SC4Sv3.25.0 #2461

Merged
merged 6 commits into from
May 13, 2024
34 changes: 34 additions & 0 deletions docs/sources/vendor/Aviatrix/aviatrix.md
@@ -0,0 +1,34 @@
# Aviatrix

## Key facts
* MSG Format based filter
* Legacy BSD Format default port 514

## Product - Switches

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | -- |
| Product Manual | [Link](https://docs.aviatrix.com/documentation/latest/controller-platform-administration/aviatrix-logging.html?expand=true#log-management-system-formats) |

## Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| aviatrix:cloudx-cli | None |
| aviatrix:kernel | None |
| aviatrix:cloudxd | None |
| aviatrix:avx-nfq | None |
| aviatrix:avx-gw-state-sync | None |
| aviatrix:perfmon | None |

## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| aviatrix_cloudx-cli | aviatrix:cloudx-cli | netops | none |
| aviatrix_kernel | aviatrix:kernel | netops | none |
| aviatrix_cloudxd | aviatrix:cloudxd | netops | none |
| aviatrix_avx-nfq | aviatrix:avx-nfq | netops | none |
| aviatrix_avx-gw-state-sync | aviatrix:avx-gw-state-sync | netops | none |
| aviatrix_perfmon | aviatrix:perfmon | netops | none |
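Review bot: the `## Product - Switches` heading does not match what this page documents; the linked manual is the Aviatrix Controller logging guide and the sourcetypes (`aviatrix:cloudxd`, `aviatrix:avx-gw-state-sync`, `aviatrix:avx-nfq`) are controller and gateway daemons, not switch logs. Suggest `## Product - Controller and Gateways`, or the plain `## Links` heading the Meraki page in this PR uses. The key facts also say the filter is `MSG Format based` but give no hint of what in the message selects `aviatrix:kernel` versus `aviatrix:cloudxd`; one sample line per sourcetype, or the program/tag value the filter keys on, would let a user verify routing without reading the parser.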
6 changes: 3 additions & 3 deletions docs/sources/vendor/Broadcom/proxy.md
Expand Up @@ -23,14 +23,14 @@ Broadcom products are inclusive of products formerly marketed under Symantec and

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| bluecoat:proxysg:access:kv | Requires version TA 3.6 |
| bluecoat:proxysg:syslog | Requires version TA 3.6 |
| bluecoat:proxysg:access:kv | Requires version TA 3.8.1 |
| bluecoat:proxysg:access:syslog | Requires version TA 3.8.1 |

## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| bluecoat_proxy | bluecoat:proxysg:syslog | netops | none |
| bluecoat_proxy | bluecoat:proxysg:access:syslog | netops | none |
| bluecoat_proxy_splunkkv | bluecoat:proxysg:access:kv | netproxy | none |


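Review bot: renaming the sourcetype from `bluecoat:proxysg:syslog` to `bluecoat:proxysg:access:syslog` is a breaking change for any saved search, dashboard or props/transforms stanza keyed on the old name, yet the tables carry no note about it. Suggest a line under the `bluecoat_proxy` row (or in the release notes) giving the old name, the SC4S version in which it changed, and that the `bluecoat_proxy` key is unchanged so existing `splunk_metadata.csv` index overrides still apply. The `Requires version TA 3.8.1` note replaces `Requires version TA 3.6` rather than extending it; please confirm 3.8.1 is the first add-on version that defines `bluecoat:proxysg:access:syslog`, since that is the only reason a user needs the bump.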
111 changes: 71 additions & 40 deletions docs/sources/vendor/Cisco/cisco_meraki.md
@@ -1,65 +1,96 @@
## Meraki (MR, MS, MX)

## Key facts
* In most cases, Cisco Meraki logs are general and require vendor product by source configuration.
* For distinctive log messages, filters are based on the appliance name and program value.
* Cisco Meraki messages are not distinctive, which means that it's impossible to parse the sourcetype based on the log message.
* Because of the above you should either configure known Cisco Meraki hosts in SC4S, or open unique ports for Cisco Meraki devices.
* [Splunk Add-on for Cisco Meraki 2.1.0](https://splunkbase.splunk.com/app/5580) doesn't support syslog. Use [TA-meraki](https://splunkbase.splunk.com/app/3018) instead. `TA-meraki 1.1.5` requires sourcetype `meraki`.

## Distinctive log messages
See samples in the [vendor documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples).

The two conjuncted conditions are required:

1. Program: `(events|urls|firewall|cellular_firewall|vpn_firewall|ids-alerts|flows)`

2. Appliance name:

| Sourcetype | Distinct element |
| --------- | -------------- |
| meraki:accesspoints | `host('MR' type(string) flags(ignore-case,prefix))` |
| meraki:securityappliances | `host('MX' type(string) flags(ignore-case,prefix))` |
| meraki:switches | `host('MS' type(string) flags(ignore-case,prefix))` |


## Links

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | <https://splunkbase.splunk.com/app/5580> |
| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> <https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples> |
| Splunk Add-on | <https://splunkbase.splunk.com/app/3018> |
| Product Manual | <https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration> |

## Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| meraki:accesspoints | MR |
| meraki:securityappliances | MX |
| meraki:switches | MS |
| meraki | vendor product by source configuration |
| meraki:accesspoints | Not compliant with the Splunk Add-on |
| meraki:securityappliances | Not compliant with the Splunk Add-on |
| meraki:switches | Not compliant with the Splunk Add-on |
| meraki | For all Meraki devices. Compliant with the Splunk Add-on |

## Sourcetype and Index Configuration
## Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| cisco_meraki_accesspoints | meraki:accesspoints | netfw | Filtered on the message format |
| cisco_meraki_securityappliances | meraki:securityappliances | netfw | Filtered on the message format |
| cisco_meraki_switches | meraki:switches | netfw | Filtered on the message format |
| cisco_meraki | meraki | netfw | Filtered on vendor product by source configuration |
| meraki_accesspoints | meraki:accesspoints | netfw | |
| meraki_securityappliances | meraki:securityappliances | netfw | |
| meraki_switches | meraki:switches | netfw | |
| cisco_meraki | meraki | netfw | |

## Parser Configuration

## Parser Configuration
1. Either by defining Cisco Meraki hosts:
```c
#/opt/sc4s/local/config/app-parsers/app-vps-cisco_meraki.conf
#/opt/sc4s/local/config/app_parsers/app-vps-cisco_meraki.conf
#File name provided is a suggestion it must be globally unique

application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^testcm-")
block parser app-vps-test-cisco_meraki() {
channel {
if {
filter { host("^test-mx-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('securityappliances')
);
};
} elif {
filter { host("^test-mr-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('accesspoints')
);
};
} elif {
filter { host("^test-ms-") };
parser {
p_set_netsource_fields(
vendor('meraki')
product('switches')
);
};
} else {
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};
};
parser {
p_set_netsource_fields(
vendor('cisco')
product('meraki')
);
};
};


application app-vps-test-cisco_meraki[sc4s-vps] {
filter {
host("^test-meraki-")
or host("^test-mx-")
or host("^test-mr-")
or host("^test-ms-")
};
parser { app-vps-test-cisco_meraki(); };
};
```

2. Or by a unique port:
```
# /opt/sc4s/env_file
SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5004
SC4S_LISTEN_MERAKI_SECURITYAPPLIANCES_UDP_PORT=5005
SC4S_LISTEN_MERAKI_ACCESSPOINTS_UDP_PORT=5006
SC4S_LISTEN_MERAKI_SWITCHES_UDP_PORT=5007
```
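Review bot: the keys `cisco_meraki_accesspoints`, `cisco_meraki_securityappliances` and `cisco_meraki_switches` are renamed to `meraki_accesspoints`, `meraki_securityappliances` and `meraki_switches`, which silently breaks any `splunk_metadata.csv` override keyed on the old names while `cisco_meraki` keeps its key; the Index Configuration table should list the old keys, or the release notes should. Three smaller points in the same hunk: the heading `## Index Configuration` diverges from `## Sourcetype and Index Configuration` used by every other vendor page in this PR; the Product Manual URL still carries the `zGeneral_Administration` path segment from the old line, which looks like a typo for `General_Administration` and should be clicked before merge; and the host filters `host('MR' type(string) flags(ignore-case,prefix))` match any hostname beginning with `mr`, `ms` or `mx` (for example an `mrtg` or `msexchange` host sending one of the listed programs), so the Key facts should say that the prefix match is on the hostname and recommend the explicit `app-vps` or unique-port configuration for mixed environments.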
14 changes: 6 additions & 8 deletions docs/sources/vendor/Zscaler/lss.md
Expand Up @@ -20,17 +20,15 @@ the IP or host name of the SC4S instance and port 514

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| zscaler_lss-app | None |
| zscaler_lss-auth | None |
| zscaler_lss-bba | None |
| zscaler_lss-connector | None |
| zscalerlss-zpa-app | None |
| zscalerlss-zpa-bba | None |
| zscalerlss-zpa-connector | None |
| zscalerlss-zpa-auth | None |
| zscalerlss-zpa-audit | None |

## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|--------------------------|------------|---------|
| zscaler_lss | zscalerlss_zpa-app | netproxy | none |
| zscaler_lss | zscalerlss_zpa_auth | netproxy | none |
| zscaler_lss | zscalerlss_zpa_auth | netproxy | none |
| zscaler_lss | zscalerlss_zpa_connector | netproxy | none |
| zscaler_lss |zscalerlss-zpa-app, zscalerlss-zpa-bba, zscalerlss-zpa-connector, zscalerlss-zpa-auth, zscalerlss-zpa-audit | netproxy | none |

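Review bot: the sourcetypes `zscaler_lss-app`, `zscaler_lss-auth`, `zscaler_lss-bba` and `zscaler_lss-connector` are renamed to `zscalerlss-zpa-app`, `zscalerlss-zpa-auth`, `zscalerlss-zpa-bba` and `zscalerlss-zpa-connector`, and the table says nothing about the old names; users with searches on the old sourcetypes need the mapping, so add a migration note with the old and new names. The consolidated index row does fix the previous table, which listed `zscalerlss_zpa_auth` twice and mixed `_` and `-` separators, but the newly added `zscalerlss-zpa-audit` has no note on what selects it; from the parser change elsewhere in this PR it is the presence of `ClientAuditUpdate` in the JSON payload, and stating that here would let users confirm their LSS log receiver is configured for the audit feed.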
This file was deleted.

Expand Up @@ -72,7 +72,7 @@ block parser app-almost-syslog-cisco_syslog() {
parser {
regexp-parser(
prefix(".tmp.")
patterns('(?:[ ]|^(?<pri>\<\d+\>)|^)(?<host>(?<!\*)(?!\d{4,})(?:[0-9A-Za-z\-]{4,}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))')
patterns('(?:[ ]|^(?<pri>\<\d+\>)|^)(?<host>(?<!\*)(?!\d{4,})(?!\w+\[)(?:[0-9A-Za-z\-_]{4,}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))')
template('${.tmp.header}')
);
};
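Review bot: the new negative lookahead `(?!\w+\[)` only stops tokens made of `\w` characters from being taken as the host, so a program token containing a hyphen such as `dhcp-relay[123]` still matches the `[0-9A-Za-z\-_]{4,}` branch and is captured as `host`; `(?![\w\-]+\[)` would cover the same character class the host branch accepts. Adding `_` to the host branch widens that exposure, because underscores are not valid in DNS hostnames but are common in program names, so please say in the commit which device format needed it and add a test message for both the hostname-with-underscore case and the `prog-name[pid]` case so the two changes cannot regress each other.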
41 changes: 37 additions & 4 deletions package/etc/conf.d/conflib/json/app-json-zscaler_lss.conf
@@ -1,6 +1,5 @@
block parser app-json-zscaler_lss() {
channel {

if {
filter {
match('.' value('.values.ClientZEN'))
Expand Down Expand Up @@ -75,11 +74,45 @@ block parser app-json-zscaler_lss() {
flags(guess-timezone)
);
};
};
};


block parser app-json-zscaler_lss_audit() {
channel {
if {
filter {
match('.' value('.values.ClientAuditUpdate'))
};
rewrite {
r_set_splunk_dest_default(
index("netproxy")
sourcetype('zscalerlss-zpa-audit')
vendor('zscaler')
product('lss')
);
};
};
parser {
date-parser(
format('%Y-%m-%dT%H:%M:%S.%fZ',
'%a %b %d %k:%M:%S %Y')
template("${.values.CreationTime}")
flags(guess-timezone)
);
};
};
};
application app-json-zscaler_lss[json] {
parser { app-json-zscaler_lss(); };

block parser app-json-zscaler() {
channel {
if {
parser { app-json-zscaler_lss(); };
} else {
parser { app-json-zscaler_lss_audit(); };
};
};
};

application app-json-zscaler_lss[json] {
parser { app-json-zscaler(); };
};
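Review bot: the dispatch in `app-json-zscaler` only reaches `app-json-zscaler_lss_audit()` if `app-json-zscaler_lss()` fails for audit messages, and in syslog-ng an `if`/`elif` chain with no `else` passes unmatched messages through successfully; the visible hunk starts at line 74 so the end of that chain is not shown, please confirm it terminates in a branch that rejects the message, or invert the dispatch and test `match('.' value('.values.ClientAuditUpdate'))` first, which is explicit and does not depend on the other parser's failure semantics. Inside `app-json-zscaler_lss_audit()` the `date-parser` sits after the `if` rather than inside it, so a message without `ClientAuditUpdate` that reaches this block gets its timestamp rewritten from `${.values.CreationTime}` but keeps no sourcetype, index, vendor or product; moving the `date-parser` into the `if` block, or adding an `else` that drops the message, keeps the two outcomes distinct.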