From 554aa1ef2ee2a1a7b79631090cb135edce80da06 Mon Sep 17 00:00:00 2001 
From: rfaircloth-splunk Date: Sun, 6 Feb 2022 11:32:05 -0500 Subject: [PATCH] doc: Refactor documentation wip wip fixup wip wip docs fixup --- docs/sources/Alcatel/index.md | 47 -- docs/sources/Alsid/index.md | 47 -- docs/sources/Avi_Networks/index.md | 47 -- docs/sources/Broadcom/index.md | 249 ------- docs/sources/Brocade/index.md | 47 -- docs/sources/Buffalo/index.md | 47 -- docs/sources/Checkpoint/index.md | 217 ------ docs/sources/Cisco/index.md | 683 ------------------ docs/sources/Citrix/index.md | 50 -- docs/sources/CyberArk/index.md | 89 --- docs/sources/Dell/index.md | 87 --- docs/sources/Dell_EMC/index.md | 50 -- docs/sources/Dell_RSA/index.md | 55 -- docs/sources/FireEye/index.md | 54 -- docs/sources/Forcepoint/index.md | 103 --- docs/sources/Fortinet/index.md | 212 ------ docs/sources/GitHub/index.md | 48 -- docs/sources/HAProxy/index.md | 49 -- docs/sources/HPe/index.md | 235 ------ docs/sources/IBM/index.md | 46 -- docs/sources/ISC/index.md | 90 --- docs/sources/Imperva/index.md | 107 --- docs/sources/InfoBlox/index.md | 57 -- docs/sources/Juniper/index.md | 111 --- docs/sources/Loggen/index.md | 42 -- docs/sources/McAfee/index.md | 186 ----- docs/sources/Microfocus/index.md | 105 --- docs/sources/Microsoft/index.md | 57 -- docs/sources/Mikrotik/index.md | 91 --- docs/sources/NetApp/index.md | 46 -- docs/sources/Netmotion/index.md | 48 -- docs/sources/Novell/index.md | 44 -- docs/sources/Ossec/index.md | 50 -- docs/sources/PaloaltoNetworks/index.md | 156 ---- docs/sources/Pfsense/index.md | 57 -- docs/sources/Polycom/index.md | 44 -- docs/sources/Proofpoint/index.md | 53 -- docs/sources/Pulse/index.md | 53 -- docs/sources/PureStorage/index.md | 52 -- docs/sources/Qumulo/index.md | 48 -- docs/sources/Radware/index.md | 48 -- docs/sources/Raritan/index.md | 48 -- docs/sources/Schneider/index.md | 48 -- docs/sources/Solace/index.md | 47 -- docs/sources/Sophos/index.md | 49 -- docs/sources/Spectracom/index.md | 51 -- docs/sources/Tanium/index.md | 52 -- 
docs/sources/Tenable/index.md | 83 --- docs/sources/Tintri/index.md | 50 -- docs/sources/Ubiquiti/index.md | 71 -- docs/sources/VMWare/index.md | 163 ----- docs/sources/Varonis/index.md | 49 -- docs/sources/Wallix/index.md | 42 -- docs/sources/Zscaler/index.md | 126 ---- .../index.md => base/cef.md} | 26 +- .../index.md => base/leef.md} | 28 +- docs/sources/{nix/index.md => base/nix.md} | 28 +- .../{Simple/index.md => base/simple.md} | 13 +- docs/sources/index.md | 25 +- docs/sources/vendor/AVI/index.md | 26 + docs/sources/vendor/Alcatel/Switch.md | 26 + docs/sources/vendor/Alsid/Alsid.md | 29 + docs/sources/{ => vendor}/Arista/index.md | 36 +- docs/sources/vendor/Aruba/ap.md | 43 ++ docs/sources/vendor/Aruba/clearpass.md | 44 ++ docs/sources/{ => vendor}/Avaya/index.md | 35 +- .../index.md => vendor/BeyondTrust/sra.md} | 37 +- docs/sources/vendor/Broadcom/brightmail.md | 33 + docs/sources/vendor/Broadcom/dlp.md | 27 + docs/sources/vendor/Broadcom/ep.md | 39 + docs/sources/vendor/Broadcom/proxy.md | 45 ++ docs/sources/vendor/Broadcom/sslva.md | 25 + docs/sources/vendor/Brocade/switch.md | 45 ++ docs/sources/vendor/Buffalo/index.md | 45 ++ docs/sources/vendor/Checkpoint/firewallos.md | 42 ++ .../vendor/Checkpoint/logexporter_5424.md | 79 ++ .../vendor/Checkpoint/logexporter_legacy.md | 63 ++ docs/sources/vendor/Cisco/cisco_ace.md | 24 + docs/sources/vendor/Cisco/cisco_acs.md | 35 + docs/sources/vendor/Cisco/cisco_asa.md | 46 ++ docs/sources/vendor/Cisco/cisco_esa.md | 63 ++ docs/sources/vendor/Cisco/cisco_imc.md | 24 + docs/sources/vendor/Cisco/cisco_ios.md | 68 ++ docs/sources/vendor/Cisco/cisco_ise.md | 25 + docs/sources/vendor/Cisco/cisco_meraki.md | 45 ++ docs/sources/vendor/Cisco/cisco_tvcs.md | 20 + docs/sources/vendor/Cisco/cisco_ucm.md | 25 + docs/sources/vendor/Cisco/cisco_ucshx.md | 26 + docs/sources/vendor/Cisco/cisco_wsa.md | 60 ++ docs/sources/vendor/Citrix/netscaler.md | 29 + .../index.md => vendor/Cohesity/cluster.md} | 37 +- 
docs/sources/vendor/CyberArk/epv.md | 26 + docs/sources/vendor/CyberArk/pta.md | 26 + .../index.md => vendor/Cylance/protect.md} | 35 +- docs/sources/vendor/Dell/cmc.md | 45 ++ docs/sources/vendor/Dell/emc_powerswitchn.md | 27 + docs/sources/vendor/Dell/idrac.md | 26 + docs/sources/vendor/Dell/rsa_secureid.md | 49 ++ .../{F5/index.md => vendor/F5/bigip.md} | 52 +- docs/sources/vendor/FireEye/cms.md | 24 + docs/sources/vendor/FireEye/emps.md | 24 + docs/sources/vendor/FireEye/etp.md | 24 + docs/sources/vendor/FireEye/hx.md | 25 + docs/sources/vendor/Forcepoint/index.md | 26 + docs/sources/vendor/Forcepoint/webprotect.md | 27 + .../{ => vendor}/Fortinet/FortiGate_event.png | Bin .../Fortinet/FortiGate_traffic.png | Bin .../{ => vendor}/Fortinet/FortiGate_utm.png | Bin docs/sources/vendor/Fortinet/fortios.md | 75 ++ docs/sources/vendor/Fortinet/fortiweb.md | 63 ++ docs/sources/vendor/GitHub/index.md | 26 + docs/sources/vendor/HAProxy/syslog.md | 26 + docs/sources/vendor/HPe/ilo.md | 21 + docs/sources/vendor/HPe/jedirect.md | 25 + docs/sources/vendor/HPe/procurve.md | 28 + docs/sources/vendor/IBM/datapower.md | 39 + docs/sources/vendor/ISC/bind.md | 27 + docs/sources/vendor/ISC/dhcpd.md | 46 ++ docs/sources/vendor/Imperva/incapusla.md | 34 + docs/sources/vendor/Imperva/waf.md | 29 + docs/sources/vendor/InfoBlox/index.md | 56 ++ docs/sources/vendor/Juniper/junos.md | 34 + docs/sources/vendor/Juniper/netscreen.md | 26 + docs/sources/vendor/McAfee/epo.md | 72 ++ docs/sources/vendor/McAfee/nsp.md | 35 + docs/sources/vendor/McAfee/wg.md | 25 + docs/sources/vendor/Microfocus/arcsight.md | 31 + docs/sources/vendor/Microfocus/windows.md | 35 + docs/sources/vendor/Microsoft/index.md | 32 + docs/sources/vendor/Mikrotik/routeros.md | 43 ++ docs/sources/vendor/NetApp/ontap.md | 26 + docs/sources/vendor/Netmotion/reporting.md | 26 + docs/sources/vendor/Novell/netiq.md | 26 + docs/sources/vendor/Ossec/ossec.md | 25 + .../vendor/PaloaltoNetworks/cortexxdr.md | 24 + 
docs/sources/vendor/PaloaltoNetworks/panos.md | 72 ++ docs/sources/vendor/PaloaltoNetworks/traps.md | 25 + docs/sources/vendor/Pfsense/firewall.md | 49 ++ docs/sources/vendor/Polycom/rprm.md | 25 + docs/sources/vendor/Proofpoint/index.md | 50 ++ docs/sources/vendor/Pulse/connectsecure.md | 28 + docs/sources/vendor/PureStorage/array.md | 28 + docs/sources/vendor/Qumulo/storage.md | 25 + docs/sources/vendor/Radware/defensepro.md | 26 + docs/sources/vendor/Raritan/dsx.md | 48 ++ .../{Ricoh/index.md => vendor/Ricoh/mfp.md} | 36 +- docs/sources/vendor/Schneider/apc.md | 48 ++ docs/sources/vendor/Solace/evenbroker.md | 25 + docs/sources/vendor/Sophos/webappliance.md | 47 ++ docs/sources/vendor/Spectracom/index.md | 47 ++ .../index.md => vendor/Splunk/sc4s.md} | 22 +- docs/sources/vendor/Tanium/platform.md | 28 + docs/sources/vendor/Tenable/ad.md | 25 + docs/sources/vendor/Tenable/nnm.md | 27 + .../Thycotic/secretserver.md} | 31 +- docs/sources/vendor/Tintri/syslog.md | 25 + .../index.md => vendor/Trend/deepsecurity.md} | 43 +- docs/sources/vendor/Ubiquiti/unifi.md | 59 ++ docs/sources/vendor/VMWare/carbonblack.md | 31 + docs/sources/vendor/VMWare/horizonview.md | 26 + docs/sources/vendor/VMWare/index.md | 54 ++ docs/sources/vendor/Varonis/datadvantage.md | 25 + .../index.md => vendor/Vectra/cognito.md} | 45 +- docs/sources/vendor/Wallix/bastion.md | 25 + docs/sources/vendor/Zscaler/lss.md | 36 + docs/sources/vendor/Zscaler/nss.md | 49 ++ docs/sources/vendor/syslog-ng/loggen.md | 26 + mkdocs.yml | 74 +- .../conflib/_splunk/netsourcefields.conf | 12 + .../app-vps-test-aruba_clearpass.conf | 21 +- .../app-vps-test-brocade_syslog.conf | 21 +- .../test_parsers/app-vps-test-cisco_esa.conf | 17 +- .../app-vps-test-cisco_meraki.conf | 17 +- .../test_parsers/app-vps-test-cisco_wsa.conf | 17 +- .../app-vps-test-cisco_wsa11_7.conf | 17 +- .../app-vps-test-cisco_wsa_recommended.conf | 17 +- .../test_parsers/app-vps-test-dell_cmc.conf | 17 +- .../app-vps-test-dell_rsa_secureid.conf | 
17 +- .../test_parsers/app-vps-test-f5_bigip.conf | 17 +- .../app-vps-test-ibm_datapower.conf | 17 +- .../app-vps-test-infoblox_nios.conf | 17 +- .../app-vps-test-mikrotik_routeros.conf | 17 +- .../app-vps-test-pfsense_firewall.conf | 17 +- .../app-vps-test-proofpoint_pps.conf | 17 +- .../app-vps-test-schneider_apc.conf | 17 +- .../app-vps-test-sophos_webappliance.conf | 17 +- .../app-vps-test-spectracom_ntp.conf | 17 +- .../app-vps-test-symantec_dlp.conf | 17 +- .../app-vps-test-ubiquiti_unifi_fw.conf | 17 +- .../app-vps-test-vmware_vcenter.conf | 17 +- poetry.lock | 49 +- pyproject.toml | 1 + 192 files changed, 3727 insertions(+), 5573 deletions(-) delete mode 100644 docs/sources/Alcatel/index.md delete mode 100644 docs/sources/Alsid/index.md delete mode 100644 docs/sources/Avi_Networks/index.md delete mode 100644 docs/sources/Broadcom/index.md delete mode 100644 docs/sources/Brocade/index.md delete mode 100644 docs/sources/Buffalo/index.md delete mode 100644 docs/sources/Checkpoint/index.md delete mode 100644 docs/sources/Cisco/index.md delete mode 100644 docs/sources/Citrix/index.md delete mode 100644 docs/sources/CyberArk/index.md delete mode 100644 docs/sources/Dell/index.md delete mode 100644 docs/sources/Dell_EMC/index.md delete mode 100644 docs/sources/Dell_RSA/index.md delete mode 100644 docs/sources/FireEye/index.md delete mode 100644 docs/sources/Forcepoint/index.md delete mode 100644 docs/sources/Fortinet/index.md delete mode 100644 docs/sources/GitHub/index.md delete mode 100644 docs/sources/HAProxy/index.md delete mode 100644 docs/sources/HPe/index.md delete mode 100644 docs/sources/IBM/index.md delete mode 100644 docs/sources/ISC/index.md delete mode 100644 docs/sources/Imperva/index.md delete mode 100644 docs/sources/InfoBlox/index.md delete mode 100644 docs/sources/Juniper/index.md delete mode 100644 docs/sources/Loggen/index.md delete mode 100644 docs/sources/McAfee/index.md delete mode 100644 docs/sources/Microfocus/index.md delete mode 100644 
