From bc6319e829a1f362bac9a380cb05255d195f0309 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 19 May 2020 13:41:11 -0400
Subject: [PATCH 1/5] Fix

---
 .../conf.d/filters/cisco/cisco_syslog.conf | 4 +-
 tests/test_cisco_nx_os.py | 70 ++++++++++++++++---
 2 files changed, 64 insertions(+), 10 deletions(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index e750fc7..9dbcd43 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -52,7 +52,9 @@ parser cisco-parser-ex{
         set(
             "${13}",
             value("HOST")
-            condition(not match('^\d+$', value('13')) and match('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' value('13')))
+            condition(not match('^\d+$', value('13'))
+            and not match('^[A-Za-z]{1,3}' value('13'))
+            and match('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' value('13')))
         );
         set(
             "${15}",
diff --git a/tests/test_cisco_nx_os.py b/tests/test_cisco_nx_os.py
index 3f386f5..97888c2 100644
--- a/tests/test_cisco_nx_os.py
+++ b/tests/test_cisco_nx_os.py
@@ -13,7 +13,9 @@ env = Environment()
 
 
 # Nov 1 14:07:58 excal-113 %MODULE-5-MOD_OK: Module 1 is online
-def test_cisco_nx_os(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+def test_cisco_nx_os(
+    record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+):
     host = get_host_key
 
     dt = datetime.datetime.now()
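Review bot: The added `and not match('^[A-Za-z]{1,3}' value('13'))` has no end anchor, so it is true for any value that begins with a letter, and the condition now rejects every alphabetic hostname as HOST rather than just a 1–3 letter token such as a timezone abbreviation; only values starting with a digit (IP addresses) can still pass. If the intent is to skip a bare timezone token, the pattern needs an end anchor, `and not match('^[A-Za-z]{1,3}$' value('13'))`. The `set()` block this condition belongs to starts before the hunk, and later patches in this series rewrite the condition again.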
@@ -23,12 +25,17 @@ def test_cisco_nx_os(record_property, setup_wordlist, get_host_key, setup_splunk
     epoch = epoch[:-7]
 
     mt = env.from_string(
-        "{{ mark }} {{ bsd }} csconx-{{ host }} %MODULE-5-MOD_OK: Module 1 is online")
-    message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
+        "{{ mark }} {{ bsd }} csconx-{{ host }} %MODULE-5-MOD_OK: Module 1 is online"
+    )
+    message = mt.render(
+        mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+    )
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search _time={{ epoch }} index=netops host=\"csconx-{{ host }}\" sourcetype=\"cisco:ios\"")
+    st = env.from_string(
+        'search _time={{ epoch }} index=netops host="csconx-{{ host }}" sourcetype="cisco:ios"'
+    )
     search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -39,7 +46,10 @@ def test_cisco_nx_os(record_property, setup_wordlist, get_host_key, setup_splunk
 
     assert resultCount == 1
 
-def test_cisco_nx_os_soup(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+
+def test_cisco_nx_os_soup(
+    record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+):
     host = get_host_key
 
     dt = datetime.datetime.now()
@@ -49,12 +59,17 @@ def test_cisco_nx_os_soup(record_property, setup_wordlist, get_host_key, setup_s
     epoch = epoch[:-7]
 
     mt = env.from_string(
-        "{{ mark }} {{ bsd }} {{ host }} %MODULE-5-MOD_OK: Module 1 is online")
-    message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
+        "{{ mark }} {{ bsd }} {{ host }} %MODULE-5-MOD_OK: Module 1 is online"
+    )
+    message = mt.render(
+        mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+    )
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cisco:ios\"")
+    st = env.from_string(
+        'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="cisco:ios"'
+    )
     search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -65,9 +80,46 @@ def test_cisco_nx_os_soup(record_property, setup_wordlist, get_host_key, setup_s
 
     assert resultCount == 1
 
+
+# <187>364241: May 19 16:58:44.814 GMT: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 1.1.1.1 Vlan1
+def test_cisco_nx_os_soup2(
+    record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+):
+    host = get_host_key
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }}364241: {{ bsd }} GMT: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve {{ host }} Vlan1\n"
+    )
+    message = mt.render(
+        mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+    )
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} host!=GMT index=netops sourcetype="cisco:ios" {{ host }}'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
+
+#%ADJ-3-RESOLVE_REQ
 # Nov 1 14:07:58 excal-113 %MODULE-5-MOD_OK: Module 1 is online
 # @pytest.mark.xfail
-#def test_cisco_nx_os_singleport(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+# def test_cisco_nx_os_singleport(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
 # host = get_host_key
 #
 # dt = datetime.datetime.now()
From ee938f70122c3641b304feb276eb187a64784033 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 19 May 2020 16:03:34 -0400
Subject: [PATCH 2/5] Update cisco_syslog.conf

---
 .../etc/conf.d/filters/cisco/cisco_syslog.conf | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

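Review bot: The search in the new `test_cisco_nx_os_soup2` only asserts that the event did not end up with `host=GMT`; it never pins which host the parser actually assigned, so a regression that stores the sequence number, `Vlan1` or any other token as HOST still passes. If the fixture's expected host for an event carrying no host field is known, assert it directly, e.g. `host="<expected-host>"` (placeholder) in the search template, instead of `host!=GMT`. Two smaller points in the same hunk: `{{ host }}` is rendered into the "Failed to resolve ... Vlan1" position, where the sample in the comment above the test shows an IP address, so the message is not representative of real parser input; and the stray `#%ADJ-3-RESOLVE_REQ` comment added after the function carries no information and should go.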
diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf index 9dbcd43..a714288 100644 --- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf +++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf @@ -40,7 +40,8 @@ parser cisco-parser-ex{ } else { # All other cisco syslog filter { - message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Za-z]{3,3} )?)? ?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches)); + message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Za-z]{3,3} )?)? ?((?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' + flags(store-matches)); }; rewrite { 
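Review bot: The `GMT`-as-host problem this series chases originates in this regex rather than in the `condition()` blocks: the timezone group `( [A-Za-z]{3,3} )?` requires a trailing space, so in `May 19 16:58:44.814 GMT: %ADJ-3-RESOLVE_REQ: ...` the token is not consumed as a timezone, the following optional host group (now group 11) takes it, and HOST becomes `GMT`. Letting the timezone be followed by either a space or the message colon, `( [A-Za-z]{3,3}(?=[ :]))?`, keeps it out of the host group without changing the group numbering (PCRE lookahead, which the `store-matches` matcher should accept — confirm); the trade-off is that a purely alphabetic 3-letter hostname placed directly after the timestamp would then be read as a timezone, which deserves a comment next to the pattern. The `filter {}` and `parser cisco-parser-ex{}` blocks this hunk belongs to start before it.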
@@ -50,18 +51,15 @@ parser cisco-parser-ex{
             condition(not match('^\d+$', value('4')) and match('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' value('4')))
         );
         set(
-            "${13}",
+            "${11}",
             value("HOST")
-            condition(not match('^\d+$', value('13'))
-            and not match('^[A-Za-z]{1,3}' value('13'))
-            and match('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' value('13')))
-        );
-        set(
-            "${15}",
-            value("PROGRAM")
+            condition(
+                not match('^\d+$', value('11'))
+                and match('^[A-Za-z]{1,3}.+' value('11'))
+                and match('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' value('11')))
         );
         set(
-            "${14}",
+            "${12}",
             value("MESSAGE")
         );
     };
From 273e96f06aaeb924daaaafc5f41ac00ff4c1a2fd Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 19 May 2020 16:27:57 -0400
Subject: [PATCH 3/5] Update test_cisco_nx_os.py

---
 tests/test_cisco_nx_os.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_cisco_nx_os.py b/tests/test_cisco_nx_os.py
index 97888c2..bb08dcb 100644
--- a/tests/test_cisco_nx_os.py
+++ b/tests/test_cisco_nx_os.py
@@ -97,7 +97,7 @@ def test_cisco_nx_os_soup2(
         "{{ mark }}364241: {{ bsd }} GMT: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve {{ host }} Vlan1\n"
     )
     message = mt.render(
-        mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+        mark="<111>", bsd=bsd, date=date, time=time, tzoffset=tzoffset
     )
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
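Review bot: The `set("${15}", value("PROGRAM"))` block is deleted without a replacement: by my count of the capture groups in the new message regex the program token `(\%[^\: ]+)` is group 13, so PROGRAM should now be set from `"${13}"` rather than dropped, e.g. re-add `set("${13}", value("PROGRAM"));` next to the MESSAGE assignment — unless PROGRAM is deliberately left to a later stage, in which case a comment here should say so. Separately, the new `and match('^[A-Za-z]{1,3}.+' value('11'))` requires the host to start with a letter, which excludes the dotted-quad alternative that the following `match()` explicitly admits; the later patches in the series revise this line. The `parser cisco-parser-ex{}` block this hunk belongs to starts before it.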
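Review bot: Dropping `host=host` from `mt.render(...)` leaves the `{{ host }}` in the template on the first line of the hunk unbound, and with the default `Environment()` shown earlier in the file Jinja renders it as an empty string, so the message becomes `Failed to resolve  Vlan1` while the search template in the same function still interpolates `host` and looks for a token the event no longer contains. If the goal was to send a fixed address in that position, bind it explicitly in both the message and the search rather than leaving it undefined. The enclosing function starts before the hunk; the next patch in the series restores `host=host`.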
From 235f2a182f981c4828de9097d7b5bc4eabb3ed5e Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 19 May 2020 16:53:58 -0400
Subject: [PATCH 4/5] fix test

---
 package/etc/conf.d/filters/cisco/cisco_syslog.conf | 2 +-
 tests/test_cisco_nx_os.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index 90ecbbb..d1a77ae 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -60,7 +60,7 @@ parser cisco-parser-ex{
             value("HOST")
             condition(
                 not match('^\d+$', value('11'))
-                and match('^[A-Za-z]{1,3}.+' value('11'))
+                and match('^[A-Za-z0-9]{4,}$' value('11'))
                 and match('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' value('11')))
         );
         set(
diff --git a/tests/test_cisco_nx_os.py b/tests/test_cisco_nx_os.py
index bb08dcb..97888c2 100644
--- a/tests/test_cisco_nx_os.py
+++ b/tests/test_cisco_nx_os.py
@@ -97,7 +97,7 @@ def test_cisco_nx_os_soup2(
         "{{ mark }}364241: {{ bsd }} GMT: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve {{ host }} Vlan1\n"
     )
     message = mt.render(
-        mark="<111>", bsd=bsd, date=date, time=time, tzoffset=tzoffset
+        mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
     )
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
From 5915fe012f97223f16ec5a1886d6d53d338ae1a8 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 19 May 2020 17:22:27 -0400
Subject: [PATCH 5/5] Update cisco_syslog.conf

---
 package/etc/conf.d/filters/cisco/cisco_syslog.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index d1a77ae..a4f0381 100644
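Review bot: `^[A-Za-z0-9]{4,}$` rejects any host value containing `-` or `.`, so hyphenated names like the `excal-113` in the file's own sample comment and every FQDN no longer satisfy the condition even though the following `match()` explicitly admits them. Since that following alternative already constrains the character set, this line should only constrain length and not re-specify characters; the last patch in the series relaxes it to `^.{4,}$`. The `set()` block this condition belongs to starts before the hunk.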
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -60,7 +60,7 @@ parser cisco-parser-ex{
             value("HOST")
             condition(
                 not match('^\d+$', value('11'))
-                and match('^[A-Za-z0-9]{4,}$' value('11'))
+                and match('^.{4,}$' value('11'))
                 and match('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' value('11')))
         );
         set(
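Review bot: `^.{4,}$` is a length heuristic standing in for the real distinction (timezone token versus host): it now drops legitimate hostnames of three characters or fewer from HOST, while four-letter timezone abbreviations such as `CEST` never match the timestamp regex's `[A-Za-z]{3,3}` group, pass all three checks here, and would be stored as HOST exactly as `GMT` was. If the heuristic stays it needs a comment stating what it excludes and why, e.g. `# length >= 4 stops a 3-letter timezone token (GMT) that slipped past the timestamp regex from becoming HOST; hosts shorter than 4 chars are not set`. A narrower exclusion of the actual token shape, `and not match('^[A-Z]{3,4}$' value('11'))`, would keep short hostnames and also catch 4-letter abbreviations at the cost of all-uppercase 3–4 letter hostnames; consuming `GMT:` in the timestamp regex itself would avoid the trade-off entirely. The `set()` block this condition belongs to starts before the hunk.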