Merge pull request #2652 from splunk/juniper_logs_parsing

Added juniper log parsing
splunk · Dec 9, 2024 · 3073122 · 3073122
2 parents 56f9bf4 + df5f7d0
commit 3073122
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 12 deletions.
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-juniper_junos_unstructured.conf b/package/etc/conf.d/conflib/syslog/app-syslog-juniper_junos_unstructured.conf
@@ -74,6 +74,7 @@ application app-syslog-juniper_junos_unstructured-pgm[sc4s-syslog-pgm] {
         or program('RT_FLOW' type(string) flags(prefix))
         or program('RT_IDS' type(string) flags(prefix))
         or program('RT_UTM' type(string) flags(prefix))
+        or program('RT_SYSTEM' type(string) flags(prefix))
         or program('Juniper' type(string) flags(prefix))
         or program('rpd' type(string) flags(prefix))
         or program('eswd' type(string) flags(prefix))

diff --git a/package/lite/etc/addons/juniper/app-syslog-juniper_junos_unstructured.conf b/package/lite/etc/addons/juniper/app-syslog-juniper_junos_unstructured.conf
@@ -74,6 +74,7 @@ application app-syslog-juniper_junos_unstructured-pgm[sc4s-syslog-pgm] {
         or program('RT_FLOW' type(string) flags(prefix))
         or program('RT_IDS' type(string) flags(prefix))
         or program('RT_UTM' type(string) flags(prefix))
+        or program('RT_SYSTEM' type(string) flags(prefix))
         or program('Juniper' type(string) flags(prefix))
         or program('rpd' type(string) flags(prefix))
         or program('eswd' type(string) flags(prefix))

diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py
@@ -6,7 +6,7 @@
 
 from jinja2 import Environment, select_autoescape
 from .sendmessage import sendsingle
-from .splunkutils import  splunk_single
+from .splunkutils import splunk_single
 from .timeutils import time_operations
 import datetime
 import pytest
@@ -15,9 +15,7 @@
 
 # <23> Mar 18 17:56:52 RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.32.1(62054)->1.1.1.1(443) CATEGORY="Enhanced_Information_Technology" REASON="BY_PRE_DEFINED" PROFILE="UTM-Wireless-Profile" URL=ent-shasta-rrs.symantec.com OBJ=/ username N/A roles N/A
 @pytest.mark.addons("juniper")
-def test_juniper_utm_standard(
-    record_property,  get_host_key, setup_splunk, setup_sc4s
-):
+def test_juniper_utm_standard(record_property, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
     dt = datetime.datetime.now()
@@ -50,7 +48,7 @@ def test_juniper_utm_standard(
 # <23> Nov 18 09:56:58  INTERNET-ROUTER RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.102/58662->8.8.8.8/53 junos-dns-udp 68.144.1.1/55893->8.8.8.8/53 TRUST-INET-ACCESS None 17 OUTBOUND-INTERNET-ACCESS TRUST INTERNET 6316 N/A(N/A) vlan.192
 @pytest.mark.addons("juniper")
 def test_juniper_firewall_standard(
-    record_property,  get_host_key, setup_splunk, setup_sc4s
+    record_property, get_host_key, setup_splunk, setup_sc4s
 ):
     host = get_host_key
 
@@ -82,9 +80,7 @@ def test_juniper_firewall_standard(
 
 
 @pytest.mark.addons("juniper")
-def test_juniper_idp_standard(
-    record_property,  get_host_key, setup_splunk, setup_sc4s
-):
+def test_juniper_idp_standard(record_property, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
     dt = datetime.datetime.now()
@@ -123,7 +119,7 @@ def test_juniper_idp_standard(
 @pytest.mark.addons("juniper")
 @pytest.mark.parametrize("event", testdata_junos_snmp)
 def test_juniper_junos_snmp(
-    record_property,  get_host_key, setup_splunk, setup_sc4s, event
+    record_property, get_host_key, setup_splunk, setup_sc4s, event
 ):
     host = get_host_key
 
@@ -160,7 +156,7 @@ def test_juniper_junos_snmp(
 @pytest.mark.addons("juniper")
 @pytest.mark.parametrize("event", testdata_junos_firewall_switch)
 def test_juniper_junos_switch(
-    record_property,  get_host_key, setup_splunk, setup_sc4s, event
+    record_property, get_host_key, setup_splunk, setup_sc4s, event
 ):
     host = get_host_key
 
@@ -198,7 +194,7 @@ def test_juniper_junos_switch(
 @pytest.mark.parametrize("event", testdata_junos_firewall_router)
 @pytest.mark.addons("juniper")
 def test_juniper_junos_router(
-    record_property,  get_host_key, setup_splunk, setup_sc4s, event
+    record_property, get_host_key, setup_splunk, setup_sc4s, event
 ):
     host = get_host_key
 
@@ -235,7 +231,7 @@ def test_juniper_junos_router(
 @pytest.mark.addons("juniper")
 @pytest.mark.parametrize("event", testdata_junos_switch_rpd)
 def test_juniper_junos_switch_rpd(
-    record_property,  get_host_key, setup_splunk, setup_sc4s, event
+    record_property, get_host_key, setup_splunk, setup_sc4s, event
 ):
     host = get_host_key
 
@@ -263,3 +259,37 @@ def test_juniper_junos_switch_rpd(
     record_property("message", message)
 
     assert result_count == 1
+
+
+# <161>Mar 18 17:56:52 host RT_SYSTEM: RTLOG_CONN_ERROR: Connection error tcp_10.181.123.45 Error code: major 3 minor 1 code 110, description:TCP timed out after SYN is sent out
+@pytest.mark.addons("juniper")
+def test_juniper_system_standard(
+    record_property, get_host_key, setup_splunk, setup_sc4s
+):
+    host = get_host_key
+
+    dt = datetime.datetime.now()
+    _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }} {{ bsd }} {{ host }} RT_SYSTEM: RTLOG_CONN_ERROR: Connection error tcp_10.181.123.45 Error code: major 3 minor 1 code 110, description:TCP timed out after SYN is sent out "
+    )
+    message = mt.render(mark="<161>", bsd=bsd, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="juniper:legacy"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
+    assert result_count == 1