Merge pull request #1198 from splunk/develop
Release
Ryan Faircloth authored Jul 13, 2021
2 parents eabc3dd + 8a19f49 commit 1ab884e
Showing 23 changed files with 372 additions and 29 deletions.
12 changes: 11 additions & 1 deletion docs/configuration.md
Expand Up @@ -20,6 +20,16 @@ syslog.
(typically a caching nameserver) is not performant. If you notice events being indexed far later than their actual timestamp
in the event (latency between `_indextime` and `_time`), this is the first place to check.

## Configure use of external http proxy

Warning: Many http proxies are not provisioned with application traffic in mind. Ensure adequate capacity is available to avoid data
loss and or proxy outages. Note: the follow vairables are lower case


| Variable | Values | Description |
|----------|---------------|-------------|
| http_proxy | undefined | Use libcurl format proxy string "http://username:[email protected]:port" |
| https_proxy | undefined | Use libcurl format proxy string "http://username:[email protected]:port" |

## Splunk HEC Destination Configuration

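Review bot: the note at the end of the warning paragraph has two typos and should read "Note: the following variables are lower case"; "data loss and or proxy outages" should be "data loss and/or proxy outages". One more sentence would help operators here: the proxy string documented in the table carries a username and password in clear text in the container environment, where anyone who can inspect the container or its process environment can read it, so it should be supplied from a secrets mechanism rather than a plain env file, and the proxy account should have no rights beyond forwarding HTTP.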
Expand Down Expand Up @@ -90,7 +100,7 @@ for a given data source.
## Creation of Additional Splunk HEC Destinations

Additional Splunk HEC destinations can be dynamically created through environment variables. When set, the destinations will be
created with the `DESTID` appended, for example: `d_hec_FOO`. These destinations can then be specified for use (along with any other
created with the `DESTID` appended, for example: `d_hec_fmt_FOO`. These destinations can then be specified for use (along with any other
destinations created locally) either globally or per source. See the "Alternate Destination Use" in the next section for details.

| Variable | Values | Description |
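Review bot: the corrected example name `d_hec_fmt_FOO` is fine, but the sentence still says the destination is "created with the `DESTID` appended", and with this single example a reader cannot tell whether the `DESTID` is `FOO` or `fmt_FOO`; spell out the resulting name pattern once (for example "d_hec_fmt_<DESTID>") so the table that follows is unambiguous.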
4 changes: 1 addition & 3 deletions docs/gettingstarted/index.md
Expand Up @@ -59,9 +59,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes

Install the following:

* [Splunk App for Infrastructure](https://splunkbase.splunk.com/app/3975/)
* [Splunk Add-on for Infrastructure](https://splunkbase.splunk.com/app/4217/)
* [Splunk Metrics Workspace](https://splunkbase.splunk.com/app/4192/) *NOTE Included in Splunk 7.3.0 and above*
* [IT Essentials Work](https://splunkbase.splunk.com/app/5403/)

#### Configure the Splunk HTTP Event Collector

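Review bot: with three of the four bullets removed, "Install the following:" now introduces a single item; either reword it to name IT Essentials Work directly or confirm the list is expected to grow again. The context line above still says SC4S can be customized to use different indexes, which presumably still holds for the replacement app, but it is worth re-checking that the default index names referenced elsewhere in this guide match what IT Essentials Work expects.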
43 changes: 43 additions & 0 deletions docs/sources/Dell/index.md
@@ -0,0 +1,43 @@
# Vendor - Dell

## Product - EPV

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | na |
| Add-on Manual | https://www.dell.com/support/manuals/en-au/dell-opnmang-sw-v8.1/eemi_13g_v1.2-v1/introduction?guid=guid-8f22a1a9-ac01-43d1-a9d2-390ca6708d5e&lang=en-us |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| dell:poweredge:idrac:syslog | None |

### Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| dell_poweredge_idrac | dell:poweredge:idrac:syslog | infraops | none |

### Filter type

MSG Parse: This filter parses message content

### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_DELL_POWEREDGE_IDRAC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_DELL_POWEREDGE_IDRAC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |


### Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

```
index=<asconfigured> (sourcetype=cef sourcetype="UDP")
```
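Review bot: the verification search `index=<asconfigured> (sourcetype=cef sourcetype="UDP")` does not match the sourcetype this page documents, so it will never confirm iDRAC events are arriving; it should be `index=<asconfigured> sourcetype=dell:poweredge:idrac:syslog | stats count by host`, matching the other source pages. The heading "## Product - EPV" also disagrees with the iDRAC sourcetype and index key on the same page, and the "Add-on Manual" row links to a Dell product manual (the EEMI reference), not to an add-on manual, so the row label should be "Product Manual". Minor: the verification sentence needs punctuation ("An active site will generate frequent events; use the following search to check for new events.").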
44 changes: 44 additions & 0 deletions docs/sources/Polycom/index.md
@@ -0,0 +1,44 @@
# Vendor - Polycom

## Product - RPRM

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | none |
| Product Manual | unknown |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| polycom:rprm:syslog | |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| polycom_rprm | polycom:rprm:syslog | netops | none |


### Filter type

MSG Parse: This filter parses message content


### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_POLYCOM_RPRM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers. |
| SC4S_POLYCOM_RPRM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers. |
| SC4S_ARCHIVE_POLYCOM_RPRM | no | Enable archive to disk for this specific source |
| SC4S_DEST_POLYCOM_RPRM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

### Verification

One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them:

```
index=<asconfigured> sourcetype=polycom:rprm:syslog| stats count by host
```
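Review bot: the verification sentence "One or two sourcetypes are included in Proofpoint PPS logs" was carried over from the Proofpoint page and is wrong here; this page documents a single sourcetype, polycom:rprm:syslog, so replace it with the wording used on the Thycotic page ("An active device will generate frequent events. Use the following search to validate events are present per source device"). Separately, the option names SC4S_POLYCOM_RPRM_TCP_PORT and SC4S_POLYCOM_RPRM_UDP_PORT do not follow the SC4S_LISTEN_<VENDOR_PRODUCT>_TCP_PORT pattern used on the Dell page in this same change; confirm which name the listener actually reads and make the two pages consistent. Minor: add a space before the pipe in the search.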
39 changes: 39 additions & 0 deletions docs/sources/Thycotic/index.md
@@ -0,0 +1,39 @@
# Vendor - Tenable


## Product - Tenable.nnm

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ |
| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| thycotic:syslog | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| Thycotic Software_Secret Server | thycotic:syslog | netauth | none |

### Filter type

CEF

### Options

| Variable | default | description |
|----------------|----------------|----------------|

### Verification

An active device will generate frequent events. Use the following search to validate events are present per source device

```
index=<asconfigured> sourcetype=thycotic:syslog | stats count by host
```
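Review bot: this file is docs/sources/Thycotic/index.md but its headings read "# Vendor - Tenable" and "## Product - Tenable.nnm", and both links in the Ref table point at the Tenable Splunkbase app and Tenable integration docs; the sourcetype (thycotic:syslog), key (Thycotic Software_Secret Server) and index (netauth) further down are the Thycotic values, so the top of the page is a leftover from the Tenable template and should be replaced with Thycotic Secret Server headings and the correct add-on and manual links (or "none"/"unknown", as on the Polycom page). The Options table is a header with no rows; either list the applicable SC4S_ variables or drop the empty table.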
4 changes: 2 additions & 2 deletions docs/troubleshooting/troubleshoot_SC4S_server.md
Expand Up @@ -156,8 +156,8 @@ The kernel refused to set the receive buffer (SO_RCVBUF) to the requested size,
Make changes to /etc/sysctl.conf. Changing receive buffer values here to 16 MB:

```
net.core.rmem_default = 1703936
net.core.rmem_max = 1703936.
net.core.rmem_default = 17039360
net.core.rmem_max = 17039360
```
Run following commands for changes to be affected.
```
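Review bot: the corrected values now agree with the prose: 17039360 bytes is 16.25 MiB, whereas the previous 1703936 was roughly 1.6 MiB and contradicted the "16 MB" in the sentence above, and the stray trailing period on the old net.core.rmem_max line is not a valid integer value. One sentence worth adding to this section: net.core.rmem_max is the ceiling that the kernel enforces on SO_RCVBUF requests (the error this section troubleshoots), while net.core.rmem_default only sets the initial size for sockets that do not call setsockopt themselves; setting both, as here, is correct.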
3 changes: 3 additions & 0 deletions mkdocs.yml
Expand Up @@ -25,6 +25,7 @@ nav:
- Citrix: sources/Citrix/index.md
- "Common Event Format": sources/CommonEventFormat/index.md
- CyberArk: sources/CyberArk/index.md
- Dell: sources/Dell/index.md
- "Dell RSA": sources/Dell_RSA/index.md
- "Dell EMC": sources/Dell_EMC/index.md
- F5: sources/F5/index.md
Expand All @@ -46,6 +47,7 @@ nav:
- Nix: sources/nix/index.md
- "Palo Alto Networks": sources/PaloaltoNetworks/index.md
- "pfSense": sources/Pfsense/index.md
- Polycom: sources/Polycom/index.md
- Pulse: sources/Pulse/index.md
- Proofpoint: sources/Proofpoint/index.md
- Radware: sources/Radware/index.md
Expand All @@ -58,6 +60,7 @@ nav:
- Broadcom: sources/Broadcom/index.md
- Tanium: sources/Tanium/index.md
- Tenable: sources/Tenable/index.md
- Thycotic: sources/Thycotic/index.md
- Tintri: sources/Tintri/index.md
- Trend: sources/Trend/index.md
- Ubiquiti: sources/Ubiquiti/index.md
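Review bot: the nav entry is placed correctly between Tenable and Tintri, but the page it links to (docs/sources/Thycotic/index.md, added in this same commit) still carries "Vendor - Tenable" headings, so the sidebar label and the page title will disagree until that page is fixed.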
18 changes: 18 additions & 0 deletions package/etc/conf.d/conflib/cef/app-cef-thycotic_secret_server.conf
@@ -0,0 +1,18 @@
block parser cef-thycotic_secret_server-parser() {
channel {
rewrite {
r_set_splunk_dest_default(
index('netauth'),
sourcetype('thycotic:syslog')
);
};

};
};
application cef-thycotic_secret_server[cef] {
filter{
match("Thycotic Software" value("fields.cef_device_vendor"))
and match("Secret Server" value("fields.cef_device_product"));
};
parser { cef-thycotic_secret_server-parser(); };
};
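Review bot: match() defaults to type(pcre) in syslog-ng, so "Thycotic Software" and "Secret Server" are unanchored regular-expression substring matches against the CEF vendor and product fields; if exact values are intended, add type(string) or anchor the patterns, which also avoids compiling a regex for what is a plain string compare. Note also that, unlike the iDRAC and RPRM parsers in this change, r_set_splunk_dest_default here does not pass vendor_product(...); confirm that the CEF application path derives the "Thycotic Software_Secret Server" key listed on the docs page, otherwise per-source overrides keyed on it will not apply.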
2 changes: 1 addition & 1 deletion package/etc/conf.d/conflib/fallback/app-nix_syslog.conf
Expand Up @@ -13,9 +13,9 @@ block parser nix_syslog_fallback-parser() {
subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
r_set_splunk_dest_update(
source('program:${.PROGRAM}')
meta_key('${.netsource.sc4s_vendor_product}_nix_syslog')
);
};

};
};
application nix_syslog_fallback[fallback] {
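Review bot: meta_key('${.netsource.sc4s_vendor_product}_nix_syslog') is now assigned in the fallback parser, where .netsource.sc4s_vendor_product can be empty for hosts that have no vendor_product_by_source entry, producing a key of "_nix_syslog". Consider guarding the rewrite with a condition that the macro is non-empty, or document that the leading-underscore form is the expected key for unknown hosts.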
9 changes: 1 addition & 8 deletions package/etc/conf.d/conflib/net_source/app-nix_syslog.conf
Expand Up @@ -11,14 +11,7 @@ block parser nix_syslog-parser() {
);

};


rewrite {
r_set_splunk_dest_update(
meta_key('${.netsource.sc4s_vendor_product}_nix_syslog')

);
};

};
};
application nix_syslog[sc4s-network-source] {
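Review bot: this removal is the other half of moving the nix_syslog meta key into the fallback parser; verify that nothing in the network-source stage depends on the key being set here, since it is now assigned only later in the fallback path.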
2 changes: 1 addition & 1 deletion package/etc/conf.d/conflib/raw/app-citrix_netscaler.conf
Expand Up @@ -33,7 +33,7 @@ block parser citrix_netscaler-parser() {
);
set("citrix_netscaler", value("fields.sc4s_syslog_format"));
r_set_splunk_dest_update(
sourcetype('sourcetype::citrix:netscaler:appfw') condition(message('[^|]APPFW[^|]'))
sourcetype('citrix:netscaler:appfw') condition(message('[^|]APPFW[^|]'))
);
};

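Review bot: good catch; with the old value, APPFW events would have been indexed under a literal sourcetype of sourcetype::citrix:netscaler:appfw, because the sourcetype() argument takes the bare value, so they now land in citrix:netscaler:appfw as documented. A regression test that sends one message containing APPFW through the raw path and asserts on the resulting sourcetype would keep this from reappearing.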
42 changes: 42 additions & 0 deletions package/etc/conf.d/conflib/syslog/app-dell_poweredge_idrac.conf
@@ -0,0 +1,42 @@
block parser dell_poweredge_idrac-parser() {
channel {

parser {
kv-parser(
value-separator(":")
prefix(".idrac.")
template("${PROGRAM}: ${MESSAGE}")
);

};

filter {
"${.idrac.Severity}" ne ""
and "${.idrac.Category}" ne ""
and "${.idrac.MessageID}" ne ""
and "${.idrac.Message}" ne ""
and match('[A-Z]{1,3}\d{1,4}' , value(".idrac.MessageID"))
};

rewrite {
r_set_splunk_dest_default(
index('infraops')
sourcetype('dell:poweredge:idrac:syslog')
vendor_product("dell_poweredge_idrac")
);
};
rewrite{
set("${PROGRAM}: $MSG" value("MSG"));
unset(value('PROGRAM'));
};


};
};
application dell_poweredge_idrac[sc4s-syslog] {
filter {
program('Severity');
};
parser { dell_poweredge_idrac-parser(); };
};

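Review bot: match('[A-Z]{1,3}\d{1,4}', value(".idrac.MessageID")) in the filter is unanchored, so any value that merely contains one to three capitals followed by digits passes; anchor it as '^[A-Z]{1,3}\d{1,4}$' if the intent is to validate the whole MessageID. Two smaller points: the application filter program('Severity') is also a regex by default and matches any program containing "Severity" (add type(string) or anchor it), and the second rewrite deliberately rebuilds MSG as "${PROGRAM}: $MSG" before unsetting PROGRAM, which is the right order but deserves a one-line comment explaining that it undoes the header split the kv-parser relied on.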
21 changes: 21 additions & 0 deletions package/etc/conf.d/conflib/syslog/app-polycom_rprm.conf
@@ -0,0 +1,21 @@
block parser polycom_rprm-parser() {
channel {
rewrite {
r_set_splunk_dest_default(
index('netops')
sourcetype('polycom:rprm:syslog')
vendor_product("polycom_rprm")
template('t_5424_hdr_sdata_msg')
);
};


};
};
application polycom_rprm[sc4s-syslog] {
filter {
program('RPRM');
};
parser { polycom_rprm-parser(); };
};

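Review bot: program('RPRM') is a regex filter by default and therefore also matches program names that contain RPRM; use type(string) or anchor it if the program is exactly RPRM. Also, template('t_5424_hdr_sdata_msg') keeps the RFC 5424 header and structured data in the indexed event, which the new docs/sources/Polycom/index.md page does not mention; a sentence there would help users who expect only the message body.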
Expand Up @@ -11,13 +11,13 @@ log{
"${.dest_key}" eq "{{ dest_key }}"

};
{%- for f in filters %}
{% for f in filters %}
log {
filter({{ f }});
{%- for destination in filters[f] %}
destination({{ destination }});
{%- endfor %}
};
{%- endfor %}
{% endfor %}
flags(catchall,flow-control, final);
};
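Review bot: changing `{%- for f in filters %}` and `{%- endfor %}` to `{% for f in filters %}` and `{% endfor %}` only affects whitespace trimming in the rendered syslog-ng configuration, so it is behaviourally neutral, but the inner `{%- for destination in filters[f] %}` and `{%- endfor %}` keep the trim markers, so the generated file will mix trimmed and untrimmed lines; if the goal is a readable rendered config, apply the same choice to the inner loop.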
17 changes: 9 additions & 8 deletions package/etc/conf.d/sc4slib/source_syslog/plugin.jinja
Expand Up @@ -84,9 +84,10 @@ source s_{{ port_id }} {

rewrite(r_set_splunk_default);


if {
parser {
app-parser(topic(sc4s-raw-syslog));
app-parser(topic({{ topic }}-raw-syslog));
};
} elif {
filter{
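Review bot: `{{ topic }}` is a new template variable; with Jinja's default Undefined, an invocation of this plugin that does not pass topic renders as app-parser(topic(-raw-syslog)) without any error, silently detaching every app parser from that source. Either render with StrictUndefined so a missing value fails at build time, or write `{{ topic | default('sc4s') }}` so existing callers keep the previous sc4s-raw-syslog behaviour. The same applies to the -syslog and -network-source substitutions in the later hunks of this file.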
Expand Down Expand Up @@ -117,9 +118,10 @@ source s_{{ port_id }} {

if {
parser {
app-parser(topic(sc4s-syslog));
app-parser(topic({{ topic }}-syslog));
};
};
};


if {
parser(p_add_context_host);
Expand All @@ -137,10 +139,9 @@ source s_{{ port_id }} {
parser(vendor_product_by_source);
if {
parser {
app-parser(topic(sc4s-network-source));
app-parser(topic({{ topic }}-network-source));
};
};

};
if {
filter {
"${fields.sc4s_vendor_product}" eq ""
Expand Down Expand Up @@ -257,7 +258,7 @@ source s_{{ port_id }} {
};
if {
parser {
app-parser(topic(sc4s-syslog));
app-parser(topic({{ topic }}-syslog));
};
};

Expand All @@ -275,7 +276,7 @@ source s_{{ port_id }} {
parser(vendor_product_by_source);
if {
parser {
app-parser(topic(sc4s-network-source));
app-parser(topic({{ topic }}-network-source));
};
};
