From 53b98e3d15ee28dbb26cb3b230e0080e0d59e67b Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 20 Oct 2021 14:23:50 -0400
Subject: [PATCH] feat(raritan): Support DSX Product fixes #1299
---
 .github/workflows/ci-main.yaml | 1 +
 docs/sources/Raritan/index.md | 48 +++++++++++++++++++
 mkdocs.yml | 1 +
 .../conflib/net_source/app-raritan_dsx.conf | 19 ++++++++
 tests/conftest.py | 3 +-
 tests/docker-compose.yml | 2 +
 tests/test_raritan.py | 41 ++++++++++++++++
 7 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 docs/sources/Raritan/index.md
 create mode 100644 package/etc/conf.d/conflib/net_source/app-raritan_dsx.conf
 create mode 100644 tests/test_raritan.py
diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml
index de414ecce1..9d0987910a 100644
--- a/.github/workflows/ci-main.yaml
+++ b/.github/workflows/ci-main.yaml
@@ -185,6 +185,7 @@ jobs:
 SC4S_LISTEN_SIMPLE_TEST_TWO_TCP_PORT: 5601
 SC4S_LISTEN_SPECTRACOM_NTP_TCP_PORT: 6002
 SC4S_LISTEN_CISCO_ESA_TCP_PORT: 9000
+ SC4S_LISTEN_RARITAN_DSX_TCP_PORT: 9001
 SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL: "yes"
 SC4S_SOURCE_RICOH_SYSLOG_FIXHOST: "yes"
 TEST_SC4S_ACTIVATE_EXAMPLES: "yes"
diff --git a/docs/sources/Raritan/index.md b/docs/sources/Raritan/index.md
new file mode 100644
index 0000000000..873542dbe9
--- /dev/null
+++ b/docs/sources/Raritan/index.md
@@ -0,0 +1,48 @@
+# Vendor - Raritan
+
+
+## Product - DSX
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | none |
+| Product Manual | https://www.raritan.com/products/kvm-serial/serial-console-servers/serial-over-ip-console-server |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| raritan:dsx | Note events do not contain host |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| raritan_dsx | raritan:dsx | infraops | none |
+
+### Filter type
+
+Requires port or vendor product by source config
+
+### Setup and Configuration
+
+unknown
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_RARITAN_DSX_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_RARITAN_DSX_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_RARITAN_DSX | no | Enable archive to disk for this specific source |
+| SC4S_DEST_RARITAN_DSX_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=raritan:dsx | stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index fd5befda0a..0ed1ec9c5d 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -76,6 +76,7 @@ nav:
 - Pulse: sources/Pulse/index.md
 - Proofpoint: sources/Proofpoint/index.md
 - Radware: sources/Radware/index.md
+ - Raritan: sources/Raritan/index.md
 - Ricoh: sources/Ricoh/index.md
 - Schneider: sources/Schneider/index.md
 - "Simple Sources": sources/Simple/index.md
diff --git a/package/etc/conf.d/conflib/net_source/app-raritan_dsx.conf b/package/etc/conf.d/conflib/net_source/app-raritan_dsx.conf
new file mode 100644
index 0000000000..ab399567f7
--- /dev/null
+++ b/package/etc/conf.d/conflib/net_source/app-raritan_dsx.conf
@@ -0,0 +1,19 @@
+block parser raritan_dsx-parser() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('infraops')
+ sourcetype('raritan:dsx')
+ vendor_product("raritan_dsx")
+ template('t_hdr_msg')
+ );
+ };
+ };
+};
+application raritan_dsx[sc4s-network-source] {
+ filter {
+ "${.netsource.sc4s_vendor_product}" eq "raritan_dsx"
+ or "${SOURCE}" eq "s_RARITAN_DSX"
+ };
+ parser { raritan_dsx-parser(); };
+};
diff --git a/tests/conftest.py b/tests/conftest.py
index be058541f4..a6d7e72b34 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -207,7 +207,7 @@ def sc4s_docker(docker_services):
 # ports.update({6001: docker_services.port_for("sc4s", 6001)})
 ports.update({6002: docker_services.port_for("sc4s", 6002)})
 ports.update({9000: docker_services.port_for("sc4s", 9000)})
-
+ ports.update({9001: docker_services.port_for("sc4s", 9001)})
 return docker_services.docker_ip, ports
@@ -223,6 +223,7 @@ def sc4s_external(request):
 6001: 6001,
 6002: 6002,
 9000: 9000,
+ 9001: 9001,
 }
 return request.config.getoption("sc4s_host"), ports
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index 1a72ed54e2..90c26f2492 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml
@@ -26,6 +26,7 @@ services:
 - "6001"
 - "6002"
 - "9000"
+ - "9001"
 stdin_open: true
 tty: true
 links:
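Review bot: The `filter` in `application raritan_dsx[sc4s-network-source]` classifies solely on the listener tag (`${.netsource.sc4s_vendor_product}` eq `raritan_dsx`) or the `s_RARITAN_DSX` source, with no message-content signature, so DSX events that reach a shared/default listener are not assigned `raritan:dsx` and presumably take whatever the default path gives them. That is consistent with the docs' "Requires port or vendor product" statement in the same commit, but nothing in the new .conf records the reason, and the docs also state these events carry no hostname, so the `host` field presumably falls back to the sender's transport address after `t_hdr_msg` — worth confirming, since the authentication-failure events this source emits are only attributable to a console server through that field. I would add a header comment above `block parser raritan_dsx-parser()`: `# Raritan DSX serial console server: messages have no distinctive signature, so classification is by dedicated port / vendor_product tag only; events carry no hostname, host is derived from the sender`.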
@@ -38,6 +39,7 @@ services:
 - SC4S_LISTEN_PFSENSE_TCP_PORT=6000
 - SC4S_LISTEN_SPECTRACOM_NTP_TCP_PORT=6002
 - SC4S_LISTEN_CISCO_ESA_TCP_PORT=9000
+ - SC4S_LISTEN_RARITAN_DSX_TCP_PORT=9001
 - SC4S_LISTEN_SIMPLE_TEST_ONE_TCP_PORT=5514
 - SC4S_LISTEN_SIMPLE_TEST_ONE_UDP_PORT=5514
 - SC4S_LISTEN_SIMPLE_TEST_TWO_TCP_PORT=5601
diff --git a/tests/test_raritan.py b/tests/test_raritan.py
new file mode 100644
index 0000000000..300a2686a4
--- /dev/null
+++ b/tests/test_raritan.py
@@ -0,0 +1,41 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <110>M_00796: User radware Session with client radware was terminated due to Inactivity.
+def test_raritan_dsx(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{mark}}[Login Failed]: Authentication failed for user 'cartertest' from host '{{ key }}'\n"
+ )
+ message = mt.render(mark="<27>", key=host)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][9001])
+
+ st = env.from_string('search index=infraops sourcetype=raritan:dsx "{{key}}"')
+ search = st.render(epoch=epoch, key=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
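Review bot: The comment above `def test_raritan_dsx` (`# <110>M_00796: User radware Session with client radware ...`) is a Radware sample carried over from a copied test and does not describe the message this test sends; replace it with the real fixture, `# <27>[Login Failed]: Authentication failed for user 'cartertest' from host '<host>'`. The `dt = datetime.datetime.now()` / `time_operations(dt)` pair and `epoch = epoch[:-7]` are dead in this test: the search template `'search index=infraops sourcetype=raritan:dsx "{{key}}"'` has no `epoch` placeholder, so `st.render(epoch=epoch, key=host)` can become `st.render(key=host)` and the four time lines dropped (as far as the hunk shows, `datetime` only reaches this module through the `from .timeutils import *` star import). Note that the sample carries only a PRI and no hostname or timestamp, consistent with the docs' "events do not contain host" remark, so the search matches the host string embedded in the message body rather than Splunk's `host` field; if attribution of these authentication-failure events to the sending device is part of the contract, an assertion on `host` would pin it down.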