Skip to content

Commit

Permalink
Support nix on dedicated port
Browse files Browse the repository at this point in the history
When checkpoint devices are configured for syslog they also output os syslog.
  • Loading branch information
rfaircloth-splunk committed Dec 13, 2019
1 parent 37da425 commit d818b87
Show file tree
Hide file tree
Showing 2 changed files with 78 additions and 38 deletions.
92 changes: 54 additions & 38 deletions package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -14,47 +14,63 @@ log {
source (s_CHECKPOINT_SPLUNK);
{{- end}}

parser {
kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
};
if {
filter(f_nix_syslog);
rewrite {
set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
set("${PROGRAM}", value(".PROGRAM"));
subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
};
rewrite {
r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}") )
};
parser { p_add_context_splunk(key("checkpoint_os")); };

rewrite {
set("${.kv.hostname}", value("HOST"));
set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
r_set_splunk_dest_default(sourcetype("cp_log"), index("netops"))
};

parser {p_add_context_splunk(key("checkpoint_splunk")); };
} else {
parser {
kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
};

rewrite {
set("${.kv.hostname}", value("HOST"));
set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
r_set_splunk_dest_default(sourcetype("cp_log"), index("netops"))
};

parser {p_add_context_splunk(key("checkpoint_splunk")); };

if {
filter(f_checkpoint_splunk_NetworkTraffic);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))};
parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); };
} elif {
filter(f_checkpoint_splunk_Web);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))};
parser {p_add_context_splunk(key("checkpoint_splunk_web")); };
} elif {
filter(f_checkpoint_splunk_NetworkSessions);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))};
parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); };
} elif {
filter(f_checkpoint_splunk_IDS_Malware);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))};
parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
} elif {
filter(f_checkpoint_splunk_IDS);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))};
parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
} elif {
filter(f_checkpoint_splunk_email);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))};
parser {p_add_context_splunk(key("checkpoint_splunk_email")); };
} elif {
filter(f_checkpoint_splunk_DLP);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))};
parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
if {
filter(f_checkpoint_splunk_NetworkTraffic);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))};
parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); };
} elif {
filter(f_checkpoint_splunk_Web);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))};
parser {p_add_context_splunk(key("checkpoint_splunk_web")); };
} elif {
filter(f_checkpoint_splunk_NetworkSessions);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))};
parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); };
} elif {
filter(f_checkpoint_splunk_IDS_Malware);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))};
parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
} elif {
filter(f_checkpoint_splunk_IDS);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))};
parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
} elif {
filter(f_checkpoint_splunk_email);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))};
parser {p_add_context_splunk(key("checkpoint_splunk_email")); };
} elif {
filter(f_checkpoint_splunk_DLP);
rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))};
parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
};
};

parser (compliance_meta_by_source);
Expand Down
24 changes: 24 additions & 0 deletions tests/test_checkpoint.py
Original file line number Diff line number Diff line change
Expand Up @@ -138,3 +138,27 @@ def test_checkpoint_splunk_smartconsole(record_property, setup_wordlist, setup_s
record_property("message", message)

assert resultCount == 1


#<6>kernel: sd 2:0:0:0: SCSI error: return code = 0x00040000
def test_checkpoint_splunk_os(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
pid = random.randint(1000, 32000)


mt = env.from_string(
"{{ mark }}kernel: sd 2:0:0:0: SCSI error: return code = 0x{{pid}}\n")
message = mt.render(mark="<6>", pid=pid)

sendsingle(message)

st = env.from_string("search index=main \"0x{{ pid }}\" sourcetype=\"nix:syslog\" | head 2")
search = st.render(pid=pid)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

0 comments on commit d818b87

Please sign in to comment.