diff --git a/docs/sources/vendor/Aruba/clearpass.md b/docs/sources/vendor/Aruba/clearpass.md
index f91ad9292a..d4365eec6c 100644
--- a/docs/sources/vendor/Aruba/clearpass.md
+++ b/docs/sources/vendor/Aruba/clearpass.md
@@ -14,13 +14,25 @@
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| aruba:clearpass | Dynamically Created |
+| aruba:clearpass| Dynamically Created |
+
 ### Index Configuration
-| key | index | notes |
-|----------------|--------|----------------|
-| aruba_clearpass | netops | none |
+| key | index | notes |
+|-----------------------------------------|--------|----------------|
+| aruba_clearpass | netops | none |
+| aruba_clearpass_endpoint-profile | netops | none |
+| aruba_clearpass_alert | netops | none |
+| aruba_clearpass_endpoint-audit-record | netops | none |
+| aruba_clearpass_policy-server-session | netops | none |
+| aruba_clearpass_post-auth-monit-config | netops | none |
+| aruba_clearpass_snmp-session-log | netops | none |
+| aruba_clearpass_radius-session | netops | none |
+| aruba_clearpass_system-event | netops | none |
+| aruba_clearpass_tacacs-accounting-detail| netops | none |
+| aruba_clearpass_tacacs-accounting-record| netops | none |
+
 ## Parser Configuration
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf b/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf
index 5533ed49a9..451a0c7fdf 100644
--- a/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf
+++ b/package/etc/conf.d/conflib/netsource/app-netsource-aruba_clearpass.conf
@@ -1,5 +1,5 @@
 block parser app-netsource-aruba_clearpass() {
- channel {
+ channel {
 rewrite {
 r_set_splunk_dest_default(
 index('netops')
@@ -10,10 +10,79 @@ block parser app-netsource-aruba_clearpass() {
 );
 };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("endpoint-profile")
+ condition(program("CPPM_Endpoint_Profile", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("alert")
+ condition(program("CPPM_Alert", type(string) flags(ignore-case, prefix)))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("endpoint-audit-record")
+ condition(program("CPPM_Audit_Record", type(string) flags(ignore-case, prefix)))
+ );
+ };
- };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("policy-server-session")
+ condition(program("CPPM_Policy_Server_Session", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("post-auth-monit-config")
+ condition(program("CPPM_Post_Auth_Monit_Config", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("radius-session")
+ condition(program("CPPM_RADIUS_Session", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("snmp-session-log")
+ condition(program("CPPM_SNMP_Session_Log", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("system-event")
+ condition(program("CPPM_System_Event", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("tacacs-accounting-detail")
+ condition(program("CPPM_TACACS_Accounting_Detail", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("tacacs-accounting-record")
+ condition(program("CPPM_TACACS_Accouting_Record", type(string) flags(ignore-case, prefix)))
+ );
+ };
+ };
 };
+
+
 application app-netsource-aruba_clearpass[sc4s-network-source] {
 filter {
 not filter(f_is_source_identified)
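Review bot: The program pattern for `class("tacacs-accounting-record")`, the last rewrite in this hunk, is spelled `CPPM_TACACS_Accouting_Record` (missing "n"), unlike its sibling `CPPM_TACACS_Accounting_Detail` and the class name itself, so an event whose program tag is the correctly spelled `CPPM_TACACS_Accounting_Record` would never match this rewrite and would keep only the default sourcetype routing, leaving the `aruba_clearpass_tacacs-accounting-record` key advertised in the docs table of this same diff with no effect. I cannot confirm from here which spelling ClearPass actually emits, since the tag depends on how the syslog export is named on the appliance; if the misspelled tag is what arrives in practice, a comment on that line should say so, otherwise it should read `condition(program("CPPM_TACACS_Accounting_Record", type(string) flags(ignore-case, prefix)))`. The identical line appears in the hunk for package/lite/etc/addons/aruba/app-netsource-aruba_clearpass.conf. The test hunk in tests/test_aruba_clearpass.py exercises four of the ten classes and neither TACACS one, so a mismatch here is not caught by CI.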
diff --git a/package/lite/etc/addons/aruba/app-netsource-aruba_clearpass.conf b/package/lite/etc/addons/aruba/app-netsource-aruba_clearpass.conf
index 5533ed49a9..451a0c7fdf 100644
--- a/package/lite/etc/addons/aruba/app-netsource-aruba_clearpass.conf
+++ b/package/lite/etc/addons/aruba/app-netsource-aruba_clearpass.conf
@@ -1,5 +1,5 @@
 block parser app-netsource-aruba_clearpass() {
- channel {
+ channel {
 rewrite {
 r_set_splunk_dest_default(
 index('netops')
@@ -10,10 +10,79 @@ block parser app-netsource-aruba_clearpass() {
 );
 };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("endpoint-profile")
+ condition(program("CPPM_Endpoint_Profile", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("alert")
+ condition(program("CPPM_Alert", type(string) flags(ignore-case, prefix)))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("endpoint-audit-record")
+ condition(program("CPPM_Audit_Record", type(string) flags(ignore-case, prefix)))
+ );
+ };
- };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("policy-server-session")
+ condition(program("CPPM_Policy_Server_Session", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("post-auth-monit-config")
+ condition(program("CPPM_Post_Auth_Monit_Config", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("radius-session")
+ condition(program("CPPM_RADIUS_Session", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("snmp-session-log")
+ condition(program("CPPM_SNMP_Session_Log", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("system-event")
+ condition(program("CPPM_System_Event", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("tacacs-accounting-detail")
+ condition(program("CPPM_TACACS_Accounting_Detail", type(string) flags(ignore-case, prefix)))
+ );
+ };
+
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ class("tacacs-accounting-record")
+ condition(program("CPPM_TACACS_Accouting_Record", type(string) flags(ignore-case, prefix)))
+ );
+ };
+ };
 };
+
+
 application app-netsource-aruba_clearpass[sc4s-network-source] {
 filter {
 not filter(f_is_source_identified)
diff --git a/tests/test_aruba_clearpass.py b/tests/test_aruba_clearpass.py
index b7a37f7fb3..5e67bc5e51 100644
--- a/tests/test_aruba_clearpass.py
+++ b/tests/test_aruba_clearpass.py
@@ -58,3 +58,58 @@ def test_aruba_clearpass_CPPM(
 record_property("message", message)
 assert result_count == 1
+
+
+test_data_cppm_classes = [
+ (
+ "{{ mark }}{{ aruba_time }} {{ host }} CPPM_System_Events 1 1 0 event_source=SnmpService,level=ERROR,category=Trap,description=Switch IP=10.17.8.67. Ignore v2c trap. Bad security name in trap,action_key=Failed,timestamp=2014-06-03 13:05:30.023+05:30",
+ "system-event",
+ ),
+ (
+ "{{ mark }}{{ aruba_time }} {{ host }} CPPM_Alert 11315736 1 0 session_id=R,service_name=RADIUS,alert=MSCHAP: Authentication failed. will re-try based on config,timestamp=2024-01-04 11:37:53.649+01",
+ "alert",
+ ),
+ (
+ "{{ mark }}{{ aruba_time }} {{ host }} CPPM_Endpoint_Profile 1 1 0 mac_address=1,ip_address=1.1.1.1,static_ip=1.1.1.1,hostname=1,mac_vendor=Intel Corporate,device_category=Computer,device_family=Windows,device_name=Windows 10,fingerprint={},updated_at=2024-01-04 11:39:51.602362+01,added_at=2023-12-11 11:20:42.876235+01",
+ "endpoint-profile"
+ ),
+ (
+ "{{ mark }}{{ aruba_time }} {{ host }} CPPM_Policy_Server_Session 1 1 0 session_id=1,monitor_mode=Disabled,auth_type=,roles=No-Role, [User Authenticated],audit_apt=UNKNOWN,spt=UNKNOWN,enf_profiles=[Deny Access Profile],timestamp=2024-01-04 11:39:52.539+01",
+ "policy-server-session",
+ ),
+]
+
+
+@pytest.mark.addons("aruba")
+@pytest.mark.parametrize("event", test_data_cppm_classes)
+def test_aruba_clearpass_class(
+ record_property, setup_splunk, setup_sc4s, get_host_key, event
+):
+ msg, sc4s_class = event
+ host = "aruba-cp-" + get_host_key
+
+ dt = datetime.datetime.now()
+ _, bsd, _, date, _, _, epoch = time_operations(dt)
+
+ aruba_time = dt.strftime("%Y-%m-%d %H:%M:%S,%f")[:-3]
+ epoch = epoch[:-3]
+
+ mt = env.from_string(msg + "\n")
+ message = mt.render(
+ mark="<46>", bsd=bsd, host=host, date=date, aruba_time=aruba_time
+ )
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="aruba:clearpass" sc4s_class={{sc4s_class}}'
+ )
+ search = st.render(epoch=epoch, host=host, sc4s_class=sc4s_class)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
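Review bot: `test_data_cppm_classes` covers four of the ten classes the parser hunks introduce and neither TACACS accounting class, so the `CPPM_TACACS_Accouting_Record` pattern in the conf hunk, spelled differently from its sibling, has no case that would expose a mismatch; add one tuple per remaining class, at minimum an event whose program field is the TACACS accounting record tag expecting `"tacacs-accounting-record"`. The third tuple ends `"endpoint-profile"` without the trailing comma the other three carry; black would add it, so it is worth normalising now. `bsd` and `date` are passed to `mt.render(...)` but none of the four templates reference them, so they can be dropped from that call unless kept deliberately for parity with `test_aruba_clearpass_CPPM` above, whose body lies outside this hunk. A short docstring on `test_aruba_clearpass_class` stating that it checks `sc4s_class` assignment per CPPM program tag, rather than parsing, would make the intent clear to the next person adding a class.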