docs/sources/Microsoft/index.md delete mode 100644 docs/sources/Mikrotik/index.md delete mode 100644 docs/sources/NetApp/index.md delete mode 100644 docs/sources/Netmotion/index.md delete mode 100644 docs/sources/Novell/index.md delete mode 100644 docs/sources/Ossec/index.md delete mode 100644 docs/sources/PaloaltoNetworks/index.md delete mode 100644 docs/sources/Pfsense/index.md delete mode 100644 docs/sources/Polycom/index.md delete mode 100644 docs/sources/Proofpoint/index.md delete mode 100644 docs/sources/Pulse/index.md delete mode 100644 docs/sources/PureStorage/index.md delete mode 100644 docs/sources/Qumulo/index.md delete mode 100644 docs/sources/Radware/index.md delete mode 100644 docs/sources/Raritan/index.md delete mode 100644 docs/sources/Schneider/index.md delete mode 100644 docs/sources/Solace/index.md delete mode 100644 docs/sources/Sophos/index.md delete mode 100644 docs/sources/Spectracom/index.md delete mode 100644 docs/sources/Tanium/index.md delete mode 100644 docs/sources/Tenable/index.md delete mode 100644 docs/sources/Tintri/index.md delete mode 100644 docs/sources/Ubiquiti/index.md delete mode 100644 docs/sources/VMWare/index.md delete mode 100644 docs/sources/Varonis/index.md delete mode 100644 docs/sources/Wallix/index.md delete mode 100644 docs/sources/Zscaler/index.md rename docs/sources/{CommonEventFormat/index.md => base/cef.md} (86%) rename docs/sources/{LogExtendedEventFormat/index.md => base/leef.md} (89%) rename docs/sources/{nix/index.md => base/nix.md} (77%) rename docs/sources/{Simple/index.md => base/simple.md} (94%) create mode 100644 docs/sources/vendor/AVI/index.md create mode 100644 docs/sources/vendor/Alcatel/Switch.md create mode 100644 docs/sources/vendor/Alsid/Alsid.md rename docs/sources/{ => vendor}/Arista/index.md (50%) create mode 100644 docs/sources/vendor/Aruba/ap.md create mode 100644 docs/sources/vendor/Aruba/clearpass.md rename docs/sources/{ => vendor}/Avaya/index.md (52%) rename 
docs/sources/{BeyondTrust/index.md => vendor/BeyondTrust/sra.md} (54%) create mode 100644 docs/sources/vendor/Broadcom/brightmail.md create mode 100644 docs/sources/vendor/Broadcom/dlp.md create mode 100644 docs/sources/vendor/Broadcom/ep.md create mode 100644 docs/sources/vendor/Broadcom/proxy.md create mode 100644 docs/sources/vendor/Broadcom/sslva.md create mode 100644 docs/sources/vendor/Brocade/switch.md create mode 100644 docs/sources/vendor/Buffalo/index.md create mode 100644 docs/sources/vendor/Checkpoint/firewallos.md create mode 100644 docs/sources/vendor/Checkpoint/logexporter_5424.md create mode 100644 docs/sources/vendor/Checkpoint/logexporter_legacy.md create mode 100644 docs/sources/vendor/Cisco/cisco_ace.md create mode 100644 docs/sources/vendor/Cisco/cisco_acs.md create mode 100644 docs/sources/vendor/Cisco/cisco_asa.md create mode 100644 docs/sources/vendor/Cisco/cisco_esa.md create mode 100644 docs/sources/vendor/Cisco/cisco_imc.md create mode 100644 docs/sources/vendor/Cisco/cisco_ios.md create mode 100644 docs/sources/vendor/Cisco/cisco_ise.md create mode 100644 docs/sources/vendor/Cisco/cisco_meraki.md create mode 100644 docs/sources/vendor/Cisco/cisco_tvcs.md create mode 100644 docs/sources/vendor/Cisco/cisco_ucm.md create mode 100644 docs/sources/vendor/Cisco/cisco_ucshx.md create mode 100644 docs/sources/vendor/Cisco/cisco_wsa.md create mode 100644 docs/sources/vendor/Citrix/netscaler.md rename docs/sources/{Cohesity/index.md => vendor/Cohesity/cluster.md} (54%) create mode 100644 docs/sources/vendor/CyberArk/epv.md create mode 100644 docs/sources/vendor/CyberArk/pta.md rename docs/sources/{Cylance/index.md => vendor/Cylance/protect.md} (79%) create mode 100644 docs/sources/vendor/Dell/cmc.md create mode 100644 docs/sources/vendor/Dell/emc_powerswitchn.md create mode 100644 docs/sources/vendor/Dell/idrac.md create mode 100644 docs/sources/vendor/Dell/rsa_secureid.md rename docs/sources/{F5/index.md => vendor/F5/bigip.md} (54%) create mode 
100644 docs/sources/vendor/FireEye/cms.md create mode 100644 docs/sources/vendor/FireEye/emps.md create mode 100644 docs/sources/vendor/FireEye/etp.md create mode 100644 docs/sources/vendor/FireEye/hx.md create mode 100644 docs/sources/vendor/Forcepoint/index.md create mode 100644 docs/sources/vendor/Forcepoint/webprotect.md rename docs/sources/{ => vendor}/Fortinet/FortiGate_event.png (100%) rename docs/sources/{ => vendor}/Fortinet/FortiGate_traffic.png (100%) rename docs/sources/{ => vendor}/Fortinet/FortiGate_utm.png (100%) create mode 100644 docs/sources/vendor/Fortinet/fortios.md create mode 100644 docs/sources/vendor/Fortinet/fortiweb.md create mode 100644 docs/sources/vendor/GitHub/index.md create mode 100644 docs/sources/vendor/HAProxy/syslog.md create mode 100644 docs/sources/vendor/HPe/ilo.md create mode 100644 docs/sources/vendor/HPe/jedirect.md create mode 100644 docs/sources/vendor/HPe/procurve.md create mode 100644 docs/sources/vendor/IBM/datapower.md create mode 100644 docs/sources/vendor/ISC/bind.md create mode 100644 docs/sources/vendor/ISC/dhcpd.md create mode 100644 docs/sources/vendor/Imperva/incapusla.md create mode 100644 docs/sources/vendor/Imperva/waf.md create mode 100644 docs/sources/vendor/InfoBlox/index.md create mode 100644 docs/sources/vendor/Juniper/junos.md create mode 100644 docs/sources/vendor/Juniper/netscreen.md create mode 100644 docs/sources/vendor/McAfee/epo.md create mode 100644 docs/sources/vendor/McAfee/nsp.md create mode 100644 docs/sources/vendor/McAfee/wg.md create mode 100644 docs/sources/vendor/Microfocus/arcsight.md create mode 100644 docs/sources/vendor/Microfocus/windows.md create mode 100644 docs/sources/vendor/Microsoft/index.md create mode 100644 docs/sources/vendor/Mikrotik/routeros.md create mode 100644 docs/sources/vendor/NetApp/ontap.md create mode 100644 docs/sources/vendor/Netmotion/reporting.md create mode 100644 docs/sources/vendor/Novell/netiq.md create mode 100644 docs/sources/vendor/Ossec/ossec.md 
create mode 100644 docs/sources/vendor/PaloaltoNetworks/cortexxdr.md create mode 100644 docs/sources/vendor/PaloaltoNetworks/panos.md create mode 100644 docs/sources/vendor/PaloaltoNetworks/traps.md create mode 100644 docs/sources/vendor/Pfsense/firewall.md create mode 100644 docs/sources/vendor/Polycom/rprm.md create mode 100644 docs/sources/vendor/Proofpoint/index.md create mode 100644 docs/sources/vendor/Pulse/connectsecure.md create mode 100644 docs/sources/vendor/PureStorage/array.md create mode 100644 docs/sources/vendor/Qumulo/storage.md create mode 100644 docs/sources/vendor/Radware/defensepro.md create mode 100644 docs/sources/vendor/Raritan/dsx.md rename docs/sources/{Ricoh/index.md => vendor/Ricoh/mfp.md} (56%) create mode 100644 docs/sources/vendor/Schneider/apc.md create mode 100644 docs/sources/vendor/Solace/evenbroker.md create mode 100644 docs/sources/vendor/Sophos/webappliance.md create mode 100644 docs/sources/vendor/Spectracom/index.md rename docs/sources/{Splunk/index.md => vendor/Splunk/sc4s.md} (86%) create mode 100644 docs/sources/vendor/Tanium/platform.md create mode 100644 docs/sources/vendor/Tenable/ad.md create mode 100644 docs/sources/vendor/Tenable/nnm.md rename docs/sources/{Thycotic/index.md => vendor/Thycotic/secretserver.md} (61%) create mode 100644 docs/sources/vendor/Tintri/syslog.md rename docs/sources/{Trend/index.md => vendor/Trend/deepsecurity.md} (63%) create mode 100644 docs/sources/vendor/Ubiquiti/unifi.md create mode 100644 docs/sources/vendor/VMWare/carbonblack.md create mode 100644 docs/sources/vendor/VMWare/horizonview.md create mode 100644 docs/sources/vendor/VMWare/index.md create mode 100644 docs/sources/vendor/Varonis/datadvantage.md rename docs/sources/{Vectra/index.md => vendor/Vectra/cognito.md} (51%) create mode 100644 docs/sources/vendor/Wallix/bastion.md create mode 100644 docs/sources/vendor/Zscaler/lss.md create mode 100644 docs/sources/vendor/Zscaler/nss.md create mode 100644 
docs/sources/vendor/syslog-ng/loggen.md create mode 100644 package/etc/conf.d/conflib/_splunk/netsourcefields.conf
diff --git a/docs/sources/Alcatel/index.md b/docs/sources/Alcatel/index.md
deleted file mode 100644
index 860b83f0ee..0000000000
--- a/docs/sources/Alcatel/index.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Vendor - Alcatel - - -## Product - Switches - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| alcatel:switch | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| alcatel_switch | alcatel:switch | netops | none | - -### Filter type - -MSG Parsing - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ALCATEL_SWITCH_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_ALCATEL_SWITCH_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ALCATEL_SWITCH | no | Enable archive to disk for this specific source | -| SC4S_DEST_ALCATEL_SWITCH_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=alcatel:switch | stats count by host -``` 
diff --git a/docs/sources/Alsid/index.md b/docs/sources/Alsid/index.md
deleted file mode 100644
index 7d3aa7e7f5..0000000000
--- a/docs/sources/Alsid/index.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Vendor - Alsid Replaced by Tenable AD - - -## Product - AD - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/5173/ | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| alsid:syslog | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| alsid_syslog | alsid:syslog | oswinsec | none | - -### Filter type - -MSG Parsing - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ALSID_SYSLOG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_ALSID_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ALSID_SYSLOG | no | Enable archive to disk for this specific source | -| SC4S_DEST_ALSID_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=alsid:syslog | stats count by host -```
