Fixes #129 Support Checkpoint Splunk Log exporter format (#137)
* Checkpoint Splunk Format
Ryan Faircloth
authored and
GitHub
committed
Oct 12, 2019
1 parent
9f42d48
commit f61e177
Showing
7 changed files
with
349 additions
and
0 deletions.
| @@ -0,0 +1,57 @@ | ||
| filter f_checkpoint_splunk { | ||
| match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("RAWMSG") type("pcre")); | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_alerts { | ||
| match('*IOS Profile*' value('.kv.product') type('glob')) | ||
| or match('*Device*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_Change { | ||
| match('*Application Control*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_DLP { | ||
| match('*DLP*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_email { | ||
| match('*MTA*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Spam*' value('.kv.product') type('glob')) | ||
| or match('*Anti Spam*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_IDS { | ||
| match('*IPS*' value('.kv.product') type('glob')) | ||
| or match('*WIFI*' value('.kv.product') type('glob')) | ||
| or match('*Cellular*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_IDS_Malware { | ||
| match('*Threat Emulation*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Virus*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Bot*' value('.kv.product') type('glob')) | ||
| or match('*Threat Extraction*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Ransomware*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Exploit**' value('.kv.product') type('glob')) | ||
| or match('*Forensics*' value('.kv.product') type('glob')) | ||
| or match('*OS Exploit*' value('.kv.product') type('glob')) | ||
| or (match('*Application*' value('.kv.product') type('glob')) and not match('*Application Control*' value('.kv.product') type('glob'))) | ||
| or match('*Text Message*' value('.kv.product') type('glob')) | ||
| or match('*Network Access*' value('.kv.product') type('glob')) | ||
| or match('*Zero Phishing*' value('.kv.product') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_NetworkSessions { | ||
| match('*VPN*' value('.kv.product') type('glob')) | ||
| or match('*Mobile*' value('.kv.product') type('glob')) | ||
| or match('*VPN*' value('.kv.fw_subproduct') type('glob')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_NetworkTraffic { | ||
| match('*Firewall*' value('.kv.product') type('glob')) | ||
| and not match('*VPN*' value('.kv.fw_subproduct') type('glob')) | ||
| }; | ||
| filter f_checkpoint_splunk_Web { | ||
| match('*Url Filtering*' value('.kv.product') type('glob')) | ||
| }; |
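Review bot: `f_checkpoint_splunk_alerts` and `f_checkpoint_splunk_Change` are defined in this file but the log path added in p_rfc3164-checkpoint_splunk.conf.tmpl never references them, so Application Control and IOS Profile/Device events fall through to the default cp_log/netops routing; unless one of the other changed files wires them in, either add `elif` branches for them in the log path or drop the dead filters. The glob in `f_checkpoint_splunk_IDS_Malware`, `'*Anti-Exploit**'`, has a doubled trailing star — harmless to glob matching but it reads as a typo next to the other patterns, and `'*Anti-Exploit*'` would follow the file's convention. The file also has no header comment; a short one stating that these filters route Check Point Log Exporter events by the `.kv.product` key populated by the kv-parser in the log path, and that `f_checkpoint_splunk` alone keys off RAWMSG before any parsing has happened, would help the next maintainer see why the two kinds of match differ.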
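--- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl
@@ -0,0 +1,72 @@
+# Checkpoint Splunk format
+{{- if (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") "no") "no") }}
+{{ $context := dict "port_id" "CHECKPOINT_SPLUNK" "parser" "common" }}
+{{ tmpl.Exec "t/source_network.t" $context }}
+{{- end -}}
+{{ define "log_path" }}
+log {
+{{- if eq (.) "yes"}}
+source(s_default-ports);
+filter(f_is_rfc3164);
+filter(f_checkpoint_splunk);
+{{- end}}
+{{- if eq (.) "no"}}
+source (s_dedicated_port_CHECKPOINT_SPLUNK);
+{{- end}}
+
+parser {
+kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
+date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}));
+
+};
+
+rewrite { set("${.kv.hostname}", value("HOST")); };
+
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), index("netops"), template("t_hdr_msg"))};
+parser {p_add_context_splunk(key("checkpoint_splunk")); };
+
+if {
+filter(f_checkpoint_splunk_NetworkTraffic);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); };
+} elif {
+filter(f_checkpoint_splunk_Web);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_web")); };
+} elif {
+filter(f_checkpoint_splunk_NetworkSessions);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); };
+} elif {
+filter(f_checkpoint_splunk_IDS_Malware);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+} elif {
+filter(f_checkpoint_splunk_IDS);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+} elif {
+filter(f_checkpoint_splunk_email);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_email")); };
+} elif {
+filter(f_checkpoint_splunk_DLP);
+rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"), template("t_standard"))};
+parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
+};
+
+
+parser (compliance_meta_by_source);
+
+destination(d_hec); #--HEC--
+
+flags(flow-control);
+};
+{{- end}}
+{{- if (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CHECKPOINT_SPLUNK_TLS_PORT") "no") "no") }}
+# Listen on the specified dedicated port(s) for CHECKPOINT_SPLUNK traffic
+{{ tmpl.Exec "log_path" "no" }}
+{{- end}}
+
+# Listen on the default port (typically 514) for CHECKPOINT_SPLUNK traffic
+{{ tmpl.Exec "log_path" "yes" }}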
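Review bot: The `date-parser(format("%s") template("${.kv.time}") …)` in the first parser block is unconditional, so an event whose `time` key is missing or not an epoch integer makes that parser fail and, if I recall syslog-ng's parser semantics correctly, stops this log path for the message before it reaches `d_hec` — the event is lost rather than indexed with the receive time, which is a quiet telemetry gap for exactly the malformed records an analyst would want to see. Guard it, e.g. `if { filter(match('.+' value('.kv.time'))); parser { date-parser(format("%s") template("${.kv.time}") time-zone(...)); }; };`, so an unparsable timestamp degrades to the default timestamp instead of dropping the record. The same consideration applies to `rewrite { set("${.kv.hostname}", value("HOST")); };`, which blanks HOST whenever the key is absent; a `condition()` on the set would keep the transport-level host in that case. Separately, the DLP branch sets `source("firewall")` where every other branch names its own category, which looks like a copy-paste slip — `source("dlp")` if that is the intent.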