n4HR8q4uYT!thtygc~}T)I`AvVS&0bxxvL=g&E<7re0&yaI+iGB z9U)I^2Ob0d`$BH|4qD*rUPv!DD{F*}i;b$NEWfrkTn}j@g7nZ5bawR=@zn9v_jNYZ zFjV%|;?q@-_w^Fi)j+5#sG@|FypSk9FFRLd1Ptz~sqSE>tBq37k#)PTZ)@lcT$QYW zhoZ27fQq}bzLP4Ctg5w=sD_-Xg0-->sEVP!l7XGIo05YoOvw-Cs%8?^V0U<<#B*H+_$pzR6?rjA}vMjd^~vhm7QUJ zR`U1xd8~E#^nG K8Th2+xMaI@iMAuM2M?gzX)6?9? zz(CVM$=yZOS s7y}&P9;N@Vz(Seu$eBE!y z2mbyWW%%W-)%Nu-T!3Csgvsdmn69^6Zr0U3JU@@pF1kJoleW0U%yAhbqsUD1-B|OK zPa3NEtnj)DXK%DpcOI1B*(I4a^3;cf4!M}?%p(0)(9s#N&{@=Z`TkLz%Tl)griA~G zs{OH!!&f6~t=BiF93}c~OKV1KrH-qzYh+AJOtP%&?;2FTn+iHc9&dG!B6nAZH@lAg zU!Jc`wKQ>>G=4Fxb4D5=Yjne;luyl$_cr4Eb;3i)$Z%z)ArKrUjXRJiv(z6e#Fa2i zj_)Fk|7 7;sz$F%iAl5)*q<{y&a#vL*aM!;>HL zOYZznYYFan@5 lBUt YPincjXqsjj?mC6DQ(iMI5+yU_nCUv}Cg%(kN%J-gp z;B6Se1aB9eC200>*W7hSlRD?DNv{cHU;2ny@Z=$G-W0NK(!xnsm*~Gy$>uWQ&gyT+ zN5K#Rnl@4VQV6ztm5Qvw+?OaeTIk4R_5++IYLTYKDU5&C6ih}shK#JO*x6Pm6*leO z!`VsdXMtdo^51N*^^{P{6|4;P3C}3nd2Qa|v^GZDxW73BC{9Ef;Dl zCX7~?;_=(DgJ;Bx%tF>i%FU)a%UyyQ0=8tDjyIc-VBSLJ?Rc~Tb_qZHJ@fwCRVdy) zun}j%R7v0UE0UIvf3!^}+77*yxn4IN 4-Hw$VQoC!dW+U3WENBy@%8gih^ z_n*f!f0o1`cIM)xoCA;d1hwin8rRCUeT+J4FoCOs`H>QPqn4XH3fKNkQx 2O0Wc*Q9RO+`m;oX^{60O zt+KIEtZ6aBv3SWot`2pw-PLr3;VQe@D>v5p*1u1M1~3ErJq;=iH@kFmu*HABcBUh8 zBAPw>exSNz^LxeQn`71XpVt%N3@`tmr-1RK8V5gG&~H`TSsgAZMNZTT1)l|^KT>6* z!K1o+|H0|;zHm~sOT$9ihwFKI|7UgxV6ZWGoiTSVca#St+KC+u$dT6g{#q1O3{|Rx zyfUim%W@U*-ZXX`F4nE=Eb{!n1)&6oBkw`%#*5sOkJQnd19@Q;+SOn&D`?7M!kAvW zFDRwcSig_C_SX5!@P8XF%>nvTk{1@>VTQDEC}Y}wW&Ie9B4=4I%10~Z6bd>I=A7-Y zW6yu@6W;vJ#DxEBr7|MqK-cfMhr7)o4d!7nRhSdxKy8B3^phxc>* rsi>X|cG&jkiroLSzrZ%-e!aoeqC4jPcypBmC=Lig-a+l_N9Y z`wFZ_>s9@=WhPCH7j< $ NR_2dvT3?P=B-f5JWm#^ba<>75g6QEWvUnr`a%LFDqvdup>!wJepUe>;-y z1d-yS4*}H^vrpx8(b=LNFR)I$lQ)v%P&&kNJYMR|NBn0u%deS)=KnSoyV87L%_To^ z&g-LL=LcO aqAGj!|lA@zc|*^Jm@Vr@#WfB@Tn=RPD7fZV*ew z$?U=sLpbd-M?B%&wBhtwRX7gQcz;b~>&?Zu=0^l{uF|hIiroK=6dS5MmilT$4u=UC z1HRV}=@}tYiI!(VX_3{MHv_g0hVhecsuqJlwB$5Ypcs9f#IEgVxP1NOSAV%nn|7g^ zbN*ai>n>;0`PngY>-$@*#dkVS1N(P6-l+4=+&()RX%n&|4LIA1lo|yw{>NF)I(6IG zZaH$q#JjYutl`*FxD|GhJqwkz(Xf>51=5L|gU#cVe-D;M732-g?05YwOb=JnC+JE_ z;Qr)D&|X!}7&)A7@b1^S&bTUIm~XdBcov>{^tloI9Q5*txWyT{NAJI0(VFQCvXWA8 z67}@;myWYpxp%;XY_olBOuEqY8=v_5Ro*d#*yNsW#|KwS1|Er22CO_!ALp$5W>MaH zR4m?_k-`jIDSA?J{Q>msc=}ujvRymjyfz*%p9o){m_DnO0LxlC9dta#-+#}t?chE4 zH^JcZ OO2M)*dBFf z2mJi7`9SbtK-*!j%eU#wSf!3q2%cJ&n4nJZn|Mfo+7q6 IQYdek-$)fm=<|-MymY2tO-WDbK+xBKG@HBvA z Sx7 $vdIKNV8nqFLMpuLyil;t7nv& zHfl4)Vdcu{T vI^AlV4oKrBBIjbC3e5;za(+w9SIQ4ZOlG()%Iasr# zZJ45ij#dgy{PARu_kT=ZpkW@|x+Ov#3NK@MvcKKMNIU4{LlyD;HXX8qSQxeOi}|}e zX2yg}*NK+TDvHS1{q$Y*Rb=O58a2T;Eue4DGm0 8z&g~SBt-X#moOzJ_dcrc* zaGbPua9Cl-Pb|?D);(zrj_|k}3n7dAIP`?Pkx*)Ce1@<%bZ*uqBC2|bz@=laF>C7m zIbuRJyt`lIg}sAo+;+!1oNsP}DE2JnvV;CVx2DQ`!8R(xj9eg`tZjeFpR1nWFucf* z+%AgWepiIu0wjxE7IDru+Se29S~EcYJ-%H~9=PFH>$mIReQxB^vVhooOTg$feLS^q zTtLhB>6BDrM?)g|#U?g2+2-m-x@{u_yrdW3&g{3Hw-DW%a_t~S@8pY(x^>ZS?0i-i z#!dKg>HHyV+M{2B>-BNd^l2YR(^pRldMhlu#2#KbKUz@_UOnq$3LPa<>|`&K5qzV3 zDS&L@!oh=!NFTh`A)J-%65_q-;PXc8j;4O4UJZ)kpg;$o%rS13V(6k5 IiG4*u z{sKzRbO8bnZKim@IzTWzW*$lZnEM>q=QvAyBE8f{S cE|P=`m*lotvrolF%l_2vvpBKwTIAYE0RsZ%@pk+*%fmBO0SaQ8OY2RWjU|cD z?0!hI!IsS|^6vame!S#(X!oKVK5-?n*d=K2K?kGIn}_Fc>HeG2gf8p^^e7FM8L>)I zN&79YaFQD<1jvdKD(1c=Jg>(=E6QfY>|a1Glt}yP%3^8VRO8rjhnL3leO^1C4{y$1 zMeW|%HQ4``6CiHj2puQRl2Fhuqz85L4%$JuBA~2R$x&NoXFsXsNP0%R)oZtagAi%J zE4W6Y69a1lK>>a2lepY&MG`N0R5Vc!i41|s+1!3k!Q=CUI(b IGJEc`hicy`nAJn?RlOV{LY+;YpXRU}y}u-S2S>lP+kYRxsH-f4iVm0+ zV`(~Gi*SFrpC28|TNdZ(=gT@Z%H 17%0W^X=@RTS7|iarHFa 2Oc-sn9m z7UQKvyLq {(eCEn+tx6>(kM$nu_YE4b!M@SVy5({?=hqY*t9M>MO1ckqEd z2PNw+=?E2CN`BAazdkc%Vbh cO?S~TQkiw6??4CX7&C1 zjj7oLbO3O(o5=NtL|m>{Bcgmf_Vc^cFg{K2!{pEp->)UAVc5UC_>&sX)8hzzCof%C z `vte*t=O8QnhOKTo&C7 SuD z0acQnWbB2;{TDI^+5OkAWXO?9d?9xT>I(U;8eK;*rFO5E%q7yQSej+-8n?-nu+X9! z{bdAZ4EA9~LkvGKPT$8-&MZy>vXt4xXdXoIzQ;0(AsVMEJ_vi0x|@{3#u8? zOhtwIL}pb$Z7TCarR9W?o+$c?(RG39-h%G-%Q92ZV%=uY!{#wfSV0H+!X*3O(&BqC z1nLh>#7P|9T^kV&!FT^SvMX|M?b+q0c%gFLuk@jV1<7H?ewCkJsD+%3w4E(Dvv6eT zyj9rCWRkmmH^E+D;enD3vD7zWHr#-6Yz^p9eRP#b|J8lX!m7#S8 1`uWGcvBj4ozv}*wob%{D+df zG1m@p<_t}Qn|%;yUn0557twz+yP)HjK1?iLf;;CAGyuJfmk`umSk}18!7_Kr{qj7) z@VvfVHq!utUT0P&H^EGlA}*KKgvfVK=V$1J6$=D?2R<&LJ6cvTG72SmWMKNIJdyqh zfzn4vS8bEf;M#AD*29x7ZkNm-vnvr19;UJkMm4xJuDm$XVbK(N(U>F?lJycYJ(g;S z=DEY1rNa19_m4~ICcrhN%t%hTy~VN9Oy;;<60lRTB+u05&YEHN&h4Ic>w_M&@H6~( zeR`5>lxbQ?Xm>nuanl~He-3FFp36gMQtY{1vbwKm%t`gD#E+u)awuy>>t^HHtb@_6 z-sMosc!{sAAmTRtS|n1|P9h;+;qZK%LH;}K4*kZYK^MX0rE$U`Wnzl0u>`o17Q<1T zbm^s_XzbREri!ihdafk8qR=pHd-a+D=U;1p`r&<)&ugK2UykW&9T!adU2n3b8_x>d zqtn5FM-g0oRtqT@t>>bOk<3G5>mL6e{Q%YABHS=w3rbZvhmASh4jKl5BA4j_WAKSv z%0_V+2lE^9+?}~cw9fY{huwb<*DEc9;?HnDF@F~(j0>C9f4Z^g*P*;!g3p?9$9z2M zd+cuYn77n9Lv9mu4T(#0@3poh; AKDHBj((aWe}OX?fcqF?>a zP7aCDNuSErYRnHoWU;x3f918lSzyhpjv!Y07({x6CiUO_j$ Vxae2W(67?aNRT>HvJ7)MuVynSbdERid+Am}f~P!lCRaH~2J`<#OE@8>$- zgQU5?tbUfT31o6rOKx!n0Ru7wqBMP>1Psd)zjC$Waz~DZVATJT>TWVz^ZbGASZsB; z?tW6NND&u{t%qtHN5-G0n`Y3*JAN9f>X)3To$_;}758$2_J<+FC=*HWO1Y^1tQ;K+ znGhI#^nvaXK@?-q@ZIQ6d9_yBdp@s;=|p%=8AhH&cu)Bj0!XC;Kvd{A*#xPmC 8-z(S2&|Eo96vf2+gBah1OVepC zTWG&8w^+T$I1He*P(^{-X8``#8-z2C0gUEHhkyyiCERCFMUv$^<;{FCtE+28Fzkd1 zO!7Yd^+(Sk@2-I}sDDy?bTOAA=voYHZkAa1+XJi_N^HNoIt<2QxDF7 UJ#nJHJ%%yE?zKzG#w9c0)gv?+Wa7(|1Jttk0%KzZ{;yCG={DFwGXn>(kU@=t1 z>ZRGkr5qQ4V^#y;b^>5|v)j%14q5knE8`d>#uegjSU)g~qev}~gEii0c`o#4U2+W} ztmF|~d#WcK8B=Hg9xGtnwmV3rP=m{$b{Y-8e03eL8u6XKZWJw)HEp`jH@Hl ^SS^;E?CIg__SMqkiT0Gj9 zT=M2JtnN0KUnG7#Zk=vIu`Qy6bzjk_yc^g4oFfQ1LXNU=lz#ipIlVD)&^4myJ!94! zUOa56i-y*^Oi#7#i?;oY6P|J%y=&I`&AbX=25hTtU$6!UYtoMUlVnR@f)v~)H2Fvj z@O1IIj1vw$ij4-5z#|m=Isplt9h||pfIeXB?X@c#PSawxeRP?Ej%nfomwu|?iEy%U zT~;vOeQ`;6jOmYWJCudSX)bF)V$DuTQ&|smbrE32Q*LXo16;1AFx&4VJ}JX`kb}&s z4A;g>?ZO*pKLGqD y;YnQb$7!jjC+ouqYkZ>?i5HC=ad7 zOC9x;bvw+PM;!;R{QsS|5NWFX0oC1S2f8PgVr~>B%d?;+T7~RlD*~Z!zY8j X<;?XmVo&$VxfOA%68VxE;CIUbWA_TS&!sCt1ip(-qpBVR%7*1Y-~1|LDJL zq6P7XDXV1FS(z8PU$N;=rS-zc)Ho+5BE_%D z->^ITDxPfYx4-XZ$Mubo6&{hB)gO$T{*tt;#nrmiP85e}1MqrXzvS_!zpPv8@$D1; z?Y6^7fW=R~ I^MicNxFSt6AN&s#pcN%; znm-VfOV#!>Ol!`OPadP(Z~zMQi3yjsjm+!bKc*(rxJ*`KUFF^k+Iz2k<)mw*X(_pp zL?T~M!Y`6`*I;%ra{u9SivZP`!GX6+kPkN|A~@|x%Dv4a{&$@W?SXtzq7*|gMw_L= z@BCtIY>sVYzJ)uSgbfHAPZ!IB7oXbR2z<%JEpFz}%+0sZU9tcC1>M*lLe$IwR2GxV z%BrO;J_-}b#i|fUr~`{ekLI$2Wme%H4D;(tCi#&T@}+#uL@Ze`tl01DaEW$hrwI^& zh(gj2aZO}zZ-0Bxa~1)>-Is}+zG>3$<0@9Eab=;Bc$5)n(uwAgyA)ab3?wUNf^5L= z9Iq8bGWc~{mopK7v~6}>aCp>etzWAOFhT{II?bToR=}sN9N7V`-9@)i4ZDJ5cW?p7 z-HHXm6$A|BA$T& G4#J!!$|+;wgUJL< z-gcyk- EJe&{(`VD9_O~xJvX8BmyOfDOZ1V%1Q$ZE3}M3U zW9wI-2wYK+)?7yItLweG8r`P^YDn9pBy_Vv!Ps4h4D81hnOB!SD2&eZnDaiUS$UBu z_Nw|a@7<(EbzmW~U D(O8G2GPae0)fFX*CuqE5kkG>?Sel<(5m{D)-Z$-%bs+_V3G zjA4;Iwt %?2 Ho@SS5QBnn0#Q}U=>H8X`7xkpJF z2mIVuc_nHt )Pp`w(X)d&6a4t-tL%&4v>QN?Cw(6*0ZHt$O-DkUM7ua* zGf08zP@*35WRtfG7E{jhnT>9B9hM(t;;|oM#Rh)~z@iN57H5DB=)Qy-BfEs5)m{om zpjI1MTkxOj$|mAB>6M!z0nb=-_-m<2z=`7n^!0 32Fianl&58ecr8>EDDcb=cC0q79{lj7f%7USqVbt_+uJ= zhkjq*yCA;FNo(2>hl`MtMWe4y(tXXcQH0m93_W|YzfzbpE>CTe(vjU4sSND3EExp| z3(-SY1h#Y}gW$;LU3~jI_98Qsf}ZTPVcWfpB(wwh%2<^x?HJUiH$!(#j(PWt^g7QQ zkQprq(P8aELmYC8&_p~iE2WTmP?0HT#;b($DTGMZ*sIL2<|9}an;)&m&i6l~%u>lm z{nko1QuR$MgplJp4c3C#&D8>rXHovF`CNuTZR~hjW!uOMk=w%lvXB|X5uk(#A%1jv zv|F{%lWyDbzyNF2^4Lzv0~*KJfm4tS9kM=`gWgF(i$v`J1qjll$;*?VxX6kqbgjH? zDvi^~2Gk@yX)~325UcArT53t0wiC#@8f5L*3x{mbkYJHxBU9pX#^%{pUl&^{#6|O$ zw}SZ(EKAvqd!JILGWyNUOeYJ+k+K?)K8a+KbUQF QGz5?z Mhy`dz)OMDIjc<6W}W6-ji^TM>Ld2l;u!wzH`vBO02d6p6Ssnk#? zMd=I~Vdz~&F-#01IbsfwRCPq$%{-JgjkkUAuw*CvLiczcGnlzO9(2&M3te+nO(c&z z+D0AX5tZ|l-*y~0 wW@Kblm7 tKD7*iJA<2|zHcv4vnIVoXxhasJAlcUs8)M?)uUpgH)k2bGC?4e1aif^ zOhV!vy!xb=4Eump58YD52#?$4 ORx zsW^3d_>{-|p~UIV=Uto1>);@F?g5R4z*8 <51eAElP@1P5}&W8~g&M=ugh0)T86pE$V{9Wd~UIF_2b z7RX*29DUp*0ClzjcD #j!3+O;^?bCbbdyJsAYfB5B`|BOlF6MrT1LzUF^_S6Mc{5fboHd<2_941@PR7 z^59cPN08T`Ix`w{{N{s}Xv&!Jilc%16ddfcHv;VsaNY|aqm&EMCeb!0_uU=VM{a&= z5DGf+$>g_HTb`1m?k?;ptsUn;(JM}2;pO`D=)H{zVc$2hNqZ5<<2M&c1%4|0+Le(9 zzTJoH`{90k@JUDDnB!_lnv#(oWuq3JXYhSsxgE@f$E)Psl?4~$7@E45dNY?WEK~O3 zSY9)44U3J$eR}~&X~J)F*d)XRP-W;SZ3OjhRnF-rw8(7K8&7Nu+B^LbELEAJ3G&~T z8J5;SKz6wAC6qp7={?^q52g{VcsmQk2n{A~@2~CdC0$LMtBRGH!S}j#N%$FRNO3b4 zqNb}2>Huga)<^aR^~4S{5Bjcrz&phbjIaA*B9c_9;kc>uu}$Svfv zG{as*!A2ewcFnk_vC;RWbJt Sc5MO`Yf&2CmWw;y! zs|N$pr<|trUZ-UoQKfyLeX5ir5q%f*GdZVznw&WJdnkc1heXsKaF@%>Z;fN;LlD() z%;0HaWa`BS35Hh~?u~K*Q6AhO`fk2>_z5Y{)X|gu0*v_AfpaP Oy4g0nS*R4W5WHAayNv#~gXmONO+)i2U%|J~JvZb>uJ zlQe@Wo3UYiGbC_Ab<;+uERg)%mIcWVrKdt%1~Y|8K0Ra2gh3jL(xSp?jE|*KjY~U9 zAoGf-)$=VKE~!z#dfIN*8wt%w;|)%30`c1}xgBDD`fN`aj=p_D636u}gRV39u*dA1 zO=ltt{6;026W~X!f`J|gjQ~|uZ{jkLT{RW);U((?e37Ai) _f0kv6Dt?OvAN30%29iR-I?7_#QA36hK29b3vZJhonVYy+t zof^Uu2&&c7Da;yhzyJz*7Srt!Wmg?ThQOxOtQ!61nP4FVhUsB~iEh$f9h8`HyRzs6 zKi|S=X*r>nw3W*5t|uv3JvpBX=Qc$^V-n=FHjuy%a~ZBDF1rNG(E{%E0-W!*T}om$ zncz*ale6O=;y?R8m?!ivB6a}ny@B~M?-60=?@qG*A}Ant>xX&Aqv4JVnvd|PshIZ? z_Kchx-qX`GgWPY4rR#!A-K1Ba8lk2a^9NW4)1dGqD%t7AsGcZGSD6j~U+noOAX? zQSo&$H$KqI iCy5#t!brOw)ta;>V8@yPxw~KK8;@)7LXCL<_B5LEs_(+I)n-VFY;K~% z &A7SoeE&^ah6IiRrc&v+E zM@2mKCFU=bC)W8a^G}!gev+Tey~or;--p;m4#)T>+Nod7>9~D6JzUxuTUgYYWZv$A zVfcqlR)mB~l1LDg8FmP+cO)x#Qq7dFMYqu6n~+!03XUoTUt{O}BnX(~V`RcJmw7Wx z5d!2!^Q2Bwmf9>*2o`8wy0Lq7EQP-nd7L0#dN=nazRSG(RutWIQ3JV-i{HcCS#OvK zR+3>V5rEGjvw*B_)J<=qf9w*{(u$*&zgIq{gky37_YCw2-ckDx*vKV_&ZZkrOtI^) z&ppRoQRMvq$CrIa`#8$sDii#w>U@?zbeeM2x`UlYzCCGKRu#oydg1daD#240Dh9H4 zG>P)C4h={xQ)ddBh{(Dz1%RvA<3SAsP~830H`8$G1B()^fH(mwDFv|3I1jp6Tp4*< z6{~A;0)D34y3eTN7H&CIn&s-A{Y-Cj0#eqtQ(z>hB>ech?!8}LYER-zLO3<;FdYSb zEEedmPZ8UqOV8#YUH~a5N9Z*Nd@zj>j}l|eNrynVkC5&*mS(p_2{e%>OpR*uAcwB2 z#mb4v%}uou?4=(L`c_>|vh(8ws6YF@+d1R;0lctBA^TxLL@m=I?8El8p+05x`xGY6 zvgBZf@%&5)#9)Sf3R1%lQ<(>A26}XNcpYJQl}cZ(TddJnYeA^z)4PibmxyuMcB!0E zVOvR?B<^e13P=*HcX}w9N0x)5@#I99o(G? +x1-%Q#cn z#T@5^i~1W)Ay)LDa;cgMJFGNg6*D`1S}$ynirRXhpr>gZ^@Q2e=VZG}&b-G)lzEa& zd7j|?bKCxGwaS_2jdT03cMXxoLr%GObO+R`n9#)G2pBZDn-yA2W*J1vGz}CN#vdh3 z@!P3Z1A&&zBqeh%<4!_AWlZkA0^!`XE&1YyE_PWJ!girLbNuY=_`Ovo#icLQ?gD~i zoF5EKhZGE~B(lbkBOW9%zK>Dz7w{@?t-O(lx{600$n*YKJoDf{{N*a _=K0tAh zcicjEShFxuP*i%miZL7T_~1a9%Z9Gwm`ZlrwNpQwWo9lVXTcka1SR6iTC!msg0=B0 zT>8qHZCuC$?#z({>4a++iFuD6U>eD^g;vNlxu_$+P9iI!od 4uC2#P{~V&V9hQMYT7^r;W968l=2pW2I*^3Pu($}Ty<7UQf*z)V zX`;{rtcwYHJS^)9QnE117vcfX1h3h_lt8O0=|UBusP=Xnk)MPF5~%kCI*kP%A P^hadF {6MhE-64 z9MojELMLpH`OOSBh_!XJR -Ip=*0$UKES=4=>Tkhg>xDp_v{1`TF@c5kjMKEIpOW3*ZY!odOyVK?L^I zI+4oB1s$Z@*k?U2;@!aA1DYS(W?P4mfT7dD_yW#X1qU?hsb9+d0pri3O=*}9-2hcU zVM`>RlbInaeGnvmI#MuEMTmwfo9D?4SMlx7gEbxw%x09BTS1+=lp94POd2KF+PXv{ zhrUf7Q}tQ@X|;eoW~T1cT?;L{<^9bKo+%X^^ue;3e@s#E!OmZ1(lv4bW^jTozcry_ zBAZJ^wnaNybm{KAr5~8In#=TjdnGFyy$nQ6^fuhw_Vw*jAa2_Ov3dy;@9;Jn=ntE2 z3AjHiQciHA@|-AEhs<9C3;t`o>hP!X?*lF7l9YtPV-hlFX27a!u?h3$vU4hm#TBrV zG78doA}=r;{;%c+0(IkfEO!1f1#}Sy@wCEy zSynzkWoc7k
S+`10xX!)#))$*umxf`gJ+JK0mH7TRK6 z -gw%D#EYh zUVVSD3DoX;fE}735noRrY_<*u tb||pNTaG_FJ)QvTkZ?aZoIZY4 zpGl(!0we!YWPLL4zl$|J$wk32i)Tq_C5SSc7P=iBUJppxzERhDfX{rjVk~@XuSLq> z`9*UNa5H06Mox)Eim8u#V8r@!vOv%RkSvIgAngrchXVsEolwX-ww0prqIcxG%byG5 z=|NfU1xix *tm~HuZFbMcyDU(O ztc9tbCmWhqW0clnWj|^b69HwD!0~c^{QA*adH;P<>k(tM1Xh9_fEYa$W9OhReCdI} zzZ`lUTXo=T=vuD>)9xavxUoeRr8Pu;i8opaG!p3olK!Tn)shWx@nGOW6iq0Dgx@HQ z?KAU^NYeO*=Uc;YUek`cGVuuMM(hqxp0ccED1b%I&v$^p*jAz*Cg{xNwfz53l*Kc~ zcZfsp;Q4(>V*3i@xL=y+-`A_QB=c!N!li+SBg wj}he%ZO)MXf1ROsN03yW?{5aLCta3d1doiSaGozP6qSg6GfW&S5&I* zW9YgJcFcr`{=(MXe86oRY_?n(XV4oWXWK?_{M-hdc%$9U!%IX??ctZb4rU^4UlSzr z9{#^9B_E9(vxDHrZMsCoVg-l}eP}`UdtGlG;zcU3``^5fe)L32(1)gGeZL$OMKdbr zfZh%j?g|hsG}#`wsPOEA;PEj4B1B(xH{<9vtyd~LzmD=VUc$dFs>P4>E&L`~MsRtI z$3)GF=iR6R77~mm@-|#sLPpXOVzJbhMK9wt-5Tg8UivYuWxJD>BohFC;!b;@ismrV z$XcAeK0RDvTnY*O2n?Z-?*!#7Mh3hLT @3@ z0rOw~qEjxf%46|U1*p#&*EAj1qvVIf%v zV*I*X@SLu9Ov3sjWz+6gqYa=+t^{|nnsN*i{1TM?SHHY`bnd@VlTJ)4^a-fIC~IT+ zea(#LB$6L=FMnf6=zO5CDU%*n0qlaF=v8qw9d56p*eolheWJTSWIxcS)4iN0m=v(` z>rP;*okNSKg$eSvnbkTONVwS~=Pu0wzA%}F5hEnf=f+r53f!X3LlE^-a|``Hhl4nj z;g|o&$zExQoISDIVkb;B$~2`GAfIR_29Hm?UqSPq;?e{izm9^tVT;Ut&9{8siK=H_ zy0eiY(iQx?b|r|3>>BQkB~7N6eo4Uo#a0-KX7*wk3*4mcf4;l0#eW50ZJO{RGye_2 zx*6vmE&FBXGJ6$cHkpSnUvP|IFW1ofnjU<9sm(qCE cp{{bbP#2mQHc6_0f>~a+Sj1 zGDw^5qgH2t_r^IHG`L%{7 >~1^0Afl*G5mr35Sx>Z|XDCvFE)%u(&_nl@9Qi@@W$= zQmhDEC?>{xV_dN4u(1__lSoV)-Hb*3r~Guztg>O;e=aI+99^0=+95i>dje3mN#x4V z^Icdw3*`wQD&vh4n$rET3N1qz)0!6g^|BOz@|=SX*gB_9w&dy?@Uy&t?72Oo@c1KC zqx4X-gg$RKzfq!m+t{S}4pQ}3{=J7!nFsst{Zh$C(E55tSNj&!QId1r{74q#ZZ#3x zNN%4g;qR4?$c&OZe5<=j$WVm1+nnP*qW|;wo}wtnTbX?uQXKMlyCan~xPZu`QhCkg z*WJ2HlD+Y+B86!%;DCO`q0&qmQT7E@;q#p)lHd)6+GYR@$2kqMJDp3+kY8*gC_gA~ z*iNm1E)?N0PG$z-!3x556Tikk@X?)fh?{Z9T`wo@B@GriY~avkJ<5w@a33S+X6j*I zo?X8 R{b58nyFb6z0$?PBcBMY0+SHWc8>nGhBuO{H zRgyH4i`oz5Z!-^kdwWOo$=%y<%3H-~0VtGt@-=mJP=UElTAj>X?L7rI pe9qIgT0nM(ID-AL)~1@Fss%0QSe%jrTR9ssvYiEJP+x+Qiy<%C-F~&p z@; A>$;M{gKYkD!`oRjm+U0vd~7si=vfC!RZI?JtKte zgP?))4EO%=>$DLEJ@jjzl~xe&MgkP8_6?<8+@~6eH>4|3{KV25Z?y>5MF@1Apn=FF zaghZr(tfnNmj3R#vV7+JmllA3|IaN+4UYAg&k!lnL7-tsa(_2gRV=QEck-!(btASI zS;}}W$LF{fi5bxBefVN+@C4x%^iB!$qwPEho~=kgV2+g(&oOG!*w0{9xTCJp_@i{L zZ*XWT?mc-LM12I>44NQaOf93rU6F?N&l#=3KU?0tvj)%ZvK>;t&>N5X6n`HfVBrN} z_Opdpa3X}-)o%TFo$}-7o9}W-2XaT!JB+o^?vRyzUuo#7Z?eEmL#dN}>5LIl`MlG8 z%Y-|EQYZPkafjppxCV~I>C+S5S`c925P~b$zfVuxX!{A+3pcAq{c=;1Ccq6@-ALpi z@(02cMNvM9aI1g|c RP`|9>xFHpO{x z%#hUsE|>19Brr-WY)zuC*zO$>=%c{70@5Z@u(o!V)g=-ldFrjm?9q_6Aa*?0+HE zVkjVmdCQMJ)Z~peZ3}Ag1fm56G@U)TDx)WmT};&kDAqWVC69Lsw8#`17>7ysotEi~ zN?PboS7>N%FyU(U=0H>(YB@?7x1m`(M~O9V*VVaoOiLEw3)j<%nLZwBl1B%DdbAWs zf)ohrOuQ!r8C)Fe^{Uk+{B~Y |&YqF8lA8+;^CZ%3Oz(dA z*LWXIHHTA>wqyhipG4tzy>N(j2nxSBIAZEw8k@ppT+d^wuKSy-`NzMe8wy|y>+_RP zFl%)OoOE;9TpGL~$+Mau9hU<=|5L>AXbHp58Ka>SNW95__?;}qJj9M7dzKZDt$Ote zj^Nekk3_=0AI!yj)7-nM_UwA)qXXyIqdWuqKwyj`BgLZP5FN4j*`GRVaN}+v6PKE= z@dEOBBc(>Rcl67uLG1Zj3u4A<7(=CeZ+yZVT~{NvUo1S);KpkmF{9)+wR_v|2vxq8 znv*>duulTSc`pOF$IVmM<*rUg IBcu^{Lp+StLE-DoQ7*9_r%}v=#L*1mUayk5sgjp FCaBEc*lG(lAA)60Nf+b1KPfO z?6)-(scfxU?SHu+MbM0#E6}eVE1An`Ec<=@^KVHZZYVO6A~k?HCsCW~B$$ zan;rlu-)7pN4tSN)`hLuS7jyEcn|wZUf;Jrg~S@~ZpK=iMsW~s$YW0JFqugnDmjvq zLEz5N1h~cc06AX$lHhl(Ht9Js24oZy-_J`TQFCbmQc19Bvx%TZcrvRWNS8aE--Cqo z&{0*N?a>ACc Znx|-aM9E2Y3eSlxPNHw0Ee>#gD!5Nvs+DHzylCds51}g_%WL zTmgXSMH }>@XCWT!Sc0A|9ZXQ$u_nl6X=7_~k0JU9DekcL%shxyTd``_^28V(0$H+J8v%Y92#`(TjD? zUlB3PXKQNYh~j00d)|1NIAc%gi-Y1;E|jij9&vnazbWx7`h4 s-V&)_{ofO&)8o1E zq07>nLCd)m=PIbMRG;Ll^Am_nZkQ&vF75;q$Rjg0v3JbGFIKAOF7FTbc$sEtJSnyW z(bhInt_wVSkwT^-^tVq8Qe>`z@JjZcclDOE+Wb$O*6ZSa_g{%-NTj=XeT_E1tPLxM z;WSw?+Y4>_kEoxOEVrfH)>>#he_Sw~*wl9=pb>bKmPJSIQ^4UbL5?q(Mrd2ea5?x> zCFp# WUT?(?dwA;GM$X$U$bBgz581d_ zz!$a~d7a44*m~{229qf0w9Xxsu6Koj$VOSz!YfQ{y{(+|(Zs8vm@H}au=2425`PIc zf`eN$llR2MD7t9)(ZvwfzbGrqjmJ`Ezn^^0xro#jL-vj)X&P+y-MFi#DdKWs&99lf z f}JEaR?S)r`|=-a(;&d*;A l~aHg>hdQrxnR8lS`Zs@tC#k`K)hm1qWeb(=9 zpRN#XfDHF>vZ*ZgLPjNogL`nw0+`DZ>`zXh6cxGA$;238Ye2==4j#n_<{d!J#D-)r zmrZZpG+|E>b#}UO)AD}l14&Cv4U9z3_n#GP|1}cxj22cIH>9?jLwwR4M0DL5slRiw z%hegnzahaxu_ZfWRfKUQX!#?3MZJX}xeVcnbB%jrD_(=(r~gG%%sR)2u7tqgqKHL1 zA_+oV*K})FW9*UQKljoc7&T2j_cm<@?Jl&|xo*(e(gQMu9wGzqdnWFMZbcYZ7GiNs zy~#u!X0Et>#4;^^bvjN2kr~TA%YH4-hdF%ey`R(+>9-h0bHao9CVNsG&W+MG5K9^Q z>6W}0VVDgEL$9r$fh{O?ix{wf7JmPJ0o7S=g2_aNqpM$H)tK)Hi3{8 d_! zN>+KVK4ZAslX{arGW+&(n#0)@luH}Gf9*RynT+5-%C7eiijQ68YKySRnEWb7dv!W? zM^e%YKeA!5ykoQjuVo?RojjivRSAQx9&c2t8XOa{JPWqA>vzjO!k_%T)7kP&=87Q^ zoy$+(WnbmZyi$`bqq|(c+VUB8X& q|*HehvimP zbaC6Q<@!Gca(BUW$+{PnVhlA)TMBXvx0eFnJ*&1Aq t_VV0lflqa4I6gU8~%epjo88f6%9 zc6aJ}o*aW2R8jWALr1p8_FezaQg(nu_%@j6IQeUshh5J9q>R=XUlx?a$*xZ~F(j}J z7m9biG-JU~L|q)*Q&Y~k9@*tUqi5sGToPd}K)%iuf787xWHbz
