feat(raritan): Support DSX Product

fixes #1299

.github/workflows/ci-main.yaml

@@ -185,6 +185,7 @@ jobs:
           SC4S_LISTEN_SIMPLE_TEST_TWO_TCP_PORT: 5601
           SC4S_LISTEN_SPECTRACOM_NTP_TCP_PORT: 6002
           SC4S_LISTEN_CISCO_ESA_TCP_PORT: 9000
+          SC4S_LISTEN_RARITAN_DSX_TCP_PORT: 9001
           SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL: "yes"
           SC4S_SOURCE_RICOH_SYSLOG_FIXHOST: "yes"
           TEST_SC4S_ACTIVATE_EXAMPLES: "yes"

docs/sources/Raritan/index.md

@@ -0,0 +1,48 @@
+# Vendor - Raritan
+
+
+## Product - DSX
+
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | none                                     |
+| Product Manual | https://www.raritan.com/products/kvm-serial/serial-console-servers/serial-over-ip-console-server |
+
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| raritan:dsx  | Note events do not contain host |
+
+### Sourcetype and Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| raritan_dsx      | raritan:dsx     | infraops          | none          |
+
+### Filter type
+
+Requires port or vendor product by source config
+
+### Setup and Configuration
+
+unknown
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_RARITAN_DSX_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_RARITAN_DSX_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_RARITAN_DSX | no | Enable archive to disk for this specific source |
+| SC4S_DEST_RARITAN_DSX_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index=<asconfigured> sourcetype=raritan:dsx | stats count by host
+```

mkdocs.yml

@@ -76,6 +76,7 @@ nav:
       - Pulse: sources/Pulse/index.md
       - Proofpoint: sources/Proofpoint/index.md
       - Radware: sources/Radware/index.md
+      - Raritan: sources/Raritan/index.md
       - Ricoh: sources/Ricoh/index.md
       - Schneider: sources/Schneider/index.md
       - "Simple Sources": sources/Simple/index.md

package/etc/conf.d/conflib/net_source/app-raritan_dsx.conf

@@ -0,0 +1,19 @@
+block parser raritan_dsx-parser() {    
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('infraops')
+                sourcetype('raritan:dsx')
+                vendor_product("raritan_dsx")
+                template('t_hdr_msg')
+            );
+        };
+    };
+};
+application raritan_dsx[sc4s-network-source] {
+	filter { 
+        "${.netsource.sc4s_vendor_product}" eq "raritan_dsx"
+        or "${SOURCE}" eq "s_RARITAN_DSX"
+    };	
+    parser { raritan_dsx-parser(); };   
+};

tests/conftest.py

@@ -207,7 +207,7 @@ def sc4s_docker(docker_services):
     # ports.update({6001: docker_services.port_for("sc4s", 6001)})
     ports.update({6002: docker_services.port_for("sc4s", 6002)})
     ports.update({9000: docker_services.port_for("sc4s", 9000)})
-
+    ports.update({9001: docker_services.port_for("sc4s", 9001)})
 
     return docker_services.docker_ip, ports
 
@@ -223,6 +223,7 @@ def sc4s_external(request):
         6001: 6001,
         6002: 6002,
         9000: 9000,
+        9001: 9001,
     }
 
     return request.config.getoption("sc4s_host"), ports

tests/docker-compose.yml

@@ -26,6 +26,7 @@ services:
       - "6001"
       - "6002"
       - "9000"
+      - "9001"
     stdin_open: true
     tty: true
     links:
@@ -38,6 +39,7 @@ services:
       - SC4S_LISTEN_PFSENSE_TCP_PORT=6000
       - SC4S_LISTEN_SPECTRACOM_NTP_TCP_PORT=6002
       - SC4S_LISTEN_CISCO_ESA_TCP_PORT=9000
+      - SC4S_LISTEN_RARITAN_DSX_TCP_PORT=9001
       - SC4S_LISTEN_SIMPLE_TEST_ONE_TCP_PORT=5514
       - SC4S_LISTEN_SIMPLE_TEST_ONE_UDP_PORT=5514
       - SC4S_LISTEN_SIMPLE_TEST_TWO_TCP_PORT=5601

tests/test_raritan.py

@@ -0,0 +1,41 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <110>M_00796:  User radware Session with client radware was terminated due to Inactivity.
+def test_raritan_dsx(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{mark}}[Login Failed]: Authentication failed for user 'cartertest' from host '{{ key }}'\n"
+    )
+    message = mt.render(mark="<27>", key=host)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][9001])
+
+    st = env.from_string('search index=infraops sourcetype=raritan:dsx "{{key}}"')
+    search = st.render(epoch=epoch, key=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1