diff --git a/docs/sources/vendor/a10networks/vthunder.md b/docs/sources/vendor/a10networks/vthunder.md
new file mode 100644
index 0000000000..15c44b991f
--- /dev/null
+++ b/docs/sources/vendor/a10networks/vthunder.md
@@ -0,0 +1,33 @@
+# a10networks vthunder
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|---------------------------------------|----------------------------------------------------------------------------------|
+| A10 Networks SSL Insight App | |
+| A10 Networks Application Firewall App | |
+| A10 Networks L4 Firewall App | |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|-----------------------------------------------------------------------------------------------|
+| a10networks:vThunder:cef | None |
+
+## Source
+
+| source | notes |
+|----------------------|---------------------------------------------------------------------------------------------------|
+| a10networks:vThunder | None |
+
+### Index Configuration
+
+| key | source | index | notes |
+|--------------------|---------------------|----------------|----------------|
+|a10networks_vThunder| a10networks:vThunder| netwaf | none |
diff --git a/package/etc/conf.d/conflib/cef/app-cef-a10_vthunder.conf b/package/etc/conf.d/conflib/cef/app-cef-a10_vthunder.conf
new file mode 100644
index 0000000000..dcbba69259
--- /dev/null
+++ b/package/etc/conf.d/conflib/cef/app-cef-a10_vthunder.conf
@@ -0,0 +1,21 @@
+block parser app-cef-a10_vthunder() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netwaf'),
+                source('a10networks:vThunder'),
+                sourcetype('a10networks:vThunder:cef')
+                vendor('a10networks')
+                product('vThunder')
+            );
+        };
+    };
+};
+
+application app-cef-a10_vthunder[cef] {
+    filter{
+        match("A10" value(".metadata.cef.device_vendor"))
+        and match("vThunder" value(".metadata.cef.device_product"));
+    };
+    parser { app-cef-a10_vthunder(); };
+};
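Review bot: The two `match()` filters in `application app-cef-a10_vthunder[cef]` specify no `type()`, so syslog-ng evaluates "A10" and "vThunder" as unanchored PCRE patterns against `.metadata.cef.device_vendor` / `.metadata.cef.device_product`, meaning any value that merely contains those substrings is routed to index netwaf under this sourcetype. If an exact match is intended, `match("A10" value(".metadata.cef.device_vendor") type(string))` (and likewise for the product) is the tighter form; if substring matching is deliberate, a one-line comment above the filter saying so would save the next reader the question. Separately, the `r_set_splunk_dest_default(` argument list is inconsistent: `index('netwaf'),` and `source('a10networks:vThunder'),` carry trailing commas while `sourcetype(...)`, `vendor(...)` and `product(...)` do not — pick one convention, preferably whichever the other cef parsers in conflib use.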
diff --git a/tests/test_a10.py b/tests/test_a10.py
new file mode 100644
index 0000000000..16c4492697
--- /dev/null
+++ b/tests/test_a10.py
@@ -0,0 +1,42 @@
+# Copyright 2023 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import datetime
+import random
+import pytz
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+import random
+from .timeutils import *
+
+env = Environment()
+
+def test_a10_vthunder(
+    record_property, setup_splunk, setup_sc4s
+):
+    mt = env.from_string(
+        "{{ mark }} CEF:0|A10|vThunder|4.1.4-GR1-P12|WAF|session-id|2|rt={{ bsd }} src=1.1.1.1 spt=34860 dst=1.1.1.1 dpt=80 dhost=test.host.local cs1=uiext_sec_waf cs2=1 act=learn cs3=learn app=HTTP requestMethod=GET cn1=0 request=/sales/ msg=New session created: Id\=1\n"
+    )
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+    message = mt.render(mark="<6>", bsd=dt.strftime("%b %d %Y %H:%M:%S"))
+
+    # Tune time functions
+    epoch = epoch[:-7]
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+    st = env.from_string(
+        f'search index=netwaf sourcetype="a10networks:vThunder:cef" earliest={epoch}'
+    )
+    search = st.render(epoch=epoch)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
\ No newline at end of file
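Review bot: The template literal passed on the `mt = env.from_string(` line is a normal (non-raw) string that contains `\=`, which is not a valid Python escape sequence; CPython keeps the backslash but emits a DeprecationWarning (a SyntaxWarning from 3.12), and a later release may reject it outright. Since the CEF extension value needs a literal backslash-equals while the trailing `\n` is meant to be a real newline, the explicit form is `msg=New session created: Id\\=1\n`. The import block also lists `import random` twice, and neither `random` nor `pytz` is used anywhere in the file, so those three lines can be dropped. `eventCount` from `splunk_single` is unpacked but never checked; if it carries no meaning for this test, naming it `_` makes that intent explicit.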