diff --git a/.readthedocs.yml b/.readthedocs.yml index 2880d22..aae9256 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -9,4 +9,9 @@ mkdocs: formats: all submodules: - exclude: all \ No newline at end of file + exclude: all + +python: + version: 3.7 + install: + - requirements: mkdocs-requirements.txt \ No newline at end of file diff --git a/docs/gettingstarted.md b/docs/gettingstarted/index.md similarity index 94% rename from docs/gettingstarted.md rename to docs/gettingstarted/index.md index e113881..bb432e9 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted/index.md @@ -1,4 +1,6 @@ -# Getting Started +# Before you start + +## Getting Started Splunk Connect for Syslog is a containerized distribution of syslog-ng with a configuration framework designed to simplify getting syslog data into Splunk Enterprise and Splunk Cloud. Our approach is @@ -6,7 +8,7 @@ to provide a runtime-agnostic solution allowing customers to deploy using the co environment of choice. -# Planning Deployment +## Planning Deployment Syslog is an overloaded term that refers to multiple message formats AND optionally a wire protocol for transmission of events between computer systems over UDP, TCP, or TLS. The protocol is designed to minimize @@ -24,11 +26,11 @@ environment. * Plan for appropriately sized hardware (see)[performance.md] -# Implementation +## Implementation -## Splunk Setup +### Splunk Setup -### Create Indexes +#### Create Indexes SC4S is pre-configured to map each sourcetype to a typical index. For new installations, it is best practice to create them in Splunk when using the SC4S defaults. SC4S can be easily customized to use different indexes if desired. @@ -42,7 +44,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes * netipam * em_metrics (ensure this is created as a metrics index) -### Install Related Splunk Apps +#### Install Related Splunk Apps Install the following: 
@@ -50,7 +52,7 @@ Install the following: * [Splunk Add-on for Infrastructure](https://splunkbase.splunk.com/app/4217/) * [Splunk Metrics Workspace](https://splunkbase.splunk.com/app/4192/) *NOTE Included in Splunk 7.3.0 and above* -### Configure the Splunk HTTP Event Collector +#### Configure the Splunk HTTP Event Collector - Set up the Splunk HTTP Event Collector with the HEC endpoints behind a load balancer (VIP) configured for https round robin *WITHOUT* sticky session. Alternatively, a list of HEC endpoint URLs can be configured in SC4S (native Syslog-ng load balancing) if no load balancer is in place. In either case, it is @@ -61,14 +63,14 @@ event destinations. or [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) for specific HEC configuration instructions based on your Splunk type. -## Implement a Container Runtime and SC4S +### Implement a Container Runtime and SC4S -### Prerequisites +#### Prerequisites * Linux host with Docker (CE 19.x or greater with Docker Swarm) or Podman enabled, depending on runtime choice (below). * A network load balancer (NLB) configured for round robin. Note: Special consideration may be required when more advanced products are used. The optimal configuration of the load balancer will round robin each http POST request (not each connection). -### Select a Container Runtime and SC4S Configuration +#### Select a Container Runtime and SC4S Configuration | Container and Orchestration | Notes | |-----------------------------|-------| 
@@ -78,7 +80,7 @@ Splunk type. | [Docker CE + Swarm single node RHEL 7.7](gettingstarted/docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring Docker Compose or Swarm orchestration | | [Bring your own Envionment](gettingstarted/byoe-rhel7.md) | Option for RedHat 7.7 (centos 7) with SC4S configuration without containers | -## Offline Container Installation +### Offline Container Installation Follow these instructions to "stage" SC4S by downloading the container so that it can be loaded "out of band" on a host machine, such as an airgapped system, without internet connectivity. @@ -116,7 +118,7 @@ attempt to obtain the container image via the internet. Environment="SC4S_IMAGE=sc4slocal:latest" ``` -# Scale out +## Scale out Additional hosts can be deployed for syslog collection from additional network zones and locations: diff --git a/docs/logo.png b/docs/logo.png new file mode 100644 index 0000000..fe6f098 Binary files /dev/null and b/docs/logo.png differ diff --git a/docs/sources.md b/docs/sources.md deleted file mode 100644 index 3d868cc..0000000 --- a/docs/sources.md +++ /dev/null 
@@ -1,1089 +0,0 @@ -# Introduction -When using Splunk Connect for Syslog to onboard a data source, the SC4S filter performs the operations that are traditionally performed at index-time by the corresponding Technical Add-on installed there. These index-time operations include linebreaking, sourcetype setting and timestamping. For this reason, if a data source is exclusively onboarded using SC4S then you will not need to install its corresponding Add-On on the indexers. You must, however, install the Add-on on the search head(s) for the user communities interested in this data source. - -SC4S "unique" filters are based either on the port upon which events arrive or the hostname/CIDR block from which they are sent. The "soup" filters run for events that arrive on port 514 (default for syslog), and contain regex and other syslog-specific parsers to identify events from a specific source, apply the correct sourcetype, and set other metadata. Data sources which generate events that are not unique enough to accurately identify with soup filters _must_ employ the "unique" filters (port/hostname/CIDR block) instead -- the soup filters are unavailable for these sources. - -If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help. 
- -# Vendor - Checkpoint - -## Product - Log Exporter (Splunk) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ | -| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cp_log | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| checkpoint_splunk | cp_log | netfw | none | - -### Source and Index Configuration - -Checkpoint Software blades with CIM mapping have been sub-grouped into sources -to allow routing to appropriate indexes. All other source meta data is left at default - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| checkpoint_splunk_dlp | dlp | netdlp | none | -| checkpoint_splunk_email | email | email | none | -| checkpoint_splunk_firewall | firewall | netfw | none | -| checkpoint_splunk_sessions | sessions | netops | none | -| checkpoint_splunk_web | web | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cp_log -``` - -Verify timestamp, and host values match as expected -# Vendor - Cisco - -## Product - ASA (Pre Firepower) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1620/ | -| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:asa | None | -| cisco:pix | Not supported | -| cisco:fwsm | Not supported | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_asa | cisco:asa | netfw | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above ensure: - * Log Level is 6 "Informational" - * Protocol is TCP/IP - * permit-hostdown is on - * device-id is hostname and included - * timestamp is included - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:asa -``` - -Verify timestamp, and host values match as expected - -## Product - IOS and NX-OS based equipment - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1467/ | -| IOS Manual | https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html | -| NX-OS Manual | https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_5syslog.html| -| Cisco ACI | https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf | -| Cisco WLC & AP | https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html#anc8 | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines | - -### Sourcetype and Index Configuration - 
-| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ios | cisco:ios | netops | none | -| cisco_nx_os | cisco:ios | netops | none | - -### Filter type - -* Cisco IOS products can be identified by message parsing alone -* Cisco NX OS, WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_nx_os` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* IOS Follow vendor configuration steps per Product Manual above ensure: - * Ensure a reliable NTP server is set and synced - * Log Level is 6 "Informational" - * Protocol is TCP/IP - * permit-hostdown is on - * device-id is hostname and included - * timestamp is included -* NX-OS Follow vendor configuration steps per Product Manual above ensure: - * Ensure a reliable NTP server is set and synced - * Log Level is 6 "Informational" user may select alternate levels by module based on use cases - * Protocol is TCP/IP - * device-id is hostname and included - * timestamp is included and milisecond accuracy selected -* ACI Logging configuration of the ACI product often varies by use case. 
- * Ensure NTP sync is configured and active - * Ensure proper host names are configured -* WLC - * Ensure NTP sync is configured and active - * Ensure proper host names are configured - * For security use cases per AP logging is required - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present, for NX-OS, WLC and ACI products ensure each host filter condition is verified - -``` -index= sourcetype=cisco:ios | stats count by host -``` - -## Product - ISE - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1915/ | -| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs_chapter_00.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ise:syslog | Aggregation used | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ise | cisco:ise:syslog | netauth | None | - - -### Filter type - -PATTERN MATCH - -### Setup and Configuration - -* No special steps required - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| 
SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:ise:syslog -``` - -Verify timestamp, and host values match as expected - -## Product - Meraki Product Line MR, MS, MX, MV - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3018/ | -| Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| merkai | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes | - - -### Filter type - -IP, Netmask, Host or Port - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=merkai -``` - -Verify timestamp, and host values match as expected - -# Vendor - Forcepoint - -## Product - Webprotect (Websense) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ | -| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| websense:cg:kv | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| forcepoint_webprotect | websense:cg:kv | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command - - -``` -index= sourcetype=websense:cg:kv -``` - -# Vendor - Fortinet - -## Product - Fortigate - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2846/ | -| Product Manual | https://docs.fortinet.com/product/fortigate/6.2 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| fgt_log | The catch all sourcetype is not used | -| fgt_traffic | None | -| fgt_utm | None | -| fgt_event | None - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| fortinet_fortios_traffic | fgt_traffic | netops | none | -| fortinet_fortios_utm | fgt_utm | netids | none | -| fortinet_fortios_event | fgt_event | netops | none | -| fortinet_fortios_log | fgt_log | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. 
-* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - -``` -config log memory filter - -set forward-traffic enable - -set local-traffic enable - -set sniffer-traffic disable - -set anomaly enable - -set voip disable - -set multicast-traffic enable - -set dns enable - -end - -config system global - -set cli-audit-log enable - -end - -config log setting - -set neighbor-event enable - -end - -``` - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command - -``` -diag log test -``` - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm) -``` - -### UTM Message type - -![FortiGate UTM message](FortiGate_utm.png) - -### Traffic Message Type - -![FortiGate Traffic message](FortiGate_traffic.png) - -###Event Message Type -![FortiGate Event message](FortiGate_event.png) - -Verify timestamp, and host values match as expected - -# Vendor - Imperva - -## Product - Incapsula - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ | -| Product Manual | 
https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| Imperva:Incapsula | Common sourcetype | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| cef_Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="Imperva:Incapsula") -``` - -# Vendor - Juniper - -## Product - Juniper JunOS - -| Ref | Link | -|-------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| JunOS TechLibrary | https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-messages-configuring-qfx-series.html | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|------------------------------------------------------------------| -| juniper:junos:firewall | None | -| juniper:junos:idp | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | 
-|----------------------------|------------------------|----------------|---------------| -| juniper_junos_flow | juniper:junos:firewall | netfw | none | -| juniper_junos_idp | juniper:junos:idp | netids | none | -| juniper_junos_utm | juniper:junos:firewall | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | - -### Verification - -Use the following search to validate events are present; for Juniper JunOS ensure each host filter condition is verified - -``` -index= sourcetype=juniper:junos:firewall | stats count by host -index= sourcetype=juniper:junos:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper NSM - -| Ref | Link | -|----------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:nsm | None | -| juniper:nsm:idp | None | - -### Sourcetype and Index Configuration - -| key | 
sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_nsm | juniper:nsm | netfw | none | -| juniper_nsm_idp | juniper:nsm:idp | netids | none | - -### Filter type - -* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified - -``` -index= sourcetype=juniper:nsm | stats count by host -index= sourcetype=juniper:nsm:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper Netscreen - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Netscreen Manual | http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 | - -### Sourcetypes - -| sourcetype | notes | -|-------------------------|------------------------------------------------------------------------------------------------| -| netscreen:firewall | None | -| juniper:idp | None | - -### Sourcetype and Index 
Configuration - -| key | sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_netscreen | netscreen:firewall | netfw | none | -| juniper_idp | juniper:idp | netfw | none | - -### Filter type - -* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper Netscreen products ensure each host filter condition is verified - -``` -index= sourcetype=netscreen:firewall | stats count by host -index= sourcetype=juniper:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper SSLVPN - -| Ref | Link | -|------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:sslvpn | None | - -### Sourcetype and Index Configuration - -| key | sourcetype 
| index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_sslvpn | juniper:sslvpn | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified - -``` -index= sourcetype=juniper:sslvpn | stats count by host -``` - -Verify timestamp, and host values match as expected - -# Vendor - Microfocus ArcSight - -## Product - Internal Agent Events - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ArcSight:ArcSight | Internal logs | - -### Index Configuration - -| key | source | index | notes | 
-|----------------|----------------|----------------|----------------| -| cef_ArcSight_ArcSight | ArcSight:ArcSight | main | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="ArcSight:ArcSight") -``` - -## Product - Microsoft Windows - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| CEFEventLog:System or Application Event | Windows Application and System Event Logs | -| CEFEventLog:Microsoft Windows | Windows Security Event Logs | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| cef_Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none | -| cef_Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | 
oswinsec | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event")) -``` - -# Vendor - PaloAlto - -## Product - NGFW - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ | -| Product Manual | https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pan:log | None | -| pan:traffic | None | -| pan:threat | None | -| pan:system | None | -| pan:config | None | -| pan:hipwatch | None | -| pan:correlation | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| pan_log | pan:log | netops | none | -| pan_traffic | pan:traffic | netfw | none | -| pan_threat | pan:threat | netproxy | none | -| pan_system | pan:system | netops | none | -| pan_config | pan:config | netops | none | -| pan_hipwatch | pan:hipwatch | netops | none | -| pan_correlation | pan:correlation | netops | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search 
head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration - * Select TCP or SSL transport option - * Select IETF Format - * Ensure the format of the event is not customized - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active firewall will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=pan:*| stats count by host -``` - -# Vendor - Proofpoint - -## Product - Proofpoint Protection Server - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3080/ | -| Product Manual | https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pps_filter_log | | -| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. 
| - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| proofpoint_pps_filter | pps_filter_log | email | none | -| proofpoint_pps_sendmail | pps_mail_log | email | none | - - -### Filter type - -MSG Parse: This filter parses message content -* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related -messages to create meaningful final output. This will require follow-on processing in Splunk. - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. | - -### Verification - -One or two sourcetypes are included in Proofpoint PPS logs. 
The search below will surface both of them: - -``` -index= sourcetype=pps_*_log | stats count by host -``` - -# Vendor - Symantec - -## Product - ProxySG/ASG (Bluecoat) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ | -| Product Manual | https://support.symantec.com/us/en/article.tech242216.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| bluecoat:proxysg:access:kv | Requires version TA 3.6 | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| bluecoat_proxy | bluecoat:proxysg:access:kv | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype=bluecoat:proxysg:access:kv | stats count by host -``` - - -# Vendor - Ubiquiti - Unifi - -All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS. - - -* Login to NMS -* Navigate to settings -* Navigate to Site -* Enable Remote syslog server -* Enter hostname and port -* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls - -## Product - Unifi Switch and Access Points - -Unifi devices are managed using the Network Management Controller - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4107/ | -| Product Manual | https://https://help.ubnt.com/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ubnt | Used when no sub source type is required by add on | -| ubnt:fw | USG events | -| ubnt:threat | USG IDS events | -| ubnt:switch | Unifi Switches | -| ubnt:wireless | Access Point logs | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| ubiquiti_unifi | ubnt | netops | none | -| ubiquiti_unifi_fw | ubnt:fw | netfw | none | -| ubiquiti_unifi_link | ubnt:link | netops | none | -| ubiquiti_unifi_sudo | ubnt:sudo | netops | none | -| ubiquiti_unifi_switch | ubnt:switch | netops | none | -| ubiquiti_unifi_threat | ubnt:threat | netids | none | -| ubiquiti_unifi_wireless | ubnt:wireless | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) 
for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` - - -# Vendor - Zscaler - -## Product - All Products - -The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page -26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize -the IP or host name of the SC4S instance and port 514 - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ | -| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. 
| -| zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | -| zscalernss-web | None | -| zscalernss-zpa-app | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-auth | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-connector | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth_connector`` immediately prior to the ``\n`` in the LSS Connector format. See Zscaler manual for more info. | -| zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| zscalernss_alerts | zscalernss-alerts | main | none | -| zscalernss_dns | zscalernss-dns | netdns | none | -| zscalernss_fw | zscalernss-fw | netfw | none | -| zscalernss_web | zscalernss-web | netproxy | none | -| zscalernss-zpa-app | zscalernss_zpa-app | netids | none | -| zscalernss-zpa-auth | zscalernss_zpa_auth | netauth | none | -| zscalernss-zpa-connector | zscalernss_zpa_connector | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` diff --git a/docs/sources/Checkpoint/index.md b/docs/sources/Checkpoint/index.md new file mode 100644 index 0000000..ee2c590 --- /dev/null +++ b/docs/sources/Checkpoint/index.md 
@@ -0,0 +1,63 @@ +# Vendor - Checkpoint + +## Product - Log Exporter (Splunk) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ | +| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cp_log | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| checkpoint_splunk | cp_log | netfw | none | + +### Source and Index Configuration + +Checkpoint Software blades with CIM mapping have been sub-grouped into sources +to allow routing to appropriate indexes. All other source meta data is left at default + +| key | source | index | notes | +|----------------|----------------|----------------|----------------| +| checkpoint_splunk_dlp | dlp | netdlp | none | +| checkpoint_splunk_email | email | email | none | +| checkpoint_splunk_firewall | firewall | netfw | none | +| checkpoint_splunk_sessions | sessions | netops | none | +| checkpoint_splunk_web | web | netproxy | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Follow vendor configuration steps per Product Manual above + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined | +| SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined | +| SC4S_ARCHIVE_CHECKPOINT_SPLUNK | no | Enable archive to disk for this specific source | +| SC4S_DEST_CHECKPOINT_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present + +``` +index= sourcetype=cp_log +``` + +Verify timestamp, and host values match as expected diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md new file mode 100644 index 0000000..9d6cad4 --- /dev/null +++ b/docs/sources/Cisco/index.md 
@@ -0,0 +1,236 @@ +# Vendor - Cisco + +## Product - ASA (Pre Firepower) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/1620/ | +| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cisco:asa | None | +| cisco:pix | Not supported | +| cisco:fwsm | Not supported | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| cisco_asa | cisco:asa | netfw | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Follow vendor configuration steps per Product Manual above ensure: + * Log Level is 6 "Informational" + * Protocol is TCP/IP + * permit-hostdown is on + * device-id is hostname and included + * timestamp is included + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_LISTEN_CISCO_ASA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_ARCHIVE_CISCO_ASA | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_ASA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | +| SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC3164 format | +| SC4S_ARCHIVE_CISCO_ASA_LEGACY | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_ASA_LEGACY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present + +``` +index= sourcetype=cisco:asa +``` + +Verify timestamp, and host values match as expected + +## Product - IOS and NX-OS based equipment + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/1467/ | +| IOS Manual | https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html | +| NX-OS Manual | 
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_5syslog.html| +| Cisco ACI | https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf | +| Cisco WLC & AP | https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html#anc8 | + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| cisco_ios | cisco:ios | netops | none | +| cisco_nx_os | cisco:ios | netops | none | + +### Filter type + +* Cisco IOS products can be identified by message parsing alone +* Cisco NX OS, WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_nx_os` as required + + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* IOS Follow vendor configuration steps per Product Manual above ensure: + * Ensure a reliable NTP server is set and synced + * Log Level is 6 "Informational" + * Protocol is TCP/IP + * permit-hostdown is on + * device-id is hostname and included + * timestamp is included +* NX-OS Follow vendor configuration steps per Product Manual above ensure: + * Ensure a reliable NTP server is set and synced + * Log Level is 6 "Informational" user may select alternate levels by module based on use cases + * Protocol is TCP/IP + * device-id is hostname and included + * timestamp is included and milisecond accuracy selected +* ACI Logging configuration of the ACI product often varies by use case. + * Ensure NTP sync is configured and active + * Ensure proper host names are configured +* WLC + * Ensure NTP sync is configured and active + * Ensure proper host names are configured + * For security use cases per AP logging is required + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CISCO_IOS_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_CISCO_IOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_IOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CISCO_NX_OS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_CISCO_NXOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_NXOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following 
search to validate events are present, for NX-OS, WLC and ACI products ensure each host filter condition is verified + +``` +index= sourcetype=cisco:ios | stats count by host +``` + +## Product - ISE + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/1915/ | +| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs_chapter_00.html | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cisco:ise:syslog | Aggregation used | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| cisco_ise | cisco:ise:syslog | netauth | None | + + +### Filter type + +PATTERN MATCH + +### Setup and Configuration + +* No special steps required + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_ARCHIVE_CISCO_ISE | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_ISE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present + +``` +index= sourcetype=cisco:ise:syslog +``` + +Verify timestamp, and host values match as expected + +## Product - Meraki Product Line MR, MS, MX, MV + +| Ref | Link | 
+|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/3018/ | +| Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| merkai | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes | + + +### Filter type + +IP, Netmask, Host or Port + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Follow vendor configuration steps per Product Manual above + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | +| SC4S_ARCHIVE_CISCO_MERAKI | no | Enable archive to disk for this specific source | +| SC4S_DEST_CISCO_MERAKI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present + +``` +index= sourcetype=merkai +``` + +Verify timestamp, and host values match as expected + diff --git a/docs/sources/Forcepoint/index.md b/docs/sources/Forcepoint/index.md new file mode 100644 index 0000000..e5fdeff --- /dev/null +++ b/docs/sources/Forcepoint/index.md 
@@ -0,0 +1,52 @@ +# Vendor - Forcepoint + +## Product - Webprotect (Websense) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ | +| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| websense:cg:kv | None | + + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| forcepoint_webprotect | websense:cg:kv | netproxy | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. +* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. 
+ + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT | no | Enable archive to disk for this specific source | +| SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command + + +``` +index= sourcetype=websense:cg:kv +``` + diff --git a/docs/FortiGate_event.png b/docs/sources/Fortinet/FortiGate_event.png similarity index 100% rename from docs/FortiGate_event.png rename to docs/sources/Fortinet/FortiGate_event.png diff --git a/docs/FortiGate_traffic.png b/docs/sources/Fortinet/FortiGate_traffic.png similarity index 100% rename from docs/FortiGate_traffic.png rename to docs/sources/Fortinet/FortiGate_traffic.png diff --git a/docs/FortiGate_utm.png b/docs/sources/Fortinet/FortiGate_utm.png similarity index 100% rename from docs/FortiGate_utm.png rename to docs/sources/Fortinet/FortiGate_utm.png diff --git a/docs/sources/Fortinet/index.md b/docs/sources/Fortinet/index.md new file mode 100644 index 0000000..a13bc1d --- /dev/null +++ b/docs/sources/Fortinet/index.md 
@@ -0,0 +1,108 @@ +# Vendor - Fortinet + +## Product - Fortigate + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2846/ | +| Product Manual | https://docs.fortinet.com/product/fortigate/6.2 | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| fgt_log | The catch all sourcetype is not used | +| fgt_traffic | None | +| fgt_utm | None | +| fgt_event | None + + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| fortinet_fortios_traffic | fgt_traffic | netops | none | +| fortinet_fortios_utm | fgt_utm | netids | none | +| fortinet_fortios_event | fgt_event | netops | none | +| fortinet_fortios_log | fgt_log | netops | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. +* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. 
+ +``` +config log memory filter + +set forward-traffic enable + +set local-traffic enable + +set sniffer-traffic disable + +set anomaly enable + +set voip disable + +set multicast-traffic enable + +set dns enable + +end + +config system global + +set cli-audit-log enable + +end + +config log setting + +set neighbor-event enable + +end + +``` + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_FORTINET_FORTIOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_FORTINET_FORTIOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command + +``` +diag log test +``` + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm) +``` + +### UTM Message type + +![FortiGate UTM message](FortiGate_utm.png) + +### Traffic Message Type + +![FortiGate Traffic message](FortiGate_traffic.png) + +###Event Message Type +![FortiGate Event message](FortiGate_event.png) + +Verify timestamp, and host values match as expected \ No newline at end of file diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md new file mode 100644 index 0000000..2ae9eea --- /dev/null +++ b/docs/sources/Imperva/index.md 
@@ -0,0 +1,53 @@ +# Vendor - Imperva + +## Product - Incapsula + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | +| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ | +| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cef | Common sourcetype | + +### Source + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| Imperva:Incapsula | Common sourcetype | + +### Index Configuration + +| key | source | index | notes | +|----------------|----------------|----------------|----------------| +| cef_Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Options + +Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT | no | Enable archive to disk for this specific source | +| SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active site will generate frequent events use the 
following search to check for new events + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=cef source="Imperva:Incapsula") +``` \ No newline at end of file diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md new file mode 100644 index 0000000..98cd701 --- /dev/null +++ b/docs/sources/Juniper/index.md 
@@ -0,0 +1,207 @@ +# Vendor - Juniper + +## Product - Juniper JunOS + +| Ref | Link | +|-------------------|-------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | +| JunOS TechLibrary | https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-messages-configuring-qfx-series.html | + +### Sourcetypes + +| sourcetype | notes | +|--------------------------|------------------------------------------------------------------| +| juniper:junos:firewall | None | +| juniper:junos:idp | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------------------|------------------------|----------------|---------------| +| juniper_junos_flow | juniper:junos:firewall | netfw | none | +| juniper_junos_idp | juniper:junos:idp | netids | none | +| juniper_junos_utm | juniper:junos:firewall | netfw | none | + +### Filter type + +* MSG Parse: This filter parses message content + + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index as required. 
+* Follow vendor configuration steps per referenced Product Manual + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| +| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | +| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present; for Juniper JunOS ensure each host filter condition is verified + +``` +index= sourcetype=juniper:junos:firewall | stats count by host +index= sourcetype=juniper:junos:idp | stats count by host +``` + +Verify timestamp, and host values match as expected + +## Product - Juniper NSM + +| Ref | Link | +|----------------|-------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | +| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 | + +### Sourcetypes + +| sourcetype | notes | +|------------------|-----------------------------------------------------------------------| +| juniper:nsm | None | +| juniper:nsm:idp | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|------------------------|---------------------|----------------|---------------| +| juniper_nsm | juniper:nsm | netfw | none | +| juniper_nsm_idp | juniper:nsm:idp | netids | none | + +### Filter type + +* Juniper NSM products must be identified by host or ip assignment. 
Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required + + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index as required. +* Follow vendor configuration steps per Product Manual + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_JUNIPER_NSM | no | Enable archive to disk for this specific source | +| SC4S_DEST_JUNIPER_NSM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified + +``` +index= sourcetype=juniper:nsm | stats count by host +index= sourcetype=juniper:nsm:idp | stats count by host +``` + +Verify timestamp, and host values match as expected + +## Product - Juniper Netscreen + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | +| Netscreen Manual | http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 | + +### Sourcetypes + +| sourcetype | notes | +|-------------------------|------------------------------------------------------------------------------------------------| +| netscreen:firewall | None | +| juniper:idp | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | 
+|------------------------|---------------------|----------------|---------------| +| juniper_netscreen | netscreen:firewall | netfw | none | +| juniper_idp | juniper:idp | netfw | none | + +### Filter type + +* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required + + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index as required. +* Follow vendor configuration steps per Product Manual + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_JUNIPER_NETSCREEN | no | Enable archive to disk for this specific source | +| SC4S_DEST_JUNIPER_NETSCREEN_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present; for Juniper Netscreen products ensure each host filter condition is verified + +``` +index= sourcetype=netscreen:firewall | stats count by host +index= sourcetype=juniper:idp | stats count by host +``` + +Verify timestamp, and host values match as expected + +## Product - Juniper SSLVPN + +| Ref | Link | +|------------------|-------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | +| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 | + +### Sourcetypes + +| sourcetype | notes | 
+|------------------|-----------------------------------------------------------------------| +| juniper:sslvpn | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|------------------------|---------------------|----------------|---------------| +| juniper_sslvpn | juniper:sslvpn | netfw | none | + +### Filter type + +* MSG Parse: This filter parses message content + + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index as required. +* Follow vendor configuration steps per referenced Product Manual + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified + +``` +index= sourcetype=juniper:sslvpn | stats count by host +``` + +Verify timestamp, and host values match as expected \ No newline at end of file diff --git a/docs/sources/Microfocus/index.md b/docs/sources/Microfocus/index.md new file mode 100644 index 0000000..5909324 --- /dev/null +++ b/docs/sources/Microfocus/index.md 
@@ -0,0 +1,99 @@ +# Vendor - Microfocus ArcSight + +## Product - Internal Agent Events + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | +| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cef | Common sourcetype | + +### Source + +| source | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| ArcSight:ArcSight | Internal logs | + +### Index Configuration + +| key | source | index | notes | +|----------------|----------------|----------------|----------------| +| cef_ArcSight_ArcSight | ArcSight:ArcSight | main | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | + +### Verification + +An active site will generate frequent events use the following search to check for new events + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=cef source="ArcSight:ArcSight") +``` + +## Product - Microsoft Windows + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | +| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ | +| Product Manual | 
https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cef | Common sourcetype | + +### Source + +| source | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| CEFEventLog:System or Application Event | Windows Application and System Event Logs | +| CEFEventLog:Microsoft Windows | Windows Security Event Logs | + +### Index Configuration + +| key | source | index | notes | +|----------------|----------------|----------------|----------------| +| cef_Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none | +| cef_Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT | no | Enable archive to disk for this specific source | +| SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active site will generate frequent events use the following search to check for new events + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event")) +``` \ No newline at end of file 
diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md new file mode 100644 index 0000000..bc27602 --- /dev/null +++ b/docs/sources/PaloaltoNetworks/index.md 
@@ -0,0 +1,63 @@ +# Vendor - PaloAlto + +## Product - NGFW + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ | +| Product Manual | https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| pan:log | None | +| pan:traffic | None | +| pan:threat | None | +| pan:system | None | +| pan:config | None | +| pan:hipwatch | None | +| pan:correlation | None | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| pan_log | pan:log | netops | none | +| pan_traffic | pan:traffic | netfw | none | +| pan_threat | pan:threat | netproxy | none | +| pan_system | pan:system | netops | none | +| pan_config | pan:config | netops | none | +| pan_hipwatch | pan:hipwatch | netops | none | +| pan_correlation | pan:correlation | netops | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Refer to the admin manual for specific details of configuration + * Select TCP or SSL transport option + * Select IETF Format + * Ensure the format of the event is not customized + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_PALOALTO_PANOS | no | Enable archive to disk for this specific source | +| SC4S_DEST_PALOALTO_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active firewall will generate frequent events. Use the following search to validate events are present per source device + +``` +index= sourcetype=pan:*| stats count by host +``` diff --git a/docs/sources/Proofpoint/index.md b/docs/sources/Proofpoint/index.md new file mode 100644 index 0000000..1fac35c --- /dev/null +++ b/docs/sources/Proofpoint/index.md 
@@ -0,0 +1,53 @@ +# Vendor - Proofpoint + +## Product - Proofpoint Protection Server + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/3080/ | +| Product Manual | https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| pps_filter_log | | +| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| proofpoint_pps_filter | pps_filter_log | email | none | +| proofpoint_pps_sendmail | pps_mail_log | email | none | + + +### Filter type + +MSG Parse: This filter parses message content +* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related +messages to create meaningful final output. This will require follow-on processing in Splunk. + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Follow vendor configuration steps per referenced Product Manual + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. | +| SC4S_PROOFPOINT_PPS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined. | +| SC4S_ARCHIVE_PROOFPOINT_PPS | no | Enable archive to disk for this specific source | +| SC4S_DEST_PROOFPOINT_PPS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them: + +``` +index= sourcetype=pps_*_log | stats count by host +``` \ No newline at end of file diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md new file mode 100644 index 0000000..e169c78 --- /dev/null +++ b/docs/sources/Symantec/index.md 
@@ -0,0 +1,51 @@ +# Vendor - Symantec + +## Product - ProxySG/ASG (Bluecoat) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ | +| Product Manual | https://support.symantec.com/us/en/article.tech242216.html | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| bluecoat:proxysg:access:kv | Requires version TA 3.6 | + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| bluecoat_proxy | bluecoat:proxysg:access:kv | netops | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration + * Select TCP or SSL transport option + * Ensure the format of the event is customized per Splunk documentation + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source | +| SC4S_DEST_SYMANTEC_PROXY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active proxy will generate frequent events. Use the following search to validate events are present per source device + +``` +index= sourcetype=bluecoat:proxysg:access:kv | stats count by host +``` diff --git a/docs/sources/Ubiquiti/index.md b/docs/sources/Ubiquiti/index.md new file mode 100644 index 0000000..1769377 --- /dev/null +++ b/docs/sources/Ubiquiti/index.md 
@@ -0,0 +1,75 @@ +# Vendor - Ubiquiti - Unifi + +All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS. + + +* Login to NMS +* Navigate to settings +* Navigate to Site +* Enable Remote syslog server +* Enter hostname and port +* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls + +## Product - Unifi Switch and Access Points + +Unifi devices are managed using the Network Management Controller + + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/4107/ | +| Product Manual | https://https://help.ubnt.com/ | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| ubnt | Used when no sub source type is required by add on | +| ubnt:fw | USG events | +| ubnt:threat | USG IDS events | +| ubnt:switch | Unifi Switches | +| ubnt:wireless | Access Point logs | + + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| ubiquiti_unifi | ubnt | netops | none | +| ubiquiti_unifi_fw | ubnt:fw | netfw | none | +| ubiquiti_unifi_link | ubnt:link | netops | none | +| ubiquiti_unifi_sudo | ubnt:sudo | netops | none | +| ubiquiti_unifi_switch | ubnt:switch | netops | none | +| ubiquiti_unifi_threat | ubnt:threat | netids | none | +| ubiquiti_unifi_wireless | ubnt:wireless | netops | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. 
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. +* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration + * Select TCP or SSL transport option + * Ensure the format of the event is customized per Splunk documentation + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_UBIQUITI_UNIFI | no | Enable archive to disk for this specific source | +| SC4S_DEST_UBIQUITI_UNIFI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active proxy will generate frequent events. Use the following search to validate events are present per source device + +``` +index= sourcetype=zscalernss-* | stats count by host +``` diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md new file mode 100644 index 0000000..67b70e1 --- /dev/null +++ b/docs/sources/Zscaler/index.md 
@@ -0,0 +1,69 @@ +# Vendor - Zscaler + +## Product - All Products + +The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page +26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize +the IP or host name of the SC4S instance and port 514 + + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ | +| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. | +| zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | +| zscalernss-web | None | +| zscalernss-zpa-app | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | +| zscalernss-zpa-auth | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | +| zscalernss-zpa-connector | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth_connector`` immediately prior to the ``\n`` in the LSS Connector format. See Zscaler manual for more info. | +| zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. 
See Zscaler manual for more info. | + + +### Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| zscalernss_alerts | zscalernss-alerts | main | none | +| zscalernss_dns | zscalernss-dns | netdns | none | +| zscalernss_fw | zscalernss-fw | netfw | none | +| zscalernss_web | zscalernss-web | netproxy | none | +| zscalernss-zpa-app | zscalernss_zpa-app | netids | none | +| zscalernss-zpa-auth | zscalernss_zpa_auth | netauth | none | +| zscalernss-zpa-connector | zscalernss_zpa_connector | netops | none | + + +### Filter type + +MSG Parse: This filter parses message content + +### Setup and Configuration + +* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. +* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. +* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration + * Select TCP or SSL transport option + * Ensure the format of the event is customized per Splunk documentation + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_ZSCALER_NSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_ZSCALER_NSS | no | Enable archive to disk for this specific source | +| SC4S_DEST_ZSCALER_NSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +### Verification + +An active proxy will generate frequent events. Use the following search to validate events are present per source device + +``` +index= sourcetype=zscalernss-* | stats count by host +``` 
diff --git a/docs/sources/index.md b/docs/sources/index.md new file mode 100644 index 0000000..c32c773 --- /dev/null +++ b/docs/sources/index.md @@ -0,0 +1,7 @@ +# Introduction +When using Splunk Connect for Syslog to onboard a data source, the SC4S filter performs the operations that are traditionally performed at index-time by the corresponding Technical Add-on installed there. These index-time operations include linebreaking, sourcetype setting and timestamping. For this reason, if a data source is exclusively onboarded using SC4S then you will not need to install its corresponding Add-On on the indexers. You must, however, install the Add-on on the search head(s) for the user communities interested in this data source. + +SC4S "unique" filters are based either on the port upon which events arrive or the hostname/CIDR block from which they are sent. The "soup" filters run for events that arrive on port 514 (default for syslog), and contain regex and other syslog-specific parsers to identify events from a specific source, apply the correct sourcetype, and set other metadata. Data sources which generate events that are not unique enough to accurately identify with soup filters _must_ employ the "unique" filters (port/hostname/CIDR block) instead -- the soup filters are unavailable for these sources. + +If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help. + 
diff --git a/mkdocs-requirements.txt b/mkdocs-requirements.txt new file mode 100644 index 0000000..4c8f017 --- /dev/null +++ b/mkdocs-requirements.txt @@ -0,0 +1 @@ +mkdocs-material diff --git a/mkdocs.yml b/mkdocs.yml index cc7f4e8..6b82a92 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,10 +1,44 @@ site_name: Splunk Connect for Syslog -theme: readthedocs + nav: - Home: 'index.md' - - Performance: 'performance.md' - - Getting Started: 'gettingstarted.md' - - Demo Lab: 'demo.md' + - Getting Started: + - 'Read First': 'gettingstarted/index.md' + - 'Podman + systemd single node': 'gettingstarted/podman-systemd-general.md' + - 'Docker CE + systemd single node': 'gettingstarted/docker-systemd-general.md' + - 'Docker CE + Swarm single node': 'gettingstarted/docker-swarm-rhel7.md' + - 'Bring your own Envionment': 'gettingstarted/byoe-rhel7.md' - Configuration: 'configuration.md' - - Sources: 'sources.md' + - Sources: + - About: sources/index.md + - Checkpoint: sources/Checkpoint/index.md + - Cisco: sources/Cisco/index.md + - Forcepoint: sources/Forcepoint/index.md + - Fortinet: sources/Fortinet/index.md + - Imperva: sources/Imperva/index.md + - Juniper: sources/Juniper/index.md + - Microfocus: sources/Microfocus/index.md + - 'Paloalto Networks': sources/PaloaltoNetworks/index.md + - Proofpoint: sources/Proofpoint/index.md + - Symantec: sources/Symantec/index.md + - Ubiquiti: sources/Ubiquiti/index.md + - Zscaler: sources/Zscaler/index.md + - 'Demo Lab': 'demo.md' + - Performance: 'performance.md' - Troubleshooting: 'troubleshooting.md' + +markdown_extensions: + - toc: + permalink: True + - smarty + - fenced_code + - sane_lists + - codehilite + +theme: + name: 'material' + palette: + primary: 'black' + accent: 'orange' + favicon: 'logo.png' + logo: 'logo.png' \ No newline at end of file
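Review bot: the verification search at the end of the Zscaler page, `index= sourcetype=zscalernss-* | stats count by host`, has an empty `index=` value and will not return anything as written; either list the indexes from the table above it (main, netdns, netfw, netproxy, netids, netauth, netops) or use a wildcard. In the same table the three ZPA rows use a hyphenated key (`zscalernss-zpa-app`, `zscalernss-zpa-auth`, `zscalernss-zpa-connector`) while every other key uses underscores, and the sourcetype `zscalernss_zpa-app` mixes separators unlike `zscalernss_zpa_auth`; since the Setup section tells the reader to set index and sourcetype per key in splunk_index.csv, a key that does not match what the filter looks up will not apply the override, so these should be checked against the filter names. Also, "specific customer format required for proxy configuration" in the Setup list reads as "custom format".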
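Review bot: the fallback paragraph in docs/sources/index.md tells the reader to "figure out what source the events are from" but gives no pointer to how; naming the fallback sourcetype the reader should search for and linking to the troubleshooting page (which is in the nav in this same change) would make that step actionable.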
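Review bot: `mkdocs-material` is added to mkdocs-requirements.txt without a version pin, so every Read the Docs build installs whatever release is current at build time; pin it (`mkdocs-material==<version>`, version to be chosen) so the documentation build is reproducible and a theme update or a yanked release cannot silently change or break the published site.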
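Review bot: typo in the mkdocs.yml nav entry `'Bring your own Envionment'`, which should read "Environment". The nav also mixes quoted and unquoted keys (`'Read First'` versus `About`); pick one style, and `'Paloalto Networks'` is normally written "Palo Alto Networks" as a display name even if the directory stays `PaloaltoNetworks`. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.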
