From 72f35c2379f26c40ee11aed5fbb06a9d11a667ac Mon Sep 17 00:00:00 2001
From: Ilya <138466237+ikheifets-splunk@users.noreply.github.com>
Date: Tue, 14 Nov 2023 15:16:07 +0100
Subject: [PATCH] feat: create semperis dsp parser (#2259)
* feat: create semperis dsp parser
* add parsing of strange message body
* create pluggable module for semperis
---
 docs/sources/vendor/Semperis/DSP.md | 24 ++++++++++
 .../syslog/app-syslog-semperis_dsp.conf | 35 ++++++++++++++
 .../etc/addons/semperis/addon_metadata.yaml | 2 +
 .../semperis/app-syslog-semperis_dsp.conf | 35 ++++++++++++++
 package/lite/etc/config.yaml | 1 +
 tests/test_semperis.py | 48 +++++++++++++++++++
 6 files changed, 145 insertions(+)
 create mode 100644 docs/sources/vendor/Semperis/DSP.md
 create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-semperis_dsp.conf
 create mode 100644 package/lite/etc/addons/semperis/addon_metadata.yaml
 create mode 100644 package/lite/etc/addons/semperis/app-syslog-semperis_dsp.conf
 create mode 100644 tests/test_semperis.py
diff --git a/docs/sources/vendor/Semperis/DSP.md b/docs/sources/vendor/Semperis/DSP.md
new file mode 100644
index 0000000000..0999ced2a7
--- /dev/null
+++ b/docs/sources/vendor/Semperis/DSP.md
@@ -0,0 +1,24 @@
+# Semperis DSP + +## Key facts + + +* MSG Format based filter + + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | None | + +## Sourcetypes + +| sourcetype | notes | +|-----------------|---------------------------------------------------------------------------------------------------------| +| semperis:dsp | none | + +## Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|-----------------|----------------|--------|----------------| +| semperis_dsp | semperis:dsp | netops | None | \ No newline at end of file 
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-semperis_dsp.conf b/package/etc/conf.d/conflib/syslog/app-syslog-semperis_dsp.conf
new file mode 100644
index 0000000000..ed6e8b91db
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-semperis_dsp.conf
@@ -0,0 +1,35 @@
+block parser app-syslog-semperis_dsp() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index("netops")
+ sourcetype("semperis:dsp")
+ vendor("semperis")
+ product("dsp")
+ template("t_kv_values")
+ );
+ };
+
+ parser {
+ regexp-parser(
+ template("${MESSAGE}")
+ prefix(".tmp.")
+ patterns('\[(?.*)')
+ );
+ kv-parser(
+ prefix(".values.")
+ pair-separator("[")
+ value-separator("]")
+ template("${.tmp.message}")
+ );
+ };
+ };
+};
+
+
+application app-syslog-semperis_dsp[sc4s-syslog-pgm] {
+ filter {
+ program('Semperis.DSP' type(string) flags(ignore-case,prefix));
+ };
+ parser { app-syslog-semperis_dsp(); };
+};
diff --git a/package/lite/etc/addons/semperis/addon_metadata.yaml b/package/lite/etc/addons/semperis/addon_metadata.yaml
new file mode 100644
index 0000000000..b47ecb2c96
--- /dev/null
+++ b/package/lite/etc/addons/semperis/addon_metadata.yaml
@@ -0,0 +1,2 @@
+---
+name: "semperis"
diff --git a/package/lite/etc/addons/semperis/app-syslog-semperis_dsp.conf b/package/lite/etc/addons/semperis/app-syslog-semperis_dsp.conf
new file mode 100644
index 0000000000..ed6e8b91db
--- /dev/null
+++ b/package/lite/etc/addons/semperis/app-syslog-semperis_dsp.conf
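Review bot: The regexp-parser pattern `'\[(?.*)'` as shown carries no named capture group, yet the kv-parser below reads `${.tmp.message}`; presumably `(?<message>.*)` was lost in rendering, but as written nothing populates that field and every event would reach Splunk with an empty `t_kv_values` body, so please confirm the committed text. The pattern is also unanchored and has no fallback: a Semperis event whose body does not start with `[` (or a later format change) fails the match and, depending on how syslog-ng treats a non-matching regexp-parser, is either dropped from the log path or forwarded without any fields, so an AD change-audit record disappears silently; a rewrite that keeps the raw `${MESSAGE}` when `${.tmp.message}` is empty would make the loss visible instead. Because pairs are split on `[` and key/value on `]`, any literal `[` or `]` inside an unquoted attribute value (a DistinguishedName or StringValueTo) shifts every following key, which deserves a comment above the kv-parser call: `# Body is "[Key] value [Key] value ..."; a literal [ or ] inside a value misaligns all remaining pairs`. The same file is duplicated verbatim under package/lite/etc/addons/semperis/ in the next hunk, so the fix applies there too.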
@@ -0,0 +1,35 @@
+block parser app-syslog-semperis_dsp() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index("netops")
+ sourcetype("semperis:dsp")
+ vendor("semperis")
+ product("dsp")
+ template("t_kv_values")
+ );
+ };
+
+ parser {
+ regexp-parser(
+ template("${MESSAGE}")
+ prefix(".tmp.")
+ patterns('\[(?.*)')
+ );
+ kv-parser(
+ prefix(".values.")
+ pair-separator("[")
+ value-separator("]")
+ template("${.tmp.message}")
+ );
+ };
+ };
+};
+
+
+application app-syslog-semperis_dsp[sc4s-syslog-pgm] {
+ filter {
+ program('Semperis.DSP' type(string) flags(ignore-case,prefix));
+ };
+ parser { app-syslog-semperis_dsp(); };
+};
diff --git a/package/lite/etc/config.yaml b/package/lite/etc/config.yaml
index 37a406c305..5cde15da6e 100644
--- a/package/lite/etc/config.yaml
+++ b/package/lite/etc/config.yaml
@@ -78,3 +78,4 @@ addons:
 - wallix
 - thycotic
 - tim
+ - semperis
diff --git a/tests/test_semperis.py b/tests/test_semperis.py
new file mode 100644
index 0000000000..577a602594
--- /dev/null
+++ b/tests/test_semperis.py
@@ -0,0 +1,48 @@
+# Copyright 2023 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import shortuuid
+import pytest
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+import datetime
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+
+@pytest.mark.addons("semperis")
+def test_semperis(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }} {{ bsd }} {{ host }} Semperis.DSP [AdChanges@51802] [ForestId] 1111 [ChangeId] 1111 [PartitionNamingContext] DC=corpcert,DC=heb,DC=com [DistinguishedName] CN=krbtgt,CN=Users,DC=corpcert,DC=heb,DC=com [ClassName] user [AttributeName] msDS-SupportedEncryptionTypes [ObjectModificationType] ModifyObject [AttributeModificationType] Modify [LinkedValueDN] [ValidUntil] {{ iso }} [OriginatingServer] {{ host }} [OriginatingTime] {{ iso }} [OriginatingUsers] [OriginatingUserWorkstations] [StringValueFrom] 327680 [StringValueTo] 327680 '
+ )
+
+ message = mt.render(mark="<110>", bsd=bsd, host=host, date=date, time=time, iso=iso)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netops host={{ host }} sourcetype="semperis:dsp"'
+ )
+ search = st.render(
+ epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+ )
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert 
result_count == 1
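Review bot: The assertion only counts events matching index, host and sourcetype, so it cannot tell whether the `[Key] value` pairs were actually parsed — a regression that left `${.tmp.message}` empty would still yield one event and pass. Extend the search with at least one field from the sample, for example `'search _time={{ epoch }} index=netops host={{ host }} sourcetype="semperis:dsp" ClassName=user'` (the field name as seen in Splunk depends on how t_kv_values renders the .values.* keys, so verify it once before pinning it). The sample event also embeds what looks like a real organisation's forest, `DC=corpcert,DC=heb,DC=com`; fixtures in a public repository should use an obviously synthetic domain such as `DC=example,DC=com` so no customer identifier is shipped with the tests. Minor: `import datetime` sits after the relative imports, so moving it up beside `shortuuid`/`pytest` keeps the stdlib/third-party/local grouping intact.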