From 374073e5ef6ef06165b553769d4b69fde901549c Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Tue, 14 Apr 2020 08:21:23 -0700
Subject: [PATCH] Add support for structured (RFC 5424) f5

* Add RFC 5424 event support for f5 log path
---
 package/etc/conf.d/filters/f5/bigip.conf.tmpl |  5 ++--
 tests/test_f5_bigip.py                        | 28 +++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/filters/f5/bigip.conf.tmpl b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
index fdf7984..a0138bb 100644
--- a/package/etc/conf.d/filters/f5/bigip.conf.tmpl
+++ b/package/etc/conf.d/filters/f5/bigip.conf.tmpl
@@ -1,7 +1,7 @@
 filter f_f5_bigip {
     match("^f5_bigip", value("fields.sc4s_vendor_product"))
-    or
-    program("tmsh")
+    or match('^\[F5@12276' value("SDATA"))
+    or program("tmsh")
     or program("mcpd")
     or program("apmd")
     or program("tmm\d?")
@@ -18,6 +18,7 @@ filter f_f5_bigip_message {
     flags(store-matches)
     );
 };
+
 parser p_f5_bigip_message {
     syslog-parser(
         template("$1 $2")
diff --git a/tests/test_f5_bigip.py b/tests/test_f5_bigip.py
index bc06fc0..3b17512 100644
--- a/tests/test_f5_bigip.py
+++ b/tests/test_f5_bigip.py
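Review bot: The new `or match('^\[F5@12276' value("SDATA"))` clause anchors on the very start of the SDATA macro, so an RFC 5424 event that carries another SD element ahead of the F5 one (for example `[timeQuality ...][F5@12276 ...]`) would presumably not be classified as f5_bigip even though it is an F5 event. If the intent is "the message carries an F5@12276 element anywhere", drop the anchor and keep the trailing space as the boundary, `or match('\[F5@12276 ' value("SDATA"))`. It is also worth a comment that this, like the program() names below it, classifies on sender-supplied content rather than network origin: `# RFC 5424 events: SD-ID F5@12276 (enterprise number in the SD-ID); asserted by the sender, not authenticated`. The filter body continues past the hunk, so the remaining alternatives were not reviewed.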
@@ -180,3 +180,31 @@ def test_f5_bigip_irule_default(record_property, setup_wordlist, get_host_key, s
     record_property("message", message)
 
     assert resultCount == 1
+
+# <141>1 2020-04-14T14:39:05.271965+00:00 f5-bigip.com apmd 7389 01490248:5: [F5@12276 hostname="f5-bigip.com" errdefs_msgno="01490248:5:" partition_name="RAS" session_id="7a7860e5" Access_Profile="/RAS/BSP-Prod-200407" Partition="RAS" Session_ID="7a7860e5" Client_Hostname="PFF-client" Client_Type="Standalone" Client_Version="2.0" Client_Platform="Win10" Client_CPU="WOW64" Client_UI_Mode="Standalone" Client_JS_Support="1" Client_Activex_Support="1" Client_Plugin_Support="0"] /RAS/BSP-Prod-200407:ras:a7860e5: Received client info - Hostname: PFF-client Type: Standalone Version: 2.0 Platform: Win10 CPU: WOW64 UI Mode: Standalone Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0# @pytest.mark.xfail
+def test_f5_bigip_app_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+    host = get_host_key
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()
+    epoch = epoch[:-3]
+
+    mt = env.from_string(
+        "{{ mark }} {{ iso }} {{ host }} apmd 7389 01490248:5: [F5@12276 hostname=\"f5-bigip.com\" errdefs_msgno=\"01490248:5:\" partition_name=\"RAS\" session_id=\"7a7860e5\" Access_Profile=\"/RAS/BSP-Prod-200407\" Partition=\"RAS\" Session_ID=\"7a7860e5\" Client_Hostname=\"PFF-client\" Client_Type=\"Standalone\" Client_Version=\"2.0\" Client_Platform=\"Win10\" Client_CPU=\"WOW64\" Client_UI_Mode=\"Standalone\" Client_JS_Support=\"1\" Client_Activex_Support=\"1\" Client_Plugin_Support=\"0\"] /RAS/BSP-Prod-200407:ras:a7860e5: Received client info - Hostname: PFF-client Type: Standalone Version: 2.0 Platform: Win10 CPU: WOW64 UI Mode: Standalone Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0# @pytest.mark.xfail\n")
+    message = mt.render(mark="<141>1", iso=iso, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"f5:bigip:syslog\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
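Review bot: Both the sample event comment and the rendered template end in `Plugin Support: 0# @pytest.mark.xfail`, which reads as a commented-out decorator pasted onto the end of the message; the test still passes because the search keys only on host and sourcetype, but the fixture no longer matches what the device emits. End the template line with `Plugin Support: 0\n")` and drop the same suffix from the sample comment line above `def test_f5_bigip_app_structured`. Since the only assertion is the sourcetype, the test does not show that the RFC 5424 path did anything with the structured data; if the pipeline keeps the SD params on the event, adding a term only that path produces (for example `session_id=7a7860e5`) to the search string would pin the new behaviour rather than just the routing. `eventCount` is unpacked and never read; `_` would make that explicit.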