diff --git a/docs/sources/Avi_Networks/index.md b/docs/sources/Avi_Networks/index.md
deleted file mode 100644
index b9e959650c..0000000000
--- a/docs/sources/Avi_Networks/index.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Vendor - Avi Networks - - -## Product - Switches - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | https://avinetworks.com/docs/latest/syslog-formats/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| avi:events | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| avi_vantage | avi:events | netops | none | - -### Filter type - -Must be identified by host or ip assignment. Update the filter `f_brocade_syslog` or configure a dedicated port as required - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_AVI_VANTAGE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_AVI_VANTAGE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_AVI_VANTAGE | no | Enable archive to disk for this specific source | -| SC4S_DEST_AVI_VANTAGE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=avi:events| stats count by host -```
diff --git a/docs/sources/Broadcom/index.md b/docs/sources/Broadcom/index.md
deleted file mode 100644
index f0c805816d..0000000000
--- a/docs/sources/Broadcom/index.md
+++ /dev/null
@@ -1,249 +0,0 @@ - -# Vendor - Broadcom - -Broadcom products are inclusive of products formerly marketed under Symantec and Bluecoat brands. - -## Product - SSL Visibility Appliance - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | https://knowledge.broadcom.com/external/article/168879/when-sending-session-logs-from-ssl-visib.html | - - -### Sourcetypes - -| sourcetype | notes | -|--------------------------------|---------------------------------------------------------------------------------------------------------| -| broadcom:sslva | none | - - - - -## Product - Symantec Endpoint Protection - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2772/ | -| Product Manual | https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html | - - -### Index Configuration - -| key | index | notes | -|----------------|----------------|----------------| -| broadcom_sslva | netproxy | none | - - -### Filter type - -MSG Parse: This filter parses message content - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SYMANTEC_EP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_SYMANTEC_EP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_SYMANTEC_EP | no | Enable archive to disk for this specific source | -| SC4S_DEST_SYMANTEC_EP_HEC | no 
| When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active server will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=symantec:ep:*:syslog | stats count by host -``` -### Sourcetypes - -| sourcetype | notes | -|--------------------------------|---------------------------------------------------------------------------------------------------------| -| symantec:ep:syslog | Warning the syslog method of accepting EP logs has been reported to show high data loss and is not Supported by Splunk | -| symantec:ep:admin:syslog | none | -| symantec:ep:agent:syslog | none | -| symantec:ep:agt:system:syslog | none | -| symantec:ep:behavior:syslog | none | -| symantec:ep:packet:syslog | none | -| symantec:ep:policy:syslog | none | -| symantec:ep:proactive:syslog | none | -| symantec:ep:risk:syslog | none | -| symantec:ep:scan:syslog | none | -| symantec:ep:scm:system:syslog | none | -| symantec:ep:security:syslog | none | -| symantec:ep:traffic:syslog | none | - -### Index Configuration - -| key | index | notes | -|----------------|----------------|----------------| -| symantec_ep | epav | none | - - -### Filter type - -MSG Parse: This filter parses message content - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SYMANTEC_EP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_SYMANTEC_EP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_SYMANTEC_EP | no | Enable archive to disk for this specific source | -| SC4S_DEST_SYMANTEC_EP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active server will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype=symantec:ep:*:syslog | stats count by host -``` - -## Product - ProxySG/ASG (Bluecoat) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ | -| Product Manual | https://support.symantec.com/us/en/article.tech242216.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| bluecoat:proxysg:access:kv | Requires version TA 3.6 | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| bluecoat_proxy | bluecoat:proxysg:access:kv | netproxy | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized as follows - -``` -<111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) $(s-computername) bluecoat - splunk_format - c-ip=$(c-ip) rs-Content-Type=$(quot)$(rs(Content-Type))$(quot) cs-auth-groups=$(cs-auth-groups) cs-bytes=$(cs-bytes) cs-categories=$(cs-categories) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-port=$(cs-uri-port) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent))$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) rs-version=$(rs-version) s-action=$(s-action) s-ip=$(s-ip) service.name=$(service.name) service.group=$(service.group) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer))$(quot) c-cpu=$(c-cpu) connect-time=$(connect-time) cs-auth-groups=$(cs-auth-groups) cs-headerlength=$(cs-headerlength) cs-threat-risk=$(cs-threat-risk) r-ip=$(r-ip) r-supplier-ip=$(r-supplier-ip) rs-time-taken=$(rs-time-taken) rs-server=$(rs(server)) s-connect-type=$(s-connect-type) s-icap-status=$(s-icap-status) s-sitename=$(s-sitename) s-source-port=$(s-source-port) s-supplier-country=$(s-supplier-country) sc-Content-Encoding=$(sc(Content-Encoding)) sr-Accept-Encoding=$(sr(Accept-Encoding)) x-auth-credential-type=$(x-auth-credential-type) x-cookie-date=$(x-cookie-date) x-cs-certificate-subject=$(x-cs-certificate-subject) x-cs-connection-negotiated-cipher=$(x-cs-connection-negotiated-cipher) x-cs-connection-negotiated-cipher-size=$(x-cs-connection-negotiated-cipher-size) 
x-cs-connection-negotiated-ssl-version=$(x-cs-connection-negotiated-ssl-version) x-cs-ocsp-error=$(x-cs-ocsp-error) x-cs-Referer-uri=$(x-cs(Referer)-uri) x-cs-Referer-uri-address=$(x-cs(Referer)-uri-address) x-cs-Referer-uri-extension=$(x-cs(Referer)-uri-extension) x-cs-Referer-uri-host=$(x-cs(Referer)-uri-host) x-cs-Referer-uri-hostname=$(x-cs(Referer)-uri-hostname) x-cs-Referer-uri-path=$(x-cs(Referer)-uri-path) x-cs-Referer-uri-pathquery=$(x-cs(Referer)-uri-pathquery) x-cs-Referer-uri-port=$(x-cs(Referer)-uri-port) x-cs-Referer-uri-query=$(x-cs(Referer)-uri-query) x-cs-Referer-uri-scheme=$(x-cs(Referer)-uri-scheme) x-cs-Referer-uri-stem=$(x-cs(Referer)-uri-stem) x-exception-category=$(x-exception-category) x-exception-category-review-message=$(x-exception-category-review-message) x-exception-company-name=$(x-exception-company-name) x-exception-contact=$(x-exception-contact) x-exception-details=$(x-exception-details) x-exception-header=$(x-exception-header) x-exception-help=$(x-exception-help) x-exception-last-error=$(x-exception-last-error) x-exception-reason=$(x-exception-reason) x-exception-sourcefile=$(x-exception-sourcefile) x-exception-sourceline=$(x-exception-sourceline) x-exception-summary=$(x-exception-summary) x-icap-error-code=$(x-icap-error-code) x-rs-certificate-hostname=$(x-rs-certificate-hostname) x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category) x-rs-certificate-observed-errors=$(x-rs-certificate-observed-errors) x-rs-certificate-subject=$(x-rs-certificate-subject) x-rs-certificate-validate-status=$(x-rs-certificate-validate-status) x-rs-connection-negotiated-cipher=$(x-rs-connection-negotiated-cipher) x-rs-connection-negotiated-cipher-size=$(x-rs-connection-negotiated-cipher-size) x-rs-connection-negotiated-ssl-version=$(x-rs-connection-negotiated-ssl-version) x-rs-ocsp-error=$(x-rs-ocsp-error) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-query=$(quot)$(cs-uri-query)$(quot) 
c-uri-pathquery=$(c-uri-pathquery)
-```
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_SYMANTEC_PROXY | no | Enable archive to disk for this specific source |
-| SC4S_DEST_SYMANTEC_PROXY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-An active proxy will generate frequent events. Use the following search to validate events are present per source device
-
-```
-index= sourcetype=bluecoat:proxysg:access:kv | stats count by host
-```
-
-## Product - Mail Gateway (Brightmail)
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | TBD |
-| Product Manual | https://support.symantec.com/us/en/article.howto38250.html |
-
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| symantec:smg | Requires version TA 3.6 |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| symantec_brightmail | symantec:smg | email | none |
-
-
-### Filter type
-
-MSG Parse: This filter parses message content
-
-### Setup and Configuration
-
-* No TA available
-* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
- * Select TCP or SSL transport option
- * Ensure the format of the event is customized per Splunk documentation
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL | no | Enable archive to disk for this specific source |
-| SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-| SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG | yes | Email processing events generated by the bmserver process will be grouped by host+program+pid+msg ID into a single event |
-### Verification
-
-An active mail server will generate frequent events. 
