From f7e299ecde11fb25d6e65df8653b03b4e30fe305 Mon Sep 17 00:00:00 2001 
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Fri, 6 Dec 2019 20:24:28 -0500 Subject: [PATCH] Improve docs by creating a nav tree for sources (#220) * Improve table of contents * Split sources.md by vendor * new theme --- .readthedocs.yml | 7 +- .../index.md} | 26 +- docs/logo.png | Bin 0 -> 34258 bytes docs/sources.md | 1089 ----------------- docs/sources/Checkpoint/index.md | 63 + docs/sources/Cisco/index.md | 236 ++++ docs/sources/Forcepoint/index.md | 52 + .../Fortinet}/FortiGate_event.png | Bin .../Fortinet}/FortiGate_traffic.png | Bin docs/{ => sources/Fortinet}/FortiGate_utm.png | Bin docs/sources/Fortinet/index.md | 108 ++ docs/sources/Imperva/index.md | 53 + docs/sources/Juniper/index.md | 207 ++++ docs/sources/Microfocus/index.md | 99 ++ docs/sources/PaloaltoNetworks/index.md | 63 + docs/sources/Proofpoint/index.md | 53 + docs/sources/Symantec/index.md | 51 + docs/sources/Ubiquiti/index.md | 75 ++ docs/sources/Zscaler/index.md | 69 ++ docs/sources/index.md | 7 + mkdocs-requirements.txt | 1 + mkdocs.yml | 44 +- 22 files changed, 1196 insertions(+), 1107 deletions(-) rename docs/{gettingstarted.md => gettingstarted/index.md} (94%) create mode 100644 docs/logo.png delete mode 100644 docs/sources.md create mode 100644 docs/sources/Checkpoint/index.md create mode 100644 docs/sources/Cisco/index.md create mode 100644 docs/sources/Forcepoint/index.md rename docs/{ => sources/Fortinet}/FortiGate_event.png (100%) rename docs/{ => sources/Fortinet}/FortiGate_traffic.png (100%) rename docs/{ => sources/Fortinet}/FortiGate_utm.png (100%) create mode 100644 docs/sources/Fortinet/index.md create mode 100644 docs/sources/Imperva/index.md create mode 100644 docs/sources/Juniper/index.md create mode 100644 docs/sources/Microfocus/index.md create mode 100644 docs/sources/PaloaltoNetworks/index.md create mode 100644 docs/sources/Proofpoint/index.md create mode 100644 docs/sources/Symantec/index.md create mode 100644 
docs/sources/Ubiquiti/index.md create mode 100644 docs/sources/Zscaler/index.md create mode 100644 docs/sources/index.md create mode 100644 mkdocs-requirements.txt diff --git a/.readthedocs.yml b/.readthedocs.yml index 2880d22..aae9256 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -9,4 +9,9 @@ mkdocs: formats: all submodules: - exclude: all \ No newline at end of file + exclude: all + +python: + version: 3.7 + install: + - requirements: mkdocs-requirements.txt \ No newline at end of file diff --git a/docs/gettingstarted.md b/docs/gettingstarted/index.md similarity index 94% rename from docs/gettingstarted.md rename to docs/gettingstarted/index.md index e113881..bb432e9 100644 --- a/docs/gettingstarted.md +++ b/docs/gettingstarted/index.md @@ -1,4 +1,6 @@ -# Getting Started +# Before you start + +## Getting Started Splunk Connect for Syslog is a containerized distribution of syslog-ng with a configuration framework designed to simplify getting syslog data into Splunk Enterprise and Splunk Cloud. Our approach is @@ -6,7 +8,7 @@ to provide a runtime-agnostic solution allowing customers to deploy using the co environment of choice. -# Planning Deployment +## Planning Deployment Syslog is an overloaded term that refers to multiple message formats AND optionally a wire protocol for transmission of events between computer systems over UDP, TCP, or TLS. The protocol is designed to minimize @@ -24,11 +26,11 @@ environment. * Plan for appropriately sized hardware (see)[performance.md] -# Implementation +## Implementation -## Splunk Setup +### Splunk Setup -### Create Indexes +#### Create Indexes SC4S is pre-configured to map each sourcetype to a typical index. For new installations, it is best practice to create them in Splunk when using the SC4S defaults. SC4S can be easily customized to use different indexes if desired. 
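Review bot: The new `install:` entry `- requirements: mkdocs-requirements.txt` hands control of the Read the Docs build environment to a one-line file this commit adds but which is not visible here; if that line names the new theme (or mkdocs itself) without an exact `==` version, every RTD build resolves to whatever is latest on PyPI at build time, so the rendered docs can change or break without any commit to this repository. Pinning each dependency to an exact version, and optionally enabling pip's hash-checking mode with `--hash=sha256:<PLACEHOLDER>` entries, keeps the documentation build reproducible and limits exposure to a compromised upstream release. The rewritten `  exclude: all` line also still ends with `\ No newline at end of file`; terminating the file with a newline avoids that marker reappearing in the next change to .readthedocs.yml.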
@@ -42,7 +44,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes * netipam * em_metrics (ensure this is created as a metrics index) -### Install Related Splunk Apps +#### Install Related Splunk Apps Install the following: @@ -50,7 +52,7 @@ Install the following: * [Splunk Add-on for Infrastructure](https://splunkbase.splunk.com/app/4217/) * [Splunk Metrics Workspace](https://splunkbase.splunk.com/app/4192/) *NOTE Included in Splunk 7.3.0 and above* -### Configure the Splunk HTTP Event Collector +#### Configure the Splunk HTTP Event Collector - Set up the Splunk HTTP Event Collector with the HEC endpoints behind a load balancer (VIP) configured for https round robin *WITHOUT* sticky session. Alternatively, a list of HEC endpoint URLs can be configured in SC4S (native Syslog-ng load balancing) if no load balancer is in place. In either case, it is @@ -61,14 +63,14 @@ event destinations. or [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) for specific HEC configuration instructions based on your Splunk type. -## Implement a Container Runtime and SC4S +### Implement a Container Runtime and SC4S -### Prerequisites +#### Prerequisites * Linux host with Docker (CE 19.x or greater with Docker Swarm) or Podman enabled, depending on runtime choice (below). * A network load balancer (NLB) configured for round robin. Note: Special consideration may be required when more advanced products are used. The optimal configuration of the load balancer will round robin each http POST request (not each connection). -### Select a Container Runtime and SC4S Configuration +#### Select a Container Runtime and SC4S Configuration | Container and Orchestration | Notes | |-----------------------------|-------| 
@@ -78,7 +80,7 @@ Splunk type. | [Docker CE + Swarm single node RHEL 7.7](gettingstarted/docker-swarm-rhel7.md) | Option for RedHat 7.7 desiring Docker Compose or Swarm orchestration | | [Bring your own Envionment](gettingstarted/byoe-rhel7.md) | Option for RedHat 7.7 (centos 7) with SC4S configuration without containers | -## Offline Container Installation +### Offline Container Installation Follow these instructions to "stage" SC4S by downloading the container so that it can be loaded "out of band" on a host machine, such as an airgapped system, without internet connectivity. @@ -116,7 +118,7 @@ attempt to obtain the container image via the internet. Environment="SC4S_IMAGE=sc4slocal:latest" ``` -# Scale out +## Scale out Additional hosts can be deployed for syslog collection from additional network zones and locations: 
diff --git a/docs/logo.png b/docs/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..fe6f098044f72325e8617c57dc11a8b10fade08c GIT binary patch literal 34258 zcmeFZbyQYS_doa$(g=cdcXxL;NOyO4H%Lh%DGfe!NFxnOBi#*>($dm%LBBC;{{F2s zYvy$k5BHw4&ptap`-G87@1&3sa1lTt5VDN4xC#gaDGPiv!odJfge9qFKp-SaYcVk; z88ILDJiXw(R#^{uh5h+eXpLh3R*SIZn>ajQO_I5Lb00Kdj90@hiOJ@-gDs5?+fQxBJY_fNWbg^ruqz6G zU#Df8EssO zf~4sD!CA=Pg)#4$QsU9#hEqX=VzKMR3p~uT^z&x^LVKUex_M1dSrV{iktlV3wlr}a zM@Dp)Gug#8;T;R&&vE&FM;C?t`Q|5Yev*@KOP=t(*p@sh1g~+-H?f7nfLsEH*X_KU zk4;z?DE^yBdRX%to9prcO(b!}kUv*yJkS--DpHbH`Eu8hksa2?FNwp2o zUiveN?GC8#Ni~73uA7HH<0 zg!2R0Mz|N5h%`4^2ssIjG%u-m!GN9_i^}_CQj7u40?Zo%o|r7*Q8I!7`z?~mkTyxd zd~8_>4rTvoe1hnf`~WL#+=zD)Qxo{?L=57ZdD~VPEqM0Aig{QQ2Ub+KkVpNXq8Jut zvSCcuZpdnCdK|g#o_W6tY`X5UYM%-m!M$=Vs@Z7&o=9#2%Z)~-_VA5UZrHJJyPH2w z5&WoDgL1!DZJ?YA-qQt3j+4!!^25=8Cl}>4rp*7KBsnj_EzXU+mhJGJkM!dJu@0*K z&(<{YVd7B|Mk)u=V+ukl57gEV59DYv5oTg%q!J(J3-napSVLKJ?P2dBlxALt$Y>8L z4Jy-U(P+z*sO6~@)ywUbOkxxk%R-rP)Z#3J;7jZzS|({GmJg0>{n&Ci14(3?h@5`z zQD&u%rru8W8L}P{7{W6*H#ar++>RWA+zuPs9=b~&qY+Yjl%C1cQH3f|Em7G=utC1$ zzT~__j+JC9zL`w4Zm!3u*IATVgj$5fXo<>3kP9oX6)sdM6xog%l2flOOE1gaXP@z# zVV!|0OH=oq8L-*0fv~Y_xUosGiI{OHyDXoYA(#eF*UhArpQs2`J<5j^7=L+F@NI^A zdj5;E3OG7$Lg5#L+iQQ8_Kbjx)k>M^`f)RB3#(MC;|aT|!>P$}+~Slx4!LrbgAW>1 zP^O>Qv|{M{Wcvd8ko$_2Z^8GHr;-eK>O%WNCD)7K2LA@{#ok5VhAP{@N#lL!J+u9a zS?lTMs^|lqgLl)}rLEf6^$sUiBNI7b9&ohO36Z}P%1qsC^h753tNux%L1#yBz=sa$ zz>r6o2Lq_^;3|>uZ#p4h7=ds%F-NiBpE}*9;bZAK@YN z*p2Lr@g4Py+UEXr!1wlykdK&E%9P9GmgZZB?&(eOPVrfov2n3=Ecn#bS)7b845N>v zed5XxsvB=K(%#aY)?ThF(7x5$(bCX1s3X;B);8C%ueJFqS(#mVGn+D-X0L>Yg%>3z6gW7!|j;Mq7$bdSoRh)E^8S5q?~KHu z%E{!W&3?v4%fw|-W|40FlFL`uV`$I7>sQAN$3y~p{4N4lzV}Dg2kCpwKh77tqEFjS zXEs~gV%p~omfCpR(^qL$b=&#;WBld?)dl1I6#SYy`22EjwQtP-99{YDIi4_G32i+I zc99twbe#&*Gm}?yS2IYHQ45xk{t~HncJgu3cQX9oI*^sHnIAe{JwB7qrF~2Px;%A; z>zn)cHu&Q2CB`+z7{>A6E4zDtj=Ztz3H`wF=9+YbH0)!nGI10}1Lb}|y@cDl3nKJL zbTF01J3q8dR5q?1J9+^RpTjTnp3aZXbeqS0x_xq+y69@?MdZ_zZHh?p^a_Vr>>iVC 
zGFVA&NzgJ1g9TfmTLgm-Ng1{~?<^IC5=5nC zwNvKcNMKc%iHN((Qr_PY5`+J@Rt*w8HqKNSkfaUV?D9W4B?5E?-leX@To z7{ONT{$*lW!j)+BJoBr)AghpjzyV~^t1!eCtZ@3}<`1>ht`oVhu3iSxybYPrj z($kv1lpA1jm!Or{_?#)npJt~W#e_j`ue(!k*IirHyS#x&aYbQHk(=h4YWQd7=iHeg ztY$%_mF`}x%Q@`^?awm2a(|5zdUd7|rXwBnnj&KcSNqe&uLng{e1@D~?0)zR`Rv_} zp8Y;6LN3D7u>Yg?t*Xgj&#>7OyxM1ux8}Iv&{DhL>H2{Az(AoZXpdpn-oRj{E0*G| zzTmNO)pn#JWg0Ev5&X(7+?~q^pKu5P#&T(#txBi{ZT%GUG@s&WZ zZ^pj;!Pg`6Lxu&|E17G7CxPv2yu0qJuY^u~N`d2t>wRJuV!g=H-G|{Fk^!ccsw%4e zKj9;EGX*kH9*nQ06rz>ow%=5e(Z#F8VGi(aO`h{#9%6 zbuW>d;NktRtJA~c9z{i1ivUW0#wU}@!W-N9Ip2_lkPyTY-I|s~-J|yk|vtmO9zB*1@ zm%8D)|LH7_nvvcB6b|rC(%P;d5GKX*H-wA|`EL*iBHLO`%S}r`p4ZgTp3&IM(Zrn5 z%ialS4Fd6d@d6+1&E1TNz3lBATzS0&NMBm;0-v8BGm#R%G;y;PAk|V(A{KLWF(>9= zWM^b16+|E=CgyiBv*1+`m;Bcq_)CD)%FWG*mx;;K)05GYjnUD?l8J?fhlh!om5G&= z0cgSC>h0iW?8V^VO7@q?f6);)cQtjfc5<_JbRd4FYi#1^?j}G=`aIBo|NG0QxtI0- zjO5_@Z(6_vnV#P;u`n_-{Woo(EC2ITUL|WUb2}|@YkPACS6~c54sK5Vm-hdUH~%x@ z|LUpzzj|_T|L>mv>&?HO{7lai_+JzHE3KEOfVcz^_?iA&^nwVMWC}`vHt?;*71e;> zkk6_C6o&=;p#J;&`7`6&;f`%m5Qt%2MqEVA3*s;vB|&{AdsngZQOZE?|@1J;K*yhc7d53zmnnIIp({aIK=_}bO+_EX@DtVtdzQAW&DdT}(IWy}> zqM4^T4;y_BFLg%LC$|}w6rrdIuDj-B=O;Yr@IAT7zB_3fE8q7ySrOXJTHC!A*bTVr z@Ex;PlC?gG$ATsXLBI)vAW?&aUj@UQ@JW_JA{dhV*Rvo+5IFSp|1<$X#HfI1B>D_IRaRb0OH26b z!&vtkA0OW!^Ivyar-r<{I#PA)d}#DJAK{wOb!_LjFnIJ{YP8=kOfyiqyFL-J5$c$x z3jU5=_=ZffgvWKKgel-OS}c&wa#XEQrBtv^a{46}Cr}4puLT+koDZ|@mlo&X-Y&Jc z+kU=O_6mUCTBN>_v^rjH-p{c8qKt^esCIO8bVDKY<0Wo)X+w4>-%i8_6x`n3&0HNV zWydCU#Ze^4fv1<3D{gOZr$@NfDvA^`J?zT0A^&EAfuNwLx|PKS+Zh7S<@|u_);05S z$TIm%;V&^Nrl#PQvmv?}&(1r2_p?E&;*s~a{}RMUIIGGTvUq-0w>F=f?KHBZZpmKq z1U#_YgalS82AxL9)H}Y)Pvq7dFVdMNfOvX;LiG4M!e*h?TnsC0jv$B^j@uRNwh>8H z=6l>MrSG#>=pK}b`jQ8`Bp`jS4sm!}w}{5>b9cR(#faI!)8pfLm`ny0$1MkpjFTQx zisH{R$om4%|8##Y#zp+_c->iL`*;c9(YC6W9)o+L6o=x;BQP*^>iGB=a`W@v-*JPz zppQGB9`kKo9%x>9VZ;m5N)8HzTpZSo(LPyn8T@PHL-zaOB+zihYcuu|vl0E2(ji$g zp0G0D;lQvQhs}Z;B8K=MbCl5c#R|*byV;bjwTj`;XdJSS@=FJ^m8w{Ve$L?}Dt|>T zOzaE!sOXqx7;rNlv%2s#98;Vkp+xz1^}3_D<2?IB+#YdBl8b# 
zgrKMLh$rT&oAcdrM8+oJ?7+txo2`M5kx9RwYOW8?PT+P^0wEuJUe7-6jAkEf3oXp8 zujd_~oXi0ZS3m2JiA4P)C&vh0jy(uwa=Od8pP;yXH^Js4_qQ2}nZX`Y$DhwvqYlpa zb-zT=CZpQl{o-*w5UT-q>7$+~+~CuUEieGU}DI zXNIBi^!Xpz8oH)tl38XSVi&TFa+AG*5I7qkTNHY=4`;WrF8m&59E3|<0y8Rbt=Dcj zMtIQQqL9g%AL(cNJx*Dt!6wE1l>d6!)u-pf8#wAUNK&CKSmeCmmWeKkG`-Iccu{tp zMT)rwTu6vs8)6R0IyyQRttTC}>Rd}-9p_g0<>4YAu#o|tf?!+Ia{i9wUe7f0xAoO?|uMzJ*j7)t^2LFlNFyt)!=H2}4 zK`htm_+zLc=b{A8+46VPa6q_u!TY#>Zs$534#v6EMuFHjTr>8bN=CS9<`rtgXPG2Q zZHy=(GMnj^g?FiZf4-qSk7M*DSf#X}eK$jg4@U6u&nEtp9=oijo^u$-$3JX&jg5_@ z$$ki7Z3$Swe8+{uV7_$R+SvAYd9Hd#93<2J+36X`Y_%2&+WwKIi$0j`xhg|7Tr53+ z=q>WBZMBIYp|FuJ`mGfNu&u4FKlQ>~`@&@`k^^q1a&^!Lcy_ZwgwLo@T}0o#2#14x zU8rDX*7ouKruxe_Ub1d-Hd&^&-|sQ}|I}rly*1ZnWJN>G<_*lw$VxzGPxuUT54*JJ zfy9nV;X_sZ@1cp>Vf4C*RO}on~2~T$&C| zwCEu!DjvlcNY{E081FeVRU}K0{ELM3aBdzRWx>G^bTgF(?K%wFwLP-hZ%raVl7p|M zWP_grZ!j-Kkg^NkDK^E|b2+z{ehJJ#q4Yh7jgb(X>QUU}d@RmnF z-?B(Z(b~$&f?8v>b>7Nz(9LSx?6(%Z9MJ zzlN{n&%s%inuXMT;Pnxg%R&CIvEzD_Z-0=AP*ceFP`TlBZmf)JEkMe;(ljlp zp8!{2>QDM!u6lcWyUkBS2DM^^Z2a={llJq}#os+b<*<)?BA0$3JDRmeT4q_H* z(0!a*HY>kT51u8Ydg(02O?_qPgYPVVSDPvsEo!NzBe3sZ7qVCH&LQtP8E|#kK)Ydk#!^$D{g81hy!K-jZBe&AImH?L}$2uf%eX0@O-Se$6! 
zi)<}FIYr6X@T2IVUQu&*%j1cq4cwR3?JM@~SoJwg-yO3d$}g0T2F;Wj ze%p9d*2%x1ZtycV_UQ(Xp64r$X>?;maTD`A-$)Uoowiqr$wf^kaTir%G#vYD$IB@u zF&63qi=CfQEv)ai_ADR>7wKr8Ia+H}C9f=zf{X{CUrP=op;_w8L{<(QQtVZ!tuH5;0XR?nmOi;ZjY7&L$4{*1x& zoM)CKFxMxRf-UT z$$x~Tyjz>s8^}$e0Dx0IauOZbyhGKE!r zYh>6bS&EhU`4Xx6hCO(F^h-^jy9?8U+jet>= zC2`d_*^&-fgQHsi>1|vJ3chZP)8NG*I_ZpIY@}EEHCvHAy44RrhqXizJ-4z~!=f_* zA<8ZWT(zLE&C8!FFSZ4XRZ2476c9@|F{$Q`8adSnbJCJx`PG510&xmusnG%Ts|2g+ zMa|J_`B=JlnRBMB0>ka3B@@6>;^@1E zAbwo%Jsc%i*+=3{JcVo6EA z{D#AJQQVcxXm2;)k>NJc8}EI9=f*WNV^|>nN$Rp4M1B4Vz z%YtU(PASDiEBt$&y>3D}fR z$ysBa^umay%Svya!-E-AWq_znG!t9QIdD#$0qvBV^rARy_!v;?<#@P zp7(gBUjWJ8o-i|Z0K`7*?B>YD9UQi&BtiSd(w5d%-FQ4c4Nte2S^L%DRR#tIu{yuB zwn5s5^iFW9rfq9;`&^hz!_MvKl?B~V$xPpn`^b^0O{0vj#`$B4=K)ZnjaM@4HB|W@ z_9S?`s*2+yDO{$eQFvBE*|ht|e-_xap3k_7`>cjZk=~2hUu4>=m92e6LQL`O$3qVk zNhHUM%{=Z&?8}d5h#x(V{8ZOGekl0tZ^^7~n&PtAsD^MhqdvKuC^J48J9%dPQ#0DkVa-*<;|swCly_c^np}*^pR;}wX!54MjgicN(mNk4udij6wprv@E{1b_#fL_@A$k_S z4KI7F>uk(;tY(g*Xz*(}WXneHf>NBxp^nT~9Drb9nnT}}_mk<^NCEwim>pvZ-e=>JW_7l9EhfN%pXitt*uH_@#RRRJ%S$q@;p2;(18u}&A zr_chyv;E?^su?PGPj#NAp@rDD@^K~YKhp5f?j2_=9FnMQ_YZGAx_X(3#cR(<6>oJ@ z&zKTPi{f3XP)f=O!tCnN)q>)Y{Av}SozO1YuCMJ?Z75~SwSj==6^;gS(qWgDceX-@ zi?uGERLb16jT`0heC~31`gS+<4a=-95jSm>yWPD4w^4HVT~*ylZI>MZ%5(JjX?er9jeSal{@(AcSCMO8eqNG@jm-d#+wiaA$M?+G@oM0fV63K z0QUkcX;=arRtp+@h2W+>A8GH?E(SXlR5Oln_#)#xM%6mN9ON{9Ny|a zc97b7-|?38V`mfsmVyIYXMfO=u{=4Tu;^~b>E&d91PJIdR}suUJhv^#j8AsbtrPPY zryMm}mUo-@%F55Jbp8#1cf@oyY_0j;3DrODMICPM9T==kz73=e=6Qbu-am>-OfU80 z+sF>S;gk&!a&15<;0SNhLXj-R?q>?VGJ{y;6@Rt@RJg8RcGBgRpB!`pzE)o7GFnO< zej0xL2%Fh%e-J)@S(weFd&%)No@HpJ;7iN<7kzbp<+X_pl_Cx@zr!v&qb$h>YzWTC|xom?E`?O zIJ=Bs)dqHi{Hha^ypCu7-ahj;5ca!`s`Cyu1}JhC6T?cfx)lqq z0~p~q$(j!;4Pp`(piIG!Tbx;76Wqe?TUsX~ZhW!O$M22ZJ_3K@lzB5ELT(dYQS&CI z9KFEr`0w}&g0f>L+Id9Uo%!@r)&Vh(==kTYM4p5TfZFwVCkpDOLiE^p2mFJe@Egr-Kgck;_;crtN=LvGi~ zb&(l~nM6m!mzuisz*RaO+(j~HuA8aKxI0|;IlF?)%aW_*@oyTMjFLCl%6r)&4$L5M zV{+9!UurEe<1j+<{uqL)DxG>QN3N!swz3ap^vg{F?pAz$9<`S3)&kCl1JajoSrp|` 
ztI9+V-KR9sp_a9)rt{nOx3=CF1$ZmdPHVdDksIq&(WD*0Ps@4$7} zEEWtPD;bzU%wjW{R(=O)qZX@TnJ=lRMhAEtG-~mdHJ-*sGsd~0`ddw<+O$gPG@4Ik zNV}8wc9d4?KeruW7lo%k$JdXLR^Xylxm_keiBCojw_}4W z_%seLe|MvlcXV__75XVe3zw>?FjQ6o3&fk#RFv{cRM~E4<7*4M!z!xpay}Qy^GE>e z%R5T0j|H-YoaQu_A4Ts+M)hrWe%_KDxp;xES8uRpcpeYC*Fps4v#xj=Hn#(jbqHGS zlQ!d21HG=n<41|}U3_>&9lUpS5E4%^`cGVjnnE{*@udPp;*PnN$O)B1;Z>6AVID@cU&1yzs?a zExq$v_A&$C(I9=LXyfe4&g#Rc=Jy`QjX!a3f_J*v6-DmsIR$@spjuSsDgj*G=uzBw zG@wB5#ct2^zll+CXMDXUfthz&Q*I*l%v;fWz4ic83CayW0{J5x%S|f9_^IkB`%Qg5 zw}nY_jJy837Tet&wU|k@Zw)ftZ(?l_bN2HMp4S92Yx>=Whc*MSDRw!?5uLocQeJ=u zGXcNFur9Hz{Jnx~3HJLogmZejE}@yWyD;T0J@9*&XQAQZr|CiUwslkrY@D9v9p8YW_= z%?;hg?e)Jpx0tpwY=15sIZfmDKBe?O01B{`#?0Fz)^8?yMu3CsB<-WUW82Bc&KxK$ zMMt(od^IYxHJysN{DK}!8B2VobE@{R2bQUAwhaMvZH#+HeBD(`i3ZdLu~Ml&Y;Y`Y zg*`Uo_vRCd0n!c!5$VnCs~RUvCo!=;r+ZSp*d6z2mSygpej<9KP7qY`f(j2mXVStu zaXU^vq%3qdN`P_)C?G`UL|X7zd9K!r76xXzB;;o$hax5JDA!>aqRda`3cL} zYpm6wUH0MVI>7IbZvzT)tit|K=VQiV!}*F$IlA^N&*PNM$devM>mkf`G*u5!&#u?|kjFQ;({SeY=VtvGL|elJ0K%c#b!BL!ZUh3gdNZ zoGrD@LDyAno2Z%L8L(8j{q{eeYFs=|ukkST_38{tQ_b$UtkA(~wizKMNBJmbd@vFt zs)S#=shcYa0({PW2$r0a==kPC$n~X7hzs8pz_>Q714O>0T}#rv6R@PlCSX(e-&0F9 z@_M?Yw^3)HUQ}&*e^!H<0APTJ$9iRw`B>ucF^QEUoT+2 z0w_D6$$hV8oH*+Oh{j_n?)aDba}wN*`Yx9^;~FnK?06RNC~kuuI$Z5?R?48jTN;Ap zztn*MGN4~W_RI-wB!{5y?^5eJ+FI3$s!cS%S)Df{DwVKni_@{$wY6Nb0r(fe_c2l) zZYg&B*o9^{JHk-Ucu4datj}XkF0b0!7jn+Hypyro_~Fu_V1J}hj4X{g9;f9=nA)E{ zvg-#_cpkUH9eo9M7uc~7k~Fx*{JYEr_5cy&v*#!wnrP?dvFCcu*pRZSHpJt91~2K1 zTXVj%;@vxhv@n>z03i3HmDvnJbUOF#e(IZ+Je0QzLJRd+;ACV^aLtlk7J!XyKRw6S zgk&Sh*dyAmg(Q)Oy)SX{NZ(@Nhh5FUivE_?hLrqUyu)eAXPfybTdsDAwj&05*c86> z=gD)mjld!xOUa$N5r90Y)~|aFHo~ygAD`ckS(#PvYT_jfi3MCw|&YPCqtt238~QYX`K4dCdVh zjQh;ghjh0Ih|4YO+?gfT7Qx*x1;u@Bw&KXeT=sI;UHyWu#eJ4lkL5W`Zx7!e>F78z zvu<({8ly>JT?Fg!RCKxnG2WFC5fx0niDl_Dy43g#V&AU{K9nmk%_oY?xXfM&t*3*h z+)LH&7OcECr)C9ZuNibI*6JNHU@oJ!zwRl<5G2`lTcx7ZX^&SOWM{%7-U>g&1#aK= z0U;ksJ4ij=4hE6u8EkqNk8IU>BKHH^D7W|ChT~7BHwX`tvzo|id6zp1os(Zz&c5Cb 
zr?XuQG`0yjkO6DFv9UgrTQokWlX$>#DwlZ9w(s0%Hc;&MUm(k29nd6E?d=rx$s>tS zW<)t>YcVcL5tZoLn48B0)%6{swHzopq&*I0yD$b_`0r+-k{u*= zp~)^&#U*wjvuMT3*bs2j#6iks5dFdG*c7md(r|zGCkcSDJr1WzaKOnh=KFt-a9RQ+ zvlNb$jQ+Ec2?*r>_(tZ-j%ScCGN3bDCw#3iWf$Ve(7y+77v6MHoA(RGX0XUwD;2$d zY3Y;-Y&kDXzkU_|jB&+bU-m}f0mGs|;@;d~k;S13+J8B(ls6CTtoDu?Y5_ZK#-Un& zH&IbbM1aj_s5q!{X4%)|A5mXU?-26=V;{~JE3-+`AP-GLypSA4>!Rk#T+HtR@X>DC zufGkAfrgG@H;$e+~F;Ca|MCe}iZ%AW0L0dhqYeFb813HeJp}7?Oj*5?s>YU#ql=%n(K&vz?k-zq__{Ee!cji%xO zDzdUs*L;FOAh_o*VSdzsBr24`q9WSC{ZA~WCBE0kvKyl0HgE+=6WA)esIoS+kTriB z_fSE=75=HUQxUo5-LH1+l?@z8(0j3|Tc7HTKvYfMwfA+ABP%(SsRETS^jrKmVB z{XuX&BoJ^EyXv^1iRb&!JdiJZNh<-|j+T1?FJ|CfpkKyM$OG8Q(mZ{BfxZRz!YZ){ zJTQ9I1_|(jYT(UZVZBESQgSiq6$4(pOCWomCMX!10+hei78L=!$R?Kh%Nx8bNOaH} z0|j`&D-!oSa}YFIG9Zw1T0-E3`+NMqvLmN{VUYj-?F_b=hE95}`AeZw$~zH~{F4v} z`a7z$tnBA}v54?y(I*->iie7dmPtTYz?Jjl#6%PI=8v!cX@Z(0fl853RzX1>4J$Me zEk>3sSV<)c{o_9|-~wXsoZ}8nY(2m#gnH2vb2=cd!65rMKwvuv!e@U4d#V5urRg|e zQaL6`CVlhW`$Yv1sBmJyVzdALPObSxFEs^8bdYtr1^vC!WGn*K`Tf=bktiKQ2@bD8C)LB73(@Q_p*GJR;)oG5|lrftGe!JbXbwqtTLE!rTd~R z4ic4lBP|Z~k~fTmfN^bs{}O`3Vfj-AyS1qKkJJVsRRmY3<7FP5b{`G~-Nu+yMtxa6 z&tr0u(C=?i)ro;jCrtY1_20aw2`!t(sKB68pO?y@tFqGKP9qkM( zf#c@>;<*90G}!{av-?~6DTJYklfcbZQbr(&L0^1cE-0G(*c?~D zhutUr!c@+cVhl3+hJxxN4LqC0@CP0g$+LK0(<M`+o6o|piX2{)Rg`V=Do@|(xIg?sK<;rD@rVH)GPXE^fo7kyp7hs(L} zMYQFL+^%3KSn+s50pd@j(G;daUJvSMkFszSrk6&2Vu;S4-x)zwL(ti+$MGGbMq@G{ ztVyp|SVIFh5~z4R4ym`yyf2tvVJY+xLYLXR79G?Q&^l!n!!02LW+q&SJWwgt0~D#f zYk^OdWi%rEFmU(4O8#e&5ExWB>)yl~qK;tR(^ib-lS^; zd!ntLCyhK*R}?7uW<805~Z-_4{Wxx(gEz zfcxsSx3Hga%*K1+4!;|#!}*$v0kZfWiGUFEGhh$E?bkR7Z@@h_pqkM;llZxgHE%W@ zo@-g(?SYTocj@t`*UQbWsvk)usA*_uv{;>;?YhH}FM7}w$ALrUxL7ypDKc;r>f~=w z{yJrva1y10)ntK;T9cFU2@6%=IH}RaFgL~fUDMJ5?Ajo|9(?=L2Y+?V~3+Kb4hGjYOwC_{5mj~8>*DdlP zQt&}t^Ujp1NAFLUin$-m7G`kR+O(^9?9k{fp6`rIU9HI}C?I>L(~XKyH-E-ehI`RT zE~v_Eb7j9U!v2nJGYP8sm%$RM$IaPxz1;#U;QtMrb~~<-n}W6L70O_k760p%=_Y4W z1@TiBs#kjpnSj%>=kFExrGLZ{>p)ZU_75VW_+$UE&wc>YS?JF&=;Yjn}EkM7ysi$t%5OAzhc9VVcEyYcj!`Ep+FzEtzgVH3_HfA&k>y*D-jW 
z3he8cZhoPdhibKN;YzF;D8{t&BYn}eB6{Cp@Qt9x1n(*my0yzPpu|q?mYbB_4rUbw zFg(6AAg>NLs+Vh+e0%@ueOMIwcff3*`Ow_0bZJTp@9^^;N+1y{SaKqSMhow1u$}w0n;Tek()ncIJ4k}E zSZAsDJz3}tB5lO`=LRY>>C$8_VVaKf}f;BcXv`hO^yd`fZJySFH z`-oiXC5y`_vnZ3zm=d|Ye&>~KkPxCuOG8ewWUmu!fc?L$`-l+>EJT053ta}!f2oPy=(CZQ{nYtj%8|f$Ojoj zd&;XiXlpG-Y!H13`w*^Leum?TmuOZW+O-7>3SFjIMRLSS`|M}IcV8PruUDj31%Zy~w^UZ^36n1BgKjuZ@BcjC?=N`}w$G?=b+-F^4t z@B-KaNmYQpg2PmYq@MNSCh9m!z{o9ED>bk67 zk_>$IDCG23otk;wehE(%D}Md#H8dHdgdjZlXtZGryBlP;Ne9QB6QuXbbg+B=lz4+Y z1OO_Z!w|7-1hZDeD;g%wE8V>)ppbZlmd~e z&%tgagF|+cgN+rg5Y%$doVHR7A$5uY)Xdbuz-27Fr%>!LtBD7C>ZYH`Nr4KAr%R5V zg@8Xz0vGr!baYNB6Cg#jNIo@PI|26>rU7H=+DZu&0s?XkH(TAPx&^K%O%SE8Ps->t zWZVWFTu_iQWW;L%QXZOlEB2-}NJuEy*98F&x9K^FZnCmKkR&-aXC~`u6-F>K2{YPX zZf1+c=Skd>?FPsOq@AypcpNRd-CkH1o@QXA=MSpaZX`n&H^Kh7m{LqhhW!WtjX&rK z=V(X*wp&oB*ScMKru}h`7?$6^p6`xDCnvvEJy4A*NRazun(cO!d^h~aFi_b-@BHd? zJI&C>-OR%~rZ1k5LS~$c9Y9t9g4*|m%M}4ZzeO!E>=dljZ`BZy|L~n2a#8?+!LTFC zYmK??dv4&P3=02mko`h!Zv{D;$!+L#RnfcK)N+D`_WJ@)$Ep2DGD3DMRGH%Bq9S8< z7q~)VXe_X^Z!5oFsIwfA71cc(J5NMo_$>-w2YH_S znzq#QWYvNqe?-*;>+NJ|skJqB?EE-)P1#S|;$h`PW)4CQn`u-a2=vz)44C4D9Gzfe|HNRmi& zv$L|%r)-fvgQKbIos4GcuqvyJ!Djic#us_19h%Q2!>E!#2a-PSkOywh%o=PDrG#v@ zNsl`T=EGHkXZ2e>-i(R-oC6LFSoOyd!1odpBI3>9aKDzc zC!UeEMdMoHS!yPqy#>JGK%dQ6E>Q}{U);OdyVW%-+zi+%PGwt#=)TEj5;!Iyci&Jr zL3mDO$O8m$p?YB@`)_h6a{wL?_M-bQEK78Kk_xOa0L+0td~~y$iv>XS*oF4s1pzq# za?7Z$mA#fW41aeR$$3Sr`U>_Ls&QW$$N1$N7(_OYjN z8^yHGyxrpVV?s(I6tUVnP${MpPRD4A4JzqNJR@n|B9vAVg zA8BJWN1-(l5on~WXfN2fHw4}~FU|<+)DcR+_e$+@{wjL+Z2QN?m)7Ij3gh#OzNVl0 zyr!3?IERQ;gj?R`6RC5DYj*jfVLbqN3^8B$T?1rV9Sg-b+&FhX@hDFfp`YOci6{kM z?|cHv1?e{!yLyN{cik*r_y4QBul}mCi?&ueqy?0gE>Q$Q8tIVkE-9r$;?Ui3ICM!X zDBUd~B`HeRp&O+8?!$ZU7~lW!{Rm_5u%BngnrqIv)|UHYHuEBj!=O=Hv(9cy!E~wf zYF-jcFqDNP=l!QL!aAX5UW)yNB7Pa^v|Nz6Bu#02`Sf`2A^lSn1Qe4&K>}xJE>jjD zOjW?jk_WI(jmrKDhWT=t#}clqa8``7&U@*Hvc8)0Hg_QVskWQrhaR*c@FJ)CjByE$tySGiaMHPe;jtw=gK(z1ka@8NzOk#@}o;yykJxkwKH?21(j zunv8EG*Nj^7&)sr&3-BeqTyJ9;@&PHpRw3D7Ulv6&K9lkvqvjgFIoB%la@9{^VAF9 
zrKUi})!+Y&Q&lS<8_j!sDe_jQFJuejERfoUro#3!$P$aG{`edo(7!LSja;9V*b@42 zK|c1<)J}8!4=6rlU%}7G&ir!z%DDZ3{6Fd_0#6t{@%`6!V0*adA5Y{T?q;d=bR~iw z#D}VWX4h^8$+*&O2Nhi;r;XRUZ;4`Db|&LNO`=%=XSRS_Og;wPo(y z^$SK68v9%Vbdp%uD{c$Y_G)ux6fu_5VwjLXAzqt@Q=Rb-Bv67~uwDXnYv{)A+cki7 z5i8K+%Z-k7)F3h)d`pxSA3OSFZMMM^0I;PaNndD^6=n6#@`%VPrD_`FW!rCFDerk_Ve~W?t!RkE6Vw$NU<9P+|JjQv$M_%43^m z+othLNlxI5dHOq0W4#CW>N}JgI|UT@ElUT}CD*qG6p%R`5+E$uzR>{guL*SE=sdgE350!Dj3Ob^KRp*;DBumobA#O-#cjON(jhmU6(ezD97E z3gXKV5G)}fwgSlBocLZN3Zwg94H@RzH>{F0I;}=jzR8Qm5M$9bwJxjEWp>1!G~rIpHeBj8-PE+@`}*DsLbC!P!F>nG`jh_RE^v$n*F#;Qf;u zJ>=6g5u+1%cJK4xLfex!cC+OK!V+jrByL6tgl@|!0_5fv8!Wc{#eTyR-n<_xb z8wpCnDkMhi1SYg@?Bf9oW~)JVO1SPicYAY92)ZOoJY;@2TSO@si#WH+a+oYadUz0D z&XakG?EYgAA?>tDV5RpfHLmT+Tp(-wSaYzegvzi0xA#5rW6Zz{$VP>z`$S| zVk$WHRgGzts$JZ?Tlq|*>y|T<)Oh1LXDCL#3R$JdES^vKLtpYZw%;zot|taR5BdB# zL*~bES~%qew$vLjM=V|VftS;(fnilN7Ftd6-)_P72T4p;vF7*U{5OKlD&Mp@O&4B& z3U%L6f%mQN6y~^Wj!g@jgS;`X?e*zB`Eqsd<< zKlJZ0y8tlFbx=6<>(q}p+TSeKw1y#640m@}<^|-%q=*6fcUAenGVho0`YYx917MSl zly&9i6Xre*9kJ5mh%miI1AJ<)1OGV4zi@!RtrNZrC6o?&)|E(yXUhVx?JmJMsy~t^ zjmKs)KG{j1h7{aHf{2HoRZv6#-?7+DYV_zVCHis}^j|QMq|0ZE)((Q|CvmJuxNv%% zJ5*Q55I(hr|$*f|Y^z;{jNxvJOcDQJ%#j8u^)A>8l?I3OLT!OgGFsFRB;3#m!R#4X$ zkBNb(kDd_SWkV-%&3MM$E3X*;KD!|sfWut=&6x~61#ivg;PIQnzoBIk>NoY;ha^nRX`ygyj{!MQ%rCnjrGzN7c9Gn-BGn^oZ; z*~iZ~$$Qxt;28OX97G8C4Z;aDK-T7OseDuLTf0zHtSWL4V*&k&#XRwOyNp2!$cYUF z4C)g(f!V>?5*Q#+Q;taF*i&bb^9Fo;02$;U8M`&hH7uCNHuz+Bda{$D7#h@|-N?gR z6&I%W!}mKU*^|jYA)EI1;|V>kjuULS0mPswK&jKL ztpmv~&|6~gDo3ywSUV`ojM{v9-ykbF_|&f}?J1GCv+kUMBc}&e=Wy{UK-u#Q_~ViU z(h|UcIe*(lV=`zYOn|lnb{5YF>iY0LFbQkNGnuv79z;_6uqNe0$O?Gp-8a*!X&eA4;8iN}(1cr{X1<$^Ex&cb- zoejmKK8^0!=Q^XQ2$WxVGe!B3Yb|;9gOq?40P6@6stw}Z<{;=)W!C2IwH&otMHECR zklpOC6kxA{x1)-zvSYPJJ9Nev%JZGGQ>(Rsn#2arp9IaB!(??ZGHw_TtvHo4? zx1Mmqi<}*wgv_3aS9=@*+mvMyM!|$3WUwwJM7Rw^+mK!Mpc`@`xgS46%$~EvPK5N* z$K=Haf-xB*zqMHmCN&H@iBDf^1?1W9iYReRhP{HrW9CErL}`qRh(Ii2R*Z(uX3cq! 
zJATZiS1Wwi;no|Y^iN-B;fmH9_fPMUuswKv9CA|o0LUR+^0`um{jgWD#bBCs57M1O zkwpHr1Y{m_*A_r#q)4(Ox2$9f)zm0V(DuiZWlaoqJ`8j2=T-+jGUvbnzI~h&o@>~G zXf@AE^L|*nwDqrrbYA zvdOJX=M=0R7tmtlD|0ppI(ftI*|l_&Ct<%+2K^E1`PLE{j6n1B(Hdr_q6K;JkF(4S zN;@u{*e^EYU*Z}00e*r{$Vjunenvedf(b!n@e(K6m#ZuW$KdB{>GstS_aTih_@y@f zhg%nWutwaSDQt~fnVtrw*icgi=7~EWhYE=y;+|ABVr`8cDBi5uH>w|a*B}Y9MjqX> zCE3y$y!FnoL(U=d&B9y3L^KYOi5~+Uk9I3TQ;i--blLAttKhMb9C4w(%a%5P!{*P$ zSErnt6*Kv#TLgK-V;$4USj%}o4tulCXR0m$(n047t+aPW=t~9W$P-#q2<9Cr>vM�ce73cp?QB~ebENJu zXQ^x&#jsC!zPQ9>JT^}>n*BFXeCjIqItqyGPK=pJa$=4mIvlLK-G|OQs{j(u`A2c& zm~dvxiA)cdu)h~hzTzDC4i_VpWkpsHRP402hs+-d0dg^N2{eV8Cw`xG)VdG4nUG$? z%{15&9~ae%u$JEFcVA7vY05bN?8|v*(-V-Z6^i6jW*56kN^Cc@#iR+o#j3*0k;!Da ziOkB`Th5QE0Zj!!tRMj8HH_cT_LXQZ=We`-jS}a zLE5M1*hi<%j&csPrg{4!`KT;xxCATy{EHlus-P3WLx3J%j+r+O$tO!5pD)L5H)`%n z_5(aXBnooIvGmf??HDQ{IaO<@{=cGaPyKrbOt{2n-@9A-GYd7<70;6`7Tci2_pCHf z5UNnkk~s{T-FiJ<9A9piLE6xLzNoz>e@zs-`(E4wa0XgL+u2~HM2IKc`Wv!haIT~YD|LBC-hD1$dzI@DBJBLOLM?q z(`Uwz#W1}@Vwh8J{w6Xz^sC}iNre&0Cy^Ii(WFlhhhq6dYI5V)p<*Qa?WN;&n|hN1 zbSn3DJXEE)q?Q+Oz#5W(NODSEdFhsZ4L?qjn|7Ev%EXEgyWk3^MdgaD9X#@ky~6Fe z@bUR>`Rvd*K@eU@&J_-qtPF!}tzBA9mZsI;>XAF%9N-_GO(mL6!BMAGPaHgO1=n>F z*R|q&Tis{TQRdB7niAHKjtXm8kzR19+4l5%!nD0*sfp>C%nzjt-rDiY0C9_+X^|zG z^xoPcDoB*VZB2-1ha?w4lU$JC^7=D9M-^>6j=&+Cc5en>)!#t6OxZ#{gK8@ks3HrC z(cUBO-MROTS3?xjuP;8@7MYRT=Plss=iqvus+`OuY_udt<~J;yJ-};<&UOt5Iexwa zdDFX2Zgr}f%j9_{>NKq$cVvy%cQb4CZ>7`F@e|1bba^o>221{uyG#|BI6rx3^sWd=St#3D= zF3wIC&q+gL4GPl#S&j>9d2f(TzbeZ()fuMVH1Si-T96jmYn0KjSIAWgA;I&Q3HiSM zb$|`sYM44%+;Eu>Xp*?llGCwY_HaHeU_z>MQdy?YsRmgFe90)!Ka>%hgx!jptnDfh ziy=nGPFyTj=rqNMmbL9=5O_zu^!8q}w0lEP+!vI5JQ`>d-4l*muvo&#t&2is02oW; zv7KJoO?`56`;psW1i$#xM~lnzJ1C1=%<(+!Kf(POy`3>n2+ttPw%ZUSJ{K>!3?uE8 zNFtiA3+$A#nUF_wQztDy@&Odmsxsf~VGV)~x9_bNoc|Tw8*{O?ys9)<@4Ps2QQrpbVcq+58=fhDY^{J1>WJxm5g^ zwbFQT`3?UkR-Y0YQ}YNeO>Mp{Q~of=&KvDj!@Sye(U!x*l)U?^VY}M%h)=h1iQ>7A zn^d~KorX^)EzCVE-rM6Vh7A*IAd6TyS8q&Pt<97eAYN2cjk-|p{S}{6{PcoUe?Ho@ 
z+K3F^{0ggPTX;;z^|~?plTq$wcG1|cGR4uHJS_!<0T!Z0B2{L`LAf@PX(y>aTSMw4 zZ&wgwi!(-XFBZ!YyK_z2Sjm;%QX!i!!#J@bU7+ntzSG#$^fMrM^u#qtF{5z}A~%JA zc{)`Vqj|ByAL{iTxsKQLR1JrQsZe5mX7S>Ax@(@#UIN zWB}@WL>ha;UYzyMtWg=RdUX375GQ}V#Ge%U0Ut3Ue8Gso++Vag7KIv%eYLzIx1N+A zGODo*dM?nwt_?vy?6Uv!15+%Vm#|c)s&FYcl{3mFTp12Mij8aftNuos>m4Bhf=2=> z5JB9P>loO>*D-vD@-K6^w_6C0jfu`)P&76i4!bPAI5GW;c?6prR04e#anff&hV@mS z@5b=&3B6USGW?gr#GYlgH(Eu0k%a>e;(^*SerHqDt=>(+EI*UfU*>e_C2%*fS=tcr zuW-zZ@3r*xtYEz3-(q3PPfpY;JxAM9={HCr}C*Vo|11k~C^{y;rBs z?AX7<=?uuWalreuMJ;0g=Rfd9*=ty*(rtA4>iu*i)#+u9i&7@Vad*9{Q>T7r{F|N1 z?*cDW6MT11a7$_$d3gt)thM>h4ntn36eP8!BsmL&F4PmPg1s--{}ZzM+J0VNRzFLI zom4I>2vAybouPQK>6k%TUdxpCjF-%3=k+0ON4P`}>GKq2_&YaunitVKMnTZZFDLyr zJaKB4WxtobPe&&{4tpk$omp^RYLzt4?_V#S#D`jsXdi`0?e1v6pYc+8su4_vOeJZc z%>)sW=86SlP2;J#@}|m(hTR)*3H{qaw?E0U*307MNV1`1LVLYeE5RLILa!8Yo4xzM z<43eghDKg(M$d4)Z8B~6cC0%bFrKS2eW4jGuvhSUA+3tDG&IqmMQ%2|0c3$nJdaw^ zO?qmv7z%&PWC9v17!8-=%P!0&4Brmz-nJ4Jeos!=V27u?`g~OAAl66JjU4SvaMr&v zxSH|&o%W+a1Fy6~+1Q!wx{M+qblTf_=v7{=UKdmC9;tPvO$Fjo+f6yfZx!xvdJ`Em zc_w-uZ@fj&S4EePTJEkE?g~MVJ@N>;1B;npD3iFy(OLm$A({Fl<%6Y47Wcvb8m%(g zfmDicNc~Xa-}pk6(>3*6jh5?qmIIgLiv$Dz?vZ{4OY8pYglgj{>qdu7YFBzL^?YNg zt#f5VQ|Z+1$e@MY+io|!(el_>Np>lal5Q@AQWt`Te3H#PyT^?J-0iaj5=mhRQu zMHp%A$B7s~^@{;?7vb^bPmEy!5WQ5vPqax&!>AyEL7M-u;U05A&Oa7s!VoVy)Lh-I$ zdF(C7o2WU^AOX+TxMq);bbVU_ar)hI;?zYy4c(u98yYK3QjWkJhxn}M^90KvwlJPH zQrVVQYK3nffqt}d`p6DCIy**frGHt9%z~jsrXW+70_|f(YV79H0JR;W;Y9V)9UZZH zx>4LqSm-)=BC3eE8?Ax~rN;_&?8r`ZRr*s6b~6g{1X&=1Pj%}rA3eWYqsUBRn|yQ7 zFObF5y~$IY7+CrK?}T&y9K}H>s+MX2wd;ivAe$cVPF3}gcY=n72wA?`v>R)mQ;7N- z*gRC9jeKu3lxk@WkCtOafO#;H){t};HHK8K71h)TyICxzX#>&8wee_3;C0)()`>-~ z`;$V{1_dy)(n>-n>NdQ3E?Vqj;Z>UTqEcID>TkEk_>D#|f5%t)-oh7-JBLX(uXaf{ zns)zr_n=<7E|}X76D$}th-q%oC!Z8?59dJ^__9`Re(%XoOYDBAV^le%r#?g5bRMnA zCxO9cnN&}k*C$F1a&gqY-+iHQwnUoIn`@hUTW3;Q_|HL3>+WW$;5N(fQnKC ztjmOV%RKh795X5jtJ%*ebwInAPF$g4le{~EM<1R`2j8zsJBD_Mb@Ajo*hRUe-Ra2g z3Vw<5KNySB(6M^4wgsyWJJB4w5ksU!p=w_$x4#p7+?C()9~otG+4%2?nzPQH(ox0D 
zo%nT1)T4+@7Bl`q%C~1dcKKWfoDf?kv+WJ6DvTHqmq+fY`o*?w=QxR z(#*R$(N?*atAD}s;nI=p->3?|2ji}O8psrjQYXPxXcB@`hDwX^q*MWLlX_(Y8>?QV zNI4BCpfB>(%bLfmyOR}xb`7gZ)-7mtjE+rND=d5#APUk)sa^hBekwe#)-`S>Y&%jgF03Z8a*E?v_j22NaMJsGriEKsT414kaa0H`zINVj$)V%S~Z)_~e z2+#B@jnxPMY!{zva?>KvNP9yA8>9L0U-)`~)Liv&SOD`cIf1>TH!g;*>Z3CqGk*ShlcRu!*UaR$H=DMx zB$b)`a~l(MwaQyrdC%{CS)Da-Q)_ z?71GD$Egw+8B?(59wH$F0`&n8eh*K%>$c{_a9i4e@7rM@9_Hutk0p(Nej*+#JAyFWCOWR;1Iu%^x9f3Qm3lIsL|)J?a%lPJ$lI ztF7zbvw~v(EI9QX*x`a76N!})#2gH#3VDs+$EXi~?jA1&^)ZTACidipNfJ8^ga<4_3 zx-`wgyJQwyW=Uj26PhDzFL*6)*7!W&iMhe$hJqZF(QOJD;ZJw)LHdW0V z%tBkqdF|9mvLnLkbMQ#qC!@8LDwJ517DHN0IztdPfZ=CtXHiebM!A$$ijtd%#~IzO zGNTTHg`AGCY7eUvK?mAFl>>@rpWr%WhAkMJTLLW(OJWF7`Z<#3r%h)0WP>LZ!d{bc z4#x~XX<@+?sXwasSW~ULaL~#hBIs@;^0@Rc>;`WB9ehb{CXbX}+2MosCHjSZABka$*C8anCD3H(wBO)ul3HwI@4(UYnu4`z6@cTW_?m8 z;@o-wzDB&B@-b`m1S`xWM{W%lhb#g=X%vl&bJ;PbdF^+xUvEHm-P}%Pf?V#eZ7W(z zEB8CB%Tu&8j8L$S;cxSo=2-F#hv?Rw3oM;qjjr1vEfc)+8B<(gD;=rb-_4=bXUa#> zUi+BW`VCIzhjVTV!M|chi9q-vs??HoOGP@eJZ_5cG^l(ZuJUO9Dwcwe7D%l2wVCjo z{9HHz`VIy#!t@KmdBj>^ckGIV}AwTB4m7xs}maV6$+bx$+@72(U10{mgY16xY zhndd}i1W`3u(VZ6MNQ1BwPZaXkxr}{zAO%)n2xd%$MQ*buV?YIl9YUggB|k17~7qy ztLolCogw0Ds6kHux6H_X+nEU}1DCo6PU$G^dBC@(va+s7nC3YBG3i3;!_FUgpi&@5 ztTsT*3>936zLs*AEa;~>q$3(S&<0P{oycFwIO-?aj`w*qGtUZcSuanbV-+Z!`MRdD-tKM z`Z%KV@8wE@D?6STGzODYVB>zCM$1pOGshv2=C&TAXCuqyw%*uOAbV--w^x}3OfbDd zBe3uY;O(0mZ;s^{QgTjH39_be1|$BxAAxe{^d+pw zo5t=q;Df(>k9 zR2>Z-hJJu~#||h!YWjY?omMgkjiDByIw|Jd99R97C8Vcy{YiiPn+})3ju&6?`L`ZM zZDnuZs*$S@1VA=va#>`xQ(Rt2a+z!r6LD%P@swMQ(iY$(5Ffoge$?Q&4Af|ePV*+u zlj0{lHYsuGl_A7W1WgbcTL2_CgJLonhP6Z_PZ94!3NUS$s!MYvmr|Bs5+;L<3GK%x z|JfC!5Js9VJ;N_pP8^TsoCcm(13#CB%4Ij5B;g^ODsU&G$=0FLlOM|@Z}AU9zBqc7 zXnxPNZ@mavnPvK(q5l`~0cya#AXCczn>cxn6gd0BG|LQaJ$Ul5uo_xqL1eN9jwaye zd1`)f34*FjgqHc?W_a%_4MwiO>h=d<;{9;6jge;s=*XE1?)rw)d55bTfB#N+MsBbw z{zmTM6vY&XQxp>=$G{lQQq)28@A+RM{1+t1b&Ub>S*X#3HWWlQ1X7&(~bS`JzA1<6HQ+ep61V3>qOO4+!XOHYP+skl~8NmKUQ_n&wsNPx?E zfLApdWo7N#w6e}-FQ#8a3e 
z$lp684@l>8W~{OPEoH4q<#q5@x7^r&?9GXUMFW3As#uya;{Dpu*vtJ5TRgiDd?Dw0 z2omet-tp;&=Ieh0OI*QKWd6e_IlG>P-qIoq1Tw8GUta0nqu%4n*UOE7Bx31d3$B#O7WV#iN>Y+}>rCAh{nqc3 z2E~}Gwi${*M^)EX9-4JlOujl9kLB*$C{q?^ZrX72e^#e1YKFaUq7GWl=BpH#Q!D)Z zNv1xj1pm2C1pI-|_7Yq~03)pu55?sMmgBj@t<2_K@}&?Q@-ILQ zYz;l&d*lx;T#!6MC0-*`Q>@r$**u2=$6+D&Eg+56zU$UpGe)o}(1^VU{-Os<+z6ms z@BaWB27*>R#ZOgTicJO`BF-IkWu-VF2~UnA!_H{C43d5k4|Pmt!1Pm_?ICEe)b#(&aHT)L>sASvBZC;JNv zkF$2Zsh0kA5t|7PO-rEu&`Z8U1a_9PHL_&HV*)2%E;TZqEC~wsvWf_LyC5J=8mRr- zI+an%c=ODCfHZb7>Ue0vlSh>b==O0}GndtHZ!$@ zFtj}&iRFS~j(N-UB7&Hc8(@s#VaN{0-vnmTCz=~5B}At>uA5^FIKznYC=e3@em-Ne zjRd+?YCwFq7GP7GdER&1(~6O~zm$BilHV_8I6{Zmj?5Ln2%d=U&8`HkALSL&dHG8aF8lQeAlb{nU#v+MkVB_-g~o@F^LBMk@xRMV7;*t zVpxJxq9A^u@&;I-X7#9oPmuf#j@e3(qOf z{6~us?#=FE&e}+XWAP6fqbL3TIQ75KR(R-(XN20$5n=4;Y~qAg0H=-bc+6{qj8wt-;bPwosHW`XXLD`0C&H6KR}V-?r- zIgdOkkmd2ih6Z7}u@m05ZhGgjZju3R3zz<5{6eqx7p$3HHy?BaAO<$B@CYHi7D|9~ z)zve~nmvyATQYx$(@lya_ZX8RK2z>gy8`bV{ptRK{fExpcsxpe_2h{SVD!e~TJKIV zR1Rf0_{BB6K_WMcY@Wm=i$^k_yHY!2=iDd*zg{xI_zx>T;5jfNUkslRd}r}#aVZI8 zSfRG{9{Zdqt|;!NLS+`%s}cUOM{+VGl@_-0a2A}a1CW#H2!_#PFbGnNiXv7&!k@Qj zzNmS;vIF}4gCalytIoMrZ-`QQgj+BoQ6Yr!M&_G#M_`s*Yo2V3(iut+1`$%l-Qvj{ zJir6r*3TAEtWbEy>TorDl;mE5v!J2V?D)cdE8=t31A8S^PrOt8T! zEr&V4bvd@-%ocyuiWG^PRh$HCnl^9yzIln?JAgq}?280I0%ObNR>>{8!X@JwF&*EF z@Rjm(Sr!^yyoU`8mwUdhjoe##LOY2vL2k)j<9$!Y%u0_ozg(Dk{~m3tgnK*{IE`VyFypKtqI1phxB zA>uKPccv1gqMp1RJ5$V;cNBh$`AxSbLbulDX&tcJ{6WiEkw-=pgaFXtLSQvh`&=PQ zFg2ga(qLjax9b_r9G(>$X~8g~)?+fUKH@)NVu;x9cXEG85?qQC?A51y%`B`i>uHQZ3W9DI zKSsT8De)2WF{^qQ3A?r^i1KwjCi!a^NKRD-p2wro;ob}loTAJP6`CrHhBDc%@c^1M?Z7wc1R4x>Q47-6I+Fq~NfO9BjBz179) z9+0SMHzNhCq{1x+9oY1|JfB=QpTYDET9_&B2`Ht{AN~|`oBez=aEf2m8Wf%h2VRda zAmB|qe58%@QNDx?!e<6r|%7x~f z-0{|F1SqpZ1pB*Z;DVz1%3vWLF1px;A_rrB3+!ziz`u_rLm^=dYN8P^cofv! 
zQo`6Eh=;%M&A-2kPR?L6p z*V?+S5k*+!_RVj>O)<6X2J{jxz~b+@p6OOCH0^FqE~X3mjaa8HVj!l-&kqOX z)%#viQ23VzT)ZY7b$!?1pp*bM<{WVOR2+wXy|L4WLrS3_Rj&zZCp^R(m(s<7jq16P z6Z!?z1gTe9C`=>{4yxB}C$*F|NfPI!9tGZ?(EI8Ftz&SV6U07+a3;Ief> zE2zd!aeweQ(H*!Pxq(3!oF`?3LniquLHKe~m~bD&A3S*Y8?lOIoIQK>av#4ioIO6C zje9W6mnQ7pxTbIgAg_yfybTL-5cK(EJoEjlh_a)&!`(nMem#1;7>K6|oVRA-KmVK| zq8GPG2MPjtGQWQP=Z|?!t^>ZDrm_^-e=DRP^WZNth`EKJx>_xh-<3JOP8xW4nFc{V z2LU9jIN!EJ489mk{6}i@dl?`ZpINt>dCvFlW;|CC8~$B&cJCye$rO+=Y4>+Z0WoD6 zn&x82iD=^Tf4y4#9wMGAxqxrAQL=C;^t`?H04`i2F!&hl$F{Te z@jwa6JF?R+go2I&a%umGY@#$A7>`+0C5V)oUFAT+RILR{0@|JF;SR%C Q#5KLLl8O?gV#Wdg1LjH?MgRZ+ literal 0 HcmV?d00001 diff --git a/docs/sources.md b/docs/sources.md deleted file mode 100644 index 3d868cc..0000000 --- a/docs/sources.md +++ /dev/null 
@@ -1,1089 +0,0 @@ -# Introduction -When using Splunk Connect for Syslog to onboard a data source, the SC4S filter performs the operations that are traditionally performed at index-time by the corresponding Technical Add-on installed there. These index-time operations include linebreaking, sourcetype setting and timestamping. For this reason, if a data source is exclusively onboarded using SC4S then you will not need to install its corresponding Add-On on the indexers. You must, however, install the Add-on on the search head(s) for the user communities interested in this data source. - -SC4S "unique" filters are based either on the port upon which events arrive or the hostname/CIDR block from which they are sent. The "soup" filters run for events that arrive on port 514 (default for syslog), and contain regex and other syslog-specific parsers to identify events from a specific source, apply the correct sourcetype, and set other metadata. Data sources which generate events that are not unique enough to accurately identify with soup filters _must_ employ the "unique" filters (port/hostname/CIDR block) instead -- the soup filters are unavailable for these sources. - -If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help. 
- -# Vendor - Checkpoint - -## Product - Log Exporter (Splunk) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ | -| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cp_log | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| checkpoint_splunk | cp_log | netfw | none | - -### Source and Index Configuration - -Checkpoint Software blades with CIM mapping have been sub-grouped into sources -to allow routing to appropriate indexes. All other source meta data is left at default - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| checkpoint_splunk_dlp | dlp | netdlp | none | -| checkpoint_splunk_email | email | email | none | -| checkpoint_splunk_firewall | firewall | netfw | none | -| checkpoint_splunk_sessions | sessions | netops | none | -| checkpoint_splunk_web | web | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cp_log -``` - -Verify timestamp, and host values match as expected -# Vendor - Cisco - -## Product - ASA (Pre Firepower) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1620/ | -| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:asa | None | -| cisco:pix | Not supported | -| cisco:fwsm | Not supported | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_asa | cisco:asa | netfw | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above ensure: - * Log Level is 6 "Informational" - * Protocol is TCP/IP - * permit-hostdown is on - * device-id is hostname and included - * timestamp is included - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:asa -``` - -Verify timestamp, and host values match as expected - -## Product - IOS and NX-OS based equipment - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1467/ | -| IOS Manual | https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html | -| NX-OS Manual | https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_5syslog.html| -| Cisco ACI | https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf | -| Cisco WLC & AP | https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html#anc8 | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines | - -### Sourcetype and Index Configuration - 
-| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ios | cisco:ios | netops | none | -| cisco_nx_os | cisco:ios | netops | none | - -### Filter type - -* Cisco IOS products can be identified by message parsing alone -* Cisco NX OS, WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_nx_os` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* IOS Follow vendor configuration steps per Product Manual above ensure: - * Ensure a reliable NTP server is set and synced - * Log Level is 6 "Informational" - * Protocol is TCP/IP - * permit-hostdown is on - * device-id is hostname and included - * timestamp is included -* NX-OS Follow vendor configuration steps per Product Manual above ensure: - * Ensure a reliable NTP server is set and synced - * Log Level is 6 "Informational" user may select alternate levels by module based on use cases - * Protocol is TCP/IP - * device-id is hostname and included - * timestamp is included and milisecond accuracy selected -* ACI Logging configuration of the ACI product often varies by use case. 
- * Ensure NTP sync is configured and active - * Ensure proper host names are configured -* WLC - * Ensure NTP sync is configured and active - * Ensure proper host names are configured - * For security use cases per AP logging is required - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present, for NX-OS, WLC and ACI products ensure each host filter condition is verified - -``` -index= sourcetype=cisco:ios | stats count by host -``` - -## Product - ISE - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1915/ | -| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs_chapter_00.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ise:syslog | Aggregation used | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ise | cisco:ise:syslog | netauth | None | - - -### Filter type - -PATTERN MATCH - -### Setup and Configuration - -* No special steps required - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| 
SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:ise:syslog -``` - -Verify timestamp, and host values match as expected - -## Product - Meraki Product Line MR, MS, MX, MV - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3018/ | -| Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| merkai | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes | - - -### Filter type - -IP, Netmask, Host or Port - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format | -| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=merkai -``` - -Verify timestamp, and host values match as expected - -# Vendor - Forcepoint - -## Product - Webprotect (Websense) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ | -| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| websense:cg:kv | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| forcepoint_webprotect | websense:cg:kv | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command - - -``` -index= sourcetype=websense:cg:kv -``` - -# Vendor - Fortinet - -## Product - Fortigate - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2846/ | -| Product Manual | https://docs.fortinet.com/product/fortigate/6.2 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| fgt_log | The catch all sourcetype is not used | -| fgt_traffic | None | -| fgt_utm | None | -| fgt_event | None - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| fortinet_fortios_traffic | fgt_traffic | netops | none | -| fortinet_fortios_utm | fgt_utm | netids | none | -| fortinet_fortios_event | fgt_event | netops | none | -| fortinet_fortios_log | fgt_log | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. 
-* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - -``` -config log memory filter - -set forward-traffic enable - -set local-traffic enable - -set sniffer-traffic disable - -set anomaly enable - -set voip disable - -set multicast-traffic enable - -set dns enable - -end - -config system global - -set cli-audit-log enable - -end - -config log setting - -set neighbor-event enable - -end - -``` - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command - -``` -diag log test -``` - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm) -``` - -### UTM Message type - -![FortiGate UTM message](FortiGate_utm.png) - -### Traffic Message Type - -![FortiGate Traffic message](FortiGate_traffic.png) - -###Event Message Type -![FortiGate Event message](FortiGate_event.png) - -Verify timestamp, and host values match as expected - -# Vendor - Imperva - -## Product - Incapsula - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ | -| Product Manual | 
https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| Imperva:Incapsula | Common sourcetype | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| cef_Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="Imperva:Incapsula") -``` - -# Vendor - Juniper - -## Product - Juniper JunOS - -| Ref | Link | -|-------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| JunOS TechLibrary | https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-messages-configuring-qfx-series.html | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|------------------------------------------------------------------| -| juniper:junos:firewall | None | -| juniper:junos:idp | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | 
-|----------------------------|------------------------|----------------|---------------| -| juniper_junos_flow | juniper:junos:firewall | netfw | none | -| juniper_junos_idp | juniper:junos:idp | netids | none | -| juniper_junos_utm | juniper:junos:firewall | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format | - -### Verification - -Use the following search to validate events are present; for Juniper JunOS ensure each host filter condition is verified - -``` -index= sourcetype=juniper:junos:firewall | stats count by host -index= sourcetype=juniper:junos:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper NSM - -| Ref | Link | -|----------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:nsm | None | -| juniper:nsm:idp | None | - -### Sourcetype and Index Configuration - -| key | 
sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_nsm | juniper:nsm | netfw | none | -| juniper_nsm_idp | juniper:nsm:idp | netids | none | - -### Filter type - -* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified - -``` -index= sourcetype=juniper:nsm | stats count by host -index= sourcetype=juniper:nsm:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper Netscreen - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Netscreen Manual | http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 | - -### Sourcetypes - -| sourcetype | notes | -|-------------------------|------------------------------------------------------------------------------------------------| -| netscreen:firewall | None | -| juniper:idp | None | - -### Sourcetype and Index 
Configuration - -| key | sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_netscreen | netscreen:firewall | netfw | none | -| juniper_idp | juniper:idp | netfw | none | - -### Filter type - -* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper Netscreen products ensure each host filter condition is verified - -``` -index= sourcetype=netscreen:firewall | stats count by host -index= sourcetype=juniper:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper SSLVPN - -| Ref | Link | -|------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:sslvpn | None | - -### Sourcetype and Index Configuration - -| key | sourcetype 
| index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_sslvpn | juniper:sslvpn | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified - -``` -index= sourcetype=juniper:sslvpn | stats count by host -``` - -Verify timestamp, and host values match as expected - -# Vendor - Microfocus ArcSight - -## Product - Internal Agent Events - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ArcSight:ArcSight | Internal logs | - -### Index Configuration - -| key | source | index | notes | 
-|----------------|----------------|----------------|----------------| -| cef_ArcSight_ArcSight | ArcSight:ArcSight | main | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="ArcSight:ArcSight") -``` - -## Product - Microsoft Windows - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| CEFEventLog:System or Application Event | Windows Application and System Event Logs | -| CEFEventLog:Microsoft Windows | Windows Security Event Logs | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| cef_Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none | -| cef_Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | 
oswinsec | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event")) -``` - -# Vendor - PaloAlto - -## Product - NGFW - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ | -| Product Manual | https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pan:log | None | -| pan:traffic | None | -| pan:threat | None | -| pan:system | None | -| pan:config | None | -| pan:hipwatch | None | -| pan:correlation | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| pan_log | pan:log | netops | none | -| pan_traffic | pan:traffic | netfw | none | -| pan_threat | pan:threat | netproxy | none | -| pan_system | pan:system | netops | none | -| pan_config | pan:config | netops | none | -| pan_hipwatch | pan:hipwatch | netops | none | -| pan_correlation | pan:correlation | netops | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search 
head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration - * Select TCP or SSL transport option - * Select IETF Format - * Ensure the format of the event is not customized - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active firewall will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=pan:*| stats count by host -``` - -# Vendor - Proofpoint - -## Product - Proofpoint Protection Server - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3080/ | -| Product Manual | https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pps_filter_log | | -| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. 
| - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| proofpoint_pps_filter | pps_filter_log | email | none | -| proofpoint_pps_sendmail | pps_mail_log | email | none | - - -### Filter type - -MSG Parse: This filter parses message content -* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related -messages to create meaningful final output. This will require follow-on processing in Splunk. - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. | - -### Verification - -One or two sourcetypes are included in Proofpoint PPS logs. 
The search below will surface both of them: - -``` -index= sourcetype=pps_*_log | stats count by host -``` - -# Vendor - Symantec - -## Product - ProxySG/ASG (Bluecoat) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ | -| Product Manual | https://support.symantec.com/us/en/article.tech242216.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| bluecoat:proxysg:access:kv | Requires version TA 3.6 | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| bluecoat_proxy | bluecoat:proxysg:access:kv | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype=bluecoat:proxysg:access:kv | stats count by host -``` - - -# Vendor - Ubiquiti - Unifi - -All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS. - - -* Login to NMS -* Navigate to settings -* Navigate to Site -* Enable Remote syslog server -* Enter hostname and port -* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls - -## Product - Unifi Switch and Access Points - -Unifi devices are managed using the Network Management Controller - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4107/ | -| Product Manual | https://https://help.ubnt.com/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ubnt | Used when no sub source type is required by add on | -| ubnt:fw | USG events | -| ubnt:threat | USG IDS events | -| ubnt:switch | Unifi Switches | -| ubnt:wireless | Access Point logs | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| ubiquiti_unifi | ubnt | netops | none | -| ubiquiti_unifi_fw | ubnt:fw | netfw | none | -| ubiquiti_unifi_link | ubnt:link | netops | none | -| ubiquiti_unifi_sudo | ubnt:sudo | netops | none | -| ubiquiti_unifi_switch | ubnt:switch | netops | none | -| ubiquiti_unifi_threat | ubnt:threat | netids | none | -| ubiquiti_unifi_wireless | ubnt:wireless | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) 
for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` - - -# Vendor - Zscaler - -## Product - All Products - -The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page -26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize -the IP or host name of the SC4S instance and port 514 - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ | -| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. 
| -| zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | -| zscalernss-web | None | -| zscalernss-zpa-app | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-auth | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | -| zscalernss-zpa-connector | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth_connector`` immediately prior to the ``\n`` in the LSS Connector format. See Zscaler manual for more info. | -| zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| zscalernss_alerts | zscalernss-alerts | main | none | -| zscalernss_dns | zscalernss-dns | netdns | none | -| zscalernss_fw | zscalernss-fw | netfw | none | -| zscalernss_web | zscalernss-web | netproxy | none | -| zscalernss-zpa-app | zscalernss_zpa-app | netids | none | -| zscalernss-zpa-auth | zscalernss_zpa_auth | netauth | none | -| zscalernss-zpa-connector | zscalernss_zpa_connector | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` diff --git a/docs/sources/Checkpoint/index.md b/docs/sources/Checkpoint/index.md new file mode 100644 index 0000000..ee2c590 --- /dev/null +++ b/docs/sources/Checkpoint/index.md 
@@ -0,0 +1,63 @@
+# Vendor - Checkpoint
+
+## Product - Log Exporter (Splunk)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ |
+| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cp_log | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk | cp_log | netfw | none |
+
+### Source and Index Configuration
+
+Checkpoint Software blades with CIM mapping have been sub-grouped into sources
+to allow routing to appropriate indexes. All other source meta data is left at default
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk_dlp | dlp | netdlp | none |
+| checkpoint_splunk_email | email | email | none |
+| checkpoint_splunk_firewall | firewall | netfw | none |
+| checkpoint_splunk_sessions | sessions | netops | none |
+| checkpoint_splunk_web | web | netproxy | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per Product Manual above
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined |
+| SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined |
+| SC4S_ARCHIVE_CHECKPOINT_SPLUNK | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CHECKPOINT_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=cp_log
+```
+
+Verify timestamp, and host values match as expected
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
new file mode 100644
index 0000000..9d6cad4
--- /dev/null
+++ b/docs/sources/Cisco/index.md
@@ -0,0 +1,236 @@
+# Vendor - Cisco
+
+## Product - ASA (Pre Firepower)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/1620/ |
+| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:asa | None |
+| cisco:pix | Not supported |
+| cisco:fwsm | Not supported |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_asa | cisco:asa | netfw | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per Product Manual above ensure:
+ * Log Level is 6 "Informational"
+ * Protocol is TCP/IP
+ * permit-hostdown is on
+ * device-id is hostname and included
+ * timestamp is included
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_ASA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_ARCHIVE_CISCO_ASA | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_ASA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+| SC4S_LISTEN_CISCO_ASA_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC3164 format |
+| SC4S_LISTEN_CISCO_ASA_LEGACY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC3164 format |
+| SC4S_ARCHIVE_CISCO_ASA_LEGACY | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_ASA_LEGACY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=cisco:asa
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - IOS and NX-OS based equipment
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/1467/ |
+| IOS Manual | https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html |
+| NX-OS Manual | https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_5syslog.html|
+| Cisco ACI | https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf |
+| Cisco WLC & AP | https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html#anc8 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ios | cisco:ios | netops | none |
+| cisco_nx_os | cisco:ios | netops | none |
+
+### Filter type
+
+* Cisco IOS products can be identified by message parsing alone
+* Cisco NX OS, WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_nx_os` as required
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* IOS Follow vendor configuration steps per Product Manual above ensure:
+ * Ensure a reliable NTP server is set and synced
+ * Log Level is 6 "Informational"
+ * Protocol is TCP/IP
+ * permit-hostdown is on
+ * device-id is hostname and included
+ * timestamp is included
+* NX-OS Follow vendor configuration steps per Product Manual above ensure:
+ * Ensure a reliable NTP server is set and synced
+ * Log Level is 6 "Informational" user may select alternate levels by module based on use cases
+ * Protocol is TCP/IP
+ * device-id is hostname and included
+ * timestamp is included and milisecond accuracy selected
+* ACI Logging configuration of the ACI product often varies by use case.
+ * Ensure NTP sync is configured and active
+ * Ensure proper host names are configured
+* WLC
+ * Ensure NTP sync is configured and active
+ * Ensure proper host names are configured
+ * For security use cases per AP logging is required
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_IOS_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_CISCO_IOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_IOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CISCO_NX_OS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_CISCO_NXOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_NXOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present, for NX-OS, WLC and ACI products ensure each host filter condition is verified
+
+```
+index= sourcetype=cisco:ios | stats count by host
+```
+
+## Product - ISE
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/1915/ |
+| Product Manual | https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs_chapter_00.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ise:syslog | Aggregation used |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ise | cisco:ise:syslog | netauth | None |
+
+
+### Filter type
+
+PATTERN MATCH
+
+### Setup and Configuration
+
+* No special steps required
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_ARCHIVE_CISCO_ISE | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_ISE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=cisco:ise:syslog
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Meraki Product Line MR, MS, MX, MV
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/3018/ |
+| Product Manual | https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| merkai | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes |
+
+
+### Filter type
+
+IP, Netmask, Host or Port
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per Product Manual above
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined expecting RFC5424 format |
+| SC4S_ARCHIVE_CISCO_MERAKI | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CISCO_MERAKI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index= sourcetype=merkai
+```
+
+Verify timestamp, and host values match as expected
+
diff --git a/docs/sources/Forcepoint/index.md b/docs/sources/Forcepoint/index.md
new file mode 100644
index 0000000..e5fdeff
--- /dev/null
+++ b/docs/sources/Forcepoint/index.md
@@ -0,0 +1,52 @@
+# Vendor - Forcepoint
+
+## Product - Webprotect (Websense)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ |
+| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| websense:cg:kv | None |
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| forcepoint_webprotect | websense:cg:kv | netproxy | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.
+
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT | no | Enable archive to disk for this specific source |
+| SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command
+
+
+```
+index= sourcetype=websense:cg:kv
+```
+
diff --git a/docs/FortiGate_event.png b/docs/sources/Fortinet/FortiGate_event.png
similarity index 100%
rename from docs/FortiGate_event.png
rename to docs/sources/Fortinet/FortiGate_event.png
diff --git a/docs/FortiGate_traffic.png b/docs/sources/Fortinet/FortiGate_traffic.png
similarity index 100%
rename from docs/FortiGate_traffic.png
rename to docs/sources/Fortinet/FortiGate_traffic.png
diff --git a/docs/FortiGate_utm.png b/docs/sources/Fortinet/FortiGate_utm.png
similarity index 100%
rename from docs/FortiGate_utm.png
rename to docs/sources/Fortinet/FortiGate_utm.png
diff --git a/docs/sources/Fortinet/index.md b/docs/sources/Fortinet/index.md
new file mode 100644
index 0000000..a13bc1d
--- /dev/null
+++ b/docs/sources/Fortinet/index.md
@@ -0,0 +1,108 @@
+# Vendor - Fortinet
+
+## Product - Fortigate
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2846/ |
+| Product Manual | https://docs.fortinet.com/product/fortigate/6.2 |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| fgt_log | The catch all sourcetype is not used |
+| fgt_traffic | None |
+| fgt_utm | None |
+| fgt_event | None
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| fortinet_fortios_traffic | fgt_traffic | netops | none |
+| fortinet_fortios_utm | fgt_utm | netids | none |
+| fortinet_fortios_event | fgt_event | netops | none |
+| fortinet_fortios_log | fgt_log | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.
+
+```
+config log memory filter
+
+set forward-traffic enable
+
+set local-traffic enable
+
+set sniffer-traffic disable
+
+set anomaly enable
+
+set voip disable
+
+set multicast-traffic enable
+
+set dns enable
+
+end
+
+config system global
+
+set cli-audit-log enable
+
+end
+
+config log setting
+
+set neighbor-event enable
+
+end
+
+```
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_FORTINET_FORTIOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_FORTINET_FORTIOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_FORTINET_FORTIOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_FORTINET_FORTIOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command
+
+```
+diag log test
+```
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm)
+```
+
+### UTM Message type
+
+![FortiGate UTM message](FortiGate_utm.png)
+
+### Traffic Message Type
+
+![FortiGate Traffic message](FortiGate_traffic.png)
+
+###Event Message Type
+![FortiGate Event message](FortiGate_event.png)
+
+Verify timestamp, and host values match as expected
\ No newline at end of file
diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md
new file mode 100644
index 0000000..2ae9eea
--- /dev/null
+++ b/docs/sources/Imperva/index.md
@@ -0,0 +1,53 @@
+# Vendor - Imperva
+
+## Product - Incapsula
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Imperva:Incapsula | Common sourcetype |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| cef_Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT | no | Enable archive to disk for this specific source |
+| SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef source="Imperva:Incapsula")
+```
\ No newline at end of file
diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md
new file mode 100644
index 0000000..98cd701
--- /dev/null
+++ b/docs/sources/Juniper/index.md
@@ -0,0 +1,207 @@
+# Vendor - Juniper
+
+## Product - Juniper JunOS
+
+| Ref | Link |
+|-------------------|-------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| JunOS TechLibrary | https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-messages-configuring-qfx-series.html |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|------------------------------------------------------------------|
+| juniper:junos:firewall | None |
+| juniper:junos:idp | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------------------|------------------------|----------------|---------------|
+| juniper_junos_flow | juniper:junos:firewall | netfw | none |
+| juniper_junos_idp | juniper:junos:idp | netids | none |
+| juniper_junos_utm | juniper:junos:firewall | netfw | none |
+
+### Filter type
+
+* MSG Parse: This filter parses message content
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per referenced Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_JUNOS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using legacy 3164 format|
+| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined using 5424 format |
+| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper JunOS ensure each host filter condition is verified
+
+```
+index= sourcetype=juniper:junos:firewall | stats count by host
+index= sourcetype=juniper:junos:idp | stats count by host
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Juniper NSM
+
+| Ref | Link |
+|----------------|-------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|------------------|-----------------------------------------------------------------------|
+| juniper:nsm | None |
+| juniper:nsm:idp | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|------------------------|---------------------|----------------|---------------|
+| juniper_nsm | juniper:nsm | netfw | none |
+| juniper_nsm_idp | juniper:nsm:idp | netids | none |
+
+### Filter type
+
+* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_JUNIPER_NSM | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_NSM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified
+
+```
+index= sourcetype=juniper:nsm | stats count by host
+index= sourcetype=juniper:nsm:idp | stats count by host
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Juniper Netscreen
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| Netscreen Manual | http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|-------------------------|------------------------------------------------------------------------------------------------|
+| netscreen:firewall | None |
+| juniper:idp | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|------------------------|---------------------|----------------|---------------|
+| juniper_netscreen | netscreen:firewall | netfw | none |
+| juniper_idp | juniper:idp | netfw | none |
+
+### Filter type
+
+* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_JUNIPER_NETSCREEN | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_NETSCREEN_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper Netscreen products ensure each host filter condition is verified
+
+```
+index= sourcetype=netscreen:firewall | stats count by host
+index= sourcetype=juniper:idp | stats count by host
+```
+
+Verify timestamp, and host values match as expected
+
+## Product - Juniper SSLVPN
+
+| Ref | Link |
+|------------------|-------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ |
+| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|------------------|-----------------------------------------------------------------------|
+| juniper:sslvpn | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|------------------------|---------------------|----------------|---------------|
+| juniper_sslvpn | juniper:sslvpn | netfw | none |
+
+### Filter type
+
+* MSG Parse: This filter parses message content
+
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index as required.
+* Follow vendor configuration steps per referenced Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified
+
+```
+index= sourcetype=juniper:sslvpn | stats count by host
+```
+
+Verify timestamp, and host values match as expected
\ No newline at end of file
diff --git a/docs/sources/Microfocus/index.md b/docs/sources/Microfocus/index.md
new file mode 100644
index 0000000..5909324
--- /dev/null
+++ b/docs/sources/Microfocus/index.md
@@ -0,0 +1,99 @@
+# Vendor - Microfocus ArcSight
+
+## Product - Internal Agent Events
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ArcSight:ArcSight | Internal logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| cef_ArcSight_ArcSight | ArcSight:ArcSight | main | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef source="ArcSight:ArcSight")
+```
+
+## Product - Microsoft Windows
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
+| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ |
+| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+### Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
+| CEFEventLog:Microsoft Windows | Windows Security Event Logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| cef_Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
+| cef_Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_MICROFOCUS_ARCSIGHT | no | Enable archive to disk for this specific source |
+| SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))
+```
\ No newline at end of file
diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md
new file mode 100644
index 0000000..bc27602
--- /dev/null
+++ b/docs/sources/PaloaltoNetworks/index.md
@@ -0,0 +1,63 @@
+# Vendor - PaloAlto
+
+## Product - NGFW
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ |
+| Product Manual | https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| pan:log | None |
+| pan:traffic | None |
+| pan:threat | None |
+| pan:system | None |
+| pan:config | None |
+| pan:hipwatch | None |
+| pan:correlation | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| pan_log | pan:log | netops | none |
+| pan_traffic | pan:traffic | netfw | none |
+| pan_threat | pan:threat | netproxy | none |
+| pan_system | pan:system | netops | none |
+| pan_config | pan:config | netops | none |
+| pan_hipwatch | pan:hipwatch | netops | none |
+| pan_correlation | pan:correlation | netops | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration
+ * Select TCP or SSL transport option
+ * Select IETF Format
+ * Ensure the format of the event is not customized
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_PALOALTO_PANOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_PALOALTO_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active firewall will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=pan:*| stats count by host
+```
diff --git a/docs/sources/Proofpoint/index.md b/docs/sources/Proofpoint/index.md
new file mode 100644
index 0000000..1fac35c
--- /dev/null
+++ b/docs/sources/Proofpoint/index.md
@@ -0,0 +1,53 @@
+# Vendor - Proofpoint
+
+## Product - Proofpoint Protection Server
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/3080/ |
+| Product Manual | https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| pps_filter_log | |
+| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| proofpoint_pps_filter | pps_filter_log | email | none |
+| proofpoint_pps_sendmail | pps_mail_log | email | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related
+messages to create meaningful final output. This will require follow-on processing in Splunk.
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Follow vendor configuration steps per referenced Product Manual
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined. |
+| SC4S_PROOFPOINT_PPS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined. |
+| SC4S_ARCHIVE_PROOFPOINT_PPS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_PROOFPOINT_PPS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them:
+
+```
+index= sourcetype=pps_*_log | stats count by host
+```
\ No newline at end of file
diff --git a/docs/sources/Symantec/index.md b/docs/sources/Symantec/index.md
new file mode 100644
index 0000000..e169c78
--- /dev/null
+++ b/docs/sources/Symantec/index.md
@@ -0,0 +1,51 @@
+# Vendor - Symantec
+
+## Product - ProxySG/ASG (Bluecoat)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ |
+| Product Manual | https://support.symantec.com/us/en/article.tech242216.html |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| bluecoat:proxysg:access:kv | Requires version TA 3.6 |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| bluecoat_proxy | bluecoat:proxysg:access:kv | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source |
+| SC4S_DEST_SYMANTEC_PROXY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=bluecoat:proxysg:access:kv | stats count by host
+```
diff --git a/docs/sources/Ubiquiti/index.md b/docs/sources/Ubiquiti/index.md
new file mode 100644
index 0000000..1769377
--- /dev/null
+++ b/docs/sources/Ubiquiti/index.md
@@ -0,0 +1,75 @@
+# Vendor - Ubiquiti - Unifi
+
+All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS.
+
+
+* Login to NMS
+* Navigate to settings
+* Navigate to Site
+* Enable Remote syslog server
+* Enter hostname and port
+* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls
+
+## Product - Unifi Switch and Access Points
+
+Unifi devices are managed using the Network Management Controller
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/4107/ |
+| Product Manual | https://https://help.ubnt.com/ |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ubnt | Used when no sub source type is required by add on |
+| ubnt:fw | USG events |
+| ubnt:threat | USG IDS events |
+| ubnt:switch | Unifi Switches |
+| ubnt:wireless | Access Point logs |
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| ubiquiti_unifi | ubnt | netops | none |
+| ubiquiti_unifi_fw | ubnt:fw | netfw | none |
+| ubiquiti_unifi_link | ubnt:link | netops | none |
+| ubiquiti_unifi_sudo | ubnt:sudo | netops | none |
+| ubiquiti_unifi_switch | ubnt:switch | netops | none |
+| ubiquiti_unifi_threat | ubnt:threat | netids | none |
+| ubiquiti_unifi_wireless | ubnt:wireless | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_UBIQUITI_UNIFI | no | Enable archive to disk for this specific source |
+| SC4S_DEST_UBIQUITI_UNIFI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=zscalernss-* | stats count by host
+```
diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md
new file mode 100644
index 0000000..67b70e1
--- /dev/null
+++ b/docs/sources/Zscaler/index.md
@@ -0,0 +1,69 @@
+# Vendor - Zscaler
+
+## Product - All Products
+
+The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page
+26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize
+the IP or host name of the SC4S instance and port 514
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ |
+| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| zscalernss-alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. |
+| zscalernss-dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. |
+| zscalernss-web | None |
+| zscalernss-zpa-app | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. |
+| zscalernss-zpa-auth | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. |
+| zscalernss-zpa-connector | Requires format customization add ``\tvendor=Zscaler\tproduct=zpa_auth_connector`` immediately prior to the ``\n`` in the LSS Connector format. See Zscaler manual for more info. |
+| zscalernss-fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. |
+
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| zscalernss_alerts | zscalernss-alerts | main | none |
+| zscalernss_dns | zscalernss-dns | netdns | none |
+| zscalernss_fw | zscalernss-fw | netfw | none |
+| zscalernss_web | zscalernss-web | netproxy | none |
+| zscalernss-zpa-app | zscalernss_zpa-app | netids | none |
+| zscalernss-zpa-auth | zscalernss_zpa_auth | netauth | none |
+| zscalernss-zpa-connector | zscalernss_zpa_connector | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_ZSCALER_NSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_ZSCALER_NSS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_ZSCALER_NSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=zscalernss-* | stats count by host
+```
diff --git a/docs/sources/index.md b/docs/sources/index.md
new file mode 100644
index 0000000..c32c773
--- /dev/null
+++ b/docs/sources/index.md
@@ -0,0 +1,7 @@
+# Introduction
+When using Splunk Connect for Syslog to onboard a data source, the SC4S filter performs the operations that are traditionally performed at index-time by the corresponding Technical Add-on installed there. These index-time operations include linebreaking, sourcetype setting and timestamping. For this reason, if a data source is exclusively onboarded using SC4S then you will not need to install its corresponding Add-On on the indexers. You must, however, install the Add-on on the search head(s) for the user communities interested in this data source.
+
+SC4S "unique" filters are based either on the port upon which events arrive or the hostname/CIDR block from which they are sent. The "soup" filters run for events that arrive on port 514 (default for syslog), and contain regex and other syslog-specific parsers to identify events from a specific source, apply the correct sourcetype, and set other metadata. Data sources which generate events that are not unique enough to accurately identify with soup filters _must_ employ the "unique" filters (port/hostname/CIDR block) instead -- the soup filters are unavailable for these sources.
+
+If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help.
+
diff --git a/mkdocs-requirements.txt b/mkdocs-requirements.txt
new file mode 100644
index 0000000..4c8f017
--- /dev/null
+++ b/mkdocs-requirements.txt
@@ -0,0 +1 @@
+mkdocs-material
diff --git a/mkdocs.yml b/mkdocs.yml
index cc7f4e8..6b82a92 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,10 +1,44 @@
 site_name: Splunk Connect for Syslog
-theme: readthedocs
+
 nav:
 - Home: 'index.md'
- - Performance: 'performance.md'
- - Getting Started: 'gettingstarted.md'
- - Demo Lab: 'demo.md'
+ - Getting Started:
+ - 'Read First': 'gettingstarted/index.md'
+ - 'Podman + systemd single node': 'gettingstarted/podman-systemd-general.md'
+ - 'Docker CE + systemd single node': 'gettingstarted/docker-systemd-general.md'
+ - 'Docker CE + Swarm single node': 'gettingstarted/docker-swarm-rhel7.md'
+ - 'Bring your own Envionment': 'gettingstarted/byoe-rhel7.md'
 - Configuration: 'configuration.md'
- - Sources: 'sources.md'
+ - Sources:
+ - About: sources/index.md
+ - Checkpoint: sources/Checkpoint/index.md
+ - Cisco: sources/Cisco/index.md
+ - Forcepoint: sources/Forcepoint/index.md
+ - Fortinet: sources/Fortinet/index.md
+ - Imperva: sources/Imperva/index.md
+ - Juniper: sources/Juniper/index.md
+ - Microfocus: sources/Microfocus/index.md
+ - 'Paloalto Networks': sources/PaloaltoNetworks/index.md
+ - Proofpoint: sources/Proofpoint/index.md
+ - Symantec: sources/Symantec/index.md
+ - Ubiquiti: sources/Ubiquiti/index.md
+ - Zscaler: sources/Zscaler/index.md
+ - 'Demo Lab': 'demo.md'
+ - Performance: 'performance.md'
 - Troubleshooting: 'troubleshooting.md'
+
+markdown_extensions:
+ - toc:
+ permalink: True
+ - smarty
+ - fenced_code
+ - sane_lists
+ - codehilite
+
+theme:
+ name: 'material'
+ palette:
+ primary: 'black'
+ accent: 'orange'
+ favicon: 'logo.png'
+ logo: 'logo.png'
\ No newline at end of file
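Review bot: `mkdocs-material` is added to mkdocs-requirements.txt without a version pin, so each docs build resolves whatever release is current on PyPI at build time, and the rendered site can change or the build can break with no change to this repository. Pin it to the version the new theme block was written against, `mkdocs-material==<tested version>`, and list `mkdocs` itself at a pinned version rather than relying on it arriving transitively through the theme. If the docs build runs unattended from this file, hash-pinned requirements installed with `pip install --require-hashes` are the stronger option against a substituted package.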
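Review bot: The new nav label `'Bring your own Envionment'` in mkdocs.yml misspells Environment and is rendered verbatim in the site navigation; change it to `- 'Bring your own Environment': 'gettingstarted/byoe-rhel7.md'`. The other four Getting Started pages the nav now references (`podman-systemd-general.md`, `docker-systemd-general.md`, `docker-swarm-rhel7.md`, `byoe-rhel7.md`) do not appear to be created by this patch, so unless they already exist under docs/gettingstarted/ mkdocs will report them as missing pages at build time. Quoting is also inconsistent within the same nav block (`'Demo Lab': 'demo.md'` quoted, `About: sources/index.md` bare); both are valid YAML, but one convention would be easier to maintain.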