fix: extend aruba clearpass parser (#2334)

splunk · Feb 7, 2024 · afcabb4 · afcabb4
1 parent c7e919a
commit afcabb4
Show file tree

Hide file tree

Showing 4 changed files with 213 additions and 8 deletions.
diff --git a/docs/sources/vendor/Aruba/clearpass.md b/docs/sources/vendor/Aruba/clearpass.md
@@ -14,13 +14,25 @@
 
 | sourcetype     | notes                                                                                                   |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| aruba:clearpass | Dynamically  Created |
+| aruba:clearpass| Dynamically  Created                                                                                    |
+
 
 ### Index Configuration
 
-| key            | index  | notes          |
-|----------------|--------|----------------|
-| aruba_clearpass     | netops | none          |
+| key                                     | index  | notes          |
+|-----------------------------------------|--------|----------------|
+| aruba_clearpass                         | netops | none           |
+| aruba_clearpass_endpoint-profile        | netops | none           |
+| aruba_clearpass_alert                   | netops | none           |
+| aruba_clearpass_endpoint-audit-record   | netops | none           |
+| aruba_clearpass_policy-server-session   | netops | none           |
+| aruba_clearpass_post-auth-monit-config  | netops | none           |
+| aruba_clearpass_snmp-session-log        | netops | none           |
+| aruba_clearpass_radius-session          | netops | none           |
+| aruba_clearpass_system-event            | netops | none           |
+| aruba_clearpass_tacacs-accounting-detail| netops | none           |
+| aruba_clearpass_tacacs-accounting-record| netops | none           |
+
 
 ## Parser Configuration
 

diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf b/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf
@@ -1,5 +1,5 @@
 block parser app-netsource-aruba_clearpass() {
- channel {
+    channel {
         rewrite {
             r_set_splunk_dest_default(
                 index('netops')
@@ -10,10 +10,79 @@ block parser app-netsource-aruba_clearpass() {
             );
         };
 
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("endpoint-profile")
+                condition(program("CPPM_Endpoint_Profile", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("alert")
+                condition(program("CPPM_Alert", type(string) flags(ignore-case, prefix)))
+            );
+        };
 
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("endpoint-audit-record")
+                condition(program("CPPM_Audit_Record", type(string) flags(ignore-case, prefix)))
+            );
+        };
 
-   };
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("policy-server-session")
+                condition(program("CPPM_Policy_Server_Session", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("post-auth-monit-config")
+                condition(program("CPPM_Post_Auth_Monit_Config", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("radius-session")
+                condition(program("CPPM_RADIUS_Session", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("snmp-session-log")
+                condition(program("CPPM_SNMP_Session_Log", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("system-event")
+                condition(program("CPPM_System_Event", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("tacacs-accounting-detail")
+                condition(program("CPPM_TACACS_Accounting_Detail", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("tacacs-accounting-record")
+                condition(program("CPPM_TACACS_Accouting_Record", type(string) flags(ignore-case, prefix)))
+            );
+        };
+    };
 };
+
+
 application app-netsource-aruba_clearpass[sc4s-network-source] {
 	filter {
         not filter(f_is_source_identified)

diff --git a/package/lite/etc/addons/aruba/app-netsource-aruba_clearpass.conf b/package/lite/etc/addons/aruba/app-netsource-aruba_clearpass.conf
@@ -1,5 +1,5 @@
 block parser app-netsource-aruba_clearpass() {
- channel {
+    channel {
         rewrite {
             r_set_splunk_dest_default(
                 index('netops')
@@ -10,10 +10,79 @@ block parser app-netsource-aruba_clearpass() {
             );
         };
 
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("endpoint-profile")
+                condition(program("CPPM_Endpoint_Profile", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("alert")
+                condition(program("CPPM_Alert", type(string) flags(ignore-case, prefix)))
+            );
+        };
 
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("endpoint-audit-record")
+                condition(program("CPPM_Audit_Record", type(string) flags(ignore-case, prefix)))
+            );
+        };
 