Use the following search to validate events are present per source device
-
-```
-index= sourcetype=symantec:smg | stats count by host
-```
-
-## Product - Data Loss Prevention
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on Symatec DLP | https://splunkbase.splunk.com/app/3029/ |
-| Add-on Manual | http://docs.splunk.com/Documentation/AddOns/latest/SymantecDLP/About |
-
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------------|---------------------------------------------------------------------------------------------------------|
-| symantec:dlp:syslog | None |
-
-### Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| symantec_dlp | symantec:dlp:syslog | netauth | none |
-
-### Filter type
-
-MSG Parse: This filter parses message content
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_SYMANTEC_DLP_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_SYMANTEC_DLP_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_SYMANTEC_DLP | no | Enable archive to disk for this specific source |
-| SC4S_DEST_SYMANTEC_DLP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-An active mail server will generate frequent events. Use the following search to validate events are present per source device
-
-```
-index= sourcetype=symantec:dlp:syslog | stats count by host
-```
diff --git a/docs/sources/Brocade/index.md b/docs/sources/Brocade/index.md
deleted file mode 100644
index a9ef70d354..0000000000
--- a/docs/sources/Brocade/index.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Vendor - Brocade
-
-
-## Product - Switches
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | None |
-| Product Manual | unknown |
-
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| brocade:syslog | None |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| brocade_syslog | brocade:syslog | netops | none |
-
-### Filter type
-
-Must be identified by host or ip assignment. Update the filter `f_brocade_syslog` or configure a dedicated port as required
-
-### Setup and Configuration
-
-Device setup unknown
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_BROCADE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_BROCADE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_BROCADE | no | Enable archive to disk for this specific source |
-| SC4S_DEST_BROCADE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-An active device will generate frequent events. Use the following search to validate events are present per source device
-
-```
-index= sourcetype=brocade:syslog| stats count by host
-```
diff --git a/docs/sources/Buffalo/index.md b/docs/sources/Buffalo/index.md
deleted file mode 100644
index 67894afef7..0000000000
--- a/docs/sources/Buffalo/index.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Vendor - Buffalo
-
-
-## Product - Terastation
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | None |
-| Product Manual | unknown |
-
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| buffalo:terastation | None |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| buffalo_terastation | buffalo:terastation | infraops | none |
-
-### Filter type
-
-Vendor product by source
-
-### Setup and Configuration
-
-Device setup unknown
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_BUFFALO_TERASTATION_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_BUFFALO_TERASTATION_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_BUFFALO_TERASTATION | no | Enable archive to disk for this specific source |
-| SC4S_DEST_BUFFALO_TERASTATION_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-An active device will generate frequent events. Use the following search to validate events are present per source device
-
-```
-index= sourcetype=buffalo:terastation | stats count by host
-```
diff --git a/docs/sources/Checkpoint/index.md b/docs/sources/Checkpoint/index.md
deleted file mode 100644
index 92619579a2..0000000000
--- a/docs/sources/Checkpoint/index.md
+++ /dev/null
@@ -1,217 +0,0 @@
-# Vendor - Checkpoint
-## Product - Log Exporter (Splunk)
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | https://splunkbase.splunk.com/app/4293/ |
-| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm |
-
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cp_log | None |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| checkpoint_splunk | cp_log | netops | none |
-
-### Source and Index Configuration
-
-Checkpoint Software blades with CIM mapping have been sub-grouped into sources
-to allow routing to appropriate indexes. All other source meta data is left at default
-
-| key | source | index | notes |
-|----------------|----------------|----------------|----------------|
-| checkpoint_splunk_dlp | dlp | netdlp | none |
-| checkpoint_splunk_email | email | email | none |
-| checkpoint_splunk_firewall | firewall | netfw | none |
-| checkpoint_splunk_os | program:${program} | netops | none |
-| checkpoint_splunk_sessions | sessions | netops | none |
-| checkpoint_splunk_web | web | netproxy | none |
-| checkpoint_splunk_audit | audit | netops | none |
-| checkpoint_splunk_endpoint | endpoint | netops | none |
-| checkpoint_splunk_network | network | netops |
-| checkpoint_splunk_ids | ids | netids |
-| checkpoint_splunk_ids_malware | ids_malware | netids |
-
-
-### Filter type
-
-MSG Parse: This filter parses message content
-
-The Splunk `host` field will be derived as follows using the first match
-
-* Use the hostname field
-* Use the first CN component of origin_sic_name/originsicname
-* If host is not set from CN use the `hostname` field
-* If host is not set use the 
BSD syslog header host
-
-If the host is in the format `-v_` use `bladename` for host
-
-
-### Setup and Configuration
-
-* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
-* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
-* Follow vendor configuration steps per Product Manual above
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CHECKPOINT_SPLUNK_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined |
-| SC4S_LISTEN_CHECKPOINT_SPLUNK_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined |
-| SC4S_ARCHIVE_CHECKPOINT_SPLUNK | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CHECKPOINT_SPLUNK_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-| SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL | no | Suppress any duplicate product+loguid pairs processed within 2 seconds of the last matching event |
-| SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES | empty string | when set to `yes` reverts host name selection order to originsicname-->origin_sic_name-->hostname |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index= sourcetype=cp_log
-```
-
-Verify timestamp, and host values match as expected
-
-## Product - Log Exporter (Syslog)
-
-* This is an alpha release not for production use.
-* The syslog format from the log_exporter is the recommended format to collect checkpoint logs as it is more performant and efficient than its other default formats. 
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | |
-| Product Manual | https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm |
-
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cp_log:syslog | None |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| checkpoint_splunk | cp_log:syslog | netops | none |
-
-### Source and Index Configuration
-
-Checkpoint Software blades with CIM mapping have been sub-grouped into sources
-to allow routing to appropriate indexes. All other source meta data is left at default
-
-| key | source | index | notes |
-|----------------|----------------|----------------|----------------|
-| checkpoint_splunk_dlp | dlp | netdlp | none |
-| checkpoint_splunk_email | email | email | none |
-| checkpoint_splunk_firewall | firewall | netfw | none |
-| checkpoint_splunk_sessions | sessions | netops | none |
-| checkpoint_splunk_web | web | netproxy | none |
-| checkpoint_splunk_audit | audit | netops | none |
-| checkpoint_splunk_endpoint | endpoint | netops | none |
-| checkpoint_splunk_network | network | netops |
-| checkpoint_splunk_ids | ids | netids |
-| checkpoint_splunk_ids_malware | ids_malware | netids |
-
-### Filter type
-
-MSG Parse: This filter parses message content
-
-### Setup and Configuration
-
-* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
-* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* To configure the valid syslog format in Checkpoint, follow the steps below
-* Go to the cp terminal
-* Enter expert command for login in expert mode
-* Enter cd $EXPORTERDIR
-* Then navigate to conf directory
-* Execute cp SyslogFormatDefination.xml SplunkRecommendedFormatDefinition.xml
-* Open SplunkRecommendedFormatDefinition.xml in edit mode and modify the start_message_body,fields_seperatator,field_value_seperatator as shown below.
-```
-[sc4s@2620
-```
-```
-
-```
-```
-=
-```
-* Copy SplunkRecommendedFormatDefinition.xml into $EXPORTERDIR/targets//conf
-* Navigate to the configuration file $EXPORTERDIR/targets//conf/targetConfigurationSample.xml and open it in edit mode.
-* Add the reference to the SplunkRecommendedFormatDefinition.xml under the key . For example, if $EXPORTERDIR=/opt/CPrt-R81/log_exporter, the absolute path will become:
-```
-/opt/CPrt-R81/log_exporter/targets//conf/SplunkRecommendedFormatDefinition.xml
-```
-* Restart cp_log_exporter by executing the command cp_log_export restart name
-
-* Warning: Make sure if you migrating to different format, the earlier format is disabled or else it would lead to data duplication. 
-
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CHECKPOINT_SYSLOG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined |
-| SC4S_LISTEN_CHECKPOINT_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined |
-| SC4S_ARCHIVE_CHECKPOINT_SYSLOG | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CHECKPOINT_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index= sourcetype=cp_log:syslog
-```
-
-Verify timestamp, and host values match as expected
-
-## Product - Firewall OS
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | na |
-| Product Manual | unknown |
-
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cp_log:fw:syslog | None |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| checkpoint_fw | cp_log:fw:syslog | netops | none |
-
-
-### Filter type
-
-Custom port or vendor_product_by_source configuration required
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CHECKPOINT_FW_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined |
-| SC4S_LISTEN_CHECKPOINT_FW_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined |
-| SC4S_ARCHIVE_CHECKPOINT_FW | no | Enable archive to disk for this specific source |
-| 
SC4S_DEST_CHECKPOINT_FW_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index= sourcetype=cp_log:fw:syslog
\ No newline at end of file
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
deleted file mode 100644
index d4c86bfddb..0000000000
--- a/docs/sources/Cisco/index.md
+++ /dev/null
@@ -1,683 +0,0 @@
-# Vendor - Cisco
-
-## Product - Application Control Engine (ACE)
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | None |
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:ace | This source type is also used for ACE |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| cisco_ace | cisco:ace | netops | none |
-
-### Filter type
-
-* Cisco ACE products can be identified by message parsing alone
-
-### Setup and Configuration
-
-Unknown this product is unsupported by Cisco
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CISCO_ACE_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_CISCO_ACE_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_CISCO_ACE | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CISCO_ACE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index= sourcetype=cisco:ace | stats count by host
-```
-
-## Product - Cisco Access Control System (ACS)
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | |
-| Product Manual | |
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| 
cisco:acs | Aggregation used |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| cisco_acs | cisco:acs | netauth | None |
-
-### Filter type
-
-PATTERN MATCH
-
-### Setup and Configuration
-
-* Replace the following extract using Splunk local configuration. Impacts version 1.5.0 of the addond
-
-```
-EXTRACT-AA-signature = CSCOacs_(?\S+):?
-# Note the value of this config is empty to disable
-EXTRACT-AA-syslog_message =
-EXTRACT-acs_message_header2 = ^CSCOacs_\S+\s+(?\S+)\s+(?\d+)\s+(?\d+)\s+(?.*)
-```
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CISCO_ACS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_CISCO_ACS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_CISCO_ACS | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CISCO_ACS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index= sourcetype=cisco:acs
-```
-
-Verify timestamp, and host values match as expected
-
-## Product - ASA AND FTD (Firepower)
-
-Including Legacy FWSM and PIX
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on for ASA (No long supports FWSM and PIX) | |
-| Cisco eStreamer for Splunk | |
-| Product Manual | |
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:asa | cisco FTD Firepower will also use this source type except those noted below |
-| 
cisco:ftd | cisco FTD Firepower will also use this source type except those noted below |
-| cisco:fwsm | Splunk has |
-| cisco:pix | cisco PIX will also use this source type except those noted below |
-| cisco:firepower:syslog | FTD Unified events see |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| cisco_asa | cisco:asa | netfw | none |
-| cisco_fwsm | cisco:fwsm | netfw | none |
-| cisco_pix | cisco:pix | netfw | none |
-| cisco_firepower | cisco:firepower:syslog | netids | none |
-| cisco_ftd | cisco:ftd | netfw | none |
-
-### Filter type
-
-MSG Parse: This filter parses message content
-
-### Setup and Configuration
-
-* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
-* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per Product Manual above ensure:
- * Log Level is 6 "Informational"
- * Protocol is TCP/IP
- * permit-hostdown is on
- * device-id is hostname and included
- * timestamp is included
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CISCO_ASA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_CISCO_ASA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_CISCO_ASA | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CISCO_ASA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index= sourcetype=cisco:asa
-```
-
-Verify timestamp, and host values match as expected
-
-## Product - Cisco Email Security Appliance (ESA)
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | |
-| Product Manual | |
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:esa:http | The HTTP logs of Cisco IronPort ESA record information about the secure HTTP services enabled on the interface. |
-| cisco:esa:textmail | Text mail logs of Cisco IronPort ESA record email information and status. |
-| cisco:esa:amp | Advanced Malware Protection (AMP) of Cisco IronPort ESA records malware detection and blocking, continuous analysis, and retrospective alerting details. |
-| cisco:esa:authentication | These logs record successful user logins and unsuccessful login attempts. 
|
-| cisco:esa:cef | The Consolidated Event Logs summarizes each message event in a single log line. |
-| cisco:esa:error_logs | Error logs of Cisco IronPort ESA records error that occured for ESA configurations or internal issues. |
-| cisco:esa:content_scanner | Content scanner logs of Cisco IronPort ESA scans messages that contain password-protected attachments for
-malicious activity and data privacy. |
-| cisco:esa:antispam | Anti-spam logs record the status of the anti-spam scanning feature of your system, including the status on receiving updates of the latest anti-spam rules. Also, any logs related to the Context Adaptive Scanning Engine are logged here. |
-| cisco:esa:system_logs | System logs record the boot information, virtual appliance license expiration alerts, DNS status information, and comments users typed using commit command. |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| cisco_esa | cisco:esa:http | email | None |
-| cisco_esa | cisco:esa:textmail | email | None |
-| cisco_esa | cisco:esa:amp | email | None |
-| cisco_esa | cisco:esa:authentication | email | None |
-| cisco_esa | cisco:esa:cef | email | None |
-| cisco_esa | cisco:esa:error_logs | email | None |
-| cisco_esa | cisco:esa:content_scanner | email | None |
-| cisco_esa | cisco:esa:antispam | email | None |
-| cisco_esa | cisco:esa:system_logs | email | None |
-
-### Filter type
-
-IP, Netmask or Host
-
-### Setup and Configuration
-
-* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
-* ESA Follow vendor configuration steps per Product Manual.