8yF!9HvE&l%R_ zpLP461m91j9!F?zcC;~r07cMDd^)Dz&6P>Q{_L(Vo%FXzeX3~lr^XYAyO)(0j|699 zWMn0|Et!KUu|ZKU5GP$MOE4F_bhga5D-h*sa-#tP-zCIVI`}GurGtnE5Ah-)HnRyI z%PZYr%-f6Ha%3(((=9ZSUHE!ENc@25<*qFlx@&nTD^-n7av4Xh_3IfO)PXR5SxGLw z@$O7^R8P7hI+uWtf(s&QE-7K1oD>kxcrs zWp1+F^GjTd<=dAdb_ic_(VY;R|1w%u{fzK@z`n~n(-dq)ZSvTUakC~dF`}Cage0sX zbZPgsKp%l4#KSS!ouU>Hm~=fw(T-O5Dp vzR|^^OLtn<3G5uNP0 %pjI1Y zX^|3^GfJI@VnJ;jNiiqa_=x(BH;P+TN~$uUit!NJ%(RQ$tT&^jpdPtmPiV3WiJtO) zRq^^%zOw3QfsoJcn#>>Xi{sjqNc3s7N{tMzRXwk$uxZsbOF6%Luqs3*7N}BDH-Fvf zV(USDbsnFt=}^x#$KPM?G!ZZaQ^)PCtKVh9&?@^SYen)?EOmvSgEB~|2oY;Ee@M%v zJ7UT%mois>m4Rbz8SnX1^C6eJH+&)lZ8$QW`zXmo`aZ0En6_t1W8aX<0K~&1#D+8m zFphHqgpbP7ZYIHKdYjIK@^`p&I5Cxa?Apm;dzl&_o5Ib8XFCsCND_5Sz1J$8#JG P G?q z*#*OCh59xfnjI3uheX`#8L|=)XL;&8+%SoYJfleQa~LE!bA8h2{j8FN6^}P^vdzhI zxnv3}a6sMwhjv|a?`59;I{BCA-e-hlPDysvVKjF!O4thFQvXI09
*sWIPE-TU~p|M?g86HkDbS#Xk30j{2^`oyxlGcvzx*^elU~{LS@H;lSR7J zA#xeJg_6a$k3zqN_PEs9mMtWNVeBO5))W@O@s~Gvrk{NALk{JT9{xlpNid6FGiDpD zpu6}(U0|aWU9OqD%*}K3nT#nyn?PQ$m83AvI6);4t6fp!m34lOZ>XgP&la5-e8Y}! zjM?M*&zZnR8rpE>3MMKvEq{YwvlPy?8lBBNO_}jqCY`A}Ye2eNk<=djZ9a#o^K!7P zDd=BzUwGi+ %8U-!eHFWO~Uc%fAbuh&f z0X!vnah~Zqwspr-zs@^K`ZM*aWEa!Hp`5vGF<|F!5X1(dyBhi@<=}@km)8%%Pp%g= zQpH~OEpZ5Q1-K2Imm9(yM0KxT4(6^*6J))W`DJ4K=W68_?C9{XPP7DQtwbzDQuRl% zI_r#cAH-QspJZ1J@RIuW@q0O zSeLwHbJ>I%rPaoHc=~ng>1h>$Gm(rEQHK%c@1sip_ Q@N(Fu_%Ma@k!}}e zJVPo+MgQ *4-X|BLIP+*uP5qz3Ay<9RH{9>^@Qe^gDba+!|u^4U+*e$ zxES-LEk(LSb99Mi;+A~zAa$=H27`SNDU0&WaT)$Jl&4f$7J+r2{w7-23JeA8-wcIF zobS1!2=g`vTlO%ldwHZ3MQEMB({6O5X)BX-pb*8F-fu m6W=vSN1q`l9 zP0Z-DstVjReoBX_F`!I|TciuPL{d*Wb2Wg-!FG?SjrZvbuCwqk`#YPHGg{puAfj+0 zUGX{pwDsn(Hlhu^On}QOJ3-OK(b@fRBRXIc(!9Z9`x4oytJU#6pA04{cxZ2z^SoNJ z%r6a$_>~!-toc|~d*#nJveiwZhuWUO9o7Ox6c=R$_2g6Qw {Ku*RIwhyuP*l;My@@hITn(4 z@N^2Rn-1od$+&op?&Lzs`t&(VI}G|=5T=4DFf;)5q-2$S3fAQw4~$5UYeoo}LGS|9 ztpX&jGD}Q9Z;5Rg7BxR5wiDACNKgIy-8wd?g}yI{I!cCWvga0!fPCydX5#NIQ0+9< zwQSmp-1Kax)PGNi^Px7&VXNaT7VGW&+<4Bej_t-LrgclM&Gl^Qyj}Wf%Eo)~tRo%O zVfC$a_Aff
osvVK$_(^r?%pV#1PX~DXMm>fD*K5vTZDuVd z2}J{EbZ?uc3-v2*iJ;~49;d=5sbXi`2Y#I2a?OAm=Y7KA%_yh+T78{Icz7vy;{yz$ zLZuiFiAqb!Tefg~>ZG?$+0RRld?S lDsvi9@5YWoDe>`(eSw1V9G zPepYK4ESO^Z2=v*#sXIM4*WGr>%6&Ehd$WMB7a6{J{&fBKY{DCrT=t44=Wye&BrF< zc1X{AY+)Vzs|wNF# >Zj!>7tv z`tjJCD67!5)A$Bg@SeT7!g&sXa nt{l`{Inf*dI7qa+%rw z>rXBj-d8Xr{wyK>+|c9JtcF03k^q-0hW2 Gkq{>F$J*qHVD8xR5Y^eNAAWQi zIH~tXdkbOLqIZKE`dNC-7bR4?&0OULy`SDL(O)80hkQPth#n6lGSgiHC72!W1QYr; z?oP<_`B^($ogUWsOo*Qq!sK{1jX8-^m#I&Md=?JY;c8cS9-s4_+zqg%kdlASQIchK z$oA4+BI~m#iR}!pporFOU1^^7PxiNhX`;< Z3&Q!<=kS^F1o!Pan9!gZc$owIP)_(=7 z+8)a#b|EC2E>$(kA!b4U(16GvQh4@ERts|1gFm@vQK*Wo`A3_j^r2taw&8nCzyl zobfro6izfWZ)BggznM
7?C}?4d%EkV^!eAxr&;C;`{gr| z?uk={lHQ8z6A<@vPZxbo&X&v&hPB7ry_I<@Rs9R=vlD4(g@NX#;iqf05B7?9elH}J zt44+8MQVFW{X7;&O*AMy;}Pns^peO3CeD;$Ay(nOFK{L*D*T{Ao^PlvXf%{<4Lo>b z7S_pbv!8|UVj}%fT7d+auVx)&`vREe*km&5WAx1ngWW2EBlo^TpvKp;G1pVV+706W z#}Rff3Qt }*#(`Jq%O(ND#pbeCfyFzSWkg^#b08M2D>&6LnR2GH`!;nSFbzAu5%Ojq* zUTn1Vb-8_fkU%RDB_?M}W!S h(1y*PYdxb2kinP!pDzw?R;nLh?f*_AdjX ;f$)? z_;g7|p-H+tIi_ht10* kS|;ln7_;vp+j)cUBYx4w z^JV$7EN>;K-5SSk#?BxG3)&`yyQ&m>N<8&^7UEyMD2Z$+Xo60^pcfTzdXaxvdUnL% zOPk}O&uc(xNc~kR;WqzwsRUW%ye+)^n~D;hcN37p%Zr(5QHlXFI-%0Us)DNwL=kP? zaC&h9;O5Rdkwm5ZHz$IwG!K;X(DG@8pz^r!2T~dCiRXWBkh~XScbK>Rj(E~6v19-W zIV(FU437X1Q~q)Fzn~w<@hxRlMB@ee`D-7}a?Gq=i^$3x$&_4rbPD7o-_`HJ#P~rJ z?1rqr9t=;s{9Cz;MW1z&8DbKR?~wfq{UJJ`a7FjO mIR{1m$eq87!3#- zyK~tJ`}W9BJ?|YLAKZ(az7Rs1@_R6ASIx6C>B;r^gH@Rfi-_mQ@*zM62DkUW)@uR_ znYMna$ R|8WRfE02r^*=} iiwIZwMn5yNv?x&D$whTfk;npf4j!htIC$rBuM zVL#8&i+qLYNLez-uelG%4b%P{6?*~^rR=^_b$$Cc3p1XZo1JkV<{-#O6d#aMUyu`% zXRY@#v7-CbPZB$rzpI9Tym5A3n#vhBPeR(+12Hoq*i_jU7s$is`0p$r?r(%2`1mW^ z$$qYvrDR|7f}h?MEyq<`Qse7hUb!cpaj^jrCWL}80eD6&*TZ(nF9v@aKv1?anKVE~ zreskr1@eg4Jpwzu?;s|aX|sn+Exi-?S{~)ppQ}ihg9@8ZbQW{JwEQPR3C2zjk~^MS z-0<+1XZea5U??Wsq2$Uh-e^oacYynUVvpEO*?tK!|FY15ciz#YR?mH}9_&26d2=ch zx2URKZ#8+7Wx2v9HR3IPx>|jsN&MbGJVRN8d5_HcMQN0%^YS9mLqNJ8x~FY$B8b?a zuJxG?dI6Bv8*<;=uKmy|<8oM)rnEYvxlG=+vGZ-OcXPF?eJ^ruEn%}sW`mi2gZY0( zk|=~XG>@e5nuUQvwu3$q-&NKw;?LxqB<-7+rY22r{D&8hZ1wciwVxEZCw?>-qI(}1 zS?|-2y)dHU`BE7-X>yel9wP9?n_!3$a9MruM}tJ2%+5j;s?V$5CH33oP}>>?Ho;_? zKKtWWqke|Ve~k2lIUDJ}T?QIih6I#ODFUo)2VQM4CoRZb4I6kjD`CF{zt1b4ub5Gf zSNeE>LylutQt({DWdMFI0nSL_Mg83oz5mkuQ7XCX=2gB9vVar=*&5di(&2d;-+K%_ zps5LqanQ>(cW~U7+{mnPVU+?L2o|# 9vGAP+!W-M2on-9tm-u<_%4#q ziCIw>Qst- 8Qs!(9=uG0??s;Hh_C-5`WsmTGwbjIpLO&{!wqJyQA$?8q1@V= z&&=QbM)HpqAnZ;9vZXbR!IrOo{A|$}xUC@! _fW0PA zhrjsSh2qogM &SpuL>Cy3%qy z>kNf6C&H#xjh#R0$JWp?;3fn`p&64 T}s3nPQPY$kryTfvJfJfdX}9J;X@wgKht%6?{)5NI>_u3h-4yZ9DqT zRlhq$IA`6U0*{YTSCmE%Rt-?~ai1E+NsgDh$W~-3S9{ct<(8e7)!;1fxGUVHP}RE# z+56;Zdj?u+`@Zpsw=>7PQs|G%=tpW3h&}8`1HDdJQo Ci;HGI4|sk>{_z3);)$21VZPe2vgeJ}j;xE;uj MZK|zZHlidvq_!*3gUEG_q*~>e=mbld+*SV32?m>d)r%X9X?iX@sOda6 zt_xygXIl|^OT|n&L0??$QC_bX6s;FF@}wmIdV(}VsChlKz 5o>;9(I+v2cJe^G z2C@*7#0rPe|8ACWSBKZ0Vc1SgN=4IcsMJWnVg5_!5JSK#+t5F3mKyX@jHCp7vr`gU zj@p;t*B&z$Z+G%UhAuE&(y2G9eQ7)i)y^gP4M0m9fd-c3zSist^Zx-yxv`=lOxP!I zxnsBhY%**p2o8v;wB-8W6|#<< <*H6Y5AfWb4?s}BJ z3_P_~qb9r)59~kS5t_7nHGKMX{rzE85d_SAMCJ$Z6OS9zVZb J87jAk%EqDK%@y$YRiG6y& zS`%(bE+FgoT7bk|{7d{3xSCty-3TUFz_jzieW1-U`vcf+)jp~CdIb=^TO)sg7E5>$ z81>N>dQlg=6HY6Cnxn?+3IN@?iVzEhKIK^QWme8eb?k0wQFGWe^Hg{k0oQdCL>K>E zD3^lN7rfA)BY%M&Y#8Ba*~DTzbYiB2jC8)%q4F-ko8%08@LY^;dfh0-v{L {SxnYqK zUxg{%yz-N*Hn=ppANM@^vdngcN(~jow#2?1_HVLE{KwSxm!F|hAC8c!oj{S1{cV-) z)04+3(MD2?_yl}%=o4yMnuyFgU)rGdoa|vlVdeWg^i<1Dw>||{UFf=^Z{NlL=KHYL z_QAj9e0OJFb_nYH61w`suNZ|7X02Yttaa55m PacjNUVNC8p9~6``jU8M{E>`|ga)&|W4k;{T3cd8j qchb-LeegB7Vz^zBNt9X9MYob@{n$ZXU0RqAq+E9a32&95Rd?pZys`8&UC!i~osb zX%Ba;$$3t6@E=^3{BMur*L3)&zDA(hi0~8TF8*RmumF}3K^gO%CBlbawi{*Jg|Dwb zne9yocMY4<*#QY5g8$VOqEQR=vp9W `Cm217 y)rexe3I1U&YcC{k9A zR7PtRvnXO|8K#-&n!7<@s0&i{MF40NeZ`I$ULioZjqXrtC T2 zWniWxJ6U#*QUrJF2IX|6WSt58vHc9&iC{o#GINIS 6hd0+YGPT=IuiF?Mch9( zxt_suGm?pfk*o}o9YX*~vjmGu6&Ol%rhU@ZG}TVl=mK@C0Q5ANy%3)FC|W7Tf4*cR z%@LfeuzR~q_vgknAOwB~Q$c( scCdque zpm5l8!YoY }Jk zeeipFPEX2jKMHkuz|-o2xGWHA#l^IJI8QtQAX9`VXd}L5$dK&AZE@ZXd1+aaw zJ&VZU{ocKCND|9rZuEw`u1jG=RO=J)4a-6N>K|fqgxTWZMtWXYkJSuAFP_V^V*tqe zAXD*n clz2L1>F1A3Xo9$DoHObc4qOfsRLKBu>yOUMyda1_`Q2qizC zYlWT;Pe8b%(qhg=tAE`;pHT`{8fF3wt%OIRKIy)oX-=|&HUOuMxNn8p0N)Eai(HhG zCA|6%fJ6Y)wayD5ZF(XO61znla~RRR*ncP_KgOX>{^8Hd8Y4Joy+x!Rptu*_?~8js z&CPWGlw9KRg5mKE^y-5(K>v&a0QUJF2gF(oK`jUmMt)JgJSzIO$mi`*dsR`8UoCV& zfTcnq{wBqcpiRmF{!gTR(LxF|kYFtWclB}s9U(RUmJ~ASM##K(q?uVo?L)lXAARt_ zbD9bjyjSbAB=rnVGUoFR#%Ga@;>6=3?F1QiLX%aHu-dkE6dN|YR~xhy 9|yC7%PW$ZeQ+2qrT5yIKvYo@PJE8nF>b(wbOKSJXoj-u zL;#H?P#p?bd#5$L0B1HjTMN?jT5}4Lg`0myr`p7L=ykd4=m5EQ$q7&uqJr4;iqWL< zn~ML1S(>f>SP_a~mTG8v8_WL|bHAr}ze=8m$O^tck+OEW?KxAeuAs(OL$T@bGzR(p zf=xpQW3|{@;drZG>HmT*LRx^*%|Fq6iQah>bQ?~0)5kr5U{eIe_ YR#hkq!huyZ>3$Ytl=O?*QuYHkU3jjbNWJPW}T!(e?M*DloiA_<`}w1pwyiyZy=z z`%0n9Qrjkev_^(Bl@Mi|ecNzY^y>I37gTs^$DnsYU=deh0A>#gg=LU27`W;Le#YX4 z^A^NeNtNEH PySe;o2X`Ns8^F%wc? z)V|xHiQI*!2o9p=5lPFZ!Pk>Fpy$(f@8iR}q%( z!xxb$TN${}A&o)shqBm15Cq$&F@u1S_pey8S(5lqnak=gN;GcS3FM^(;S$p5 b*CQA7#pgJ7F*Th2F%LuM)DKCAopAM##(}pMaf`as !7J0fj%K)G+aCso-n@!Tm;q&h2XqC_PH1v zk{Oj2+jzfszAn7ca)*^7CDco?J{FvDF(+g5SZ VhV5 zxa%Zjkw!=1s;Ssbrsok&K%pGBYGe8bvJzN@ic*lw?0hKuHGX~-a?&d|o};e#c?ig5 zz@G4wCVQ6gBCd*c?t}I3Kh%;(p#r0vs7LZPM#7-mrn6|6d3k>n|8K-f2uGUBO?~0N z04v#y{|m5^bxCaVi?lwyIN Pv-==4>5ZI}am<_(~+#_~PlC292}=3Yd?nlkz< zZwtxA$qQa0`9Cl$)@xa3>4d&`ZDum?qkFOWjGYl?)H((iZr|L}q=_UPYy_gj{{Uez z_Bc h^8HSFI;ZgejHFFZ@tjy;P%75iy&>x@=& zH>O^!Wu$niE7@c>Ss#)7Ji<@UXuhnAH9q&Tg`3!f;^FdV4DJFsxzu1M_YN@O<4&0{ zVIR2~0WlrNl!u6x@1L!2L=Qo~!?;ITLKH}gs2Y*GLS=+j0t5-CqE%!O(rLlzeV5k~ zZtBYGk-n(4)65wL*tT9QrR&_~Ho*Wl@Py9u#Th9$yke>Olv^@NgMSW{7lYl<3gwaS z{ITM>;=bj$k jo|!^+y67VWl>-*g8MnpUPAPE9e-=S^(B*1qDq{< z_Id*spXtb=?$IqgC*-FehV9q+Pi#wQEXrW>`&4VV^LA{MJ!;?+L&gHOSolUt %O#G^ ?RKFsr7GlOS3C8o4gI zBDFhlY|Zj4mf>uf?9s=Sd78F@I8Olm@(o2;;YxId(&eXznR_dxQ*|=h4UDE3)X!mP z0=%dwY Xft8c08+NHDXLnM->WdT^4m7lB|gqPw0>@s>XQjTLX7J9{1Z!>LQ z=9b*g)l8jFcbs=)ijX5nWbU0=$MQPwDt@YXajv $3W-@uCQ zzIkluZia8ArFFb^m6%0C`3eaU(Zy!QgtN~Ts4jCz$xvRW=~ggTe*L+DFVBa7Lh96w zi`3HO)PA71@uNVI@kz!g;8R}3JygdX?=2o5*C9n6=T_dajj<>7S9ZF`n#@*ecaneX zrqmBBCDP1OoVUw$WeURyv!grlEGTds4?9 wEAB$5L~n!+!RHj0AxqtArbk;B=N- zwd3ULjNW^`UgQzjeVJRTBj@Zn -vSBz+%?Q!6vR}JAL`-Fc-Qi5WMa7*kl@8WB^wZl1?i&Y++ zTwGj +ZH$<8h!F@pmQRym}DddM#9nf<9-M_^x47a(iUHglL=V z#W2r+{+kY09%$q&Uoh5i9J=aHud0caAXo>+PVX*noYBQ#j0hL+`43(>oEefArC1JA zfq6bQ7t>#**{I^vWQh3MEahTs!sY8}@W^e5*l3I1{JesvP#IUbkylijV`qZ?(p_1W zwgFtWbFJ0|{?R9bDpvV?t=|6iXTp&`BbY0BIT9n%RzdmmeZcit=1ab&97Ee-o?*ha zN>`Ezgwg|&n8L2=kmHfJslvF;&DEW@)r^{F>{cY&iz$k5yV IZ4~W!a+L1@D;%?qdTdd$Y{8_BT>gb**0|S~h(>?2@?-;%pcDA Mb1TDQ{^KvZDuMwayFP1=2wXY&&X$tWhDhUx?jml$k?dyPWBK4u3Z1yr$3Zy z3wx@u55Ng!3Z59#waFIlH|dYz+w;2(6Dqyu&bxiqVA4Mat|R;DxpppBzmOgP2qHf8 zl3*e@y4^(>9v3>`@Bdj5gb(~$-JLu%ya+3J5pwQFV|4YH5tSNOZRZFL;R6cuoE@kK z&O)2o8&AF!UXSI_YOl~G`(YCw?&pVJ;k0zGOKvAe^(M7%G9?`H=j62}jwvIsPuR1R zKd7o*Er^z!r 6ckHZqWx%u^1r{~xaNTwT`0Y~_D4tVrtp~!Qtds-%o6>6Tm&^m(`5~Ja5IDTb# zxteF#Xj3@Y_2WqK6dXh<(H>SP4Pif)FWu`G0LBcxAzvf_t-xRB#arn)0)=g#ROpBL z_FMr!T>1scPw;7+PYhGckml7oa^f>@q^&$^?t#ODeJ5CDyCC&`kn)bGavZP?yx@)H zh3q-e3vFq5S#2>e855%V=M 9nDrjw*GC!B{9whCkbRE&&XSpY6oy}O3- zCcceKy7S_Y5zMdH@gT=HFjX*c K-gO5(MhVkmYAN=yMQYdSBmpzQZp`KA67A96fW*dQ^xP zx+CxcdYTtL3FZ7RW-qQo3hqXxZ0HSWQ^ FxBd*>m|mH_#YB*=pA2J>lJ@j$1Bc6&hXU#$hAM_~T(Z^)}k zAZrYLay5~=DyG*cO)_qu!Cy1X12sQnF;Za`e!dajqb?KT1L&x@F#a1ddXII>Hcl5N z3RuyOf6SYMN#F}PXNLzl=&$sV*dVvP(UrO%_zTYa))c1V#sp>1s#hDe@U3XU)c#fe z{^~^2%P!xOgj`8*F7yA_EtDdoxwv~qX$5W}ft_LRmotalEfR-C2c%I2u`#R&Dl6ml zDsT?;h+lfZR}Jm{Djv2FyPFfQcSfUNnSiAdK-az2cS5yOqUO!JobP3B@y0T9;M0pT zfyhb_&c*ytF6KkBnBr>kTMu}apuNV0Pd{>0F7ZOIhyDid U$ybP)m6h-`M z9C!`bZzWF8%BjNWMNPA#7}j$lf59Up2A;cgIy*%7kMZ%*q0D5bl3(`)=nfp~IF>K* zUoRSsA7x$?;!kj(ID@N^XjMJU!z7|MBI5Y_?l2wLuwJWYE6!^#!<*^?YnEkm!lhGk z$y? ;nJoIZPpE^g&$Hwwa-YJ0iydJ}EfF&z#&U|?#ePyqa8-whB|6cwZ`xz7* zTxQ!VQr%MEp1QlfE(1j#yZJUf{X??2_qb+(c9&*}!Prsrk?_&V!7>~)1D_e~1RvUG zG{kZ0bVIqf7^?}-JX?J+<}os}@yK8@F5yj!S)w;7>Wy1T?LpI!;k}yTy=i=WX@3rY z=n0LDjp#@lf4}2TN5hdM+siY&Y8(bRcJk?C`nr$`D*q9#*)p{2m4zPFlTLMl1!s)j z|1s>PD7-kBX8IJR2OPT@B(Yee27Lu>wOF8()fG98Mbq)L6Up2dcFM5EjzH>O7v1-= zXYyz4klVoR^%CD=m}2k`PQ;f@E^|gFq3Gy?;^w8Nb!zCIa`0SVS?7w>d)onxuwk&e z1b=Y##(B8-FKGd`cw|YdU=LP#`1JdjP_gEf&>&e$ZTpRH)I8GLclp+b%jIHzVLv=S zgv4d3%j|>d=q2v?V1Z6g=}Ej=GKb$^*$49R9aCst(^1Szs8ox<1`ID@^_XCtpZ02l zomucccQ4Ylq4(B1qPz;S}jv6Wuud!dR>NWKSD_)uv>4+LTn!($d`TvKp`^DgM4S z_cHJ?<=+oP;p_2SwxeX!u=+jH-F*%#pnfG;ng%yLt0b9`B7FmwE^1r|)$0dA^G@(I zBBdH7VZlB`I3J>ENxpktGfOwNH8av&XD>F9?KVS?cZ44CmU;UXztc%uq{n*%lXU0L zkIy{k6^2!65@4E;juM*+c%L|N>9+!uPaF!Qk*8tAKSShy9Udp~>A@4*>qD$IM)yilV rZ8H#7`g>s`V`T`(%q bd@&Y^Hv56WhatHTm~5X=nKs^@d!HP+JsoxJ8(bhU5V<@Bt27E zppo7F_be8}{4_(}d^dKkucSO`9`e@l0K%ZHvOzL(V;8ObpIrI#8uC%I2tgoMutv-7 z%KPg4)*{<{gTDufTt3c+q1Sv@tEM7me5-oB;Kh|aaN1Qy_JIwHzdm*0cjXy9pghk) zg@g|>uJ=dMRJMKfvf(3-j{LUr_iZ%Fe^`Kzsl8S!s>tvWrWZjZ8|}xjrn)rNM#|P@ zLxp;5`R8?Ty(UMs$skiVS0kex83YLeeAy2L$hG^yJ)cVYUd}`5E*{*@iC~HD*oTW- zAh3&vk2w*tJHlp|^7B6}#nUQ$^U(jgf16+*8o2*hrRX@RHwk-M?G&Dq&1W=fovbR1 znoifAOL{I&fUswXiHXl91?v>u<1e^vl7y_0#0|H&{`!7VXnboKSV=zKB}mxOQl#i2 z0E}*zDb(o&vL#v!@sUNGm97}L@0zdGuS|8DL?f49sJ+GZ_vKRf)>!27dqltX;Bx&E zgPToB88GVSzL_(RCP7b_;S@E}%VP1@1C(Wi`gznJ9L zj+S~b;vqMO{mgW4^A}|ujDQ@{T(c9%C7r )u~qK29PP)%FPH!1+;` z$b7?C_FiZR0nNY?praG!9doEl4?^Tl>RSUwdX@}28s?9~J)C11vTEQYE>pD0AlDuQ zL_Rl+<>-aN247v#JJ`E^hVxC{gu-L)MPa)v&xvaTQN^fSchCI8FOGjN5@-|){;(`O z_C&&xiC65MjBwbI?^Rh^K#*C#`U0*lf~edTpcKlXwER&~@`A{RP4$}lU#mCDS2?qH zy tEO9{&U@hf3AxuKgjpT z!e9Ny_jG*pa$W`nH$D)Z1(2{D^mA+#Q?H-f<_`vhM7eSP^`02 tv2M3 znbm2*>_KoESjxXY{n|fT0yf!B2$hw0*Jmh683&M&5}GrtN8%7X^3^~I5oDSP+E1Et z1|Q_dV=G8nVOn;Edu=ic?!T(h$E<#lCQDF^<+wP`p`!VIE%a%8iN_3QU`$xwbApkU zGwK6>51gws;{dYr9B8Drm4N5CRh~iE4pX49+8EA0$}Hq{@U9x#z;!~VKivPM0!!Ox zF9vIo-}QgJFj(osB=V8@vK+s!rGakXh?+;3!O%0R35YwCUR$b5v$zj{=P|tn7=-WA zb`O=xkp~H5kr+VUxDOFFP@)|9^WHC|>I}~-IDnP53qnv!Dvc|n1ml2@Zc>m3JrTP= zM7g>!=F3E?{g%OBbM*rQ{^yL|bx!ZumQd}f!*<0@KwNf0$Z)omE`OR3FU$fm^WTx+ zFyypmBAZhBhH*DP@!wymH&L@(=Gtor{Sv}G7meXZa+=?08zVo0@F$Rk7>*>D25Gfg z#wmts919Yl-Ae*ArLcNeiL7{UH!{Bcy _Fw@8kT!TXP5s+nb)H$ zBEwbYyZi^{FIc=pQ?SSmZC-dP6!b2z%zW^~zs=_cV888|qvPGQ `}OK1 z)hwt5oj5u%m(_<5j-O*K&zq+49g2>e4A8|-F|;r0{d?G4RDUAX6Q~u1Rf9p@YAPTg zAO{X#+Q}=mE4QR;3Sk9vwXKzDE#cM$>1qpv+6e;%I<;e_BU@<@fL%8BY&owJ50U0j zKtj(9#NM;eMBSt}?z&eYV$1G?uf~j4z|tH#-IZstS=X(}HoXrVCFe1y8-kKpLs?p+ z1glIg$={=ZWn{;zI`w`w@ku9iap?k7%iYC2$!Dh%kWSady8}OtkDM1|;P0!B^jy>P z*~p$0kh~Bwr4t8;uBl1HcFhaaO7;CW?tiRn {7@klHxUsm-Om0$m==3_GV 42!9gF-TwVKr8$9z4cM3SI$Bg41R>k5<+@6Qlj=|Qoi9| zFNyIn!H%;#%*Vib{}d2ky&X!|(e;WwlM5}cdX MX!C-d982xucNO ztZB~XwKB2rI9;3E_ebY5D(Oc4fTLb?#?-+3(6PV#k&- O#m z-Pd#R&OOQHTN?>I@gNQD_?oZPfg+c&LFm`t<*0!&Aqa2r2CHgn=jV8zaLx4_dbzh# z3X{V@=qm;e@mb)MSM`o46HDzrV>tN0m|hlO+$}t_f)q6@e!Q>W1sGB%!c5*sS@CG) z7LqgNwcs5#dx!UHw7LRf<042qgt!80qZ4GlmdIh|Xfs!Q_^ms+H}xQo*BXgEh%;!d z-QELg@w@P=p6pn5jhwr9a}8X|XB^6hzx-?C#WM2ZBScmn@=2K(MD#K)$I(&JX9aX{ z>^78w%TyC1H`5Lm&9-|UodR8vhxJFlQ@;eBl*oNOV|P1MO!zhS7zpNEw%Rhf48%!T zQ7^~O0LHQ-*PRYyPrx!erR_AcE Dqnc(-^A$P-EE$KA zGt0&!SQ8@lXgJ<4JnXWwf?jo9C0<*c8%0k&3+A1<=zi0QION4DPDj?FF>BCiwRGt# z1l0zrR7v{m@s@isHN=#AQw+yL1{)wGNP zR?2^SkXQZm(@;gL0GLdNtpZ zh998ZT@pwco(yXiwL4`K$=Tc7+6M L9lg6$@3}q=$R#=aT^us2#Z=0I4vAGA)QKfGK><1$serCvo zSW@E!%_Au>x3d(7Uo}*Rp%33;g@D#Je3);y*phvzM$(QC<^<#gp?G?!vU%Yh6E1ch zLi^!uA~$L(DymDTBh8baKv`WtsLc`S^RD9h@w-r|zhB%>S)@~)6$7h-*r^6d&0pUE zhH7OKxnNt5sO5doX;%nS)+Td<52B Tju-}`!!{9ba>62z-V?Q%M0nf z?ey{bWoju{;fv_(&yjGc?T=1G61GUqcImBWLtDrP%)cQ3uOtbPQOj05-{I3DTYn%# z64rm3{<^8!YPLz4#=Gkht10TBH@akWTk}C%RX`=HZ+FX}tmEH{Gfu(|pJ00DZIVMf z1QV_*EhQiDP!GjkoS<6|P7@+GZ%(iZQNW{zQo2e#<5SuoK>n~Ey3pKTW7^xHOl#G# zNkw47xnu7rx*O*Vq1uiHAG*518q>7Edm#!H@d($0Ss-%1{U~YBh}}#1Q~MqwvP4K~ zjntrw^k$Gl!~0MD&Q-)F$(6yP6h1AH@Bh@V42wt4DtaqzDEZZu9nBJX)QnD*w3e)n zD-|~!?S&}Y>9#~_vyfCvx0iY|-U2p?DO5!jt|X3LSnht;!6Zj?2SCnM7MHM %Zb{l CLh+O@TEcPa6?0WnIFs`zJh^rScJ3~o*R0=u z+?dcGF^m6EiS8}?MTa#D{zMT8p}Fa6imowy*Lnmhnu6Q$yE_hBlg#m@U=#e8Jcb5n zg;Y6`w(HIs5S70PCuHjm@of|PFcj(6>}nDtB_hK?(Z!5seU^<&B%>}Y@6)VDg^S{o zG*J$-sGxI~v@3~{ZJ8!F(^@{KTolCM_;P90P`@F-ZuTPI$%yc4jP?Wj?C=j>LN4ql z =C9Mf7qZ})VaZHFM zB*qov)})Q1TH~l;%FViBqM}i9M!CyPC0DM9hHBUvp%ppSXhOmiYjb9wueI8J{a(L$ z&7a@T_jta~_xU{U_j6&M<8ysbJey2UCs9?{zMo|>)wxXx!M=y;xw_iB*?7V09SN}$ z_?%#cY4;uF!Ly|F(W?VccDy&T8`=|N6&-S1)Odq@2?D}QtXM4f5dpuSOx&(CyEN1c z`!UW3($!Ko6RcA*pIgjY>S)|#PioED?ucfnW7Dn*m|*hlDDK+apW1K*p)j|of@WT- z@`2B)R=UPY?ne#n;GR=#7DoE^fQHtVXqm=KE5hj0auLg-Jj{@pJo{5tGqA6p^@}Ll zS!Q5moa5q`<02B^UeB|-yIkph*z~ffTA%~HRIM#Ema5uhlo&nSa{cu-{zpvDcKMhD z)4c;byssGRp^pT#4#_ikqtBREB~==oTqCm9h=(C`^R>iAzZ6d|?=4wT&)HE?wSp?F zt@_1i{B3zgQi%9f1E+g aa zw9b@vaY-I6aVZ9$RQhB=mcj3#bLjal9|D1Qd0 RW~t^MUAR7_9IiwFAT321$3P=k917e z$U2=Q5~IjO>)e;i+^lbi-@1217PZgw$(Z?O=F0xl89R7}8fnHqCAhf;@>lRtIg*^w zO~&2|g4aLBW32wjD4amX$U0E*+ijn(if*omsqt|@4YiH(1??