feat: parser dell avamar (#2393)

splunk · May 1, 2024 · 812228a · 812228a
1 parent 560dcf3
commit 812228a
Show file tree

Hide file tree

Showing 4 changed files with 150 additions and 0 deletions.
diff --git a/docs/sources/vendor/Dell/avamar.md b/docs/sources/vendor/Dell/avamar.md
@@ -0,0 +1,25 @@
+# Dell Avamar
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | na                                                                                                      |
+| Add-on Manual  | <https://www.delltechnologies.com/asset/en-us/products/data-protection/technical-support/docu91832.pdf> |
+
+## Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| dell:avamar:msc| None                                                                                                    |
+
+### Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| dell_avamar_cms| dell:avamar:msc| netops         | none           |
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-dell_avamar.conf b/package/etc/conf.d/conflib/syslog/app-syslog-dell_avamar.conf
@@ -0,0 +1,36 @@
+block parser app-syslog-dell_avamar() {
+    channel {
+        parser {
+            regexp-parser(
+                template("${MESSAGE}")
+                prefix(".tmp.")
+                patterns('<(?<message>.*)')
+            );
+            kv-parser(
+                prefix(".values.")
+                pair-separator("<")
+                value-separator(">")
+                template("${.tmp.message}")
+            );
+        };
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('dell:avamar:msc')
+                vendor('dell')
+                product('avamar')
+                class('msc')
+                template("t_json_values")
+            );
+        };
+    };
+};
+
+application app-syslog-dell_avamar[sc4s-syslog] {
+    filter {
+        message('<HwSource>' type(string) flags(substring)) and
+        message('<Severity>' type(string) flags(substring)) and
+        message('<Code>' type(string) flags(substring));
+    };
+    parser { app-syslog-dell_avamar(); };
+};
diff --git a/package/lite/etc/addons/dell/app-syslog-dell_avamar.conf b/package/lite/etc/addons/dell/app-syslog-dell_avamar.conf
@@ -0,0 +1,36 @@
+block parser app-syslog-dell_avamar() {
+    channel {
+        parser {
+            regexp-parser(
+                template("${MESSAGE}")
+                prefix(".tmp.")
+                patterns('<(?<message>.*)')
+            );
+            kv-parser(
+                prefix(".values.")
+                pair-separator("<")
+                value-separator(">")
+                template("${.tmp.message}")
+            );
+        };
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('dell:avamar:msc')
+                vendor('dell')
+                product('avamar')
+                class('msc')
+                template("t_json_values")
+            );
+        };
+    };
+};
+
+application app-syslog-dell_avamar[sc4s-syslog] {
+    filter {
+        message('<HwSource>' type(string) flags(substring)) and
+        message('<Severity>' type(string) flags(substring)) and
+        message('<Code>' type(string) flags(substring));
+    };
+    parser { app-syslog-dell_avamar(); };
+};
diff --git a/tests/test_dell_avamar.py b/tests/test_dell_avamar.py
@@ -0,0 +1,53 @@
+# Copyright 2024 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import  splunk_single
+from .timeutils import time_operations
+import datetime
+
+import pytest
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+
+test_cases = [
+    '{{ mark }} {{ bsd }} {{ host }}: <Code> 22555 <Type> AUDIT <Severity> PROCESS <Category> SECURITY <User> email@my.com <HwSource> {{ host }} <Summary> Changed backup expiration. <path> /clients/Dev-Cert/Windows/test.com <createtime> 2024-02-03 02:32:09 CST <plugin> 3001 <labelnum> 388 <expiration> 2024-02-16 <requestor> <requestor domain="/" host="1.1.1.1" product="MCGUI" role="Administrator" user="email@my.com"/>',
+]
+
+
+@pytest.mark.parametrize("case", test_cases)
+@pytest.mark.addons("dell")
+def test_dell_avamar(
+    record_property, setup_splunk, setup_sc4s, case
+):
+    host = 'amavar'
+
+    dt = datetime.datetime.now()
+    _, bsd, _, date, _, _, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(case + "\n")
+    message = mt.render(mark="<141>", bsd=bsd, host=host, date=date)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search index=netops _time={{ epoch }} sourcetype="dell:avamar:msc" (host="{{ host }}" OR "{{ host }}")'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
+    assert result_count == 1