-* Ensure host and timestamp are included.
-* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf`` update the host or ip mask for ``f_cisco_esa`` to identiy the esa events. 
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CISCO_ESA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_CISCO_ESA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_CISCO_ESA | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CISCO_ESA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index=email sourcetype=cisco:esa:*
-```
-
-Verify timestamp, and host values match as expected
-
-## Product - Cisco Integrated Management Controller (IMC)
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | na |
-| Product Manual | multiple |
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:ucm | None |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| cisco_cimc | cisco:infraops | infraops | None |
-
-### Filter type
-
-PATTERN MATCH
-
-### Setup and Configuration
-
-* Refer to Cisco support web site
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CISCO_CIMC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_CISCO_CIMC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_CISCO_CIMC | no | Enable 
archive to disk for this specific source |
-| SC4S_DEST_CISCO_CIMC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index= sourcetype=cisco:cimc
-```
-
-Verify timestamp, and host values match as expected
-
-## Product - Cisco Networking (IOS and flavors)
-
-Cisco Network Products of multiple types share common logging characteristics the following types are known to be compatible:
-
-* Cisco AireOS (AP & WLC)
-* Cisco APIC/ACI
-* Cisco IOS
-* Cisco IOS-XR
-* Cisco IOS-XE
-* Cisco NX-OS
-* Cisco FX-OS
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | |
-| IOS Manual | |
-| NX-OS Manual | |
-| Cisco ACI | |
-| Cisco WLC & AP | |
-
-### Sourcetypes
-
-| sourcetype | notes |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines |
-
-### Sourcetype and Index Configuration
-
-| key | sourcetype | index | notes |
-|----------------|----------------|----------------|----------------|
-| cisco_ios | cisco:ios | netops | none |
-
-### Filter type
-
-* Cisco IOS products can be identified by message parsing alone
-* Cisco WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_ios` as required
-
-### Setup and Configuration
-
-* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
-* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* IOS Follow vendor configuration steps per Product Manual above ensure:
- * Ensure a reliable NTP server is set and synced
- * Log Level is 6 "Informational"
- * Protocol is TCP/IP
- * permit-hostdown is on
- * device-id is hostname and included
- * timestamp is included
-* NX-OS Follow vendor configuration steps per Product Manual above ensure:
- * Ensure a reliable NTP server is set and synced
- * Log Level is 6 "Informational" user may select alternate levels by module based on use cases
- * Protocol is TCP/IP
- * device-id is hostname and included
- * timestamp is included and milisecond accuracy selected
-* ACI Logging configuration of the ACI product often varies by use case.
- * Ensure NTP sync is configured and active
- * Ensure proper host names are configured
-* WLC
- * Ensure NTP sync is configured and active
- * Ensure proper host names are configured
- * For security use cases per AP logging is required
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_CISCO_IOS_UDP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_CISCO_IOS | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CISCO_IOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present, for NX-OS, WLC and ACI products ensure each host filter condition is verified
-
-```
-index= sourcetype=cisco:ios | stats count by host
-```
-
-## Product - Cisco Identity Services Engine (ISE)
-
-| Ref | Link |
-|----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | |
-| Product Manual | |
- 
-### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ise:syslog | Aggregation used | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ise | cisco:ise:syslog | netauth | None | - -### Filter type - -PATTERN MATCH - -### Setup and Configuration - -* No special steps required - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_ISE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | -| SC4S_LISTEN_CISCO_ISE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | -| SC4S_ARCHIVE_CISCO_ISE | no | Enable archive to disk for this specific source | -| SC4S_DEST_CISCO_ISE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:ise:syslog -``` - -Verify timestamp, and host values match as expected - -## Product - Meraki Product Line (MR, MS, MX, MV) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | | -| Product Manual | | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| meraki | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_meraki | meraki | netfw | The current TA does not sub 
sourcetype or utilize source preventing segmenation into more appropriate indexes | - -### Filter type - -IP, Netmask, Host or Port - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Follow vendor configuration steps per Product Manual above - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_MERAKI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | -| SC4S_LISTEN_CISCO_MERAKI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers expecting RFC5424 format | -| SC4S_ARCHIVE_CISCO_MERAKI | no | Enable archive to disk for this specific source | -| SC4S_DEST_CISCO_MERAKI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=merkai -``` - -Verify timestamp, and host values match as expected - -## Product - Cisco TelePresence Video Communication Server (TVCS) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Product Manual | | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:vcs | none | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_tvcs | cisco:tvcs | main | none | - -### Filter 
type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -Source side unknown -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_TVCS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CISCO_TVCS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CISCO_TVCS | no | Enable archive to disk for this specific source | -| SC4S_DEST_CISCO_TVCS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_LISTEN_CISCO_TVCS_LEGACY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers expecting RFC3164 format | -| SC4S_LISTEN_CISCO_TVCS_LEGACY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers expecting RFC3164 format | -| SC4S_ARCHIVE_CISCO_TVCS_LEGACY | no | Enable archive to disk for this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:tvcs -``` - -Verify timestamp, and host values match as expected - -## Product - Cisco Unified Communications Manager (UCM) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | na | -| Product Manual | multiple | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ucm | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ucm | cisco:ucm | ucm | None | - -### Filter type - 
-PATTERN MATCH - -### Setup and Configuration - -* Refer to Cisco support web site - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_UCM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CISCO_UCM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CISCO_UCM | no | Enable archive to disk for this specific source | -| SC4S_DEST_CISCO_UCM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:ucm -``` - -Verify timestamp, and host values match as expected - -## Product - Cisco Unified Computing System (UCS) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | na | -| Product Manual | multiple | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ucs | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ucs | cisco:ucs | infraops | None | - -### Filter type - -PATTERN MATCH - -### Setup and Configuration - -* Refer to Cisco support web site - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_UCS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CISCO_UCS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list 
of port numbers | -| SC4S_ARCHIVE_CISCO_UCS | no | Enable archive to disk for this specific source | -| SC4S_DEST_CISCO_UCS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:ucs -``` - -Verify timestamp, and host values match as expected - -## Product - Cisco UCS Hyperflex - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | na | -| Product Manual | multiple | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cisco:ucs:hx | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_ucs_hx | cisco:ucs:hx | infraops | None | - -### Filter type - -PATTERN MATCH - -### Setup and Configuration - -* Refer to Cisco support web site - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_UCS_HX_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CISCO_UCS_HX_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CISCO_UCS_HX | no | Enable archive to disk for this specific source | -| SC4S_DEST_CISCO_UCS_HX_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cisco:ucs:hx -``` - -Verify timestamp, and host values match as expected - -## Product - Cisco Web Security Appliance (WSA) - -| Ref | Link | 
-|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | | -| Product Manual | | - -* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf`` update the host or ip mask for ``f_cisco_wsa`` to identiy the wsa squid events prior to WSA v11.7 and ``f_cisco_wsa11-7`` to identify the squid events since WSA v11.7. Update the host or ip mask for ``f_cisco_wsa_w3crecommended`` to identify the wsa w3c events since WSA v12.5. - -### Sourcetypes - -| cisco:wsa:l4tm | The L4TM logs of Cisco IronPort WSA record sites added to the L4TM block and allow lists. | -| cisco:wsa:squid | The access logs of Cisco IronPort WSA version prior to 11.7 record Web Proxy client history in squid. | -| cisco:wsa:squid:new | The access logs of Cisco IronPort WSA version since 11.7 record Web Proxy client history in squid. | -| cisco:wsa:w3c:recommended | The access logs of Cisco IronPort WSA version since 12.5 record Web Proxy client history in W3C. | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cisco_wsa | cisco:wsa:l4tm | netproxy | None | -| cisco_wsa | cisco:wsa:squid | netproxy | None | -| cisco_wsa | cisco:wsa:squid:new | netproxy | None | -| cisco_wsa | cisco:wsa:w3c:recommended | netproxy | None | - -### Filter type - -IP, Netmask or Host - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* WSA Follow vendor configuration steps per Product Manual. -* Ensure host and timestamp are included. 
- -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CISCO_WSA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CISCO_WSA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CISCO_WSA | no | Enable archive to disk for this specific source | -| SC4S_DEST_CISCO_WSA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index=netops sourcetype=cisco:wsa:* -``` - -Verify timestamp, and host values match as expected diff --git a/docs/sources/Citrix/index.md b/docs/sources/Citrix/index.md deleted file mode 100644 index 8e45ea590b..0000000000 --- a/docs/sources/Citrix/index.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# Vendor - Citrix - -## Product - Netscaler ADC/SDX - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2770/ | -| Product Manual | https://docs.citrix.com/en-us/citrix-adc/12-1/system/audit-logging/configuring-audit-logging.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| citrix:netscaler:syslog | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| citrix_netscaler | citrix:netscaler:syslog | netfw | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Follow vendor configuration steps per Product Manual above. 
Ensure the data format selected is "DDMMYYYY" - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CITRIX_NETSCALER_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the port number defined | -| SC4S_LISTEN_CITRIX_NETSCALER_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the port number defined | -| SC4S_DEST_CITRIX_NETSCALER_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=cp_log -``` - -Verify timestamp, and host values match as expected diff --git a/docs/sources/CyberArk/index.md b/docs/sources/CyberArk/index.md deleted file mode 100644 index dfe0bf07f0..0000000000 --- a/docs/sources/CyberArk/index.md +++ /dev/null 
@@ -1,89 +0,0 @@ -# Vendor - CyberArk - -## Product - EPV - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CyberArk | https://splunkbase.splunk.com/app/2891/ | -| Add-on Manual | https://docs.splunk.com/Documentation/AddOns/latest/CyberArk/About | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cyberark:epv:cef | None | - -### Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| CyberArk_Vault | cyberark:epv:cef | netauth | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. 