`bXBocpz?XuB>mnf{ z9Mr1l!=~-hr1zf@u#)Wh0-Iv*EBz0=tb3B-93xW%Q &;zgdC zo#7ygV*7^ri0O2#Ks&11kziqsmD^=w7)_yp&;yY;Lr?7t-Q9IZA}TB6)Lo*s)g9Zr z-_ ?_ke93Bd#>w4Wt}`#K%B_<|;wgh>0q$Eai#3fH zn+_$vi`I)&Ke=xk_1HUt4ikIZQYKAZr~=)~caekCKzz1zQm$cpSb Fz%OAUQy<@jp^EuKSf9PSNrAg z6D8It`ZaxFqdwvF-ca8EA)${sbn&*>zK=U((h581`AK3Y-jX{`3t4+(ns~xknJQh@ z&b$mGF-1L7&tL^cQY?{#8_L 0wXXwP4K}jyuokup~szMyVI`!{O99Ma52*NYWdc-g&6M3ZHTg zs!J3>Au-Os{|#74XhK}quk>s&IoT~I&)s~?HZ7umv(3u0$2ZJIa9;T(>mEcnD(J8Q z<-M+7&B++#tm@;>3Whzm;peb&&83nJeG`+TQiOHpLz45WKs<4wWe~x^C1yEV-^U-i zha|&kzO~Ji5FDn?F*0%e(lpzR`&gES`-lrGJsJDuF8CHw)mqFOVvPOAw_-O{e{xyU zsqQ|y#Ld&d>Pd q?ilsTDVYnW4fE4NV7z1MnjPn-YF*K+{TYrL{yerRDZq@6Z;*xldQ o{mMc(c}3R>P8tbW>M>x zi5oxYQ$mAG#LKe)PxZXMXWtDo7v-F#-*~UDlg!{^9e ccFL@xH%FPA~GsFH9ge<@obx>O7~QPc}xfI zQB-i~+v}#88c>89v@D-L_$hH5ra7b`wJQjEwJEWY50Z|xi~Cpjw{_H^MQF`@(|5z` zaeR5Eo|2r1SHmlm9xaRwW0nEneIoYD<&c)1OTeJ20^CuBg1OjNbPbz--m5;c@C8|p zl3anu8BId+>Id-B>mZHqk}AwAcZRwf5@c2)lqOp2VHBiktnIf8h|2#i?mBUtY^iP} z{w>a1eF1Lr*9^%viB}MFyxvRKIJJH$>UWzKlE2JmTt|3bJ|Bqil15*oBChKY2vMop zbMP%P+l+6Qw)(#%e*z>w^fIuTl3b2gYn|$^Nr&ieI*n%74QbtMlU)fZ!|hybV6m#8 zmJ*ZOqw>!ydkYJv85c^I6%;}GFp9YBq9&AZB8*X>>8?9(0iFFjqKkZSlE}rTUj! ^{eeZ{cs{XCp_3sX0v&uK%fX>9fLLMy6ra`E8Qr<( zGB@!X30gk?`DzDi0aC+5_B_8sxc0ZAhoj~#4JdQOuax;@tl$)%&)4Mz65wqTw6!4t z68#g)Q!Fu=-{|;+vt_=&itGaYU7Z)du-R #7Hze2&5|qzvpEvwnR=au(COKCd zHhMvIC=I~%)K!YvQW5mMe75=J95+Z3rmGI~X6&mNVrj%-cHW>*7-u13H7LhLH83Fk9%SywbF zyH_8(c)rf}{R`kyEbvc}S=5j0tq*NT2s)g>DM`advYpXUwddX_BXQXqPiw(;7L=8# t$TCfu+qylGkKKPx{@atFq+r#I`4Z8%#l@L9|Cr4IKXYROzSPk1;$OsP7x(}G literal 0 HcmV?d00001 diff --git a/docs/gettingstarted.md b/docs/gettingstarted.md index 8abfe3b..8370d61 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted.md @@ -45,7 +45,7 @@ services: ```bash wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv ``` -* Edit splunk_index.csv review the index configuration and revise as required for sourcertypes utilized in your environment. +* Edit splunk_index.csv review the index configuration and revise as required for sourcertypes utilized in your environment. For instance, add *cisco:asa,index,netfw* to splunk_index.csv for Cisco-ASA data source. ## Configure sources by source IP or host name * This step is required even if not used @@ -66,6 +66,7 @@ docker stack deploy --compose-file docker-compose.yml sc4s Additional hosts can be deployed for syslog collection from additional network zones and locations + ## Single Source Technology instance - Alpha diff --git a/docs/sources.md b/docs/sources.md index c9a426c..dff4b07 100644 --- a/docs/sources.md +++ b/docs/sources.md @@ -30,7 +30,7 @@ MSG Parse: This filter parses message content ### Setup and Configuration * Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. * Follow vendor configuration steps per Product Manual above ensure: * Log Level is 6 "Informational" * Protocol is TCP/IP @@ -80,7 +80,7 @@ Verify timestamp, and host values match as expected ### Setup and Configuration * Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. * IOS Follow vendor configuration steps per Product Manual above ensure: * Ensure a reliable NTP server is set and synced * Log Level is 6 "Informational" @@ -151,7 +151,7 @@ MSG Parse: This filter parses message content ### Setup and Configuration * Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. * Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. ``` @@ -189,7 +189,7 @@ end ### Verification -An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a build in command +An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command ``` diag log test @@ -431,7 +431,7 @@ MSG Parse: This filter parses message content ### Setup and Configuration * Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. * Refer to the admin manual for specific details of configuration * Select TCP or SSL transport option * Select IETF Format @@ -439,7 +439,7 @@ MSG Parse: This filter parses message content ### Verification -An active firewall will generate frequent events use the following search to validate events are present per source device +An active firewall will generate frequent events. Use the following search to validate events are present per source device ``` index= sourcetype=pan:*| stats count by host @@ -475,14 +475,14 @@ MSG Parse: This filter parses message content ### Setup and Configuration * Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. * Refer to the Splunk TA documentation for the specific customer format required for proxy configuration * Select TCP or SSL transport option * Ensure the format of the event is customized per Splunk documentation ### Verification -An active proxy will generate frequent events use the following search to validate events are present per source device +An active proxy will generate frequent events. Use the following search to validate events are present per source device ``` index= sourcetype=bluecoat:proxysg:access:kv | stats count by host From 242204939f5ac545450790b44bea09feef666771 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Tue, 10 Sep 2019 15:22:21 -0400 Subject: [PATCH 06/11] update compose for swarm (#76) Documentation updates for beta users covering podman, docker, and docker swarm --- docker-compose.yml | 3 + docs/gettingstarted.md | 69 +++++++++ docs/gettingstarted/docker-swarm-general.md | 111 ++++++++++++++ docs/gettingstarted/docker-swarm-rhel7.md | 136 ++++++++++++++++++ docs/gettingstarted/docker-systemd-general.md | 69 +++++++++ docs/gettingstarted/podman-systemd-general.md | 73 ++++++++++ tests/conftest.py | 6 +- tests/sendmessage.py | 6 +- 8 files changed, 470 insertions(+), 3 deletions(-) create mode 100644 docs/gettingstarted/docker-swarm-general.md create mode 100644 docs/gettingstarted/docker-swarm-rhel7.md create mode 100644 docs/gettingstarted/docker-systemd-general.md create mode 100644 docs/gettingstarted/podman-systemd-general.md diff --git a/docker-compose.yml b/docker-compose.yml index f070f97..7493bab 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,7 +17,10 @@ services: volumes: - sc4s-results:/work/test-results environment: + - SPLUNK_USER=admin - SPLUNK_PASSWORD=${SPLUNK_PASSWORD} + - SPLUNK_HOST=splunk + - SYSLOG_HOST=sc4s sc4s: image: splunk/scs:latest diff --git a/docs/gettingstarted.md b/docs/gettingstarted.md index 8370d61..0172e22 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted.md @@ -1,4 +1,73 @@ +# Getting Started +Splunk Connect for Syslog is a containerized distribution of syslog-ng with a configuration framework +designed to simplify getting syslog data into Splunk Enterprise and Splunk Cloud. Our approach is +to provide a container runtime agnostic solution allowing customers to follow our guidance or adapt the solution +to their enterprise container strategy. + + +# Planning Deployment + +Syslog is an overloaded term that refers to multiple message formats AND optionally a wire protocol for +transmission of events between computer systems over UDP, TCP, or TLS. The protocol is designed to minimize +overhead on the sender favoring performance over reliability. This fundamental choice means any instability +or resource constraint will cause data to be lost in transmission. + +* When practical and cost effective considering the importance of completeness as a requirement, place the scs +instance in the same VLAN as the source device. + +* Avoid crossing a Wireless network, WAN, Firewall, Load Balancer, or inline IDS. +* When High Availability of a single instance of SCS is required, implement multi node clustering of the container +environment. +* Avoid TCP except where the source is unable to contain the event to a single UDP packet. +* Avoid TLS except where the event may cross a untrusted network. + + +# Implementation + +## Setup indexes in Splunk + +SCS is pre-configured to map each sourcetype to a typical index, for new installations best practice is to create the following +indexes in Splunk. The indexes can be customized easily if desired. If using defaults create the following indexes on Splunk: + +* netauth +* netfw +* netids +* netops +* netproxy +* netipam +* em_metrics (ensure this is created as a metrics index) + +## Install Related Splunk Apps + +Install the following: + +* [Splunk App for Infrastructure](https://splunkbase.splunk.com/app/3975/) +* [Splunk Add-on for Infrastructure](https://splunkbase.splunk.com/app/4217/) +* [Splunk Metrics Workspace](https://splunkbase.splunk.com/app/4192/) *NOTE Included in Splunk 7.3.0 and above* + +## Setup Splunk HTTP Event Collector + +- Set up the Splunk HTTP Event Collector with the HEC endpoints behind a load balancer (VIP) configured for https round robin *WITHOUT* sticky session. Alternatively, a list of HEC endpoint URLs can be configured in SC4S if no load balancer is in place. In either case, it is recommended that SC4S traffic be sent to HEC endpoints configured directly on the indexers rather than an intermediate tier of HWFs. +- Create a HEC token that will be used by SCS and ensure the token has access to place events in main, em_metrics, and all indexes used as event destinations + +### Splunk Cloud + +Refer to [Splunk Cloud](http://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_managed_Splunk_Cloud) + +### Splunk Enterprise + +Refer to [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) + +## Implement a container run time and SCS + +| Container and Orchestration | Notes | +|-----------------------------|-------| +| [Podman + systemd single node](gettingstarted/podman-systemd-general.md) | First choice for RedHat 7.x and 8.x, second choice for Debian and Ubuntu (packages provided via PPA) | +| [Docker CE + systemd single node](gettingstarted/docker-systemd-general.md) | First choice for Debian, Ubuntu, and CentOS distributions with limited existing docker experience | +| [Docker CE + Swarm single node](gettingstarted/docker-swarm-general.md) | Option for Debian, Ubuntu, and CentOS desiring swarm orchestration | +| [Docker CE + Swarm single node RHEL 7.7](gettingstarted/docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring swarm orchestration | +======= # Pre-req * Linux host with Docker 19.x or newer with Docker Swarm enabled diff --git a/docs/gettingstarted/docker-swarm-general.md b/docs/gettingstarted/docker-swarm-general.md new file mode 100644 index 0000000..24861a0 --- /dev/null +++ b/docs/gettingstarted/docker-swarm-general.md @@ -0,0 +1,111 @@ + +# Install Docker CE and Swarm + +Refer to [Getting Started](https://docs.docker.com/get-started/) + +# Setup + +* Create a directory on the server for configuration. This should be available to all administrators, for example: +``/opt/scs/`` +* Create a docker-compose.yml file and place it in the directory created above based on the following template: + +```yaml +version: "3.7" +services: + sc4s: + image: splunk/scs:latest + ports: + - target: 514 + published: 514 + protocol: tcp +#Comment the following line out if using docker-compose + mode: host + - target: 514 + published: 514 + protocol: udp +#Comment the following line out if using docker-compose + mode: host + environment: + - SPLUNK_HEC_URL=https://inputs-hec.kops.spl.guru/services/collector/event + - SPLUNK_HEC_TOKEN=02450979-d363-4e6c-b6c9-796d8b546a6e + - SPLUNK_CONNECT_METHOD=hec + - SPLUNK_DEFAULT_INDEX=main + - SPLUNK_METRICS_INDEX=em_metrics + volumes: +#Uncomment the following line if overriding index destinations +# - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +#Uncomment the following lines if using a host or network based filter and log_path +# - ./sc4s-juniper/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv +# - ./sc4s-juniper/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf + +``` + +## Configure index destinations for Splunk + +Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. + +* Download the latest context.csv file to a subdirectory sc4s below the docker-compose.yml file created above. + +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv +``` +* Edit splunk_index.csv review the index configuration and revise as required for sourcetypes utilized in your environment. + +## Configure sources by source IP or host name + +Legacy sources and non-standard-compliant source require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. + +* Download the latest vendor_product_by_source.conf file to a subdirectory sc4s below the docker-compose.yml file created above. +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv +``` +* Edit the file to identify appropriate vendor products by host glob or network mask using syslog-ng filter syntax. + +* Start SC4S. + +```bash +docker stack deploy --compose-file docker-compose.yml sc4s +``` + + +## Scale out + +Additional hosts can be deployed for syslog collection from additional network zones and locations. + + +## Single Source Technology instance - Alpha + +For certain source technologies message categorization by content is impossible. To support collection +of such legacy nonstandard sources, we provide a means of dedicating a container to a specific source using +an alternate port. In the following configration example a dedicated port is opened (6514) for legacy juniper netscreen devices. + +This approach is "alpha" and subject to change. + +```yaml +version: "3" +services: + sc4s-juniper-netscreen: + image: splunk/scs:latest + hostname: sc4s-juniper-netscreen + ports: + - target: 514 + published: 6514 + protocol: tcp +#Comment the following line out if using docker-compose + mode: host + - target: 514 + published: 6514 + protocol: udp +#Comment the following line out if using docker-compose + mode: host + environment: + - SPLUNK_HEC_URL=https://foo:8088/services/collector/event + - SPLUNK_HEC_TOKEN= + - SPLUNK_CONNECT_METHOD=hec + - SPLUNK_DEFAULT_INDEX= + - SPLUNK_METRICS_INDEX=em_metrics + - SYSLOG_PRESUME_FILTER=f_juniper_netscreen + volumes: + - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +``` diff --git a/docs/gettingstarted/docker-swarm-rhel7.md b/docs/gettingstarted/docker-swarm-rhel7.md new file mode 100644 index 0000000..ebabb18 --- /dev/null +++ b/docs/gettingstarted/docker-swarm-rhel7.md @@ -0,0 +1,136 @@ + +# Install Docker CE and Swarm + +*Warning* this method of installing docker on RHEL does not appear to be supported: + +Enable required repositories +```bash +subscription-manager repos --enable=rhel-7-server-rpms +subscription-manager repos --enable=rhel-7-server-extras-rpms +subscription-manager repos --enable=rhel-7-server-optional-rpms +yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo +``` + +Enable EPEL +```bash +yum install wget -y +cd /tmp +wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm +rpm -Uvh epel-release-latest-7.noarch.rpm +``` + +Install required packages and enable docker +```bash +yum install docker-ce -y +systemctl enable docker.service +systemctl start docker.service +``` + +Initialize Docker Swarm +```bash +sudo docker swarm init +``` + +# Setup + +* Create a directory on the server for configuration. This should be available to all administrators, for example: +``/opt/scs/`` +* Create a docker-compose.yml file and place it in the directory created above based on the following template: + +```yaml +version: "3.7" +services: + sc4s: + image: splunk/scs:latest + ports: + - target: 514 + published: 514 + protocol: tcp +#Comment the following line out if using docker-compose + mode: host + - target: 514 + published: 514 + protocol: udp +#Comment the following line out if using docker-compose + mode: host + environment: + - SPLUNK_HEC_URL=https://inputs-hec.kops.spl.guru/services/collector/event + - SPLUNK_HEC_TOKEN=02450979-d363-4e6c-b6c9-796d8b546a6e + - SPLUNK_CONNECT_METHOD=hec + - SPLUNK_DEFAULT_INDEX=main + - SPLUNK_METRICS_INDEX=em_metrics + volumes: +#Uncomment the following line if overriding index destinations +# - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +#Uncomment the following lines if using a host or network based filter and log_path +# - ./sc4s-juniper/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv +# - ./sc4s-juniper/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf + +``` + +## Configure index destinations for Splunk + +Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. + +* Download the latest context.csv file to a subdirectory sc4s below the docker-compose.yml file created above. + +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv +``` +* Edit splunk_index.csv review the index configuration and revise as required for sourcertypes utilized in your environment. + +## Configure sources by source IP or host name + +Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. + +* Download the latest vendor_product_by_source.conf file to a subdirectory sc4s below the docker-compose.yml file created above +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv +``` +* Edit the file to identify appropriate vendor products by host glob or network mask using syslog-ng filter syntax. + +* Start SC4S. + +```bash +sudo docker stack deploy --compose-file docker-compose.yml sc4s +``` + +## Scale out + +Additional hosts can be deployed for syslog collection from additional network zones and locations. + + +## Single Source Technology instance - Alpha + +For certain source technologies message categorization by content is impossible. To support collection of such legacy nonstandard sources, we provide a means of dedicating a container to a specific source using an alternate port. In the following configration example a dedicated port is opened (6514) for legacy juniper netscreen devices. + +This approach is "alpha" and subject to change. + +```yaml +version: "3" +services: + sc4s-juniper-netscreen: + image: splunk/scs:latest + hostname: sc4s-juniper-netscreen + ports: + - target: 514 + published: 6514 + protocol: tcp +#Comment the following line out if using docker-compose + mode: host + - target: 514 + published: 6514 + protocol: udp +#Comment the following line out if using docker-compose + mode: host + environment: + - SPLUNK_HEC_URL=https://foo:8088/services/collector/event + - SPLUNK_HEC_TOKEN= + - SPLUNK_CONNECT_METHOD=hec + - SPLUNK_DEFAULT_INDEX= + - SPLUNK_METRICS_INDEX=em_metrics + - SYSLOG_PRESUME_FILTER=f_juniper_netscreen + volumes: + - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +``` diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md new file mode 100644 index 0000000..eb63866 --- /dev/null +++ b/docs/gettingstarted/docker-systemd-general.md @@ -0,0 +1,69 @@ + +# Install Docker CE + +Refer to [Getting Started](https://docs.docker.com/get-started/) + +# Setup + +* Create a systemd unit file use to start the container with the host os. ``/lib/systemd/system/scs.service`` + +*NOTE*: The 3 volumes "-v" are optional and should be omited if the customization options are not used + +*NOTE-2*: Replace the URL and HEC tokens with the appropriate values for our environment + +```ini +[Unit] +Description=Splunk Container +After=docker.service +Requires=docker.service + +[Service] +TimeoutStartSec=0 +Restart=always +ExecStartPre=/usr/bin/docker pull splunk/scs:latest +ExecStart=/usr/bin/docker run -p 514:514\ + -e "SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event" \ + -e "SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94" \ + -e "SPLUNK_CONNECT_METHOD=hec" \ + -e "SPLUNK_DEFAULT_INDEX=main" \ + -e "SPLUNK_METRICS_INDEX=em_metrics" \ + --name scs \ + --rm \ + -v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv \ + -v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv \ + -v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf \ +splunk/scs:latest + +[Install] +WantedBy=multi-user.target +``` + +## Configure index destinations for Splunk + +Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. + +* Download the latest context.csv file to a directory ``/opt/scs/default/`` + +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv +``` +* Edit splunk_index.csv review the index configuration and revise as required for sourcertypes utilized in your environment. + +## Configure sources by source IP or host name + +Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. + +* Download the latest vendor_product_by_source.conf file to a directory ``/opt/scs/default/`` +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv +``` +* Edit the file to identify appropriate vendor products by host glob or network mask using syslog-ng filter syntax. + +* Start SC4S. + +```bash +sudo systemctl enable scs +sudo systemctl start scs +``` + diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md new file mode 100644 index 0000000..6b69f03 --- /dev/null +++ b/docs/gettingstarted/podman-systemd-general.md @@ -0,0 +1,73 @@ + +# Install podman + +Refer to [Installation](https://podman.io/getting-started/installation) + +# Configure SCS + +# Setup + +* Create a systemd unit file use to start the container with the host os. ``/lib/systemd/system/scs.service`` + +*NOTE*: The 3 volumes "-v" are optional and should be omited if the customization options are not used + +*NOTE-2*: Replace the URL and HEC tokens with the appropriate values for our environment + +```ini +[Unit] +Description=SCS Container +After=network.service +Requires=network.service + +[Service] +TimeoutStartSec=0 +Restart=always +ExecStartPre=/usr/bin/podman pull splunk/scs:latest +ExecStart=/usr/bin/podman run -p 514:514 \ + -e "SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event" \ + -e "SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94" \ + -e "SPLUNK_CONNECT_METHOD=hec" \ + -e "SPLUNK_DEFAULT_INDEX=main" \ + -e "SPLUNK_METRICS_INDEX=em_metrics" \ + --name scs \ + --rm \ + -v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv \ + -v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv \ + -v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf \ +splunk/scs:latest + +[Install] +WantedBy=multi-user.target +``` + + +## Configure index destinations for Splunk + +Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. + +* Download the latest context.csv file to a directory ``/opt/scs/default/`` + +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv +``` +* Edit splunk_index.csv review the index configuration and revise as required for sourcertypes utilized in your environment. + +## Configure sources by source IP or host name + +Legacy sources and non-standard-compliant sources require configuration by source IP or hostname as included in the event. The following steps apply to support such sources. To identify sources which require this step refer to the "sources" section of this documentation. + +* Download the latest vendor_product_by_source.conf file to a directory ``/opt/scs/default/`` +```bash +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf +sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.csv +``` +* Edit the file to identify appropriate vendor products by host glob or network mask using syslog-ng filter syntax. + +* Start SC4S. + +```bash +sudo systemctl daemon-reload +sudo systemctl enable scs +sudo systemctl start scs +``` + diff --git a/tests/conftest.py b/tests/conftest.py index ab4fd96..7777889 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -33,9 +33,13 @@ def get_host_key(setup_wordlist): @pytest.fixture def setup_splunk(): tried = 0 + username = os.getenv('SPLUNK_USER', "admin") + password = os.getenv('SPLUNK_PASSWORD', "Changed@11") + host = os.getenv('SPLUNK_HOST', "splunk") + port = os.getenv('SPLUNK_PORT', "8089") while True: try: - c = client.connect(username="admin", password="Changed@11", host="splunk", port="8089") + c = client.connect(username=username, password=password, host=host, port=port) break except ConnectionRefusedError: tried += 1 diff --git a/tests/sendmessage.py b/tests/sendmessage.py index 6b591ad..122381f 100644 --- a/tests/sendmessage.py +++ b/tests/sendmessage.py @@ -6,9 +6,11 @@ import socket from time import sleep +import os - -def sendsingle(message, host="sc4s", port=514): +def sendsingle(message, + host=os.getenv('SYSLOG_HOST', "sc4s"), + port=514): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (host, port) From c964c07f97ab209e3500067a6093105c34a5a580 Mon Sep 17 00:00:00 2001 From: mbonsack Date: Wed, 11 Sep 2019 11:26:54 -0700 Subject: [PATCH 07/11] Docs Cleanup (#81) Fixed filter references in Juniper; cleaned up main gettingstarted page --- docs/gettingstarted.md | 55 ++---------------------------------------- docs/sources.md | 4 +-- 2 files changed, 4 insertions(+), 55 deletions(-) diff --git a/docs/gettingstarted.md b/docs/gettingstarted.md index 0172e22..90917fe 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted.md @@ -67,7 +67,7 @@ Refer to [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE | [Docker CE + systemd single node](gettingstarted/docker-systemd-general.md) | First choice for Debian, Ubuntu, and CentOS distributions with limited existing docker experience | | [Docker CE + Swarm single node](gettingstarted/docker-swarm-general.md) | Option for Debian, Ubuntu, and CentOS desiring swarm orchestration | | [Docker CE + Swarm single node RHEL 7.7](gettingstarted/docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring swarm orchestration | -======= + # Pre-req * Linux host with Docker 19.x or newer with Docker Swarm enabled @@ -76,60 +76,9 @@ Refer to [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE * One or more Splunk indexes for events collected by SC4S * Splunk HTTP event collector enabled with a token dedicated for SC4S * [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) - * [Splunk Enterprise Cloud](http://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_managed_Splunk_Cloud) + * [Splunk Cloud](http://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_managed_Splunk_Cloud) * A network load balancer (NLB) configured for round robin. Note: Special consideration may be required when more advanced products are used. The optimal configuration of the load balancer will round robin each http POST request (not each connection) -# Setup - -* Create a directory on the server for configuration -* Create a docker-compose.yml file based on the following template - -```yaml -version: "3" -services: - sc4s: - image: splunk/scs:latest - hostname: sc4s - ports: - - "514:514" - - "601:601" - - "514:514/udp" - - "5514:5514" - - "5514:5514/udp" - stdin_open: true - tty: true - environment: - - SPLUNK_HEC_URL=https://foo:8088/services/collector/event - - SPLUNK_HEC_TOKEN= - - SPLUNK_CONNECT_METHOD=hec - - SPLUNK_DEFAULT_INDEX= - - SPLUNK_METRICS_INDEX=em_metrics - volumes: - - ./sc4s/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv - - ./sc4s/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv -``` - -## Configure index destinations for Splunk -* Download the latest context.csv file to a subdirectory sc4s below the docker-compose.yml file created above -```bash -wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/splunk_index.csv -``` -* Edit splunk_index.csv review the index configuration and revise as required for sourcertypes utilized in your environment. For instance, add *cisco:asa,index,netfw* to splunk_index.csv for Cisco-ASA data source. - -## Configure sources by source IP or host name -* This step is required even if not used -* Download the latest vendor_product_by_source.conf file to a subdirectory sc4s below the docker-compose.yml file created above -```bash -wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/master/package/etc/context-local/vendor_product_by_source.conf -``` -* Edit the file to identify appropriate vendor products by host glob or network mask using syslog-ng filter syntax. - -* Start SC4S - -```bash -docker stack deploy --compose-file docker-compose.yml sc4s -``` - ## Scale out diff --git a/docs/sources.md b/docs/sources.md index dff4b07..0ff737a 100644 --- a/docs/sources.md +++ b/docs/sources.md @@ -284,7 +284,7 @@ Verify timestamp, and host values match as expected ### Filter type -* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_uniper_idp` as required +* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required ### Setup and Configuration @@ -328,7 +328,7 @@ Verify timestamp, and host values match as expected ### Filter type -* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `juniper_idp` as required +* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required ### Setup and Configuration From d08cd20b1765d01f13e1b09e572ae75e03165669 Mon Sep 17 00:00:00 2001 From: mbonsack Date: Tue, 17 Sep 2019 15:57:36 -0700 Subject: [PATCH 08/11] Fix/dynamic template (#82) * Template fixes Add dynamic templates Introduce new t_JSON_5424 template Add default source * change default source preamble change source preamble to sc4s per official branding --- .../etc/conf.d/conflib/_common/templates.conf | 21 ++++++++++++++++--- .../conf.d/conflib/_splunk/splunkfields.conf | 13 +++++------- .../etc/conf.d/destinations/splunk_hec.conf | 2 +- .../log_paths/P_rfc3164-juniper_nsm_idp.conf | 6 ++---- package/etc/conf.d/log_paths/internal.conf | 4 ++-- .../log_paths/p_rfc3164-cisco-nx-os.conf | 7 +++---- .../conf.d/log_paths/p_rfc3164-cisco_asa.conf | 6 ++---- .../conf.d/log_paths/p_rfc3164-cisco_ios.conf | 6 ++---- .../log_paths/p_rfc3164-fortinet_fortios.conf | 11 ++++------ .../log_paths/p_rfc3164-juniper-idp.conf | 7 +++---- .../log_paths/p_rfc3164-juniper-junos.conf | 14 ++++++------- .../p_rfc3164-juniper_netscreen.conf | 6 ++---- .../log_paths/p_rfc3164-juniper_nsm.conf | 6 ++---- .../log_paths/p_rfc3164-paloalto-panos.conf | 20 +++++++----------- .../p_rfc5424_noversion-cisco_asa.conf | 6 ++---- .../p_rfc_5424_noversion-symantec-proxy.conf | 8 +++---- .../p_rfc_5424_strict-juniper-junos.conf | 19 ++++++++--------- package/etc/conf.d/log_paths/zfallback.conf | 3 +-- package/etc/context-local/splunk_index.csv | 5 +++++ package/etc/syslog-ng.conf | 3 ++- 20 files changed, 83 insertions(+), 90 deletions(-) diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf index b07a8a5..5efd586 100644 --- a/package/etc/conf.d/conflib/_common/templates.conf +++ b/package/etc/conf.d/conflib/_common/templates.conf @@ -44,13 +44,28 @@ template t_hdr_sdata_msg { }; # =============================================================================================== -# JSON; for JSON pretty-printing +# JSON; for JSON pretty-printing (for debugging) # =============================================================================================== - + template t_JSON { template("$(format-json --scope all-nv-pairs --exclude fields.