Skip to content

Commit

Permalink
fix: extend filtering for cohesity (#2234)
Browse files Browse the repository at this point in the history
  • Loading branch information
ikheifets-splunk authored Oct 13, 2023
1 parent 7c76896 commit b566305
Show file tree
Hide file tree
Showing 3 changed files with 75 additions and 8 deletions.
19 changes: 11 additions & 8 deletions docs/sources/vendor/Cohesity/cluster.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,15 +14,18 @@

## Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| cohesity:cluster:audit | None |
| cohesity:cluster:dataprotection | None |
| sourcetype | notes |
|----------------------------------------|---------------------------------------------------------------------------------|
| cohesity:cluster:audit | None |
| cohesity:cluster:dataprotection | None |
| cohesity:api:audit | None |


## Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| cohesity_cluster_audit | cohesity:cluster:audit | infraops | none |
| cohesity_cluster_dataprotection | cohesity:cluster:dataprotection | infraops | none |
| key | sourcetype | index | notes |
|--------------------------------|--------------------------------|----------------|----------------|
| cohesity_cluster_audit | cohesity:cluster:audit | infraops | none |
| cohesity_api_audit | cohesity:api:audit | infraops | none |
| cohesity_cluster_dataprotection| cohesity:cluster:dataprotection| infraops | none |

Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
block parser app-syslog-cohesity_api_audit() {
channel {
parser {
json-parser(
prefix('.values.')
);
};
rewrite {
r_set_splunk_dest_default(
index('infraops')
sourcetype('cohesity:api:audit')
vendor("cohesity")
product("api")
class('audit')
template('t_msg_only')
);
};

};
};
application app-syslog-cohesity_api_audit[sc4s-syslog-pgm] {
filter {
program("api_audit" type(string) flags(prefix));
};
parser { app-syslog-cohesity_api_audit(); };
};

37 changes: 37 additions & 0 deletions tests/test_cohesity.py
Original file line number Diff line number Diff line change
Expand Up @@ -88,3 +88,40 @@ def test_cohesity_dataprotection_events(
record_property("message", message)

assert result_count == 1


testdata_api_audit = [
'{{ mark }}{{ iso }} {{ host }} api_audit[{{ pid }}]: {"username":"admin","domain":"LOCAL","method":"GET","urlPath":"/","requestTimestamp":1696526790076,"statusCode":200,"responseHeader":{"Cache-Control":["no-cache, no-store, must-revalidate"],"Content-Encoding":["gzip"],"Content-Type":["application/json"],"Pragma":["no-cache"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Accept-Encoding"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Ratelimit-Limit":["10000"],"X-Ratelimit-Remaining":["9998"],"X-Ratelimit-Reset":["1696526790"],"X-Xss-Protection":["1; mode=block"]},"responseTime":156705634}'
]


@pytest.mark.parametrize("event", testdata_api_audit)
def test_cohesity_api_audit(
record_property, get_host_key, get_pid, setup_splunk, setup_sc4s, event
):
host = get_host_key
pid = get_pid

dt = datetime.datetime.now()
iso, _, _, _, _, _, epoch = time_operations(dt)

# Tune time functions
epoch = epoch[:-3]

mt = env.from_string(event + "\n")
message = mt.render(mark="<14>", host=host, iso=iso, pid=pid)

sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

st = env.from_string(
'search index=infraops _time={{ epoch }} sourcetype="cohesity:api:audit" (host="{{ host }}" OR "{{ host }}")'
)
search = st.render(epoch=epoch, host=host)

result_count, _ = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", result_count)
record_property("message", message)

assert result_count == 1

0 comments on commit b566305

Please sign in to comment.