- -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef sourcetype="cyberark:epv:cef") -``` - -## Product - PTA - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CyberArk | https://splunkbase.splunk.com/app/2891/ | -| Add-on Manual | https://docs.splunk.com/Documentation/AddOns/latest/CyberArk/About | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cyberark:pta:cef | None | - -### Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| Cyber-Ark_Vault | cyberark:pta:cef | main | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef sourcetype="cyberark:pta:cef") -``` diff --git a/docs/sources/Dell/index.md b/docs/sources/Dell/index.md deleted file mode 100644 index 24f7ff36de..0000000000 --- a/docs/sources/Dell/index.md +++ /dev/null 
@@ -1,87 +0,0 @@ -# Vendor - Dell - -## Product - iDrac - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | na | -| Add-on Manual | https://www.dell.com/support/manuals/en-au/dell-opnmang-sw-v8.1/eemi_13g_v1.2-v1/introduction?guid=guid-8f22a1a9-ac01-43d1-a9d2-390ca6708d5e&lang=en-us | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| dell:poweredge:idrac:syslog | None | - -### Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| dell_poweredge_idrac | dell:poweredge:idrac:syslog | infraops | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_DELL_POWEREDGE_IDRAC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_DELL_POWEREDGE_IDRAC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=dell:poweredge:idrac:syslog sourcetype="UDP") -``` - - -## Product - CMC (VRTX) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | na | -| Add-on Manual | https://www.dell.com/support/manuals/en-us/dell-chassis-management-controller-v3.10-dell-poweredge-vrtx/cmcvrtx31ug/overview?guid=guid-84595265-d37c-4765-8890-90f629737b17 | - - -### Sourcetypes - -| sourcetype | 
notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| dell:poweredge:cmc:syslog | None | - -### Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| dell_poweredge_cmc | dell:poweredge:cmc:syslog | infraops | none | - -### Filter type - -host or port -Note: CMC devices will also forward idrac events which will be matched using the MSG parser above. - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_DELL_POWEREDGE_CMC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_DELL_POWEREDGE_CMC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=dell:poweredge:cmc:syslog sourcetype="UDP") -``` diff --git a/docs/sources/Dell_EMC/index.md b/docs/sources/Dell_EMC/index.md deleted file mode 100644 index 1a87367d31..0000000000 --- a/docs/sources/Dell_EMC/index.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# Vendor - Dell EMC - - -## Product - Powerswitch N Series - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| dell:emc:powerswitch:n | None | -| nix:syslog | Non conforming messages | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| dellemc_powerswitch_n | all | netops | none | - -### Filter type - -Message Format - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_DELLEMC_POWERSWITCH_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_DELLEMC_POWERSWITCH_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_DELLEMC_POWERSWITCH | no | Enable archive to disk for this specific source | -| SC4S_DEST_DELLEMC_POWERSWITCH_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype=dell:emc:powerswitch:n | stats count by host -``` diff --git a/docs/sources/Dell_RSA/index.md b/docs/sources/Dell_RSA/index.md deleted file mode 100644 index e89e1fbc09..0000000000 --- a/docs/sources/Dell_RSA/index.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# Vendor - Dell RSA - - -## Product - SecureID - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2958/ | -| Product Manual | http://docs.splunk.com/Documentation/AddOns/latest/RSASecurID/About | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| rsa:securid:syslog | Catchall; used if a more specific source type can not be identified | -| rsa:securid:admin:syslog | None | -| rsa:securid:runtime:syslog | None | rsa:securid:system:syslog | None | -| nix:syslog | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| dell_rsa_secureid | all | netauth | none | -| dell_rsa_secureid | nix:syslog | osnix | uses os_nix key of not configured bye host/ip/port | - -### Filter type - -Must be identified by host or ip assignment. Update the filter `f_dell_rsa_secureid` or configure a dedicated port as required - -NOTE: Java trace and exception will default to sc4s:fallback if the host/ip filter or port is not configured - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the admin manual for specific details of configuration - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_DELL_RSA_SECUREID_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_DELL_RSA_SECUREID_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_DELL_RSA_SECUREID | no | Enable archive to disk for this specific source | -| SC4S_DEST_DELL_RSA_SECUREID_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=DELL_RSA_SECUREID:*| stats count by host -``` diff --git a/docs/sources/FireEye/index.md b/docs/sources/FireEye/index.md deleted file mode 100644 index a275dfd667..0000000000 --- a/docs/sources/FireEye/index.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Vendor - FireEye - -## Product - CMS,eMPS, hx, etp - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Technology Add-On for FireEye | https://splunkbase.splunk.com/app/1904/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| fe_cef_syslog || -| hx_cef_syslog || -| fe_etp | source does not provide host name constant "etp.fireeye.com" is use regardless of region | - -### Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| FireEye_CMS |fe_cef_syslog |fireeye| -| FireEye_ETP | fe_etp | fireeye | -| FireEye_eMPS |fe_cef_syslog |fireeye| -| fireeye_hx |hx_cef_syslog |fireeye| - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. 
- -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype="fe_cef_syslog") -``` diff --git a/docs/sources/Forcepoint/index.md b/docs/sources/Forcepoint/index.md deleted file mode 100644 index 4551ad2237..0000000000 --- a/docs/sources/Forcepoint/index.md +++ /dev/null 
@@ -1,103 +0,0 @@ -# Vendor - Forcepoint - -## Product - Email Security - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | none | -| Product Manual | none | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| forcepoint:email:kv | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| forcepoint_email | forcepoint:email:kv | email | none | -| - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. 
- - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORCEPOINT_EMAIL_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_FORCEPOINT_EMAIL_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_FORCEPOINT_EMAIL| no | Enable archive to disk for this specific source | -| SC4S_DEST_FORCEPOINT_EMAIL_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command - - -``` -index= sourcetype=forcepoint:email:kv -``` - -## Product - Webprotect (Websense) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ | -| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| websense:cg:kv | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| forcepoint_webprotect | websense:cg:kv | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT | no | Enable archive to disk for this specific source | -| SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command - - -``` -index= sourcetype=websense:cg:kv -``` - diff --git a/docs/sources/Fortinet/index.md b/docs/sources/Fortinet/index.md deleted file mode 100644 index 245a5f5ca5..0000000000 --- a/docs/sources/Fortinet/index.md +++ /dev/null 
@@ -1,212 +0,0 @@ -# Vendor - Fortinet - -Fortinet uses incorrect descriptions for syslog destinations in their documentation (conflicting with RFC standard definitions). -When configuring a fortigate fortios device for TCP syslog, port 601 or an RFC6587 custom port must be used. -UDP syslog should use the default port of 514. - -WARNING: Legacy Reliable (RFC3195) is not supported; this protocol is obsolete. - -## Product - Fortigate - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2846/ | -| Product Manual | https://docs.fortinet.com/product/fortigate/6.2 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| fgt_log | Catch-all sourcetype; not used by the TA | -| fgt_traffic | None | -| fgt_utm | None | -| fgt_event | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| fortinet_fortios_traffic | fgt_traffic | netfw | none | -| fortinet_fortios_utm | fgt_utm | netfw | none | -| fortinet_fortios_event | fgt_event | netops | none | -| fortinet_fortios_log | fgt_log | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. 
- -``` -config log memory filter - -set forward-traffic enable - -set local-traffic enable - -set sniffer-traffic disable - -set anomaly enable - -set voip disable - -set multicast-traffic enable - -set dns enable - -end - -config system global - -set cli-audit-log enable - -end - -config log setting - -set neighbor-event enable - -end - -``` - -### Options - -* NOTE: Remember to set the variable(s) below only _once_, regardless of how many unique ports and/or Fortinet device types -are in use. See the introductory note above for more details. - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORTINET_RFC6587_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_FORTINET_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_FORTINET | no | Enable archive to disk for this specific source | -| SC4S_DEST_FORTINET_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX | fgt | Notice starting with version 1.6 of the fortinet add-on and app the sourcetype required changes from `fgt_*` to `fortinet_*` this is a breaking change to use the new sourcetype set this variable to `fortigate` in the env_file | - - -### Verification - -An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command - -``` -diag log test -``` - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=fgt_log OR sourcetype=fgt_traffic OR sourcetype=fgt_utm) -``` - -### UTM Message type - -![FortiGate UTM message](FortiGate_utm.png) - -### Traffic Message Type - -![FortiGate Traffic message](FortiGate_traffic.png) - -###Event Message Type -![FortiGate Event message](FortiGate_event.png) - -Verify 
timestamp, and host values match as expected - -## Product - FortiWeb - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4679/ | -| Product Manual | https://docs.fortinet.com/product/fortiweb/6.3 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| fgt_log | Catch-all sourcetype; not used by the TA | -| fwb_traffic | None | -| fwb_attack | None | -| fwb_event | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| fortinet_fortiweb_traffic | fwb_traffic | netfw | none | -| fortinet_fortiweb_attack | fwb_attack | netids | none | -| fortinet_fortiweb_event | fwb_event | netops | none | -| fortinet_fortiweb_log | fwb_log | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features. - -``` -config log syslog-policy - -edit splunk - -config syslog-server-list - -edit 1 - -set server x.x.x.x - -set port 514 (Example. 
Should be the same as default or dedicated port selected for sc4s) - -end - -end - -config log syslogd - -set policy splunk - -set status enable - -end - -``` - -### Options - -* NOTE: Remember to set the variable(s) below only _once_, regardless of how many unique ports and/or Fortinet device types -are in use. See the introductory note above for more details. - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_FORTINET_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_FORTINET_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_FORTINET | no | Enable archive to disk for this specific source | -| SC4S_DEST_FORTINET_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active firewall will generate frequent events, in addition fortigate has the ability to test logging functionality using a built in command - -``` -diag log test -``` - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=fwb_log OR sourcetype=fwb_traffic OR sourcetype=fwb_attack OR sourcetype=fwb_event) -``` - -Verify timestamp, and host values match as expected diff --git a/docs/sources/GitHub/index.md b/docs/sources/GitHub/index.md deleted file mode 100644 index 23b3b6069e..0000000000 --- a/docs/sources/GitHub/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ -## Product - GitHub Enterprise Server - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | | -| Product Manual | | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| github:enterprise:audit | The audit logs of GitHub Enterprise server have information about audites actions performed by github user. | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| github_ent | github:enterprise:audit | gitops | None | - -### Filter type - -IP, Netmask or Host - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* GitHub Follow vendor configuration steps per Product Manual. -* Ensure host and timestamp are included. -* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_github_ent`` to identiy the github events. 
