Merge pull request #444 from splunk/feature/3.27.1

Update source template for multiple listener per log path
CSVD · May 8, 2020 · f68e831 · f68e831
2 parents 5110d74 + 661a4e4
commit f68e831
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 7 deletions.
diff --git a/docs/sources/index.md b/docs/sources/index.md
@@ -19,3 +19,13 @@ A key aspect of SC4S is to properly set Splunk metadata prior to the data arrivi
 
 It is understood that default values will need to be changed in many installations.  Each source documented in this section has a table entitled "Sourcetype and Index Configuration", which highlights the default index and sourcetype for each source.  See the section "SC4S metadata configuration" in the "Configuration" page for more information on how to override the default values in this table.
 
+## Unique listening ports
+
+SC4S supports unique listening ports for each source technology/log path (e.g. Cisco ASA), which is useful when the device is
+sending data on a port different from the typical default syslog port (UDP port 514).  In some cases, when the source device emits data that
+is not able to be distinguished from other device types, a unique port is sometimes required.  The specific environment variables used for
+setting "unique ports" are outlined in each source document in this section.
+
+In most cases only one "unique port" is needed for each source.  However, SC4S also supports multiple network listening ports per source,
+which can be useful for a narrow set of compliance use cases. When configuring a source port variable to enable multiple ports, use a
+comma-separated list with no spaces (e.g. `SC4S_LISTEN_CISCO_ASA_UDP_PORT=5005,6005`).
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
@@ -1,9 +1,12 @@
 {{ define "UDP" }}
+{{- $port_id := .port_id }}
+{{- $port := .port }}
+    {{- range (math.Seq (getenv "SC4S_SOURCE_LISTEN_UDP_SOCKETS" "1"))}}
         syslog (
                 transport("udp")
                 so-reuseport(1)
-                persist-name("{{ .port_id }}{{ .instance }}")
-                port({{ getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT") "514" }})
+                persist-name("{{ $port_id }}_{{ $port }}_{{ . }}")
+                port({{ $port }})
                 ip-protocol(4)
                 so-rcvbuf({{getenv "SC4S_SOURCE_UDP_SO_RCVBUFF" "1703936"}})
                 keep-hostname(yes)
@@ -13,6 +16,7 @@
                 chain-hostnames(off)
                 flags(validate-utf8, no-parse {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
             );   
+    {{- end}}
 {{- end}}
 
 {{ define "T1" }}
@@ -24,15 +28,16 @@ source s_{{ .port_id }} {
         source {
 {{- if or (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT")) (eq .port_id "DEFAULT") }}
 {{- $port_id := .port_id }}
-{{- range (math.Seq (getenv "SC4S_SOURCE_LISTEN_UDP_SOCKETS" "1"))}}
-{{- $context := dict "instance" . "port_id" $port_id }}
+{{- range split (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT") "514") "," }}                
+{{- $context := dict "port" . "port_id" $port_id }}
 {{- template "UDP"  $context }}
 {{- end}}
 {{- end}}
 {{- if or (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) (eq .port_id "DEFAULT") }}
+        {{- range split (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT") "514") "," }}                                
             network (
-                transport("tcp")
-                port({{ getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT") "514" }})
+                transport("tcp")                
+                port({{ . }})
                 ip-protocol(4)
                 max-connections({{getenv "SC4S_SOURCE_TCP_MAX_CONNECTIONS" "2000"}})
                 log-iw-size({{getenv "SC4S_SOURCE_TCP_IW_SIZE" "20000000"}})
@@ -44,8 +49,10 @@ source s_{{ .port_id }} {
                 chain-hostnames(off)
                 flags(validate-utf8, no-parse {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
             );
+        {{- end }}
 {{- end}}
 {{- if (conv.ToBool (getenv "SC4S_SOURCE_TLS_ENABLE" "no")) }}
+        {{- range split (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT") "6514") "," }}                
             network(
                 transport("tls")
                 port({{ getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT") "6514" }})
@@ -66,6 +73,7 @@ source s_{{ .port_id }} {
                     cipher-suite("{{- getenv "SC4S_SOURCE_TLS_CIPHER_SUITE" "HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH" }}")
                     )
             );
+    {{- end }}            
 {{- end}}
         };
 {{ if eq .parser "rfc3164" }}

diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
@@ -36,7 +36,8 @@ services:
       - SC4S_LISTEN_CISCO_IOS_TCP_PORT=5002
       - SC4S_LISTEN_CISCO_MERAKI_TCP_PORT=5003
       - SC4S_LISTEN_JUNIPER_IDP_TCP_PORT=5004
-      - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005
+      - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005,6005
+      - SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT=5005,6005
       - SC4S_LISTEN_PFSENSE_TCP_PORT=5006
       - SC4S_LISTEN_CISCO_ASA_UDP_PORT=5001
       - SC4S_LISTEN_CISCO_IOS_UDP_PORT=5002
@@ -47,6 +48,7 @@ services:
       - SC4S_LISTEN_F5_BIGIP_UDP_PORT=5007
       - SC4S_ARCHIVE_GLOBAL=no
       - SC4S_SOURCE_STORE_RAWMSG=yes
+      - SC4S_SOURCE_LISTEN_UDP_SOCKETS=2
   splunk:
     build:
       context: ../splunk