Merge pull request #1198 from splunk/develop
Release
Showing 23 changed files with 372 additions and 29 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -20,6 +20,16 @@ syslog. | |
(typically a caching nameserver) is not performant. If you notice events being indexed far later than their actual timestamp | ||
in the event (latency between `_indextime` and `_time`), this is the first place to check. | ||
|
||
## Configure use of external http proxy | ||
|
||
Warning: Many http proxies are not provisioned with application traffic in mind. Ensure adequate capacity is available to avoid data | ||
loss and or proxy outages. Note: the follow vairables are lower case | ||
|
||
|
||
| Variable | Values | Description | | ||
|----------|---------------|-------------| | ||
| http_proxy | undefined | Use libcurl format proxy string "http://username:[email protected]:port" | | ||
| https_proxy | undefined | Use libcurl format proxy string "http://username:[email protected]:port" | | ||
|
||
## Splunk HEC Destination Configuration | ||
|
||
|
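Review bot: the note under the proxy warning has typos ("the follow vairables" should read "the following variables", and "loss and or proxy outages" should read "loss and/or proxy outages"), and it is worth stating why the lowercase names matter: libcurl honours only the lowercase `http_proxy` and deliberately ignores `HTTP_PROXY`, because that name collides with CGI-style request headers. The table also shows the libcurl-format proxy string embedding `username:password`; the section should say where that value is expected to live (a secrets mechanism rather than a plain environment line in a unit or compose file readable by other users), and whether a no-proxy exclusion is needed for the Splunk HEC endpoint when the proxy sits between SC4S and Splunk.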
@@ -90,7 +100,7 @@ for a given data source. | |
## Creation of Additional Splunk HEC Destinations | ||
|
||
Additional Splunk HEC destinations can be dynamically created through environment variables. When set, the destinations will be | ||
created with the `DESTID` appended, for example: `d_hec_FOO`. These destinations can then be specified for use (along with any other | ||
created with the `DESTID` appended, for example: `d_hec_fmt_FOO`. These destinations can then be specified for use (along with any other | ||
destinations created locally) either globally or per source. See the "Alternate Destination Use" in the next section for details. | ||
|
||
| Variable | Values | Description | | ||
|
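Review bot: the example destination name changes from `d_hec_FOO` to `d_hec_fmt_FOO`, but the paragraph still sends readers to "Alternate Destination Use" in the next section, which is outside this hunk; make sure that section and any `SC4S_DEST_*` examples use the same `d_hec_fmt_<DESTID>` form, otherwise users will point at a destination that does not exist.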
@@ -0,0 +1,43 @@ | ||
# Vendor - Dell | ||
|
||
## Product - EPV | ||
|
||
| Ref | Link | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| Splunk Add-on | na | | ||
| Add-on Manual | https://www.dell.com/support/manuals/en-au/dell-opnmang-sw-v8.1/eemi_13g_v1.2-v1/introduction?guid=guid-8f22a1a9-ac01-43d1-a9d2-390ca6708d5e&lang=en-us | | ||
|
||
|
||
### Sourcetypes | ||
|
||
| sourcetype | notes | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| dell:poweredge:idrac:syslog | None | | ||
|
||
### Index Configuration | ||
|
||
| key | sourcetype | index | notes | | ||
|----------------|----------------|----------------|----------------| | ||
| dell_poweredge_idrac | dell:poweredge:idrac:syslog | infraops | none | | ||
|
||
### Filter type | ||
|
||
MSG Parse: This filter parses message content | ||
|
||
### Options | ||
|
||
| Variable | default | description | | ||
|----------------|----------------|----------------| | ||
| SC4S_LISTEN_DELL_POWEREDGE_IDRAC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | | ||
| SC4S_LISTEN_DELL_POWEREDGE_IDRAC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | | ||
|
||
|
||
### Verification | ||
|
||
An active site will generate frequent events use the following search to check for new events | ||
|
||
Verify timestamp, and host values match as expected | ||
|
||
``` | ||
index=<asconfigured> (sourcetype=cef sourcetype="UDP") | ||
``` |
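Review bot: the verification search does not match this product: `index=<asconfigured> (sourcetype=cef sourcetype="UDP")` looks copied from another page and should search the sourcetype this page declares, for example `index=<asconfigured> sourcetype=dell:poweredge:idrac:syslog | stats count by host`, so it actually exercises the parser in `app-dell_poweredge_idrac.conf`. The lead sentence also needs punctuation ("An active site will generate frequent events. Use the following search to check for new events."), and `Splunk Add-on | na` could read `none` to match the other vendor pages.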
@@ -0,0 +1,44 @@ | ||
# Vendor - Polycom | ||
|
||
## Product - RPRM | ||
|
||
| Ref | Link | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| Splunk Add-on | none | | ||
| Product Manual | unknown | | ||
|
||
|
||
### Sourcetypes | ||
|
||
| sourcetype | notes | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| polycom:rprm:syslog | | | ||
|
||
### Sourcetype and Index Configuration | ||
|
||
| key | sourcetype | index | notes | | ||
|----------------|----------------|----------------|----------------| | ||
| polycom_rprm | polycom:rprm:syslog | netops | none | | ||
|
||
|
||
### Filter type | ||
|
||
MSG Parse: This filter parses message content | ||
|
||
|
||
### Options | ||
|
||
| Variable | default | description | | ||
|----------------|----------------|----------------| | ||
| SC4S_POLYCOM_RPRM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers. | | ||
| SC4S_POLYCOM_RPRM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers. | | ||
| SC4S_ARCHIVE_POLYCOM_RPRM | no | Enable archive to disk for this specific source | | ||
| SC4S_DEST_POLYCOM_RPRM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | ||
|
||
### Verification | ||
|
||
One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them: | ||
|
||
``` | ||
index=<asconfigured> sourcetype=polycom:rprm:syslog| stats count by host | ||
``` |
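Review bot: the verification text refers to "Proofpoint PPS logs", a copy-paste from another vendor page; it should describe Polycom RPRM and the single `polycom:rprm:syslog` sourcetype listed above, and the search needs a space before the pipe (`sourcetype=polycom:rprm:syslog | stats count by host`). The option names `SC4S_POLYCOM_RPRM_TCP_PORT` / `SC4S_POLYCOM_RPRM_UDP_PORT` also drop the `LISTEN_` segment that the Dell page in this same commit uses (`SC4S_LISTEN_DELL_POWEREDGE_IDRAC_TCP_PORT`); align them so a user does not set a variable SC4S never reads.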
@@ -0,0 +1,39 @@ | ||
# Vendor - Tenable | ||
|
||
|
||
## Product - Tenable.nnm | ||
|
||
| Ref | Link | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ | | ||
| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm | | ||
|
||
|
||
### Sourcetypes | ||
|
||
| sourcetype | notes | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| thycotic:syslog | None | | ||
|
||
### Sourcetype and Index Configuration | ||
|
||
| key | sourcetype | index | notes | | ||
|----------------|----------------|----------------|----------------| | ||
| Thycotic Software_Secret Server | thycotic:syslog | netauth | none | | ||
|
||
### Filter type | ||
|
||
CEF | ||
|
||
### Options | ||
|
||
| Variable | default | description | | ||
|----------------|----------------|----------------| | ||
|
||
### Verification | ||
|
||
An active device will generate frequent events. Use the following search to validate events are present per source device | ||
|
||
``` | ||
index=<asconfigured> sourcetype=thycotic:syslog | stats count by host | ||
``` |
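Review bot: the file is headed "Vendor - Tenable" / "Product - Tenable.nnm" with Tenable links, but every section below it (sourcetype `thycotic:syslog`, key `Thycotic Software_Secret Server`, index `netauth`, CEF filter type, and the verification search) describes Thycotic Secret Server and matches `app-cef-thycotic_secret_server.conf` elsewhere in this commit. Either the heading and links or the body belongs to a different vendor page; fix before release. The Options table is also empty apart from its header row, so either list the `SC4S_*` variables for this source or drop the section.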
package/etc/conf.d/conflib/cef/app-cef-thycotic_secret_server.conf (18 additions & 0 deletions)
@@ -0,0 +1,18 @@ | ||
block parser cef-thycotic_secret_server-parser() { | ||
channel { | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netauth'), | ||
sourcetype('thycotic:syslog') | ||
); | ||
}; | ||
|
||
}; | ||
}; | ||
application cef-thycotic_secret_server[cef] { | ||
filter{ | ||
match("Thycotic Software" value("fields.cef_device_vendor")) | ||
and match("Secret Server" value("fields.cef_device_product")); | ||
}; | ||
parser { cef-thycotic_secret_server-parser(); }; | ||
}; |
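Review bot: the two `match()` calls in the application filter rely on syslog-ng's default regular-expression matching, so `"Secret Server"` is an unanchored substring match; if exact vendor and product strings are intended, add `type(string)` (or anchor the pattern) so a differently named product from the same vendor is not routed to this parser. This parser also omits the `vendor_product()` argument that the other two new parsers in this commit pass to `r_set_splunk_dest_default`, and separates its arguments with commas where those files use whitespace; make the three consistent. The blank line between the rewrite's `};` and the closing braces can be dropped.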
package/etc/conf.d/conflib/syslog/app-dell_poweredge_idrac.conf (42 additions & 0 deletions)
@@ -0,0 +1,42 @@ | ||
block parser dell_poweredge_idrac-parser() { | ||
channel { | ||
|
||
parser { | ||
kv-parser( | ||
value-separator(":") | ||
prefix(".idrac.") | ||
template("${PROGRAM}: ${MESSAGE}") | ||
); | ||
|
||
}; | ||
|
||
filter { | ||
"${.idrac.Severity}" ne "" | ||
and "${.idrac.Category}" ne "" | ||
and "${.idrac.MessageID}" ne "" | ||
and "${.idrac.Message}" ne "" | ||
and match('[A-Z]{1,3}\d{1,4}' , value(".idrac.MessageID")) | ||
}; | ||
|
||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('infraops') | ||
sourcetype('dell:poweredge:idrac:syslog') | ||
vendor_product("dell_poweredge_idrac") | ||
); | ||
}; | ||
rewrite{ | ||
set("${PROGRAM}: $MSG" value("MSG")); | ||
unset(value('PROGRAM')); | ||
}; | ||
|
||
|
||
}; | ||
}; | ||
application dell_poweredge_idrac[sc4s-syslog] { | ||
filter { | ||
program('Severity'); | ||
}; | ||
parser { dell_poweredge_idrac-parser(); }; | ||
}; | ||
|
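Review bot: the channel filter expression (from `"${.idrac.Severity}" ne ""` through `match('[A-Z]{1,3}\d{1,4}' , value(".idrac.MessageID"))`) ends without a `;` before `};`, whereas the application filter below writes `program('Severity');`; confirm syslog-ng accepts the form without the semicolon or add it for consistency. The MessageID regex is unanchored, so any value containing one to three capitals followed by digits passes; `^[A-Z]{1,3}\d{1,4}$` expresses the intent more tightly. A comment explaining why `${PROGRAM}` is glued back onto `$MSG` (the iDRAC message starts with `Severity:`, which the syslog parser takes as the program name, as the `program('Severity')` filter shows, so the kv-parser template and the second rewrite reassemble the original text) would help future maintainers.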
@@ -0,0 +1,21 @@ | ||
block parser polycom_rprm-parser() { | ||
channel { | ||
rewrite { | ||
r_set_splunk_dest_default( | ||
index('netops') | ||
sourcetype('polycom:rprm:syslog') | ||
vendor_product("polycom_rprm") | ||
template('t_5424_hdr_sdata_msg') | ||
); | ||
}; | ||
|
||
|
||
}; | ||
}; | ||
application polycom_rprm[sc4s-syslog] { | ||
filter { | ||
program('RPRM'); | ||
}; | ||
parser { polycom_rprm-parser(); }; | ||
}; | ||
|
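Review bot: `program('RPRM')` uses regex matching by default and is unanchored, so any program value containing `RPRM` is routed to this parser; `program('RPRM' type(string))` restricts it to the exact name if that is what the device sends. This is the only one of the three new parsers in this commit that passes `template('t_5424_hdr_sdata_msg')` to `r_set_splunk_dest_default`; a short comment on why RPRM events keep the full RFC 5424 header and structured data in the indexed message (which the template name suggests) would help. The two blank lines between the rewrite's `};` and the closing braces can be dropped.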