- -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_GITHUB_ENT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_GITHUB_ENT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_GITHUB_ENT | no | Enable archive to disk for this specific source | -| SC4S_DEST_GITHUB_ENT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index=gitops sourcetype=github:enterprise:audit -``` - -Verify timestamp, and host values match as expected \ No newline at end of file diff --git a/docs/sources/HAProxy/index.md b/docs/sources/HAProxy/index.md deleted file mode 100644 index 3c89183ffe..0000000000 --- a/docs/sources/HAProxy/index.md +++ /dev/null 
@@ -1,49 +0,0 @@ -# Vendor - HAProxy - -## Product - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3135/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| haproxy:tcp | Default syslog format | -| haproxy:splunk:http | Splunk's documented custom format. Note: detection is based on `client_ip` prefix in message | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| haproxy_syslog | netlb | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_HAPROXY_SYSLOG_RFC6587_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_HAPROXY_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_HAPROXY_SYSLOG | no | Enable archive to disk for this specific source | -| SC4S_DEST_HAPROXY_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - - - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=haproxy*") -``` diff --git a/docs/sources/HPe/index.md b/docs/sources/HPe/index.md deleted file mode 100644 index f1b508c070..0000000000 --- a/docs/sources/HPe/index.md +++ /dev/null 
@@ -1,235 +0,0 @@ -# Vendor - HPE -## Product - Aruba devices - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| aruba:syslog | Dynamically Created | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| aruba_ap | netops | none | - -### Filter type - -Partial MSG Parse for BSD-style (non-CEF) messages: This filter parses message content for events that use the traditional aruba (BSD) message -format that have `program` values of `authmgr`, `sapd`, `stm`, or `wms`. Additional `os:nix` logs for generic services such as `dnsmasq` will follow -the `os:nix` rules. - -### Options - - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ARUBA_AP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_ARUBA_AP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ARUBA_AP| no | Enable archive to disk for this specific source | -| SC4S_DEST_ARUBA_AP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=aruba:syslog") -``` -## Product - Aruba Clearpass - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| - -### Sourcetypes - -| sourcetype | notes | 
-|----------------|---------------------------------------------------------------------------------------------------------| -| aruba:clearpass | Dynamically Created | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| aruba_clearpass | print | none | - -### Filter type - -Partial MSG Parse: This filter parses message content for events with a syslog "program" prefix "CPPM_". For complete parsing a dedicated port or -`vendor_product_by_source` entry must be added. - - -### Options - - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ARUBA_CLEARPASS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_ARUBA_CLEARPASS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ARUBA_CLEARPASS | no | Enable archive to disk for this specific source | -| SC4S_DEST_ARUBA_CLEARPASS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=aruba:clearpass") -``` - - -## Product - ILO (4+) - -HP ILO management syslog - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| hpe:ilo | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| hpe_ilo | infraops | none | - -### Filter type - -MSG Parse: This filter parses message content - - -### Options - -Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | 
description | -|----------------|----------------|----------------| -| SC4S_LISTEN_HPE_ILO_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_HPE_ILO_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ILO | no | Enable archive to disk for this specific source | -| SC4S_DEST_ILO| no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=hpe:ilo") -``` - - -## Product - JetDirect - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| hpe:jetdirect | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| hpe_jetdirect | print | none | - -### Filter type - -MSG Parse: This filter parses message content - - -### Options - -Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_HPE_JETDIRECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_HPE_JETDIRECT_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_HPE_JETDIRECT | no | Enable archive to disk for this specific source | -| SC4S_DEST_HPE_JETDIRECT_HEC | no | 
When Splunk HEC is disabled globally set to yes to enable this specific source | - - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=hpe:jetdirect") -``` - -## Product - Procurve Switch - -HP Procurve switches have multiple log formats used. - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Switch | https://support.hpe.com/hpesc/public/docDisplay?docId=a00091844en_us | -| Switch (A Series) (Flex) | https://techhub.hpe.com/eginfolib/networking/docs/switches/12500/5998-4870_nmm_cg/content/378584395.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| hpe:procurve | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| hpe_procurve | netops | none | - -### Filter type - -MSG Parse: This filter parses message content - - -### Options - -Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_HPE_PROCURVE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_HPE_PROCURVE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_HPE_PROCURVE | no | Enable archive to disk for this specific source | -| SC4S_DEST_HPE_PROCURVE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active site will generate frequent events use the following search to check 
for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=hpe:procurve") -``` diff --git a/docs/sources/IBM/index.md b/docs/sources/IBM/index.md deleted file mode 100644 index 47693a1256..0000000000 --- a/docs/sources/IBM/index.md +++ /dev/null @@ -1,46 +0,0 @@ -# Vendor - IBM - -## Product - Data power - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4662/ | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ibm:datapower:syslog | Common sourcetype | -| ibm:datapower:* | * is taken from the event sourcetype | - | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| ibm_datapower | na | inifraops | none | - -### Filter type - -Requires dedicated port or vendor_product_by_source configuration - -### Options - - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_IBM_DATAPOWER_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_IBM_DATAPOWER_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_IBM_DATAPOWER | no | Enable archive to disk for this specific source | -| SC4S_DEST_IBM_DATAPOWER_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="ibm:datapower*") -``` 
diff --git a/docs/sources/ISC/index.md b/docs/sources/ISC/index.md deleted file mode 100644 index 5e51e07e39..0000000000 --- a/docs/sources/ISC/index.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# Vendor - ISC - -## Product - dns - -This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired -see that source documentation for instructions - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2876/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| isc:dhcp | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| isc_dhcp | isc:dhcp | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -None - - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=isc:dhcp") -``` - - - -## Product - DHCPD - -This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired -see that source documentation for instructions - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3010/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| isc:dhcp | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| isc_dhcp | isc:dhcp | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -None - - - -### Verification - -An active site will generate frequent events use the 
following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=isc:dhcp") -``` - diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md deleted file mode 100644 index c84f571130..0000000000 --- a/docs/sources/Imperva/index.md +++ /dev/null 
@@ -1,107 +0,0 @@ -# Vendor - Imperva - -## Product - Incapsula - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| Imperva:Incapsula | Common sourcetype | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many 
ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="Imperva:Incapsula") -``` - ---- - -## Product - On-Premises WAF (SecureSphere WAF) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2874/ | -| Product Manual | https://community.microfocus.com/dcvta86296/attachments/dcvta86296/partner-documentation-h-o/22/2/Imperva_SecureSphere_11_5_CEF_Config_Guide_2018.pdf | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|-------| -| imperva:waf | none | -| imperva:waf:firewall:cef | none | -| imperva:waf:security:cef | none | - -### Index Configuration - -| key | index | notes | -|----------------------------|----------|----------------| -| Imperva Inc._SecureSphere | netwaf | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). 
See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=imperva:waf*) -``` diff --git a/docs/sources/InfoBlox/index.md b/docs/sources/InfoBlox/index.md deleted file mode 100644 index cbf8701e4f..0000000000 --- a/docs/sources/InfoBlox/index.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# Vendor - Infoblox - -Warning: Despite the TA indication this data source is CIM compliant the all versions of NIOS including the most recent available as of 2019-12-17 do not support the DNS data model correctly. For DNS security use cases use Splunk Stream instead. - -## Product - NIOS - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2934/ | -| Product Manual | https://docs.infoblox.com/display/ILP/NIOS?preview=/8945695/43728387/NIOS_8.4_Admin_Guide.pdf | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| infoblox:dns | None | -| infoblox:dhcp | None | -| infoblox:threat | None | -| nix:syslog | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| infoblox_nios_dns | infoblox:dns | netdns | none | -| infoblox_nios_dhcp | infoblox:dhcp | netipam | none | -| infoblox_nios_threat | infoblox:threatprotect | netids | none | -| infoblox_nios_audit | infoblox:audit | netops | none | -| infoblox_nios_fallback | infoblox:port | netops | none | - -### Filter type - -Must be identified by host or ip assignment. Update the filter `f_infoblox` or configure a dedicated port as required - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the admin manual for specific details of configuration - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_INFOBLOX_NIOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_INFOBLOX_NIOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_INFOBLOX_NIOS | no | Enable archive to disk for this specific source | -| SC4S_DEST_INFOBLOX_NIOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=infoblox:*| stats count by host -``` diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md deleted file mode 100644 index ef9585773e..0000000000 --- a/docs/sources/Juniper/index.md +++ /dev/null 
@@ -1,111 +0,0 @@ -# Vendor - Juniper - -## Product - Juniper JunOS - -| Ref | Link | -|-------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| JunOS TechLibrary | https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-messages-configuring-qfx-series.html | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|------------------------------------------------------------------| -| juniper:junos:firewall | None | -| juniper:junos:firewall:structured | None | -| juniper:junos:idp | None | -| juniper:junos:idp:structured | None | -| juniper:junos:aamw:structured | None | -| juniper:junos:secintel:structured | None | -| juniper:junos:snmp | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------------------|------------------------|----------------|---------------| -| juniper_junos_flow | juniper:junos:firewall | netfw | none | -| juniper_junos_idp | juniper:junos:idp | netids | none | -| juniper_junos_utm | juniper:junos:firewall | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index as required. 
-* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| -| SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers using 5424 format | -| SC4S_LISTEN_JUNIPER_JUNOS_STRUCTURED_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers using 5424 format || SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source | -| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present; for Juniper JunOS ensure each host filter condition is verified - -``` -index= sourcetype=juniper:junos:firewall | stats count by host -index= sourcetype=juniper:junos:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper Netscreen - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Netscreen Manual | http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759 | - -### Sourcetypes - -| sourcetype | notes | 
-|-------------------------|------------------------------------------------------------------------------------------------| -| netscreen:firewall | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_netscreen | netscreen:firewall | netfw | none | - -### Filter type - -* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index as required. -* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_JUNIPER_NETSCREEN_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_JUNIPER_NETSCREEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_JUNIPER_NETSCREEN | no | Enable archive to disk for this specific source | -| SC4S_DEST_JUNIPER_NETSCREEN_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present; for Juniper Netscreen products ensure each host filter condition is verified - -``` -index= sourcetype=netscreen:firewall | stats count by host -``` - -Verify timestamp, and host values match as expected 
diff --git a/docs/sources/Loggen/index.md b/docs/sources/Loggen/index.md deleted file mode 100644 index 44c1623631..0000000000 --- a/docs/sources/Loggen/index.md +++ /dev/null @@ -1,42 +0,0 @@ -# Vendor - Syslog-ng - -## Product - syslog-ng loggen - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Product Manual | https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.26/administration-guide/96#loggen.1 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| syslogng:loggen | By default, loggen uses the legacy BSD-syslog message format.
BSD example:
`loggen --inet --dgram --number 1 `
RFC5424 example:
`loggen --inet --dgram -PF --number 1 `
Refer to above manual link for more examples. |
-
-
-### Index Configuration
-
-| key | index | notes |
-|----------------|----------------|----------------|
-| syslogng_loggen | main | none |
-
-### Filter type
-
-MSG Parse: This filter parses message content
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_SYSLOGNG_LOGGEN_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_SYSLOGNG_LOGGEN_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_SYSLOGNG_LOGGEN | no | Enable archive to disk for this specific source |
-| SC4S_DEST_SYSLOGNG_LOGGEN_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-An active device will generate frequent events. Use the following search to validate events are present per source device
-
-```
-index=main sourcetype="syslogng:loggen"| stats count by host
-```
diff --git a/docs/sources/McAfee/index.md b/docs/sources/McAfee/index.md
deleted file mode 100644
index 531d88b04e..0000000000
--- a/docs/sources/McAfee/index.md
+++ /dev/null
@@ -1,186 +0,0 @@ -# Vendor - McAfee - -## Product - EPO - -This source requires a TLS connection; in most cases enabling TLS and using the default port 6514 is adequate. -The source is understood to require a valid certificate. - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/5085/ | -| Product Manual | https://kc.mcafee.com/corporate/index?page=content&id=KB87927 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| mcafee:epo:syslog | none | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| policy_auditor_vulnerability_assessment | Policy Auditor Vulnerability Assessment events | -| mcafee_agent | McAfee Agent events | -| mcafee_endpoint_security | McAfee Endpoint Security events | - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| mcafee_epo | epav | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MCAFEE_EPO_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_MCAFEE_EPO | no | Enable archive to disk for this specific source | -| SC4S_DEST_MCAFEE_EPO_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_SOURCE_TLS_ENABLE | no | This must be set to yes so that SC4S listens for encrypted syslog from ePO - -### Additional setup -You must create a certificate for the SC4S server to receive encrypted syslog from ePO. A self-signed certificate is fine. 
