feat: create parser for Aviatrix
fix: fix Cisco Meraki filters (#2369)
fix: update Bluecoat sourcetype to match TA 3.8.1 (#2370)
feat: create parser for Aviatrix (#2377)
fix: extend ZScaler LSS (#2388)
fix: fix app-almost-syslog-cisco_syslog (#2399)
mstopa-splunk authored May 13, 2024
2 parents 99f1895 + 190d18a commit dec3d1e
Showing 26 changed files with 685 additions and 301 deletions.
34 changes: 34 additions & 0 deletions docs/sources/vendor/Aviatrix/aviatrix.md
@@ -0,0 +1,34 @@
# Aviatrix

## Key facts
* MSG Format based filter
* Legacy BSD Format default port 514

## Product - Switches

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | -- |
| Product Manual | [Link](https://docs.aviatrix.com/documentation/latest/controller-platform-administration/aviatrix-logging.html?expand=true#log-management-system-formats) |

## Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| aviatrix:cloudx-cli | None |
| aviatrix:kernel | None |
| aviatrix:cloudxd | None |
| aviatrix:avx-nfq | None |
| aviatrix:avx-gw-state-sync | None |
| aviatrix:perfmon | None |

## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| aviatrix_cloudx-cli | aviatrix:cloudx-cli | netops | none |
| aviatrix_kernel | aviatrix:kernel | netops | none |
| aviatrix_cloudxd | aviatrix:cloudxd | netops | none |
| aviatrix_avx-nfq | aviatrix:avx-nfq | netops | none |
| aviatrix_avx-gw-state-sync | aviatrix:avx-gw-state-sync | netops | none |
| aviatrix_perfmon | aviatrix:perfmon | netops | none |
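Review bot: the "## Product - Switches" heading, with its empty "Splunk Add-on | --" row, looks like a leftover from another vendor's page template; the manual link sits under controller-platform-administration/aviatrix-logging, so name the section for the controller and gateway logs it actually documents. The key facts say the filter is "MSG Format based", but nothing on the page says which element of the message selects each of the six sourcetypes (aviatrix:cloudx-cli, aviatrix:kernel, aviatrix:cloudxd, aviatrix:avx-nfq, aviatrix:avx-gw-state-sync, aviatrix:perfmon); a short "Distinctive log messages" table like the one on the Meraki page in this same commit would let an operator verify the routing and spot a mis-classified host. Every notes cell reads "None", so either fill the column or drop it.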
6 changes: 3 additions & 3 deletions docs/sources/vendor/Broadcom/proxy.md
@@ -23,14 +23,14 @@ Broadcom products are inclusive of products formerly marketed under Symantec and

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| bluecoat:proxysg:access:kv | Requires version TA 3.6 |
| bluecoat:proxysg:syslog | Requires version TA 3.6 |
| bluecoat:proxysg:access:kv | Requires version TA 3.8.1 |
| bluecoat:proxysg:access:syslog | Requires version TA 3.8.1 |

## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| bluecoat_proxy | bluecoat:proxysg:syslog | netops | none |
| bluecoat_proxy | bluecoat:proxysg:access:syslog | netops | none |
| bluecoat_proxy_splunkkv | bluecoat:proxysg:access:kv | netproxy | none |


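Review bot: renaming bluecoat:proxysg:syslog to bluecoat:proxysg:access:syslog is a breaking change for any saved search, dashboard or alert keyed on the old sourcetype, and the page gives no hint that the name changed; add a sentence naming the previous sourcetype and noting that events already indexed keep it. The "Requires version TA 3.8.1" note on both rows should also say what differs from TA 3.6 (the previous requirement on the removed lines), otherwise an operator on the older add-on cannot tell whether to upgrade the TA before upgrading SC4S.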
111 changes: 71 additions & 40 deletions docs/sources/vendor/Cisco/cisco_meraki.md
@@ -1,65 +1,96 @@
## Meraki (MR, MS, MX)

## Key facts
* In most cases, Cisco Meraki logs are general and require vendor product by source configuration.
* For distinctive log messages, filters are based on the appliance name and program value.
* Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message.
* Because of the above you should either configure known Cisco Meraki hosts in SC4S, or open unique ports for Cisco Meraki devices.
* [Splunk Add-on for Cisco Meraki 2.1.0](https://splunkbase.splunk.com/app/5580) doesn't support syslog. Use [TA-meraki](https://splunkbase.splunk.com/app/3018) instead. `TA-meraki 1.1.5` requires sourcetype `meraki`.

## Distinctive log messages
See samples in the [vendor documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples).

The two conjuncted conditions are required:

1. Program: `(events|urls|firewall|cellular_firewall|vpn_firewall|ids-alerts|flows)`

2. Appliance name:

| Sourcetype | Distinct element |
| --------- | -------------- |
| meraki:accesspoints | `host('MR' type(string) flags(ignore-case,prefix))` |
| meraki:securityappliances | `host('MX' type(string) flags(ignore-case,prefix))` |
| meraki:switches | `host('MS' type(string) flags(ignore-case,prefix))` |


## Links

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | <https://splunkbase.splunk.com/app/5580> |
| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> <https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples> |
| Splunk Add-on | <https://splunkbase.splunk.com/app/3018> |
| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> |

## Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| meraki:accesspoints | MR |
| meraki:securityappliances | MX |
| meraki:switches | MS |
| meraki | vendor product by source configuration |
| meraki:accesspoints | Not compliant with the Splunk Add-on |
| meraki:securityappliances | Not compliant with the Splunk Add-on |
| meraki:switches | Not compliant with the Splunk Add-on |
| meraki | For all Meraki devices. Compliant with the Splunk Add-on |

## Sourcetype and Index Configuration
## Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| cisco_meraki_accesspoints | meraki:accesspoints | netfw | Filtered on the message format |
| cisco_meraki_securityappliances | meraki:securityappliances | netfw | Filtered on the message format |
| cisco_meraki_switches | meraki:switches | netfw | Filtered on the message format |
| cisco_meraki | meraki | netfw | Filtered on vendor product by source configuration |
| meraki_accesspoints | meraki:accesspoints | netfw | |
| meraki_securityappliances | meraki:securityappliances | netfw | |
| meraki_switches | meraki:switches | netfw | |
| cisco_meraki | meraki | netfw | |

## Parser Configuration

## Parser Configuration
1. Either by defining Cisco Meraki hosts:
```c
#/opt/sc4s/local/config/app-parsers/app-vps-cisco_meraki.conf
#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf
#File name provided is a suggestion it must be globally unique

application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^testcm-")
block parser app-vps-test-cisco_meraki() {
channel {
if {
filter { host("^test-mx-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('securityappliances')
);
};
} elif {
filter { host("^test-mr-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('accesspoints')
);
};
} elif {
filter { host("^test-ms-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('switches')
);
};
} else {
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};
};
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};


application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^test-meraki-")
or host("^test-mx-")
or host("^test-mr-")
or host("^test-ms-")
};
parser { app-vps-test-cisco_meraki(); };
};
```

2. Or by a unique port:
```
# /opt/sc4s/env_file
SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
SC4S_LISTEN_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005
SC4S_LISTEN_MERAKI_ACCESSPOINTS_UDP_PORT=5006
SC4S_LISTEN_MERAKI_SWITCHES_UDP_PORT=5007
```
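Review bot: the "Distinctive log messages" table selects the sourcetype with host('MR'/'MX'/'MS' type(string) flags(ignore-case,prefix)), which matches any hostname that merely starts with those two letters; a host named, say, ms-relay01 that sends a message whose program is one of events, urls, firewall or flows would be routed to meraki:switches. State that the appliance name must begin with the model prefix and that anything else should use the host-based (sc4s-vps) or unique-port option below, so operators can check their inventory against that rule. Three smaller points: "## Index Configuration" is inconsistent with the Aviatrix, Broadcom and Zscaler pages in this same commit, which all use "## Sourcetype and Index Configuration"; the retained Product Manual link still uses "zGeneral_Administration" while the link at the top of the page uses "General_Administration", which looks like a typo; and "The two conjuncted conditions are required" reads better as "Both of the following conditions must hold".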
14 changes: 6 additions & 8 deletions docs/sources/vendor/Zscaler/lss.md
@@ -20,17 +20,15 @@ the IP or host name of the SC4S instance and port 514

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| zscaler_lss-app | None |
| zscaler_lss-auth | None |
| zscaler_lss-bba | None |
| zscaler_lss-connector | None |
| zscalerlss-zpa-app | None |
| zscalerlss-zpa-bba | None |
| zscalerlss-zpa-connector | None |
| zscalerlss-zpa-auth | None |
| zscalerlss-zpa-audit | None |

## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|--------------------------|------------|---------|
| zscaler_lss | zscalerlss_zpa-app | netproxy | none |
| zscaler_lss | zscalerlss_zpa_auth | netproxy | none |
| zscaler_lss | zscalerlss_zpa_auth | netproxy | none |
| zscaler_lss | zscalerlss_zpa_connector | netproxy | none |
| zscaler_lss |zscalerlss-zpa-app, zscalerlss-zpa-bba, zscalerlss-zpa-connector, zscalerlss-zpa-auth, zscalerlss-zpa-audit | netproxy | none |

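Review bot: the sourcetypes are renamed here (zscaler_lss-app becomes zscalerlss-zpa-app and so on, plus a new zscalerlss-zpa-audit), and the index table now packs all five into a single cell; keep one row per sourcetype, as every other vendor page in this commit does, and list the old names so operators can update searches that still reference them. The removed rows mixed zscalerlss_zpa-app with zscalerlss_zpa_auth, so settling on the hyphenated form is an improvement worth calling out in the page text rather than leaving readers to diff the table.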
This file was deleted.

@@ -72,7 +72,7 @@ block parser app-almost-syslog-cisco_syslog() {
parser {
regexp-parser(
prefix(".tmp.")
patterns('(?:[ ]|^(?<pri>\<\d+\>)|^)(?<host>(?<!\*)(?!\d{4,})(?:[0-9A-Za-z\-]{4,}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))')
patterns('(?:[ ]|^(?<pri>\<\d+\>)|^)(?<host>(?<!\*)(?!\d{4,})(?!\w+\[)(?:[0-9A-Za-z\-_]{4,}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))')
template('${.tmp.header}')
);
};
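Review bot: the new lookahead (?!\w+\[) stops a program[pid] token from being captured as the host, but \w does not include '-', while the host class was widened to [0-9A-Za-z\-_]{4,}; a hyphenated program name followed by [pid] therefore still passes the lookahead and is taken as the host. Consider (?![\w-]+\[) so the lookahead covers the same characters the host group accepts. The commit message only says "fix app-almost-syslog-cisco_syslog", so please add the sample line that motivated the underscore and the lookahead to the test set, otherwise the next regex change can silently undo this one.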
41 changes: 37 additions & 4 deletions package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf
@@ -1,6 +1,5 @@
block parser app-json-zscaler_lss() {
channel {

if {
filter {
match('.' value('.values.ClientZEN'))
@@ -75,11 +74,45 @@ block parser app-json-zscaler_lss() {
flags(guess-timezone)
);
};
};
};


block parser app-json-zscaler_lss_audit() {
channel {
if {
filter {
match('.' value('.values.ClientAuditUpdate'))
};
rewrite {
r_set_splunk_dest_default(
index("netproxy")
sourcetype('zscalerlss-zpa-audit')
vendor('zscaler')
product('lss')
);
};
};
parser {
date-parser(
format('%Y-%m-%dT%H:%M:%S.%fZ',
'%a %b %d %k:%M:%S %Y')
template("${.values.CreationTime}")
flags(guess-timezone)
);
};
};
};
application app-json-zscaler_lss[json] {
parser { app-json-zscaler_lss(); };

block parser app-json-zscaler() {
channel {
if {
parser { app-json-zscaler_lss(); };
} else {
parser { app-json-zscaler_lss_audit(); };
};
};
};

application app-json-zscaler_lss[json] {
parser { app-json-zscaler(); };
};
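Review bot: in app-json-zscaler() the if branch holds only parser { app-json-zscaler_lss(); } with no filter, so whether a message reaches app-json-zscaler_lss_audit() depends on the first parser failing (for instance its trailing date-parser not finding its field) rather than on a positive match; a message that fails the first block for an unrelated reason would then be handed to the audit branch. Since the audit block already filters on match('.' value('.values.ClientAuditUpdate')), put that match (or the ClientZEN match from the first block) in the if condition so the dispatch is explicit and testable. Inside app-json-zscaler_lss_audit() the if has no else, so a message that does not carry ClientAuditUpdate still runs through the date-parser without any sourcetype set; say whether that is intended or add an else that leaves the message for the next parser.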