feat: add syslog format for a10networks (#2153)

docs/sources/vendor/a10networks/vthunder.md

@@ -16,9 +16,10 @@
 
 ## Sourcetypes
 
-| sourcetype               | notes                                                                                         |
-|--------------------------|-----------------------------------------------------------------------------------------------|
-| a10networks:vThunder:cef | None                                                                                          |
+| sourcetype                  | notes                                                                                      |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| a10networks:vThunder:cef    | CEF                                                                                        |
+| a10networks:vThunder:syslog | Syslog                                                                                     |
 
 ## Source
 
@@ -28,6 +29,6 @@
 
 ### Index Configuration
 
-| key                | source              | index          | notes          |
-|--------------------|---------------------|----------------|----------------|
-|a10networks_vThunder| a10networks:vThunder| netwaf         | none           |
+| key                | source              | index                  | notes          |
+|--------------------|---------------------|------------------------|----------------|
+|a10networks_vThunder| a10networks:vThunder| netwaf, netops         | none           |

package/etc/conf.d/conflib/syslog/app-syslog-a10.conf

@@ -0,0 +1,32 @@
+block parser app-syslog-a10() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                source('a10networks:vThunder')
+                sourcetype('a10networks:vThunder:syslog')
+                vendor('a10networks')
+                product('vThunder')
+            );
+        };
+    };
+};
+
+application app-syslog-a10[sc4s-syslog-pgm] {
+    filter {
+        program('a10logd' type(string) flags(prefix)) or
+        program('a10timer' type(string) flags(prefix)) or
+        program('a10stat' type(string) flags(prefix)) or
+        program('a10switch' type(string) flags(prefix)) or
+        program('a10hm' type(string) flags(prefix)) or
+        program('a10rt' type(string) flags(prefix)) or
+        program('a10rip' type(string) flags(prefix)) or
+        program('a10ospf' type(string) flags(prefix)) or
+        program('a10snmpd' type(string) flags(prefix)) or
+        program('a10wa' type(string) flags(prefix)) or
+        program('a10gmpd' type(string) flags(prefix)) or
+        program('a10snpm_trapd' type(string) flags(prefix)) or
+        program('a10lb' type(string) flags(prefix))
+    };
+    parser { app-syslog-a10(); };
+};

tests/test_a10.py

@@ -39,4 +39,31 @@ def test_a10_vthunder(
     record_property("resultCount", resultCount)
     record_property("message", message)
 
-    assert resultCount == 1
+    assert resultCount == 1
+
+
+def test_a10_vthunder_syslog(
+    record_property, setup_splunk, setup_sc4s, get_host_key
+):
+    host = get_host_key
+    mt = env.from_string(
+        "{{mark}} {{bsd}} {{host}} a10logd: [audit log]{{mark}} Partition: shared,  [admin] web: [222:1.1.1.1:22222] RESP HTTP status 200 OK"
+    )
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    _, bsd, _, _, _, _, epoch = time_operations(dt)
+    message = mt.render(mark="<6>", bsd=bsd, host=host)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+    st = env.from_string(
+        f'search index=netops sourcetype="a10networks:vThunder:syslog" earliest={epoch}'
+    )
+    search = st.render(epoch=epoch)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
+    assert result_count == 1