Fixes #129 Support Checkpoint Splunk Log exporter format (#137)
* Checkpoint Splunk Format
Ryan Faircloth authored and GitHub committed Oct 12, 2019
1 parent 9f42d48 commit f61e177
Showing 7 changed files with 349 additions and 0 deletions.
65 changes: 65 additions & 0 deletions docs/sources.md
@@ -1,3 +1,68 @@
# Vendor - Checkpoint

## Product - Log Exporter (Splunk)

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ |
| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| cp_log | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| checkpoint_splunk | cp_log | netfw | none |

### Source and Index Configuration

Checkpoint Software blades with CIM mapping have been sub-grouped into sources
to allow routing to appropriate indexes. All other source meta data is left at default

| key | source | index | notes |
|----------------|----------------|----------------|----------------|
| checkpoint_splunk_dlp | dlp | netdlp | none |
| checkpoint_splunk_email | email | email | none |
| checkpoint_splunk_firewall | firewall | netfw | none |
| checkpoint_splunk_sessions | sessions | netops | none |
| checkpoint_splunk_web | web | netproxy | none |

### Filter type

MSG Parse: This filter parses message content

### Setup and Configuration

* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
* Follow vendor configuration steps per Product Manual above ensure:
* Log Level is 6 "Informational"
* Protocol is TCP/IP
* permit-hostdown is on
* device-id is hostname and included
* timestamp is included

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined |

### Verification

Use the following search to validate events are present

```
index=<asconfigured> sourcetype=cisco:asa
```

Verify timestamp, and host values match as expected
# Vendor - Cisco

## Product - ASA (Pre Firepower)
2 changes: 2 additions & 0 deletions package/etc/conf.d/conflib/_splunk/splunkfields.conf
Expand Up @@ -10,10 +10,12 @@ rewrite r_set_splunk_default {
#overridden by user defined values
block rewrite r_set_splunk_dest_default(
index()
source("${.splunk.source}")
sourcetype()
template(`splunk-template`)
) {
set("`index`", value(".splunk.index"));
set("`source`", value(".splunk.source"));
set("`sourcetype`", value(".splunk.sourcetype"));
set("`template`", value("fields.sc4s_template"));
};
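Review bot: The `source("${.splunk.source}")` parameter is the only argument of `r_set_splunk_dest_default` whose default re-sets the current value, so a caller that omits it keeps whatever `.splunk.source` was already set to, whereas omitting `index()` or `sourcetype()` would set the corresponding `.splunk.*` field to an empty string; that asymmetry is not obvious from the block and deserves a line above it, e.g. `# source() defaults to the current .splunk.source so callers may omit it; index()/sourcetype() have no such fallback`. This assumes the two added lines are the `source()` parameter and the matching `set("`source`", value(".splunk.source"));`, which is what the +2/-0 count and the callers in p_rfc3164-checkpoint_splunk.conf.tmpl suggest. The enclosing `rewrite r_set_splunk_default` named in the hunk header starts before this hunk.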
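--- a/package/etc/conf.d/filters/checkpoint/splunk.conf
+++ b/package/etc/conf.d/filters/checkpoint/splunk.conf
@@ -0,0 +1,57 @@
+filter f_checkpoint_splunk {
+match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("RAWMSG") type("pcre"));
+};
+
+filter f_checkpoint_splunk_alerts {
+match('*IOS Profile*' value('.kv.product') type('glob'))
+or match('*Device*' value('.kv.product') type('glob'))
+};
+
+filter f_checkpoint_splunk_Change {
+match('*Application Control*' value('.kv.product') type('glob'))
+};
+
+filter f_checkpoint_splunk_DLP {
+match('*DLP*' value('.kv.product') type('glob'))
+};
+
+filter f_checkpoint_splunk_email {
+match('*MTA*' value('.kv.product') type('glob'))
+or match('*Anti-Spam*' value('.kv.product') type('glob'))
+or match('*Anti Spam*' value('.kv.product') type('glob'))
+};
+
+filter f_checkpoint_splunk_IDS {
+match('*IPS*' value('.kv.product') type('glob'))
+or match('*WIFI*' value('.kv.product') type('glob'))
+or match('*Cellular*' value('.kv.product') type('glob'))
+};
+
+filter f_checkpoint_splunk_IDS_Malware {
+match('*Threat Emulation*' value('.kv.product') type('glob'))
+or match('*Anti-Virus*' value('.kv.product') type('glob'))
+or match('*Anti-Bot*' value('.kv.product') type('glob'))
+or match('*Threat Extraction*' value('.kv.product') type('glob'))
+or match('*Anti-Ransomware*' value('.kv.product') type('glob'))
+or match('*Anti-Exploit**' value('.kv.product') type('glob'))
+or match('*Forensics*' value('.kv.product') type('glob'))
+or match('*OS Exploit*' value('.kv.product') type('glob'))
+or (match('*Application*' value('.kv.product') type('glob')) and not match('*Application Control*' value('.kv.product') type('glob')))
+or match('*Text Message*' value('.kv.product') type('glob'))
+or match('*Network Access*' value('.kv.product') type('glob'))
+or match('*Zero Phishing*' value('.kv.product') type('glob'))
+};
+
+filter f_checkpoint_splunk_NetworkSessions {
+match('*VPN*' value('.kv.product') type('glob'))
+or match('*Mobile*' value('.kv.product') type('glob'))
+or match('*VPN*' value('.kv.fw_subproduct') type('glob'))
+};
+
+filter f_checkpoint_splunk_NetworkTraffic {
+match('*Firewall*' value('.kv.product') type('glob'))
+and not match('*VPN*' value('.kv.fw_subproduct') type('glob'))
+};
+filter f_checkpoint_splunk_Web {
+match('*Url Filtering*' value('.kv.product') type('glob'))
+};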
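Review bot: `f_checkpoint_splunk_alerts` and `f_checkpoint_splunk_Change` are defined but the log path added in the same commit (p_rfc3164-checkpoint_splunk.conf.tmpl) never references them, so `Application Control` events, which `f_checkpoint_splunk_IDS_Malware` explicitly excludes, fall through to the default routing with no dedicated source; either wire the two filters into the `if`/`elif` chain or remove them so the filter set matches what is routed. `'*Anti-Exploit**'` carries a stray second `*`; `'*Anti-Exploit*'` is the intended glob and the one consistent with the other patterns. `f_checkpoint_splunk` is the vendor detector evaluated against `RAWMSG` for every event on the shared port, so a short comment naming the two log shapes it keys on (an `origin_sic_name`/`originsicname` pair starting with `cn`, or `product=SmartConsole`) would help whoever next has to tune it.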
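--- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
@@ -0,0 +1,72 @@
+# Checkpoint Splunk format
+{{- if (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") "no") "no") }}
+{{ $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
+{{ tmpl.Exec "t/source_network.t" $context }}
+{{- end -}}
+{{ define "log_path" }}
+log {
+{{- if eq (.) "yes"}}
+source(s_default-ports);
+filter(f_is_rfc3164);
+filter(f_checkpoint_splunk);
+{{- end}}
+{{- if eq (.) "no"}}
+source (s_dedicated_port_CHECKPOINT_SPLUNK);
+{{- end}}
+
+parser {
+kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
+date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}));
+
+};
+
+rewrite { set("${.kv.hostname}", value("HOST")); };
+
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), index("netops"), template("t_hdr_msg"))};
+parser {p_add_context_splunk(key("checkpoint_splunk")); };
+
+if {
+filter(f_checkpoint_splunk_NetworkTraffic);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); };
+} elif {
+filter(f_checkpoint_splunk_Web);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_web")); };
+} elif {
+filter(f_checkpoint_splunk_NetworkSessions);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); };
+} elif {
+filter(f_checkpoint_splunk_IDS_Malware);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+} elif {
+filter(f_checkpoint_splunk_IDS);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+} elif {
+filter(f_checkpoint_splunk_email);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_email")); };
+} elif {
+filter(f_checkpoint_splunk_DLP);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
+};
+
+
+parser (compliance_meta_by_source);
+
+destination(d_hec); #--HEC--
+
+flags(flow-control);
+};
+{{- end}}
+{{- if (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") "no") "no") }}
+# Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic
+{{ tmpl.Exec "log_path" "no" }}
+{{- end}}
+
+# Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic
+{{ tmpl.Exec "log_path" "yes" }}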
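Review bot: The DLP branch sets `source("firewall")` while its context key is `checkpoint_splunk_dlp` and the docs/sources.md table in this commit lists source `dlp` for that key; `rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("dlp"), index("netdlp"), template("t_standard"))};` is what the other branches of the chain do for their own source. `rewrite { set("${.kv.hostname}", value("HOST")); };` overwrites the syslog header host unconditionally, so an event with no `hostname` pair ends up with an empty HOST; adding `condition(match('.+' value('.kv.hostname')))` to that `set()` keeps the header value as the fallback. I believe a failing `date-parser` (missing or non-epoch `.kv.time`) stops the message in this log path, which would silently drop such events rather than fall back to the header timestamp — worth confirming and, if so, noting on that line. The two IDS branches route to `index("netids")` under key `checkpoint_splunk_ids`, which appears in neither the documentation table nor the splunk_index.csv entries added in this commit, and the default `index("netops")` here disagrees with the `netfw` shown for `checkpoint_splunk` in the docs table.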
8 changes: 8 additions & 0 deletions package/etc/context_templates/splunk_index.csv
Expand Up @@ -3,6 +3,14 @@
#cef_Incapsula_SIEMintegration,index,netwaf
#cef_Microsoft_Microsoft Windows,index,oswinsec
#cef_Microsoft_System or Application Event,index,oswin
#checkpoint_splunk,index,netops
#checkpoint_splunk_dlp,index,netdlp
#checkpoint_splunk_email,index,email
#checkpoint_splunk_firewall,index,netfw
#checkpoint_splunk_sessions,index,netops
#checkpoint_splunk_web,index,netproxy
#checkpoint_splunk,index,netops
#checkpoint_splunk,index,netops
#cisco_asa,index,netfw
#cisco_ios,index,netops
#cisco_nx_os,index,netops
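Review bot: `#checkpoint_splunk,index,netops` appears three times among the added entries, once at the head of the Check Point group and twice more after `checkpoint_splunk_web`; the two trailing copies look like editing leftovers and should be dropped so each key is listed once. The `netops` value given here for `checkpoint_splunk` also differs from the `netfw` shown for that key in the docs/sources.md table in this commit, so one of the two needs correcting. The new log path additionally uses a `checkpoint_splunk_ids` key that has no entry here.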
5 changes: 5 additions & 0 deletions splunk/etc/apps/SA-syslog-ng/default/indexes.conf
Expand Up @@ -30,6 +30,11 @@ homePath = $SPLUNK_DB/oswinsec/db
coldPath = $SPLUNK_DB/oswinsec/colddb
thawedPath = $SPLUNK_DB/oswinsec/thaweddb

[netdlp]
homePath = $SPLUNK_DB/netdlp/db
coldPath = $SPLUNK_DB/netdlp/colddb
thawedPath = $SPLUNK_DB/netdlp/thaweddb

[netfw]
homePath = $SPLUNK_DB/netfw/db
coldPath = $SPLUNK_DB/netfw/colddb
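Review bot: Only a `[netdlp]` stanza is added, yet the log path in this commit also sends IDS and malware events to a `netids` index; if `netids` is not already defined elsewhere in this file (the visible hunk shows only the `oswinsec`, `netdlp` and `netfw` stanzas, so I cannot tell), Splunk would discard those events unless a last-chance index is configured. Worth confirming and, if it is missing, adding a `[netids]` stanza with the same `homePath`/`coldPath`/`thawedPath` layout as the one added here.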