowd.token_key __utmv SPLUNK_USER_LOGIN_STATUS OptanonConsent trackAffiliate lc_sso3988321 _fbp _fbc confluence.browse.space.cookie _biz_pendingA ELOQUA __utmz ajs_group_id SPLUNK_SUB_SIGNUP _biz_nA _cs_id _hjid __utma mywork.tab.tasks optimizelySegments __utmc SPLUNK_AFFILIATE_CODE JSESSIONID Apache _biz_uid distance ajs_anonymous_id _biz_flagsA _st _gaexp __kts",user=,virtual_server="/Common/confluence-pool 10.156.18.12 8090",bytes_in=0,res_start_time=2019/12/12 15:54:12,node=10.156.18.12,node_port=8090,http_status=200,req_elapsed_time=21,bytes_out=75366#015 testdata_nix = [ @@ -38,6 +39,7 @@ '{{ mark }}{{ bsd }} {{ host }} err tmm[23068]: 01220001:3: TCL error: /Common/stg-Artifactory-iRule - ERR_NOT_SUPPORTED (line 8) invoked from within "HTTP::method"', '{{ mark }}{{ bsd }} {{ host }} warning tmm1[23068]: 01260009:4: Connection error: ssl_passthru:5234: not SSL (40)', '{{ mark }}{{ bsd }} {{ host }} notice mcpd[10653]: 01070638:5: Pool /Common/infra-docs-pool member /Common/go_web3:4000 monitor status down. [ /Common/tcp_half_open: down; last error: ] [ was up for 837hrs:31mins:36sec ]', +'{{ mark }}{{ bsd }} {{ host }} notice apmd[11023]: 01490248:5: /Common/Network_Access_02:Common:8c6be305: Received client info - Hostname: Type: IE Version: 8 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0', ] testdata_irule = [ '{{ mark }}{{ iso }} {{ host }} ,f5_irule=Splunk-HSL-iRule-HTTP,src_ip=10.111.30.21,vip=10.1111.1.160,http_method=GET,http_host=confluence.splunk.com: 443,http_uri=/download/attachments/185799227/Dynamic%20Lookups%20in%20RZ%20-%20architecture.png?version=1&modificationDate=1574471645759&api=v2,http_url=confluence.splunk.com:443/download/attachments/185799227/Dynamic%20Lookups%20in%20RZ%20-%20architecture.png?version=1&modificationDate=1574471645759&api=v2,http_version=1.1,http_user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",http_content_type=,http_referrer="https://confluence.splunk.com/display/SEC/Dynamic+Lookups+in+RZ",req_start_time=2019/12/12 15:54:12,cookie="optimizelyBuckets _ga __ktt _gid optimizelyEndUserId __lc.visitor_id.3988321 _cs_c SPLUNK_SUB_LOGIN confluence.list.pages.cookie __kti __ktv _gcl_au crowd.token_key __utmv SPLUNK_USER_LOGIN_STATUS OptanonConsent trackAffiliate lc_sso3988321 _fbp _fbc confluence.browse.space.cookie _biz_pendingA ELOQUA __utmz ajs_group_id SPLUNK_SUB_SIGNUP _biz_nA _cs_id _hjid __utma mywork.tab.tasks optimizelySegments __utmc SPLUNK_AFFILIATE_CODE JSESSIONID Apache _biz_uid distance ajs_anonymous_id _biz_flagsA _st _gaexp __kts",user=,virtual_server="/Common/confluence-pool 10.156.18.12 8090",bytes_in=0,res_start_time=2019/12/12 15:54:12,node=10.156.18.12,node_port=8090,http_status=200,req_elapsed_time=21,bytes_out=75366#015'