diff --git a/Pipfile b/Pipfile
new file mode 100644
index 0000000000..b9ba84f677
--- /dev/null
+++ b/Pipfile
@@ -0,0 +1,11 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+
+[dev-packages]
+
+[requires]
+python_version = "3.7"
diff --git a/docs/sources/NetApp/index.md b/docs/sources/NetApp/index.md
new file mode 100644
index 0000000000..2a8cd4ccdd
--- /dev/null
+++ b/docs/sources/NetApp/index.md
@@ -0,0 +1,46 @@
+# Vendor - NetApp
+
+
+## Product - OnTap
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/3418/ |
+| Product Manual | unknown |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| netapp:ems | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| netapp_ontap | netapp:ems | infraops | none |
+
+### Filter type
+
+MSG Parsing
+
+### Setup and Configuration
+
+
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_NETAPP_ONTAP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_NETAPP_ONTAP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_NETAPP_ONTAP | no | Enable archive to disk for this specific source |
+| SC4S_DEST_NETAPP_ONTAP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+```
+index= sourcetype=netapp:ems | stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index 95d134c42e..4a8262aa82 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -64,6 +64,7 @@ nav:
 - McAfee: sources/McAfee/index.md
 - Microfocus: sources/Microfocus/index.md
 - Microsoft: sources/Microsoft/index.md
+- NetApp: sources/NetApp/index.md
 - Netmotion: sources/Netmotion/index.md
 - Nix: sources/nix/index.md
 - OSSEC: sources/Ossec/index.md
diff --git a/package/etc/conf.d/conflib/syslog/app-netapp_ontap.conf b/package/etc/conf.d/conflib/syslog/app-netapp_ontap.conf
new file mode 100644
index 0000000000..d9fc86b69b
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-netapp_ontap.conf
@@ -0,0 +1,41 @@
+block parser netapp_ontap-parser() {
+    channel {
+        filter {
+            message('^[a-z0-9-]+: [0-9]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] ([A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)' flags(store-matches));
+        };
+        rewrite {
+            set('$PROGRAM: $MESSAGE', value(MESSAGE));
+            set('$PROGRAM', value(HOST));
+            unset(value(PROGRAM));
+        };
+        parser {
+            date-parser-nofilter(
+                format(
+                    '%a %d %Y %H:%M:%S %z',
+                )
+                template("$1")
+            );
+        };
+
+        rewrite {
+            r_set_splunk_dest_default(
+                index("infraops")
+                sourcetype('ontap:ems')
+                vendor_product("netapp_ontap")
+            );
+        };
+
+        rewrite {
+            r_set_splunk_dest_update(
+                meta_key('netapp_ontap_ems')
+            );
+        };
+
+    };
+};
+application netapp_ontap[sc4s-syslog] {
+    filter {
+        program('^[a-z0-9-]+$');
+    };
+    parser { netapp_ontap-parser(); };
+};
diff --git a/tests/test_netapp.py b/tests/test_netapp.py
new file mode 100644
index 0000000000..748c2c30cc
--- /dev/null
+++ b/tests/test_netapp.py
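Review bot: The date-parser format `'%a %d %Y %H:%M:%S %z'` does not match what `$1` holds: in the message() regex the weekday `[A-Z][a-z][a-z]` sits outside the capture group, so group 1 starts at the month (`Jun 23 2021 22:09:18 +00:00` in the shape the test builds), and the first field should be parsed with `%b`, i.e. `'%b %d %Y %H:%M:%S %z',`. If the nofilter variant keeps the message on a failed parse, as its name suggests, the event would silently fall back to the syslog-header timestamp, and the test in tests/test_netapp.py would not catch it because it sends a UTC device time and matches `_time` against the header-derived epoch. Separately, this block sets `sourcetype('ontap:ems')` while docs/sources/NetApp/index.md (Sourcetypes table, index/sourcetype table and the Verification query) documents `netapp:ems`; the test asserts on `ontap:ems`, so the docs should be aligned to whichever value is intended.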
@@ -0,0 +1,53 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+import pytest
+
+env = Environment()
+
+
+testdata = [
+    "{{ mark }}{{ bsd }} {{ host }}: {{ host }}: 00000019.0794c163 055b6737 {{ device_time }} [kern_audit:info:2385] 8503ea0000ba6b71 :: nodea:ontapi :: 10.10.10.10:41464 :: nodea-esx:usera :: clone-create :: Error: Missing input: source-path; Missing input: volume",
+]
+
+
+@pytest.mark.parametrize("event", testdata)
+def test_netapp(
+    record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
+):
+    host = get_host_key
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+    # Wed Jun 23 2021 22:09:18 +10:00
+    device_time = dt.strftime("%a %b %d %Y %H:%M:%S +00:00")
+
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<166>", bsd=bsd, host=host, device_time=device_time)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search index=infraops _time={{ epoch }} sourcetype="ontap:ems" (host="{{ host }}" OR "{{ host }}")'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
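Review bot: `datetime` is used on the `dt = datetime.datetime.now(...)` line but never imported in this file, so it presumably arrives through one of the `from .X import *` wildcard imports; that makes the test break if a sibling module stops importing it, and an explicit `import datetime` next to `import pytest` removes the dependency. The comment above `device_time` reads `# Wed Jun 23 2021 22:09:18 +10:00` while the strftime emits a fixed `+00:00`; since `dt` is built in `datetime.timezone.utc` the fixed offset is correct, so the comment should say `# e.g. Wed Jun 23 2021 22:09:18 +00:00 (dt is UTC, so the fixed offset is correct)`. The `epoch = epoch[:-7]` truncation also deserves a one-line comment naming what it strips, since the "Tune time functions" comment does not say.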