fix: Non pri cef fix (#2641)

* chore(deps): update dependency mkdocs-material to v9.5.42 (#2624) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update splunk/addonfactory-test-matrix-action action to v2.1.9 (#2620) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix: fix CISE_Alarm messages parsing (#2609) * fix: improve SC4S Dashboard performance (#2592) * docs: Removed reference of Cisco eStreamer for Splunk app from ASA/FTD doc (#2629) * docs: Removed reference of Cisco eStreamer for Splunk app * fix: Updated the regex for non pri cef formated logs such that a '<space>digit' date will be accepted * Updated the regex with some more constraints --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: wojtekzyla <[email protected]> Co-authored-by: mstopa-splunk <[email protected]>
splunk · Nov 26, 2024 · c2f901a · c2f901a
1 parent 6da3060
commit c2f901a
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf
@@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() {
 };
 application app-raw-bsd_nopri[sc4s-raw-syslog] {
     filter {
-        message('^\w\w\w \d\d \d\d:\d\d:\d\d ');
+        message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) ');
     };
     parser { app-raw-bsd_nopri(); };
 };
diff --git a/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf
@@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() {
 };
 application app-raw-bsd_nopri[sc4s-raw-syslog] {
     filter {
-        message('^\w\w\w \d\d \d\d:\d\d:\d\d ');
+        message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) ');
     };
     parser { app-raw-bsd_nopri(); };
 };
diff --git a/tests/test_trellix.py b/tests/test_trellix.py
@@ -67,3 +67,37 @@ def test_trellix_cms(
     record_property("message", message)
 
     assert result_count == 1
+
+
+# Nov  2 00:00:00 trellix-host-xxxx CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt=1030482923264 cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects.
+@pytest.mark.addons("trellix")
+def test_trellix_cef(record_property, get_host_key, setup_splunk, setup_sc4s):
+    host = "trellix-host-" + get_host_key
+
+    dt = datetime.datetime(2024, 11, 2, 0, 0)
+    _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+    # hard coding the bsd to test single digit date (Nov <space>2 00:00:00)
+    bsd = "Nov  2 00:00:00"
+    # Tune time functions
+    epoch = epoch[:-3]
+
+    mt = env.from_string(
+        "{{ bsd }} {{ host }} CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt={{ epoch }} cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects."
+    )
+    message = mt.render(bsd=bsd, host=host, epoch=epoch)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="cef"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    result_count, _ = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", result_count)
+    record_property("message", message)
+
+    assert result_count == 1