-   };
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("policy-server-session")
+                condition(program("CPPM_Policy_Server_Session", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("post-auth-monit-config")
+                condition(program("CPPM_Post_Auth_Monit_Config", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("radius-session")
+                condition(program("CPPM_RADIUS_Session", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("snmp-session-log")
+                condition(program("CPPM_SNMP_Session_Log", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("system-event")
+                condition(program("CPPM_System_Event", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("tacacs-accounting-detail")
+                condition(program("CPPM_TACACS_Accounting_Detail", type(string) flags(ignore-case, prefix)))
+            );
+        };
+
+        rewrite {            
+            r_set_splunk_dest_update_v2(
+                class("tacacs-accounting-record")
+                condition(program("CPPM_TACACS_Accouting_Record", type(string) flags(ignore-case, prefix)))
+            );
+        };
+    };
 };
+
+
 application app-netsource-aruba_clearpass[sc4s-network-source] {
 	filter {
         not filter(f_is_source_identified)

diff --git a/tests/test_aruba_clearpass.py b/tests/test_aruba_clearpass.py
@@ -58,3 +58,58 @@ def test_aruba_clearpass_CPPM(
     record_property("message", message)
 
     assert result_count == 1
+
+
+test_data_cppm_classes = [
+    (
+        "{{ mark }}{{ aruba_time }} {{ host }} CPPM_System_Events 1 1 0 event_source=SnmpService,level=ERROR,category=Trap,description=Switch IP=10.17.8.67. Ignore v2c trap. Bad    security name in   trap,action_key=Failed,timestamp=2014-06-03 13:05:30.023+05:30",
+        "system-event",
+    ),
+    (
+        "{{ mark }}{{ aruba_time }} {{ host }} CPPM_Alert 11315736 1 0 session_id=R,service_name=RADIUS,alert=MSCHAP: Authentication failed. will re-try based on config,timestamp=2024-01-04 11:37:53.649+01",
+        "alert",
+    ),
+    (
+        "{{ mark }}{{ aruba_time }} {{ host }} CPPM_Endpoint_Profile 1 1 0 mac_address=1,ip_address=1.1.1.1,static_ip=1.1.1.1,hostname=1,mac_vendor=Intel Corporate,device_category=Computer,device_family=Windows,device_name=Windows 10,fingerprint={},updated_at=2024-01-04 11:39:51.602362+01,added_at=2023-12-11 11:20:42.876235+01",
+        "endpoint-profile"
+    ),
+    (
+        "{{ mark }}{{ aruba_time }} {{ host }} CPPM_Policy_Server_Session 1 1 0 session_id=1,monitor_mode=Disabled,auth_type=,roles=No-Role, [User Authenticated],audit_apt=UNKNOWN,spt=UNKNOWN,enf_profiles=[Deny Access Profile],timestamp=2024-01-04 11:39:52.539+01",
+        "policy-server-session",
+    ),
+]
+
+
+@pytest.mark.addons("aruba")
+@pytest.mark.parametrize("event", test_data_cppm_classes)
+def test_aruba_clearpass_class(
+    record_property,  setup_splunk, setup_sc4s, get_host_key, event
+):
+    msg, sc4s_class = event
+    host = "aruba-cp-" + get_host_key
+
+    dt = datetime.datetime.now()
+    _, bsd, _, date, _, _, epoch = time_operations(dt)
+
+    aruba_time = dt.strftime("%Y-%m-%d %H:%M:%S,%f")[:-3]
+    epoch = epoch[:-3]
+
+    mt = env.from_string(msg + "\n")
+    message = mt.render(
+        mark="<46>", bsd=bsd, host=host, date=date, aruba_time=aruba_time
+    )
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="aruba:clearpass" sc4s_class={{sc4s_class}}'
+    )
+    search = st.render(epoch=epoch, host=host, sc4s_class=sc4s_class)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
+    assert result_count == 1