* --exclude .splunk.* - --exclude HOST --exclude HOSTFROMgit m + --exclude HOST + --exclude HOST_FROM + )"); + }; + +# =============================================================================================== +# JSON; for JSON pretty-printing (for RFC5424) +# =============================================================================================== + +template t_JSON_5424 { + template("$(format-json --scope all-nv-pairs + --exclude fields.* + --exclude .splunk.* + --exclude HOST + --exclude HOST_FROM + --exclude RAWMSG )"); }; diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf b/package/etc/conf.d/conflib/_splunk/splunkfields.conf index 3e1d2c9..68e9a01 100644 --- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf +++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf @@ -2,8 +2,9 @@ rewrite r_set_splunk_default { set("`index`", value(".splunk.index")); - set("`sourcetype`", value(".splunk.sourcetype")); - set("`source`", value(".splunk.source")); + set("`splunk-sourcetype`", value(".splunk.sourcetype")); + set("`splunk-source`:$LOGHOST", value(".splunk.source")); + set("`splunk-template`", value(".splunk.template")); set($FACILITY, value("fields.sc4s_syslog_facility")); set($LEVEL, value("fields.sc4s_syslog_severity")); set($LOGHOST, value("fields.sc4s_syslog_server")); @@ -14,16 +15,12 @@ rewrite r_set_splunk_default { block rewrite r_set_splunk_dest_default( index() sourcetype() + template(`splunk-template`) ) { set("`index`", value(".splunk.index")); set("`sourcetype`", value(".splunk.sourcetype")); + set("`template`", value(".splunk.template")); }; -block rewrite r_set_splunk( - template(`splunk-default-template`) - ) { - set("`template`", value("fields.sc4s_template")); - }; - diff --git a/package/etc/conf.d/destinations/splunk_hec.conf b/package/etc/conf.d/destinations/splunk_hec.conf index 81f3187..0132bfe 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf +++ b/package/etc/conf.d/destinations/splunk_hec.conf @@ -45,7 +45,7 @@ destination d_hec { source=${.splunk.source} sourcetype=${.splunk.sourcetype} index=${.splunk.index} - event=$(template ${fields.sc4s_template} $(template `splunk-default-template`)) + event=$(template ${.splunk.template} $(template `splunk-template`)) fields.*)') ); }; diff --git a/package/etc/conf.d/log_paths/P_rfc3164-juniper_nsm_idp.conf b/package/etc/conf.d/log_paths/P_rfc3164-juniper_nsm_idp.conf index 740a10c..3e95c30 100644 --- a/package/etc/conf.d/log_paths/P_rfc3164-juniper_nsm_idp.conf +++ b/package/etc/conf.d/log_paths/P_rfc3164-juniper_nsm_idp.conf @@ -4,13 +4,11 @@ log { filter(f_is_rfc3164); filter(f_juniper_nsm_idp); - rewrite {r_set_splunk_dest_default(sourcetype("juniper:nsm:idp"), index("netids"))}; + rewrite {r_set_splunk_dest_default(sourcetype("juniper:nsm:idp"), index("netids"), template("t_standard"))}; parser { p_add_context_splunk(key("juniper_idp")); }; - rewrite { - r_set_splunk(template("t_standard")) - }; + destination(d_hec); #--HEC-- flags(flow-control); }; diff --git a/package/etc/conf.d/log_paths/internal.conf b/package/etc/conf.d/log_paths/internal.conf index 352c2ac..743c15c 100644 --- a/package/etc/conf.d/log_paths/internal.conf +++ b/package/etc/conf.d/log_paths/internal.conf @@ -30,10 +30,10 @@ log { }; destination(d_hecmetrics); #--HEC-- } else { - rewrite { r_set_splunk_dest_default(sourcetype("syslog-ng:events"), index("_internal"))}; + rewrite { r_set_splunk_dest_default(sourcetype("syslog-ng:events"), index("_internal"), template("t_msg_only"))}; parser {p_add_context_splunk(key("syslog-ng_events")); }; - rewrite {r_set_splunk(template("t_msg_only")) }; #--HEC-- + destination(d_hec); #--HEC-- }; }; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco-nx-os.conf b/package/etc/conf.d/log_paths/p_rfc3164-cisco-nx-os.conf index d282022..a0c1e8e 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco-nx-os.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco-nx-os.conf @@ -3,13 +3,12 @@ log { source(s_default-ports); filter(f_cisco_nx_os); - rewrite { r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_hdr_msg"))}; parser { p_add_context_splunk(key("cisco_nx_os")); }; - rewrite { - r_set_splunk(template("t_hdr_msg")) - }; + destination(d_hec); #--HEC-- + flags(flow-control); }; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf index f63aad9..866fa14 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf @@ -9,13 +9,11 @@ log { filter(f_is_rfc3164); filter(f_cisco_asa); #set the source type based on program field and lookup index from the splunk context csv + #Using the 5424 parser the message content is all we need - rewrite { r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw"), template("t_msg_only"))}; parser {p_add_context_splunk(key("cisco_asa")); }; - #Using the 5424 parser the message content is all we need - rewrite {r_set_splunk(template("t_msg_only")) }; #--HEC-- - destination(d_hec); #--HEC-- flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf index bd4ce8d..09848fd 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf @@ -9,13 +9,11 @@ log { filter(f_cisco_ios); - rewrite { r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cisco:ios"), index("netops"), template("t_msg_only"))}; parser { p_add_context_splunk(key("cisco_ios")); }; - rewrite { - r_set_splunk(template("t_msg_only")) #--HEC-- - }; + destination(d_hec); #--HEC-- flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf index cd419db..0c451ed 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf @@ -14,22 +14,19 @@ log { if (match("traffic" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_traffic"), index("netfw"), template("t_standard"))}; parser {p_add_context_splunk(key("fortinet_fortios_traffic")); }; } elif (match("utm" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_utm"), index("netids"), template("t_standard"))}; parser {p_add_context_splunk(key("fortinet_fortios_utm")); }; } elif (match("event" value(".kv.type"))) { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_event"), index("netops"), template("t_standard"))}; parser {p_add_context_splunk(key("fortinet_fortios_event")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("fgt_log"), index("netops"), template("t_standard"))}; parser {p_add_context_splunk(key("fortinet_fortios_log")); }; }; - #rewrite the final message for splunk json - #sourcetype and index are set in the filter defaults won't be used - rewrite {r_set_splunk(template("t_standard")) }; #--HEC-- destination(d_hec); #--HEC-- flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf b/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf index 82c9ecd..0f4db26 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf @@ -4,13 +4,12 @@ log { filter(f_is_rfc5424_strict); filter(f_juniper_idp); - rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp"), index("netids"), template("t_hdr_sdata_msg"))}; parser { p_add_context_splunk(key("juniper_idp")); }; - rewrite { - r_set_splunk(template("t_hdr_sdata_msg")) - }; + destination(d_hec); #--HEC-- + flags(flow-control); }; \ No newline at end of file diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf b/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf index b0106ca..f112311 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf @@ -9,26 +9,26 @@ log { filter(f_juniper_junos_standard); if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"), template("t_standard"))}; parser {p_add_context_splunk(key("juniper_idp")); }; } elif (program('RT_FLOW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"), template("t_standard"))}; parser {p_add_context_splunk(key("juniper_junos_flow")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"), template("t_standard"))}; parser {p_add_context_splunk(key("juniper_junos_ids")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"), template("t_standard"))}; parser {p_add_context_splunk(key("juniper_junos_utm")); }; } elif (program('Juniper')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:sslvpn"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:sslvpn"), index("netfw"), template("t_standard"))}; parser {p_add_context_splunk(key("juniper_sslvpn")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"), index("netops"), template("t_standard"))}; parser {p_add_context_splunk(key("juniper_legacy")); }; }; - rewrite { r_set_splunk(template("t_standard")) }; destination(d_hec); #--HEC-- + flags(flow-control); }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf index 0d3667d..f963649 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf @@ -3,14 +3,12 @@ log { source(s_default-ports); filter(f_juniper_netscreen); - rewrite { r_set_splunk_dest_default(sourcetype("netscreen:firewall"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("netscreen:firewall"), index("netfw"), template("t_standard"))}; parser { p_add_context_splunk(key("juniper_netscreen")); }; - rewrite { - r_set_splunk(template("t_standard")) - }; + destination(d_hec); #--HEC-- flags(flow-control); }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf index 9d79fe1..645d7ea 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf @@ -8,14 +8,12 @@ log { filter(f_is_rfc3164); filter(f_juniper_nsm); - rewrite { r_set_splunk_dest_default(sourcetype("juniper:nsm"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:nsm"), index("netfw"), template("t_standard"))}; parser { p_add_context_splunk(key("juniper_nsm")); }; - rewrite { - r_set_splunk(template("t_standard")) - }; + destination(d_hec); #--HEC-- flags(flow-control); }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto-panos.conf b/package/etc/conf.d/log_paths/p_rfc3164-paloalto-panos.conf index a2ac570..9f1bb65 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto-panos.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto-panos.conf @@ -33,35 +33,31 @@ log { #set the source type based on program field and lookup index from the splunk context csv if (message(',\d+,THREAT')) { - rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"), index("netproxy"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_threat")); }; } elif (message(',\d+,TRAFFIC')) { - rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"), index("netfw"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_traffic")); }; } elif (message(',\d+,SYSTEM')) { - rewrite { r_set_splunk_dest_default(sourcetype("pan:system"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:system"), index("netops"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_system")); }; } elif (message(',\d+,CONFIG')) { - rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_config")); }; } elif (message(',\d+,HIPWATCH')) { - rewrite { r_set_splunk_dest_default(sourcetype("pan:hipwatch"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:hipwatch"), index("main"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_hipwatch")); }; } elif (message(',\d+,CORRELATION')) { - rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"), index("main"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_correlation")); }; } elif (message(',\d+,USERID')) { - rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"), index("netauth"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"), index("netauth"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_userid")); }; } else { - rewrite { r_set_splunk_dest_default(sourcetype("pan:log"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("pan:log"), index("netops"), template("t_msg_only"))}; parser {p_add_context_splunk(key("pan_log")); }; }; - #rewrite the final message for splunk json - #sourcetype and index are set in the filter defaults won't be used - rewrite {r_set_splunk(template("t_msg_only")) }; #--HEC-- - destination(d_hec); #--HEC-- flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf b/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf index ecc4459..de558e7 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf +++ b/package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf @@ -4,13 +4,11 @@ log { filter(f_cisco_asa); #set the source type based on program field and lookup index from the splunk context csv + #Using the 5424 parser the message content is all we need - rewrite { r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw"), template("t_msg_only"))}; parser {p_add_context_splunk(key("cisco_asa")); }; - #Using the 5424 parser the message content is all we need - rewrite {r_set_splunk(template("t_msg_only")) }; #--HEC-- - destination(d_hec); #--HEC-- flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec-proxy.conf b/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec-proxy.conf index 2c7085a..1d596bf 100644 --- a/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec-proxy.conf +++ b/package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec-proxy.conf @@ -3,15 +3,13 @@ log { filter(f_is_rfc5424_noversion); filter(f_symantec_bluecoat_proxy); - #set the source type based on program field and lookup index from the splunk context csv + #set the source type based on program field and lookup index from the splunk context csv. + #With the 5424 parser the message is the only portion needed in the template. - rewrite { r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"), index("netproxy"))}; + rewrite { r_set_splunk_dest_default(sourcetype("bluecoat:proxysg:access:kv"), index("netproxy"), template("t_msg_only")) }; parser {p_add_context_splunk(key("bluecoat_proxy")); }; - #Using the 5424 parser the message content is all we need - rewrite {r_set_splunk(template("t_msg_only")) }; #--HEC-- - destination(d_hec); #--HEC-- flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf b/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf index 36505fb..56f064c 100644 --- a/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf +++ b/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf @@ -9,17 +9,17 @@ log { filter(f_juniper_junos_structured); if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) }; - parser {p_add_context_splunk(key("juniper_idp")); }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids"), template("t_JSON_5424")) }; + parser {p_add_context_splunk(key("juniper_idp_structured")); }; } elif (program('RT_FLOW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; - parser {p_add_context_splunk(key("juniper_junos_flow")); }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw"), template("t_JSON_5424")) }; + parser {p_add_context_splunk(key("juniper_junos_flow_structured")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids")) }; - parser {p_add_context_splunk(key("juniper_junos_ids")); }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids"), template("t_JSON_5424")) }; + parser {p_add_context_splunk(key("juniper_junos_ids_structured")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids")) }; - parser {p_add_context_splunk(key("juniper_junos_utm")); }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw"), template("t_JSON_5424")) }; + parser {p_add_context_splunk(key("juniper_junos_utm_structured")); }; } # Legacy Netscreen IDP is handled in the "p_rfc3164-juniper-idp.conf" log path # @@ -28,11 +28,10 @@ log { # parser {p_add_context_splunk(key("juniper_junos_idp")); }; # } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) }; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops"), template("t_JSON_5424")) }; parser {p_add_context_splunk(key("juniper_structured")); }; }; - rewrite { r_set_splunk(template("t_hdr_sdata_msg")) }; destination(d_hec); #--HEC-- diff --git a/package/etc/conf.d/log_paths/zfallback.conf b/package/etc/conf.d/log_paths/zfallback.conf index 1100605..3b5b7fc 100644 --- a/package/etc/conf.d/log_paths/zfallback.conf +++ b/package/etc/conf.d/log_paths/zfallback.conf @@ -1,12 +1,11 @@ log { source(s_default-ports); - rewrite { r_set_splunk_dest_default(sourcetype("syslog-ng:fallback"), index("main"))}; + rewrite { r_set_splunk_dest_default(sourcetype("syslog-ng:fallback"), index("main"), template("t_JSON")) }; parser { p_add_context_splunk(key("syslog-ng_fallback")); }; - rewrite { r_set_splunk(template("t_JSON"))}; #--HEC-- destination(d_hec); #--HEC-- flags(flow-control,fallback); }; diff --git a/package/etc/context-local/splunk_index.csv b/package/etc/context-local/splunk_index.csv index aa92083..71bcd53 100644 --- a/package/etc/context-local/splunk_index.csv +++ b/package/etc/context-local/splunk_index.csv @@ -7,6 +7,11 @@ #fortinet_fortios_traffic,index,netfw #fortinet_fortios_utm,index,netids #juniper_idp,index,netids +#juniper_structured,index,netops +#juniper_idp_structured,index,netids +#juniper_junos_flow_structured,index,netfw +#juniper_junos_ids_structured,index,netids +#juniper_junos_utm_structured,index,netfw #juniper_junos_flow,index,netfw #juniper_junos_ids,index,netids #juniper_junos_utm,index,netfw diff --git a/package/etc/syslog-ng.conf b/package/etc/syslog-ng.conf index 27e1a6e..bfb2c10 100644 --- a/package/etc/syslog-ng.conf +++ b/package/etc/syslog-ng.conf @@ -50,11 +50,12 @@ options { # =============================================================================================== @define splunk-sourcetype "syslog-ng:fallback" @define splunk-index "main" +@define splunk-source "sc4s" # =============================================================================================== # Default message template # =============================================================================================== -@define splunk-default-template "t_standard" +@define splunk-template "t_standard" # =============================================================================================== # Data collection parameters, buffers, and Timezone From 1f9ac59fa9bccb223962f94186cbe270f417b680 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Fri, 20 Sep 2019 03:18:34 -0400 Subject: [PATCH 09/11] Conf Gen support (#83) Implement gomplate as a confgen engine to allow dynamic configuration, essentially #83 ifdefs Allow any supported filter to open a dedicated port Make options in source and destination drivers configurable Eliminate entrypoint.sh allowing command arg to syslog such as -s (verify) and -i interactive Enhance unit file templates to check config in pre steps so errors are more clear Externalize run time env variables to an env file to simplify configuration using a common structure in all methods --- .circleci/config.yml | 26 ++-- docker-compose-ci.yml | 23 +--- docker-compose-debug.yml | 1 + docker-compose-demo.yml | 19 +-- docker-compose-perf.yml | 19 +-- docker-compose.yml | 29 +---- docs/Configuration.md | 9 ++ docs/gettingstarted.md | 29 ----- docs/gettingstarted/docker-swarm-general.md | 89 +++++++++---- docs/gettingstarted/docker-swarm-rhel7.md | 87 +++++++++---- docs/gettingstarted/docker-systemd-general.md | 117 +++++++++++++++--- docs/gettingstarted/podman-systemd-general.md | 107 ++++++++++++++-- docs/sources.md | 54 ++++++++ package/Dockerfile | 19 +-- .../etc/conf.d/conflib/_common/network.conf | 10 ++ .../conf.d/conflib/_common/network.conf.tmpl | 93 ++++++++++++++ .../vendor_product_by_source_context.conf | 2 +- .../etc/conf.d/destinations/splunk_hec.conf | 77 +----------- .../conf.d/destinations/splunk_hec.conf.tmpl | 42 +++++++ .../destinations/splunk_hec_metrics.conf | 6 + .../destinations/splunk_hec_metrics.conf.tmpl | 20 +++ .../log_paths/P_rfc3164-juniper_nsm_idp.conf | 14 --- .../log_paths/p_rfc3164-cisco-nx-os.conf | 14 --- .../conf.d/log_paths/p_rfc3164-cisco_asa.conf | 19 +-- .../log_paths/p_rfc3164-cisco_asa.conf.tmpl | 26 ++++ .../conf.d/log_paths/p_rfc3164-cisco_ios.conf | 20 ++- .../log_paths/p_rfc3164-cisco_ios.conf.tmpl | 25 ++++ .../log_paths/p_rfc3164-cisco_nx-os.conf | 14 +++ .../log_paths/p_rfc3164-cisco_nx-os.conf.tmpl | 25 ++++ .../log_paths/p_rfc3164-fortinet_fortios.conf | 40 ++---- .../p_rfc3164-fortinet_fortios.conf.tmpl | 45 +++++++ .../log_paths/p_rfc3164-juniper-idp.conf | 15 --- .../log_paths/p_rfc3164-juniper_idp.conf | 17 +++ .../log_paths/p_rfc3164-juniper_idp.conf.tmpl | 25 ++++ .../log_paths/p_rfc3164-juniper_junos.conf | 17 +++ ...conf => p_rfc3164-juniper_junos.conf.tmpl} | 23 ++-- .../p_rfc3164-juniper_netscreen.conf | 21 ++-- .../p_rfc3164-juniper_netscreen.conf.tmpl | 28 +++++ .../log_paths/p_rfc3164-juniper_nsm.conf | 22 ++-- .../log_paths/p_rfc3164-juniper_nsm.conf.tmpl | 25 ++++ .../log_paths/p_rfc3164-juniper_nsm_idp.conf | 21 ++++ .../p_rfc3164-juniper_nsm_idp.conf.tmpl | 24 ++++ .../log_paths/p_rfc3164-paloalto_panos.conf | 17 +++ ...onf => p_rfc3164-paloalto_panos.conf.tmpl} | 17 ++- .../p_rfc5424_noversion-cisco_asa.conf | 19 ++- .../p_rfc5424_noversion-cisco_asa.conf.tmpl | 27 ++++ .../p_rfc_5424_noversion-symantec_proxy.conf | 10 ++ ...c_5424_noversion-symantec_proxy.conf.tmpl} | 16 ++- .../p_rfc_5424_strict-juniper_junos.conf | 14 +++ ...p_rfc_5424_strict-juniper_junos.conf.tmpl} | 22 ++-- package/etc/conf.d/sources/network.conf | 75 +---------- package/etc/conf.d/sources/network.conf.tmpl | 72 +++++++++++ package/etc/syslog-ng.conf | 32 +---- package/sbin/entrypoint.sh | 10 -- tests/test_juniper_legacy.py | 2 +- 55 files changed, 1155 insertions(+), 536 deletions(-) create mode 100644 docs/Configuration.md create mode 100644 package/etc/conf.d/conflib/_common/network.conf create mode 100644 package/etc/conf.d/conflib/_common/network.conf.tmpl create mode 100644 package/etc/conf.d/destinations/splunk_hec.conf.tmpl create mode 100644 package/etc/conf.d/destinations/splunk_hec_metrics.conf create mode 100644 package/etc/conf.d/destinations/splunk_hec_metrics.conf.tmpl delete mode 100644 package/etc/conf.d/log_paths/P_rfc3164-juniper_nsm_idp.conf delete mode 100644 package/etc/conf.d/log_paths/p_rfc3164-cisco-nx-os.conf create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-cisco_nx-os.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl delete mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf rename package/etc/conf.d/log_paths/{p_rfc3164-juniper-junos.conf => p_rfc3164-juniper_junos.conf.tmpl} (72%) create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf rename package/etc/conf.d/log_paths/{p_rfc3164-paloalto-panos.conf => p_rfc3164-paloalto_panos.conf.tmpl} (85%) create mode 100644 package/etc/conf.d/log_paths/p_rfc5424_noversion-cisco_asa.conf.tmpl create mode 100644 package/etc/conf.d/log_paths/p_rfc_5424_noversion-symantec_proxy.conf rename package/etc/conf.d/log_paths/{p_rfc_5424_noversion-symantec-proxy.conf => p_rfc_5424_noversion-symantec_proxy.conf.tmpl} (50%) create mode 100644 package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper_junos.conf rename package/etc/conf.d/log_paths/{p_rfc_5424_strict-juniper-junos.conf => p_rfc_5424_strict-juniper_junos.conf.tmpl} (75%) create mode 100644 package/etc/conf.d/sources/network.conf.tmpl delete mode 100755 package/sbin/entrypoint.sh diff --git a/.circleci/config.yml b/.circleci/config.yml index 4a82547..d482dff 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -168,13 +168,13 @@ jobs: path: /clair-reports publish-common: + machine: + image: ubuntu-1604:201903-01 + docker_layer_caching: true # default - false environment: IMAGE_NAME: rfaircloth/scs - docker: - - image: circleci/buildpack-deps:stretch steps: - - setup_remote_docker: - docker_layer_caching: true + - checkout - run: name: Docker Login command: docker login -u $DOCKER_USER -p $DOCKER_PASS @@ -183,10 +183,14 @@ jobs: command: docker pull $IMAGE_NAME:$CIRCLE_SHA1 - run: name: Docker tag image - command: docker tag $IMAGE_NAME:$CIRCLE_SHA1 $IMAGE_NAME:$CIRCLE_BRANCH + command: | + SEMVER=$(docker run --rm -v "$(pwd):/repo" gittools/gitversion:latest-linux-netcoreapp2.1 /repo /showvariable SemVer /nofetch) + docker tag $IMAGE_NAME:$CIRCLE_SHA1 $IMAGE_NAME:$SEMVER - run: name: Docker push tag - command: docker push $IMAGE_NAME:$CIRCLE_BRANCH + command: | + SEMVER=$(docker run --rm -v "$(pwd):/repo" gittools/gitversion:latest-linux-netcoreapp2.1 /repo /showvariable SemVer /nofetch) + docker push $IMAGE_NAME:$SEMVER publish-edge: environment: @@ -273,11 +277,11 @@ workflows: requires: - dgoss - test-unit - filters: - branches: - only: - - master - - develop +# filters: +# branches: +# only: +# - master +# - develop - publish-edge: requires: - dgoss diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml index 987fbfa..0c983a3 100644 --- a/docker-compose-ci.yml +++ b/docker-compose-ci.yml @@ -25,8 +25,8 @@ services: - "514" - "601" - "514/udp" - - "5514" - - "5514/udp" + - "5000" + - "5000/udp" stdin_open: true tty: true links: @@ -38,23 +38,8 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - sc4s-juniper: - image: rfaircloth/scs:${CIRCLE_SHA1} - hostname: sc4s-juniper - ports: - - "514" - stdin_open: true - tty: true - links: - - splunk - environment: - - SPLUNK_HEC_URL=${SPLUNK_HEC_URL} - - SPLUNK_HEC_STATSURL=${SPLUNK_HEC_STATSURL} - - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN} - - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SYSLOG_PRESUME_FILTER=juniper_netscreen + - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 splunk: image: splunk/splunk:latest hostname: splunk diff --git a/docker-compose-debug.yml b/docker-compose-debug.yml index 55cb296..ecb8f6a 100644 --- a/docker-compose-debug.yml +++ b/docker-compose-debug.yml @@ -38,6 +38,7 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} + - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no splunk: image: splunk/splunk:latest hostname: splunk diff --git a/docker-compose-demo.yml b/docker-compose-demo.yml index b15d755..b696193 100644 --- a/docker-compose-demo.yml +++ b/docker-compose-demo.yml @@ -40,23 +40,8 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - sc4s-juniper: - image: splunk/scs:latest - hostname: sc4s-juniper - ports: - - "514" - stdin_open: true - tty: true - links: - - splunk - environment: - - SPLUNK_HEC_URL=${SPLUNK_HEC_URL} - - SPLUNK_HEC_STATSURL=${SPLUNK_HEC_STATSURL} - - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN} - - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SYSLOG_PRESUME_FILTER=juniper_netscreen + - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 splunk: image: splunk/splunk:latest hostname: splunk diff --git a/docker-compose-perf.yml b/docker-compose-perf.yml index 67f3844..729f51b 100644 --- a/docker-compose-perf.yml +++ b/docker-compose-perf.yml @@ -31,14 +31,9 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} -# logging: -# driver: splunk -# options: -# splunk-token: a778f63a-5dff-4e3c-a72c-a03183659e94 -# splunk-url: https://splunk:8088/services/collector/event -# splunk-index: main -# splunk-insecureskipverify: true -# splunk-verify-connection: false + - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 + splunk: image: splunk/splunk:latest hostname: splunk @@ -53,14 +48,6 @@ services: - SPLUNK_APPS_URL=${SPLUNK_APPS_URL} - SPLUNKBASE_USERNAME=${SPLUNKBASE_USERNAME} - SPLUNKBASE_PASSWORD=${SPLUNKBASE_PASSWORD} -# logging: -# driver: splunk -# options: -# splunk-token: a778f63a-5dff-4e3c-a72c-a03183659e94 -# splunk-url: https://splunk:8088/services/collector/event -# splunk-index: main -# splunk-insecureskipverify: true -# splunk-verify-connection: false egbundles: image: rfaircloth/scs:egb-edge hostname: egbundles diff --git a/docker-compose.yml b/docker-compose.yml index 7493bab..fcf5e48 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,7 +13,6 @@ services: links: - splunk - sc4s - - sc4s-juniper volumes: - sc4s-results:/work/test-results environment: @@ -34,8 +33,8 @@ services: - "514" - "601" - "514/udp" - - "5514" - - "5514/udp" + - "5000" + - "5000/udp" stdin_open: true tty: true links: @@ -47,28 +46,8 @@ services: - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - sc4s-juniper: - image: splunk/scs:latest - build: - context: ./package - args: - RH_ORG: ${RH_ORG} - RH_ACTIVATION: ${RH_ACTIVATION} - hostname: sc4s-juniper - ports: - - "514" - stdin_open: true - tty: true - links: - - splunk - environment: - - SPLUNK_HEC_URL=${SPLUNK_HEC_URL} - - SPLUNK_HEC_STATSURL=${SPLUNK_HEC_STATSURL} - - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN} - - SPLUNK_CONNECT_METHOD=${SPLUNK_CONNECT_METHOD} - - SPLUNK_DEFAULT_INDEX=${SPLUNK_DEFAULT_INDEX} - - SPLUNK_METRICS_INDEX=${SPLUNK_DEFAULT_INDEX} - - SYSLOG_PRESUME_FILTER=juniper_netscreen + - SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no + - SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 splunk: image: splunk/splunk:latest hostname: splunk diff --git a/docs/Configuration.md b/docs/Configuration.md new file mode 100644 index 0000000..c4f2903 --- /dev/null +++ b/docs/Configuration.md @@ -0,0 +1,9 @@ + +| Variable | Values | Description | +|----------|---------------|-------------| +| SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list | +| SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token | +| SCS_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | +| SCS_DEST_SPLUNK_HEC_CIPHER_SUITE | comma separated list | Open SSL cipher suite list | +| SCS_DEST_SPLUNK_HEC_SSL_VERSION | comma separated list | Open SSL version list | +| SCS_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | diff --git a/docs/gettingstarted.md b/docs/gettingstarted.md index 90917fe..351786f 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted.md @@ -86,32 +86,3 @@ Additional hosts can be deployed for syslog collection from additional network z  -## Single Source Technology instance - Alpha - -For certain source technologies message categorization by content is impossible to support collection -of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using -an alternate port. In the following configration example a dedicated port is opened (6514) for legacy juniper netscreen devices - -This approach is "alpha" and subject to change - -```yaml -version: "3" -services: - sc4s-juniper-netscreen: - image: splunk/scs:latest - hostname: sc4s-juniper-netscreen - ports: - - "6514:514" - - "6514:514/udp" - stdin_open: true - tty: true - environment: - - SPLUNK_HEC_URL=https://foo:8088/services/collector/event - - SPLUNK_HEC_TOKEN= - - SPLUNK_CONNECT_METHOD=hec - - SPLUNK_DEFAULT_INDEX= - - SPLUNK_METRICS_INDEX=em_metrics - - SYSLOG_PRESUME_FILTER=f_juniper_netscreen - volumes: - - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv -``` \ No newline at end of file diff --git a/docs/gettingstarted/docker-swarm-general.md b/docs/gettingstarted/docker-swarm-general.md index 24861a0..0bad67a 100644 --- a/docs/gettingstarted/docker-swarm-general.md +++ b/docs/gettingstarted/docker-swarm-general.md @@ -25,12 +25,8 @@ services: protocol: udp #Comment the following line out if using docker-compose mode: host - environment: - - SPLUNK_HEC_URL=https://inputs-hec.kops.spl.guru/services/collector/event - - SPLUNK_HEC_TOKEN=02450979-d363-4e6c-b6c9-796d8b546a6e - - SPLUNK_CONNECT_METHOD=hec - - SPLUNK_DEFAULT_INDEX=main - - SPLUNK_METRICS_INDEX=em_metrics + env_file: + - /opt/scs/env_file volumes: #Uncomment the following line if overriding index destinations # - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv @@ -40,6 +36,20 @@ services: ``` +## Configure the SCS environment + +Create the following file ``/opt/scs/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +``` + ## Configure index destinations for Splunk Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. @@ -74,38 +84,69 @@ docker stack deploy --compose-file docker-compose.yml sc4s Additional hosts can be deployed for syslog collection from additional network zones and locations. -## Single Source Technology instance - Alpha +# Single Source Technology instance -For certain source technologies message categorization by content is impossible. To support collection -of such legacy nonstandard sources, we provide a means of dedicating a container to a specific source using -an alternate port. In the following configration example a dedicated port is opened (6514) for legacy juniper netscreen devices. +For certain source technologies message categorization by content is impossible to support collection +of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using +an alternate port. +Refer to the Sources documentation to identify the specific variable used to enable a specific port for the technology in use. -This approach is "alpha" and subject to change. +In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate +* Modify the unit file ``/opt/scs/docker-compose.yml`` ```yaml -version: "3" +version: "3.7" services: - sc4s-juniper-netscreen: + sc4s: image: splunk/scs:latest - hostname: sc4s-juniper-netscreen ports: - target: 514 - published: 6514 + published: 514 protocol: tcp #Comment the following line out if using docker-compose mode: host - target: 514 - published: 6514 + published: 514 + protocol: udp +#Comment the following line out if using docker-compose + mode: host + - target: 5000-5021 + published: 5000-5021 + protocol: tcp +#Comment the following line out if using docker-compose + mode: host + - target: 5000-5021 + published: 5000-5021 protocol: udp #Comment the following line out if using docker-compose mode: host - environment: - - SPLUNK_HEC_URL=https://foo:8088/services/collector/event - - SPLUNK_HEC_TOKEN= - - SPLUNK_CONNECT_METHOD=hec - - SPLUNK_DEFAULT_INDEX= - - SPLUNK_METRICS_INDEX=em_metrics - - SYSLOG_PRESUME_FILTER=f_juniper_netscreen + env_file: + - /opt/scs/env_file volumes: - - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +#Uncomment the following line if overriding index destinations +# - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +#Uncomment the following lines if using a host or network based filter and log_path +# - ./sc4s-juniper/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv +# - ./sc4s-juniper/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf +``` + +Modify the following file ``/opt/scs/default/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +#Uncomment the following line if using untrusted SSL certificates +#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +``` + +* Start SC4S. + +```bash +docker stack deploy --compose-file docker-compose.yml sc4s ``` diff --git a/docs/gettingstarted/docker-swarm-rhel7.md b/docs/gettingstarted/docker-swarm-rhel7.md index ebabb18..8575a0f 100644 --- a/docs/gettingstarted/docker-swarm-rhel7.md +++ b/docs/gettingstarted/docker-swarm-rhel7.md @@ -53,12 +53,8 @@ services: protocol: udp #Comment the following line out if using docker-compose mode: host - environment: - - SPLUNK_HEC_URL=https://inputs-hec.kops.spl.guru/services/collector/event - - SPLUNK_HEC_TOKEN=02450979-d363-4e6c-b6c9-796d8b546a6e - - SPLUNK_CONNECT_METHOD=hec - - SPLUNK_DEFAULT_INDEX=main - - SPLUNK_METRICS_INDEX=em_metrics + env_file: + - /opt/scs/env_file volumes: #Uncomment the following line if overriding index destinations # - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv @@ -68,6 +64,21 @@ services: ``` +## Configure the SCS environment + +Create the following file ``/opt/scs/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +``` + + ## Configure index destinations for Splunk Log paths are preconfigured to utilize a convention of index destinations that is suitable for most customers. This step is optional to allow customization of index destinations. @@ -101,36 +112,68 @@ sudo docker stack deploy --compose-file docker-compose.yml sc4s Additional hosts can be deployed for syslog collection from additional network zones and locations. -## Single Source Technology instance - Alpha +# Single Source Technology instance -For certain source technologies message categorization by content is impossible. To support collection of such legacy nonstandard sources, we provide a means of dedicating a container to a specific source using an alternate port. In the following configration example a dedicated port is opened (6514) for legacy juniper netscreen devices. +For certain source technologies message categorization by content is impossible to support collection +of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using +an alternate port. +Refer to the Sources documentation to identify the specific variable used to enable a specific port for the technology in use. -This approach is "alpha" and subject to change. +In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate +* Modify the unit file ``/opt/scs/docker-compose.yml`` ```yaml -version: "3" +version: "3.7" services: - sc4s-juniper-netscreen: + sc4s: image: splunk/scs:latest - hostname: sc4s-juniper-netscreen ports: - target: 514 - published: 6514 + published: 514 protocol: tcp #Comment the following line out if using docker-compose mode: host - target: 514 - published: 6514 + published: 514 protocol: udp #Comment the following line out if using docker-compose mode: host - environment: - - SPLUNK_HEC_URL=https://foo:8088/services/collector/event - - SPLUNK_HEC_TOKEN= - - SPLUNK_CONNECT_METHOD=hec - - SPLUNK_DEFAULT_INDEX= - - SPLUNK_METRICS_INDEX=em_metrics - - SYSLOG_PRESUME_FILTER=f_juniper_netscreen + - target: 5000-5021 + published: 5000-5021 + protocol: tcp +#Comment the following line out if using docker-compose + mode: host + - target: 5000-5021 + published: 5000-5021 + protocol: udp +#Comment the following line out if using docker-compose + mode: host + env_file: + - /opt/scs/env_file volumes: - - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +#Uncomment the following line if overriding index destinations +# - ./sc4s-juniper/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv +#Uncomment the following lines if using a host or network based filter and log_path +# - ./sc4s-juniper/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv +# - ./sc4s-juniper/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf +``` + +Modify the following file ``/opt/scs/default/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +#Uncomment the following line if using untrusted SSL certificates +#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +``` +* Start SC4S. + +```bash +docker stack deploy --compose-file docker-compose.yml sc4s ``` diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md index eb63866..cb11a5c 100644 --- a/docs/gettingstarted/docker-systemd-general.md +++ b/docs/gettingstarted/docker-systemd-general.md @@ -13,29 +13,49 @@ Refer to [Getting Started](https://docs.docker.com/get-started/) ```ini [Unit] -Description=Splunk Container -After=docker.service -Requires=docker.service +Description=SCS Container +After=network.service +Requires=network.service [Service] +Environment="SCS_IMAGE=splunk/scs:latest" + +#Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started +Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +#Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started +#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" + TimeoutStartSec=0 Restart=always -ExecStartPre=/usr/bin/docker pull splunk/scs:latest -ExecStart=/usr/bin/docker run -p 514:514\ - -e "SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event" \ - -e "SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94" \ - -e "SPLUNK_CONNECT_METHOD=hec" \ - -e "SPLUNK_DEFAULT_INDEX=main" \ - -e "SPLUNK_METRICS_INDEX=em_metrics" \ +ExecStartPre=/usr/bin/docker pull $SCS_IMAGE +ExecStartPre=/usr/bin/docker run \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ + --name scs_preflight --rm \ + $SCS_IMAGE -s +ExecStart=/usr/bin/docker run -p 514:514 \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ --name scs \ --rm \ - -v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv \ - -v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv \ - -v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf \ -splunk/scs:latest +$SCS_IMAGE +``` + +## Configure the SCS environment -[Install] -WantedBy=multi-user.target +Create the following file ``/opt/scs/default/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +#Uncomment the following line if using untrusted SSL certificates +#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no ``` ## Configure index destinations for Splunk @@ -63,7 +83,72 @@ sudo wget https://raw.githubusercontent.com/splunk/splunk-connect-for-syslog/mas * Start SC4S. ```bash +sudo systemctl daemon-reload sudo systemctl enable scs sudo systemctl start scs ``` + +# Single Source Technology instance + +For certain source technologies message categorization by content is impossible to support collection +of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using +an alternate port. + +Refer to the Sources documentation to identify the specific variable used to enable a specific port for the technology in use. + +In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate + +* Modify the unit file ``/opt/scs/default/env_file`` +```ini +[Unit] +Description=SCS Container +After=network.service +Requires=network.service + +[Service] +Environment="SCS_IMAGE=splunk/scs:latest" + +#Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started +Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +#Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started +#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" + +TimeoutStartSec=0 +Restart=always +ExecStartPre=/usr/bin/docker pull $SCS_IMAGE +ExecStartPre=/usr/bin/docker run \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ + --name scs_preflight --rm \ + $SCS_IMAGE -s +ExecStart=/usr/bin/docker run -p 514:514 -p 5000-5020:5000-5020 \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ + --name scs \ + --rm \ +$SCS_IMAGE + +``` + +Modify the following file ``/opt/scs/default/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +#Uncomment the following line if using untrusted SSL certificates +#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +``` + +* Restart SC4S. + +```bash +sudo systemctl restart scs +``` diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md index 6b69f03..6884d4d 100644 --- a/docs/gettingstarted/podman-systemd-general.md +++ b/docs/gettingstarted/podman-systemd-general.md @@ -20,26 +20,46 @@ After=network.service Requires=network.service [Service] +Environment="SCS_IMAGE=splunk/scs:latest" + +#Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started +Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +#Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started +#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" + TimeoutStartSec=0 Restart=always -ExecStartPre=/usr/bin/podman pull splunk/scs:latest +ExecStartPre=/usr/bin/podman pull $SCS_IMAGE +ExecStartPre=/usr/bin/podman run \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ + --name scs_preflight --rm \ + $SCS_IMAGE -s ExecStart=/usr/bin/podman run -p 514:514 \ - -e "SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event" \ - -e "SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94" \ - -e "SPLUNK_CONNECT_METHOD=hec" \ - -e "SPLUNK_DEFAULT_INDEX=main" \ - -e "SPLUNK_METRICS_INDEX=em_metrics" \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ --name scs \ --rm \ - -v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv \ - -v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv \ - -v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf \ -splunk/scs:latest +$SCS_IMAGE -[Install] -WantedBy=multi-user.target ``` +## Configure the SCS environment + +Create the following file ``/opt/scs/default/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +#Uncomment the following line if using untrusted SSL