From 75f41be9e46a53c91bd9f7a84b53528c6c009f9d Mon Sep 17 00:00:00 2001
From: Ilya <138466237+ikheifets-splunk@users.noreply.github.com>
Date: Mon, 4 Dec 2023 20:12:18 +0100
Subject: [PATCH] feat: extend cohesity parser (#2249)
* feat: extend cohesity parser
* backward extended parser to lite
---
 docs/sources/vendor/Cohesity/cluster.md | 2 +
 .../syslog/app-syslog-cohesity_alerts.conf | 26 +++++++++++++
 .../cohesity/app-syslog-cohesity_alerts.conf | 26 +++++++++++++
 tests/test_cohesity.py | 37 +++++++++++++++++++
 4 files changed, 91 insertions(+)
 create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-cohesity_alerts.conf
 create mode 100644 package/lite/etc/addons/cohesity/app-syslog-cohesity_alerts.conf
diff --git a/docs/sources/vendor/Cohesity/cluster.md b/docs/sources/vendor/Cohesity/cluster.md
index 7ca776c2f9..a597e31ff1 100644
--- a/docs/sources/vendor/Cohesity/cluster.md
+++ b/docs/sources/vendor/Cohesity/cluster.md
@@ -19,6 +19,7 @@
 | cohesity:cluster:audit | None |
 | cohesity:cluster:dataprotection | None |
 | cohesity:api:audit | None |
+| cohesity:alerts | None |
 ## Sourcetype and Index Configuration
@@ -28,4 +29,5 @@
 | cohesity_cluster_audit | cohesity:cluster:audit | infraops | none |
 | cohesity_api_audit | cohesity:api:audit | infraops | none |
 | cohesity_cluster_dataprotection| cohesity:cluster:dataprotection| infraops | none |
+| cohesity_alerts | cohesity:alerts | infraops | none |
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_alerts.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_alerts.conf
new file mode 100644
index 0000000000..af4680465f
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_alerts.conf
@@ -0,0 +1,26 @@
+block parser app-syslog-cohesity_alerts() {
+ channel {
+ parser {
+ json-parser(
+ prefix('.values.')
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_default(
+ index('infraops')
+ sourcetype('cohesity:alerts')
+ vendor("cohesity")
+ product("alerts")
+ template('t_msg_only')
+ );
+ };
+ };
+};
+
+application app-syslog-cohesity_alerts[sc4s-syslog-pgm] {
+ filter {
+ program("cohesity_alerts" type(string) flags(prefix));
+ };
+ parser { app-syslog-cohesity_alerts(); };
+};
+
diff --git a/package/lite/etc/addons/cohesity/app-syslog-cohesity_alerts.conf b/package/lite/etc/addons/cohesity/app-syslog-cohesity_alerts.conf
new file mode 100644
index 0000000000..af4680465f
--- /dev/null
+++ b/package/lite/etc/addons/cohesity/app-syslog-cohesity_alerts.conf
@@ -0,0 +1,26 @@
+block parser app-syslog-cohesity_alerts() {
+ channel {
+ parser {
+ json-parser(
+ prefix('.values.')
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_default(
+ index('infraops')
+ sourcetype('cohesity:alerts')
+ vendor("cohesity")
+ product("alerts")
+ template('t_msg_only')
+ );
+ };
+ };
+};
+
+application app-syslog-cohesity_alerts[sc4s-syslog-pgm] {
+ filter {
+ program("cohesity_alerts" type(string) flags(prefix));
+ };
+ parser { app-syslog-cohesity_alerts(); };
+};
+
diff --git a/tests/test_cohesity.py b/tests/test_cohesity.py
index 9486dbfb4d..f1f750b2e7 100644
--- a/tests/test_cohesity.py
+++ b/tests/test_cohesity.py
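Review bot: The `json-parser(prefix('.values.'))` step has no failure handling: a cohesity_alerts event whose body is not a single JSON object (truncated, or wrapped in extra text) fails the parser and, under syslog-ng's path semantics as I read them, stops in this channel before the `r_set_splunk_dest_default` rewrite runs, so it never receives the `cohesity:alerts` sourcetype; whether sc4s then routes it through its generic fallback is framework behaviour outside this hunk. The expected payload shape is stated nowhere in the file, so add a header comment above `block parser`: `# Expects PROGRAM 'cohesity_alerts' followed by one JSON object (see tests/test_cohesity.py); its keys are exposed under .values.* and a non-JSON body fails the parser`. That comment should also say that `flags(prefix)` on the program() filter claims any program name that merely begins with cohesity_alerts, since that is not obvious from the filter itself.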
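Review bot: This file is a byte-for-byte copy of package/etc/conf.d/conflib/syslog/app-syslog-cohesity_alerts.conf (both new-file headers show blob af4680465f), and nothing in either file points at the other, so a later fix to the json-parser step or the program() filter is likely to land in only one of them. Add a one-line pointer at the top of this copy, `# Mirror of package/etc/conf.d/conflib/syslog/app-syslog-cohesity_alerts.conf; keep the two in sync`, and the reverse pointer in the conflib file. The json-parser caveat applies identically here: a body that is not a JSON object fails the parser and never reaches the sourcetype rewrite.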
@@ -127,3 +127,40 @@ def test_cohesity_api_audit(
 record_property("message", message)
 assert result_count == 1
+
+
+testdata_alerts = [
+ '{{ mark }}{{ iso }} {{ host }} cohesity_alerts: {"ClusterName": "{{ host }}", "AlertCode": "1", "AlertName": "ProtectionGroupFailed", "AlertSeverity": "CRITICAL", "AlertDescription": "Backup run of protection group PostgreSQL of type 1 failed", "AlertCause": "Backup run of protection group PostgreSQL of type kUDA failed with error [kUdaBackupError]: Agent is not reachable on any control node. Control nodes 11. Check logs on UI for errors.. ID of the failed run: 1. Run url: https://1.1.1.1. Run start time is 1970.01.01 13:23:12 Eastern Time. Cluster name is {{ host }}. Cluster Id is 1., failed objects: Failed for 1 objects : 1111"}',
+]
+
+
+@pytest.mark.addons("cohesity")
+@pytest.mark.parametrize("event", testdata_alerts)
+def test_cohesity_alerts(
+ record_property, get_host_key, setup_splunk, setup_sc4s, event
+):
+ host = get_host_key
+
+ dt = datetime.datetime.now()
+ iso, _, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-3]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<11>", host=host, iso=iso)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=infraops _time={{ epoch }} sourcetype="cohesity:alerts" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
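Review bot: The Splunk search in `test_cohesity_alerts` only pins index, sourcetype, host and _time, so it still passes if the `t_msg_only` template or the json-parser step mangles the event body; the single test event carries a distinctive alert name the search could check, e.g. `'search index=infraops _time={{ epoch }} sourcetype="cohesity:alerts" (host="{{ host }}" OR "{{ host }}") "ProtectionGroupFailed"'`, which verifies the raw JSON survived into _raw. The comment `# Tune time functions` does not say what `epoch[:-3]` does; `# drop the trailing millisecond digits so _time matches Splunk's second-resolution epoch` is my reading of it and should be confirmed against time_operations(). The leading context lines are the tail of test_cohesity_api_audit, which begins outside the hunk; test_cohesity_alerts itself is complete within it.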