Merge branch 'develop' into docs/initial_config
mbonsack authored and GitHub committed Feb 3, 2020
2 parents 0896a46 + 1008c53 commit e315b4f
Showing 7 changed files with 40 additions and 8 deletions.
1 change: 1 addition & 0 deletions docker-compose.yml
Expand Up @@ -55,6 +55,7 @@ services:
- SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005
- SC4S_LISTEN_PFSENSE_TCP_PORT=5006
- SC4S_ARCHIVE_GLOBAL=yes
# - SC4S_SOURCE_STORE_RAWMSG=yes
volumes:
- ./tls:/opt/syslog-ng/tls
splunk:
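Review bot: The commented-out `SC4S_SOURCE_STORE_RAWMSG` line carries none of the caveat the docs in this same commit attach to it (log path/filter development only, substantial memory and disk overhead), so anyone who uncomments it in a production compose file gets a raw wire copy of every message stored and forwarded with no warning in the file itself. A short in-file comment would close that gap: `# Dev/filter-development only: keeps the raw wire message in RAWMSG; large memory/disk cost, see docs/configuration.md`. The example line itself stays commented out, which is the right default.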
2 changes: 1 addition & 1 deletion docs/configuration.md
Expand Up @@ -73,7 +73,7 @@ and/or move them to an archival system to avoid exhaustion of disk space.
| SC4S_SOURCE_TCP_IW_SIZE | 20000000 | Initial Window size |
| SC4S_SOURCE_TCP_FETCH_LIMIT | 2000 | Number of events to fetch from server buffer at once |
| SC4S_SOURCE_UDP_SO_RCVBUFF | 425984 | UDP server buffer size in bytes |

| SC4S_SOURCE_STORE_RAWMSG | undefined or "no" | Store unprocessed "on the wire" raw message in the RAWMSG macro for use with the "fallback" sourcetype. Do _not_ set this in production; substantial memory and disk overhead will result. Use for log path/filter development only. |

## Syslog Source TLS Certificate Configuration

1 change: 1 addition & 0 deletions package/etc/conf.d/conflib/_common/templates.conf
Expand Up @@ -61,6 +61,7 @@ template t_JSON_3164 {
template('$(format-json --scope rfc3164
--pair PRI="<$PRI>"
--key LEGACY_MSGHDR
--key RAWMSG
--exclude FACILITY
--exclude PRIORITY
)');
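Review bot: The new `--key RAWMSG` line gives no hint that the macro is only populated when the source parser runs with store-raw-message, nor that it duplicates the whole wire message into every JSON event once it is; a reader of templates.conf alone cannot tell why the key is there. Whether format-json omits the key or emits it as an empty string when RAWMSG is unset is not visible from this change and is worth confirming against a message captured with the option off. A one-line comment would carry the intent: `# RAWMSG is set only when the syslog-parser runs with store-raw-message (SC4S_SOURCE_STORE_RAWMSG=yes); it repeats the full wire message in each event`. The enclosing template t_JSON_3164 starts above this hunk.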
9 changes: 7 additions & 2 deletions package/etc/conf.d/filters/cisco/asa.conf
@@ -1,3 +1,8 @@
filter f_cisco_asa {
message('^%ASA-\d+-\d{1,10}: ');
};
message('^%ASA-\d+-\d{1,10}: ') or
match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
};

filter f_cisco_asa_nohost {
match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
};
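Review bot: The two alternatives in f_cisco_asa are not the same regex — the message() match requires a trailing `: ` (colon-space) while the LEGACY_MSGHDR match stops at `:` — and the LEGACY_MSGHDR pattern is then repeated verbatim in f_cisco_asa_nohost, so the two filters can silently drift apart on the next edit. Defining the nohost filter first and referencing it from f_cisco_asa keeps a single copy of that pattern: `filter f_cisco_asa { message('^%ASA-\d+-\d{1,10}: ') or filter(f_cisco_asa_nohost); };`. A comment on f_cisco_asa_nohost saying when the %ASA header ends up in LEGACY_MSGHDR rather than MESSAGE — presumably when the message carries no hostname and the parser consumes the header token as the host — would help readers of the log path that branches on it.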
6 changes: 5 additions & 1 deletion package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
Expand Up @@ -27,7 +27,11 @@ log {
};
parser {p_add_context_splunk(key("cisco_asa")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
if (filter (f_cisco_asa_nohost)) {
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
} else {
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
};

{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no")) }}
destination(d_hec);
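Review bot: The new branch references `t_legacy_hdr_msg`, but no definition of that template appears anywhere in this commit; unless it already exists in templates.conf, syslog-ng will refuse to load the configuration, which is worth checking before merge. The reason for the branch is also not stated in the file: presumably a message with no hostname has its %ASA header parsed into LEGACY_MSGHDR, so MSG has to be reassembled from the legacy header rather than from the message body alone. A comment above the `if` would make that explicit, e.g. `# No hostname in the message: the %ASA header landed in LEGACY_MSGHDR, so rebuild MSG from it`. The enclosing log block starts above this hunk and continues below it.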
8 changes: 4 additions & 4 deletions package/etc/go_templates/source_network.t
Expand Up @@ -60,14 +60,14 @@ source s_{{ .port_id }} {
};
{{ if eq .parser "rfc3164" }}
parser {
syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
syslog-parser(time-zone({{getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}}));
};
rewrite(set_rfc3164);
{{ else if eq .parser "rfc3164_version" }}
# filter(f_rfc3164_version);
rewrite(set_rfc3164_no_version_string);
parser {
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}}));
};
rewrite(set_rfc3164_version);
{{ else if eq .parser "rfc5424_strict" }}
Expand Down Expand Up @@ -104,7 +104,7 @@ source s_{{ .port_id }} {
filter(f_rfc3164_version);
rewrite(set_rfc3164_no_version_string);
parser {
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}}));
};
rewrite(set_rfc3164_version);
} elif {
Expand All @@ -118,7 +118,7 @@ source s_{{ .port_id }} {
rewrite(set_cisco_ios);
} else {
parser {
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone));
syslog-parser(time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}) flags(guess-timezone {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}}));
};
rewrite(set_rfc3164);
};
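Review bot: The same gomplate expression `{{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}}` is pasted into all four syslog-parser lines touched in this file, so a future change to the variable name or its default has four places to miss. Evaluating it once at the top of the template (outside these hunks), `{{- $store_raw := conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no") -}}`, and writing `flags(guess-timezone {{- if $store_raw }} store-raw-message {{- end}})` in each parser keeps one source of truth. The `"no"` default that leaves raw capture off is the right choice given the overhead the docs describe, and the `{{-` trims look correct: the flag renders as `guess-timezone store-raw-message` when set and collapses back to `guess-timezone` when not.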
21 changes: 21 additions & 0 deletions tests/test_cisco_asa.py
Expand Up @@ -36,6 +36,27 @@ def test_cisco_asa_traditional(record_property, setup_wordlist, setup_splunk):

assert resultCount == 1

# <164>Jan 31 2020 17:24:03: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x0C190BF9, sequence number= 0x598243) from 192.0.0.1 (user= 192.0.0.1) to 192.0.0.2 that failed anti-replay checking.
def test_cisco_asa_traditional_nohost(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string(
"{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %}: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x0C190BF9, sequence number= 0x598243) from {host} (user= 192.0.0.1) to 192.0.0.2 that failed anti-replay checking.\n")
message = mt.render(mark="<111>", host=host)

sendsingle(message)

st = env.from_string("search index=netfw sourcetype=\"cisco:asa\" \"%ASA-4-402119\" \"{host}\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1


# <166>2018-06-27T12:17:46Z asa : %ASA-3-710003: TCP access denied by ACL from 179.236.133.160/8949 to outside:72.142.18.38/23
def test_cisco_asa_rfc5424(record_property, setup_wordlist, setup_splunk):
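Review bot: In test_cisco_asa_traditional_nohost the message template uses `{host}` rather than Jinja's `{{ host }}`, so with default delimiters `mt.render(mark="<111>", host=host)` leaves the literal text `{host}` in the message and the random host is never sent; the search template repeats the same `\"{host}\"` literal, so the query matches that literal string too and the test passes only by coincidence, while the `| head 2` / `resultCount == 1` check is no longer isolated from earlier runs that sent the identical event. Change both placeholders: `... from {{ host }} (user= 192.0.0.1) ...` in the message template and `\"%ASA-4-402119\" \"{{ host }}\" | head 2` in the search. This assumes `env` is a Jinja environment with default delimiters, which the `{{ mark }}` and `{% now %}` tags suggest but the hunk does not show.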