certificates +#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +``` ## Configure index destinations for Splunk @@ -71,3 +91,66 @@ sudo systemctl enable scs sudo systemctl start scs ``` +# Single Source Technology instance + +For certain source technologies message categorization by content is impossible to support collection +of such legacy nonstandard sources we provide a means of dedicating a container to a specific source using +an alternate port. + +Refer to the Sources documentation to identify the specific variable used to enable a specific port for the technology in use. + +In the following example ``-p 5000-5020:5000-5020`` allows for up to 21 technology specific ports modify the range as appropriate + +* Modify the unit file ``/lib/systemd/system/scs.service`` +```ini +[Unit] +Description=SCS Container +After=network.service +Requires=network.service + +[Service] +Environment="SCS_IMAGE=splunk/scs:latest" + +#Note Uncomment this line to use custom index names AND download the splunk_index.csv file template per getting started +Environment="SCS_UNIT_SPLUNK_INDEX=-v /opt/scs/default/splunk_index.csv:/opt/syslog-ng/etc/context-local/splunk_index.csv" +#Note Uncomment the following two linese for host and ip based source type mapping AND download the two file templates per getting started +#Environment="SCS_UNIT_VP_CSV=-v /opt/scs/default/vendor_product_by_source.csv:/opt/syslog-ng/etc/context-local/vendor_product_by_source.csv" +#Environment="SCS_UNIT_VP_CONF=-v /opt/scs/default/vendor_product_by_source.conf:/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf" + +TimeoutStartSec=0 +Restart=always +ExecStartPre=/usr/bin/podman pull $SCS_IMAGE +ExecStartPre=/usr/bin/podman run \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ + --name scs_preflight --rm \ + $SCS_IMAGE -s +ExecStart=/usr/bin/podman run -p 514:514 -p 5000-5020:5000-5020 \ + --env-file=/opt/scs/default/env_file \ + "$SCS_UNIT_SPLUNK_INDEX" "$SCS_UNIT_VP_CSV" "$SCS_UNIT_VP_CONF" \ + --name scs \ + --rm \ +$SCS_IMAGE + +``` + +Modify the following file ``/opt/scs/default/env_file`` + +* Update ``SPLUNK_HEC_URL`` and ``SPLUNK_HEC_TOKEN`` to reflect the correct values for your environment + +```dotenv +SPLUNK_HEC_URL=https://splunk.smg.aws:8088/services/collector/event +SPLUNK_HEC_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94 +SPLUNK_CONNECT_METHOD=hec +SPLUNK_DEFAULT_INDEX=main +SPLUNK_METRICS_INDEX=em_metrics +SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 +#Uncomment the following line if using untrusted SSL certificates +#SCS_DEST_SPLUNK_HEC_TLS_VERIFY=no +``` + +* Restart SC4S. + +```bash +sudo systemctl restart scs +``` diff --git a/docs/sources.md b/docs/sources.md index 0ff737a..0d16a48 100644 --- a/docs/sources.md +++ b/docs/sources.md @@ -38,6 +38,13 @@ MSG Parse: This filter parses message content * device-id is hostname and included * timestamp is included +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_JUNIPER_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | +| SCS_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | + ### Verification Use the following search to validate events are present @@ -102,6 +109,12 @@ Verify timestamp, and host values match as expected * Ensure proper host names are configured * For security use cases per AP logging is required +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SCS_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -187,6 +200,12 @@ end ``` +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | + ### Verification An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command @@ -249,6 +268,12 @@ Verify timestamp, and host values match as expected * Review and update the splunk_index.csv file and set the index as required. * Follow vendor configuration steps per referenced Product Manual +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| +| SCS_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | ### Verification @@ -293,6 +318,12 @@ Verify timestamp, and host values match as expected * Review and update the splunk_index.csv file and set the index as required. * Follow vendor configuration steps per Product Manual +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SCS_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -337,6 +368,12 @@ Verify timestamp, and host values match as expected * Review and update the splunk_index.csv file and set the index as required. * Follow vendor configuration steps per Product Manual +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SCS_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -379,6 +416,11 @@ Verify timestamp, and host values match as expected * Review and update the splunk_index.csv file and set the index as required. * Follow vendor configuration steps per referenced Product Manual +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | ### Verification @@ -437,6 +479,12 @@ MSG Parse: This filter parses message content * Select IETF Format * Ensure the format of the event is not customized +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_PALOALTO_PANOS_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | + ### Verification An active firewall will generate frequent events. Use the following search to validate events are present per source device @@ -480,6 +528,12 @@ MSG Parse: This filter parses message content * Select TCP or SSL transport option * Ensure the format of the event is customized per Splunk documentation +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SCS_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | + ### Verification An active proxy will generate frequent events. Use the following search to validate events are present per source device diff --git a/package/Dockerfile b/package/Dockerfile index 4e3b4c4..091e2cb 100644 --- a/package/Dockerfile +++ b/package/Dockerfile @@ -67,11 +67,9 @@ RUN cd /tmp ;\ rm epel-release-latest-7.noarch.rpm ;\ rpm --import https://packages.confluent.io/rpm/5.2/archive.key ;\ yum install gcc tzdata libdbi libsecret libxml2 sqlite tcp_wrappers librdkafka \ - rh-python36 rh-python36-python-tools libcurl ivykis scl-utils tcp_wrappers-libs curl -y;\ + rh-python36 rh-python36-python-tools libcurl ivykis scl-utils tcp_wrappers-libs curl wget -y;\ echo source scl_source enable rh-python36 >>/etc/profile.d/enablepython36.sh ;\ - source scl_source enable rh-python36 ;\ - pip install dumb-init - + source scl_source enable rh-python36 ENV DEBCONF_NONINTERACTIVE_SEEN=true ENV SPLUNK_CONNECT_METHOD=hec @@ -81,15 +79,18 @@ RUN source scl_source enable rh-python36 ; curl -fsSL https://goss.rocks/install COPY goss.yaml /etc/goss.yaml COPY --from=0 /opt/syslog-ng /opt/syslog-ng + +RUN curl -o /usr/local/bin/gomplate -sSL https://github.com/hairyhenderson/gomplate/releases/download/v3.5.0/gomplate_linux-amd64-slim && \ + chmod 755 /usr/local/bin/gomplate + + COPY etc/syslog-ng.conf /opt/syslog-ng/etc/syslog-ng.conf COPY etc/conf.d /opt/syslog-ng/etc/conf.d COPY etc/context-local /opt/syslog-ng/etc/context-local -COPY sbin/entrypoint.sh /sbin/entrypoint.sh RUN mkdir -p /opt/syslog-ng/var/data/disk-buffer -RUN source scl_source enable rh-python36 ;/opt/syslog-ng/sbin/syslog-ng -V +RUN source scl_source enable rh-python36 ;/opt/syslog-ng/sbin/syslog-ng -V RUN source scl_source enable rh-python36 ;/opt/syslog-ng/sbin/syslog-ng -t -RUN mkdir -p /var/log/syslog-ng/data/disk-buffer EXPOSE 514 EXPOSE 601/tcp @@ -97,6 +98,6 @@ EXPOSE 6514/tcp ENV SPLUNK_CONNECT_METHOD=UF -ENTRYPOINT ["/sbin/entrypoint.sh", "--"] +ENTRYPOINT ["/opt/syslog-ng/sbin/syslog-ng", "-F"] -HEALTHCHECK --interval=1s --timeout=6s CMD source scl_source enable rh-python36 ;goss -g /etc/goss.yaml validate \ No newline at end of file +HEALTHCHECK --interval=1s --timeout=6s CMD source scl_source enable rh-python36 ;goss -g /etc/goss.yaml validate diff --git a/package/etc/conf.d/conflib/_common/network.conf b/package/etc/conf.d/conflib/_common/network.conf new file mode 100644 index 0000000..ae13635 --- /dev/null +++ b/package/etc/conf.d/conflib/_common/network.conf @@ -0,0 +1,10 @@ +@module confgen context(source) name(gen_source_dedicated_port) exec("gomplate --file `syslog-ng-sysconfdir`/conf.d/conflib/_common/network.conf.tmpl") + +block source dedicated_port(udp_port(no) tcp_port(no) tls_port(no) flags("no-parse")) { + gen_source_dedicated_port( + udp_port(`udp_port`) + tcp_port(`tcp_port`) + tls_port(`tls_port`) + flags(`flags`) + ) +}; \ No newline at end of file diff --git a/package/etc/conf.d/conflib/_common/network.conf.tmpl b/package/etc/conf.d/conflib/_common/network.conf.tmpl new file mode 100644 index 0000000..3a789e9 --- /dev/null +++ b/package/etc/conf.d/conflib/_common/network.conf.tmpl @@ -0,0 +1,93 @@ +# =============================================================================================== +# source definition for remote devices +# =============================================================================================== + +# =============================================================================================== +# Defaults for the default-network-drivers() source: +# 514, both TCP and UDP, for RFC3164 (BSD-syslog) formatted traffic +# 601 TCP, for RFC5424 (IETF-syslog) formatted traffic +# 6514 TCP, for TLS-encrypted traffic +# =============================================================================================== + + channel { + source { +{{ if ne (getenv "confgen_udp_port") "no" }} + syslog ( + transport("udp") + port({{getenv "confgen_udp_port"}}) + ip-protocol(4) + so-rcvbuf({{getenv "SCS_SOURCE_UDP_SO_RCVBUFF" "425984"}}) + keep-hostname(yes) + keep-timestamp(yes) + use-dns(no) + use-fqdn(no) + chain-hostnames(off) + flags(no-parse) + ); +{{ end }} +{{ if ne (getenv "confgen_tcp_port") "no" }} + network ( + transport("tcp") + port({{getenv "confgen_tcp_port"}}) + ip-protocol(4) + max-connections({{getenv "SCS_SOURCE_TCP_MAX_CONNECTIONS" "2000"}}) + log-iw-size({{getenv "SCS_SOURCE_TCP_IW_SIZE" "20000000"}}) + log-fetch-limit({{getenv "SCS_SOURCE_TCP_FETCH_LIMIT" "2000"}}) + keep-hostname(yes) + keep-timestamp(yes) + use-dns(no) + use-fqdn(no) + chain-hostnames(off) + flags(no-parse) + ); +{{ end }} + }; + #TODO: #60 Remove this function with enhancement + rewrite(set_metadata_presume); + rewrite(set_rfcnonconformant); + rewrite(r_set_splunk_default); + +{{ if eq (getenv "confgen_parser") "rfc5424_strict" }} + filter(f_rfc5424_strict); + parser { + syslog-parser(flags(syslog-protocol store-raw-message)); + }; + rewrite(set_rfc5424_strict); +{{ else if eq (getenv "confgen_parser") "rfc5424_noversion" }} + filter(f_rfc5424_noversion); + parser { + syslog-parser(flags(syslog-protocol store-raw-message)); + }; + rewrite(set_rfc5424_noversion); +{{ else if eq (getenv "confgen_parser") "cisco_parser" }} + parser {cisco-parser()}; + rewrite(set_metadata_vendor_product_cisco_ios); +{{ else if eq (getenv "confgen_parser") "rfc3164" }} + parser { + syslog-parser(time-zone({{getenv "SCS_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); + }; + rewrite(set_rfc3164); +{{ else }} + if { + filter(f_rfc5424_strict); + parser { + syslog-parser(flags(syslog-protocol store-raw-message)); + }; + rewrite(set_rfc5424_strict); + } elif { + filter(f_rfc5424_noversion); + parser { + syslog-parser(flags(syslog-protocol store-raw-message)); + }; + rewrite(set_rfc5424_noversion); + } elif { + parser {cisco-parser()}; + rewrite(set_metadata_vendor_product_cisco_ios); + } else { + parser { + syslog-parser(time-zone({{getenv "SCS_DEFAULT_TIMEZONE" "GMT"}}) flags(store-raw-message)); + }; + rewrite(set_rfc3164); + }; +{{ end }} + }; diff --git a/package/etc/conf.d/conflib/_common/vendor_product_by_source_context.conf b/package/etc/conf.d/conflib/_common/vendor_product_by_source_context.conf index cb238de..f3789a7 100644 --- a/package/etc/conf.d/conflib/_common/vendor_product_by_source_context.conf +++ b/package/etc/conf.d/conflib/_common/vendor_product_by_source_context.conf @@ -1,6 +1,6 @@ block parser vendor_product_by_source() { add-contextual-data( - selector(filters("/opt/syslog-ng/etc/context-local/vendor_product_by_source.conf")), + selector(filters("`syslog-ng-sysconfdir`/context-local/vendor_product_by_source.conf")), database("context-local/vendor_product_by_source.csv") ignore-case(yes) prefix("fields.") diff --git a/package/etc/conf.d/destinations/splunk_hec.conf b/package/etc/conf.d/destinations/splunk_hec.conf index 0132bfe..81db7ee 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf +++ b/package/etc/conf.d/destinations/splunk_hec.conf @@ -1,76 +1,5 @@ - - -# =============================================================================================== -# Direct connection to Splunk via HEC -# =============================================================================================== - -# =============================================================================================== -# Be sure to adjust batch paramaters below to suit scale/environment -# Set workers to the number of indexers or HWF HEC endpoints -# If validated certs are used, uncomment relevant lines in the tls() block below -# and change peer-verify() to "yes" -# =============================================================================================== +@module confgen context(destination) name(gen_splunk_hec) exec("gomplate --file `syslog-ng-sysconfdir`/conf.d/destinations/splunk_hec.conf.tmpl") destination d_hec { - http( - url("`SPLUNK_HEC_URL`") - method("POST") - log-fifo-size(`splunk-log-fifo-size`) - workers(`SYSLOGNG_HEC_WORKERS`) - batch-lines(1000) - batch-bytes(2048Kb) - batch-timeout(3) - timeout(15) - user_agent("syslog-ng User Agent") - user("syslog-ng") - headers("Connection: close") - password("`SPLUNK_HEC_TOKEN`") - persist-name("splunk") - disk-buffer(mem-buf-length(15000) - disk-buf-size(200000) - reliable(no) - dir("/opt/syslog-ng/var/data/disk-buffer/")) - tls(peer-verify(no) -# ca-dir("dir") -# ca-file("ca") -# cert-file("cert") -# cipher-suite("cipher") -# key-file("key") -# peer-verify(yes|no) -# ssl-version( ) - ) - body('$(format-json - time=$S_UNIXTIME.$S_MSEC - host=${HOST} - source=${.splunk.source} - sourcetype=${.splunk.sourcetype} - index=${.splunk.index} - event=$(template ${.splunk.template} $(template `splunk-template`)) - fields.*)') - ); - }; - -destination d_hecmetrics { - http( - url("`SPLUNK_HEC_URL`") - method("POST") - batch-lines(5) - batch-bytes(512Kb) - batch-timeout(1) - timeout(15) - user_agent("syslog-ng User Agent") - user("syslog-ng") - password("`SPLUNK_HEC_TOKEN`") - persist-name("splunk_metrics") - tls(peer-verify(no) -# ca-dir("dir") -# ca-file("ca") -# cert-file("cert") -# cipher-suite("cipher") -# key-file("key") -# peer-verify(yes|no) -# ssl-version(