feat: Support Arista Switches (#1411)

fixup

docs/sources/Arista/index.md

@@ -0,0 +1,48 @@
+# Vendor - Arista
+
+
+## Product - EOS Switch
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | None                                    |
+| Product Manual | unknown   |
+
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| arista:eos:*        | None                                                                                                    |
+
+### Sourcetype and Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| alcatel_switch      | alcatel:switch       | netops          | none          |
+| alcatel_switch_$PROCESSNAME      | alcatel:switch       | netops          | The "process" field is used from the event          |
+
+### Filter type
+
+MSG Parsing
+
+### Setup and Configuration
+
+Device setup unknown 
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_ARISTA_EOS_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_ARISTA_EOS_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_ARISTA_EOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_ARISTA_EOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index=<asconfigured> sourcetype=arista:eos:* | stats count by host
+```

mkdocs.yml

@@ -38,6 +38,7 @@ nav:
       - About: sources/index.md
       - Alcatel: sources/Alcatel/index.md
       - Alsid: sources/Alsid/index.md
+      - Arista: sources/Arista/index.md
       - Avaya: sources/Avaya/index.md
       - "Avi Networks": sources/Avi_Networks/index.md
       - Brocade: sources/Brocade/index.md

package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-arista_eos.conf

@@ -0,0 +1,37 @@
+block parser app-almost-syslog-arista_eos() {    
+    channel {
+        #
+        parser {
+            regexp-parser(
+                prefix(".tmp.")
+                patterns('^(?<pri>\<\d+\>) ?(?<timestamp>[^ ]+) (?<host>[^ ]+) (?<program>aaa|accounting|acl|agent|ale|arp|bfd|bgp|bmp|capacity|capi|clear|cvx|dataplane|dhcp|dot1x|dscp|envmon|eth):(?: (?<seq>\d+):)? (?<message>%[A-Z]+-\d+-[^: ]+: .*)')
+                flags(ignore-case)
+            );
+            syslog-parser(
+                flags(assume-utf8)
+                template("${.tmp.pri} ${.tmp.timestamp} ${.tmp.host} ${.tmp.program}: ${.tmp.message}")
+            );
+        };    
+        rewrite {
+            set('${.tmp.seq}' value('fields.seq') condition("${.tmp.seq}" ne ""));
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('arista:eos:$(lowercase ${.tmp.program})')
+                vendor_product("arista_eos")
+                meta_key('arista_eos_$(lowercase ${.tmp.program})')
+            ); 
+        };
+        rewrite {
+            set('${.tmp.seq}' value('fields.seq') condition("${.tmp.seq}" ne ""));
+                    set("rfc_arista_eos", value("fields.sc4s_syslog_format"));
+        }; 
+    };
+};
+
+application app-almost-syslog-arista_eos[sc4s-almost-syslog] {
+	filter { 
+        message(': %' type(string) flags(substring));        
+    };	
+
+    parser { app-almost-syslog-arista_eos(); };      
+};

tests/test_arista.py

@@ -0,0 +1,49 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+
+# <111>2021-11-25T16:52:18+01:00 SWITCHNAME.domain.com Acl: %ACL-6-IPACCESS: list acl-internet Ethernet1 denied tcp xxx.xx.xx.xx(63751) -> xxx.xx.xx.xx(445)
+# <111>2021-11-25T16:52:18+01:00 SWITCHNAME.domain.com Acl: 100: %ACL-6-IPACCESS: list acl-internet Ethernet1 denied tcp xxx.xx.xx.xx(63751) -> xxx.xx.xx.xx(445)
+def test_arista_switch(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    #   Get UTC-based 'dt' time structure
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    # iso from included timeutils is from local timezone; need to keep iso as UTC
+    iso = dt.isoformat()[0:19]
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }} {{ iso }}Z {{ host }} Acl: %ACL-6-IPACCESS: list acl-internet Ethernet1 denied tcp xxx.xx.xx.xx(63751) -> xxx.xx.xx.xx(445)\n"
+    )
+    message = mt.render(mark="<166>", iso=iso, epoch=epoch, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="arista:eos:acl" "Acl: %ACL-6-IPACCESS"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1