Generate a self-signed certificate on the SC4S host: - -`openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /opt/sc4s/tls/server.key -out /opt/sc4s/tls/server.pem` - -Uncomment the following line in `/lib/systemd/system/sc4s.service` to allow the docker container to use the certificate: - -`Environment="SC4S_TLS_DIR=-v :/etc/syslog-ng/tls:z"` - -### Troubleshooting -from the command line of the SC4S host, run this: `openssl s_client -connect localhost:6514` - -The message: -``` -socket: Bad file descriptor -connect:errno=9 -``` - -indicates that SC4S is not listening for encrypted syslog. Note that a `netstat` may show the port open, but it is not accepting encrypted traffic as configured. - -It may take several minutes for the syslog option to be available in the `registered servers` dropdown. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=mcafee:epo:syslog") -``` - -## Product - Web Gateway - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3009/ | -| Product Manual | https://kc.mcafee.com/corporate/index?page=content&id=KB77988&actp=RSS | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| mcafee:wg:kv | none | - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| mcafee_wg | netproxy | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_MCAFEE_WG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a 
comma-separated list of port numbers | -| SC4S_LISTEN_MCAFEE_WG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_MCAFEE_WG | no | Enable archive to disk for this specific source | -| SC4S_DEST_MCAFEE_WG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_SOURCE_TLS_ENABLE | no | This must be set to yes so that SC4S listens for encrypted syslog from Mcafee Web Gateway | -| - - -### Troubleshooting -from the command line of the SC4S host, run this: `openssl s_client -connect localhost:6514` - -The message: -``` -socket: Bad file descriptor -connect:errno=9 -``` - -indicates that SC4S is not listening for encrypted syslog. Note that a `netstat` may show the port open, but it is not accepting encrypted traffic as configured. - -It may take several minutes for the syslog option to be available in the `registered servers` dropdown. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=mcafee:wg:kv") -``` -## Product - Network Security Platform - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Product Manual | https://docs.mcafee.com/bundle/network-security-platform-10.1.x-product-guide/page/GUID-373C1CA6-EC0E-49E1-8858-749D1AA2716A.html | - -### Sourcetypes - -| sourcetype | notes | -| ---------- | ----- | -| mcafee:nsp | none | - -### Source - -| source | notes | -| ------------------- | ----------------------------------- | -| mcafee:nsp:alert | Alert/Attack Events | -| mcafee:nsp:audit | Audit Event or User Activity Events | -| mcafee:nsp:fault | Fault Events | -| mcafee:nsp:firewall | Firewall Events | - -### Index Configuration - -| key | index | notes | -| ---------- | ---------- | ----- | 
-| mcafee_nsp | netids | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -| ------------------------------- | ------------ | ----------------------------------------------------------------------------------------------- | -| SC4S_LISTEN_MCAFEE_NSP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_MCAFEE_NSP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_MCAFEE_NSP | no | Enable archive to disk for this specific source | -| SC4S_DEST_MCAFEE_NSP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index=netids sourcetype=mcafee:nsp -``` diff --git a/docs/sources/Microfocus/index.md b/docs/sources/Microfocus/index.md deleted file mode 100644 index 9446f2ce41..0000000000 --- a/docs/sources/Microfocus/index.md +++ /dev/null 
@@ -1,105 +0,0 @@ -# Vendor - MicroFocus Arcsight - -## Product - Arcsight Internal Agent - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://github.com/splunk/splunk-add-on-for-cefdownloads/ | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ArcSight:ArcSight | Internal logs | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| ArcSight_ArcSight | ArcSight:ArcSight | main | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. 
- -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="ArcSight:ArcSight") -``` - -## Product - Arcsight Microsoft Windows (CEF) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| CEFEventLog:System or Application Event | Windows Application and System Event Logs | -| CEFEventLog:Microsoft Windows | Windows Security Event Logs | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none | -| Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a 
comma-separated list of port numbers |
-| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
-many ports are in use by this CEF source (or any others). See the "Common Event Format" source
-documentation for more information.
-
-### Verification
-
-An active site will generate frequent events use the following search to check for new events
-
-Verify timestamp, and host values match as expected
-
-```
-index= (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))
-```
diff --git a/docs/sources/Microsoft/index.md b/docs/sources/Microsoft/index.md
deleted file mode 100644
index fd562b6186..0000000000
--- a/docs/sources/Microsoft/index.md
+++ /dev/null
@@ -1,57 +0,0 @@ -# Vendor - Microsoft - -## Product - Cloud App Security (MCAS) - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Splunk Add-on Source Specific | none | -| Product Manual | https://docs.microsoft.com/en-us/cloud-app-security/siem | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| microsoft:cas | Common sourcetype | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| MCAS_SIEM_Agent | microsoft:cas | main | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). 
See the "Common Event Format" source
-documentation for more information.
-
-### Verification
-
-An active site will generate frequent events use the following search to check for new events
-
-Verify timestamp, and host values match as expected
-
-```
-index= (sourcetype=cef source="microsoft:cas")
-```
diff --git a/docs/sources/Mikrotik/index.md b/docs/sources/Mikrotik/index.md
deleted file mode 100644
index 1d155e19ee..0000000000
--- a/docs/sources/Mikrotik/index.md
+++ /dev/null
@@ -1,91 +0,0 @@ -# Vendor - Mikrotik - -## Product - dns - -This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired -see that source documentation for instructions - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3845/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| routeros | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| mikrotik_routeros | netops | none | -| mikrotik_routeros_fw | netfw | Used for events with forward: | - -### Filter type - -Vendor Product by source configuration required - -### Options - -None - - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=routeros") -``` - - - -## Product - DHCPD - -This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired -see that source documentation for instructions - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3010/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| isc:dhcp | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| isc_dhcp | isc:dhcp | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -None - 
- - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=isc:dhcp") -``` - diff --git a/docs/sources/NetApp/index.md b/docs/sources/NetApp/index.md deleted file mode 100644 index 2a8cd4ccdd..0000000000 --- a/docs/sources/NetApp/index.md +++ /dev/null @@ -1,46 +0,0 @@ -# Vendor - NetApp - - -## Product - OnTap - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3418/ | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| netapp:ems | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| netapp_ontap | netapp:ems | infraops | none | - -### Filter type - -MSG Parsing - -### Setup and Configuration - - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_NETAPP_ONTAP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_NETAPP_ONTAP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_NETAPP_ONTAP | no | Enable archive to disk for this specific source | -| SC4S_DEST_NETAPP_ONTAP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -``` -index= sourcetype=netapp:ems | stats count by host -``` diff --git a/docs/sources/Netmotion/index.md b/docs/sources/Netmotion/index.md deleted file mode 100644 index fc4a900586..0000000000 
--- a/docs/sources/Netmotion/index.md +++ /dev/null @@ -1,48 +0,0 @@ -# Vendor - Netmotion - - -## Product - Reporting - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | none | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| netmotion:reporting | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| netmotion_reporting | netmotion:reporting | netops | none | - -### Filter type - -MSG Parsing - -### Setup and Configuration - - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_NETMOTION_REPORTING_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_NETMOTION_REPORTING_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_NETMOTION_REPORTING | no | Enable archive to disk for this specific source | -| SC4S_DEST_NETMOTION_REPORTING_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=netmotion:reporting | stats count by host -``` diff --git a/docs/sources/Novell/index.md b/docs/sources/Novell/index.md deleted file mode 100644 index 1291550dbc..0000000000 --- a/docs/sources/Novell/index.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Vendor - Novell - -## Product - NetIQ - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | unknown | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| novell:netiq | none | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| novell_netiq | novell_netiq | netauth | None | - -### Filter type - -MSGParser - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_NOVELL_NETIQ_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_NOVELL_NETIQ_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_NOVELL_NETIQ | no | Enable archive to disk for this specific source | -| SC4S_DEST_NOVELL_NETIQ_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index=netauth sourcetype=novel:netiq -``` - -Verify timestamp, and host values match as expected \ No newline at end of file diff --git a/docs/sources/Ossec/index.md b/docs/sources/Ossec/index.md deleted file mode 100644 index c0b9fd826a..0000000000 --- a/docs/sources/Ossec/index.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# Vendor - Ossec - -## Product - Ossec - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2808/ | -| Product Manual | https://www.ossec.net/docs/index.html | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ossec | The add-on supports data from the following sources: File Integrity Management (FIM) data, FTP data, su data, ssh data, Windows data, including audit and logon information | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| ossec_ossec | ossec | main | None | - -### Filter type - -IP, Netmask or Host - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Ossec Follow vendor configuration steps per Product Manual. -* Ensure host and timestamp are included. -* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ossec`` to identiy the ossec events. 
-
-### Options
-
-| Variable | default | description |
-|----------------|----------------|----------------|
-| SC4S_LISTEN_OSSEC_OSSEC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_LISTEN_OSSEC_OSSEC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
-| SC4S_ARCHIVE_OSSEC_OSSEC | no | Enable archive to disk for this specific source |
-| SC4S_DEST_OSSEC_OSSEC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-
-### Verification
-
-Use the following search to validate events are present
-
-```
-index=main sourcetype=ossec
-```
-
-Verify timestamp, and host values match as expected
\ No newline at end of file
diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md
deleted file mode 100644
index 93050ff141..0000000000
--- a/docs/sources/PaloaltoNetworks/index.md
+++ /dev/null
@@ -1,156 +0,0 @@ -# Vendor - PaloAlto - -## Product - NGFW - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ | -| Product Manual | https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pan:log | None | -| pan:pan_globalprotect | none | -| pan:traffic | None | -| pan:threat | None | -| pan:system | None | -| pan:config | None | -| pan:hipmatch | None | -| pan:correlation | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| pan_panos_log | pan:log | netops | none | -| pan_panos_globalprotect | pan:pan_globalprotect | netfw | none | -| pan_tpanos_raffic | pan:traffic | netfw | none | -| pan_panos_threat | pan:threat | netproxy | none | -| pan_panos_system | pan:system | netops | none | -| pan_panos_config | pan:config | netops | none | -| pan_panos_hipmatch | pan:hipmatch | netops | none | -| pan_panos_correlation | pan:correlation | netops | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the admin manual for specific details of configuration - * Select TCP or SSL transport option - * Select IETF Format - * Ensure the format of the event is not customized - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_PULSE_PAN_PANOS_RFC6587_PORT | empty string | Enable a TCP using IETF Framing (RFC6587) port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_PAN_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_PAN_PANOS | no | Enable archive to disk for this specific source | -| SC4S_DEST_PAN_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active firewall will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=pan:*| stats count by host -``` -## Product - Cortext - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|-------| -| pan:*| | Sourcetypes and keys compatible with NGFW are supported | -| pan:xsoar | none | - -### Index Configuration - -| key | index | notes | -|----------------------------|----------|----------------| -| Palo Alto Networks_Palo Alto Networks Cortex XSOAR | epintel | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP 
port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=pan:xsoar) -``` - - -## Product - TRAPS - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2757/ | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|-------| -| pan:traps4 | none | - -### Index Configuration - -| key | index | notes | -|----------------------------|----------|----------------| -| Palo Alto Networks_Traps Agent | epintel | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF 
source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=pan:traps4) -``` diff --git a/docs/sources/Pfsense/index.md b/docs/sources/Pfsense/index.md deleted file mode 100644 index 32ca87873a..0000000000 --- a/docs/sources/Pfsense/index.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# Vendor - pfSense - -All pfSense based firewalls - - -## Product - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/1527/ | -| Product Manual | https://docs.netgate.com/pfsense/en/latest/monitoring/copying-logs-to-a-remote-host-with-syslog.html?highlight=syslog | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pfsense:filterlog | None | -| pfsense:* | All programs other than filterlog | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| pfsense | pfsense | netops | none | -| pfsense_filterlog | pfsense:filterlog | netfw | none | - -### Filter type - -Source does not provide a hostname, port or IP based filter is required - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Configure a dedicated SC4S port OR configure IP filter -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_PFSENSE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_PFSENSE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_PFSENSE | no | Enable archive to disk for this specific source | -| SC4S_DEST_PFSENSE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=pfsense:filterlog | stats count by host -``` diff --git a/docs/sources/Polycom/index.md b/docs/sources/Polycom/index.md deleted file mode 100644 index 6624f68742..0000000000 --- a/docs/sources/Polycom/index.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Vendor - Polycom - -## Product - RPRM - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | none | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| polycom:rprm:syslog | | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| polycom_rprm | polycom:rprm:syslog | netops | none | - - -### Filter type - -MSG Parse: This filter parses message content - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_POLYCOM_RPRM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers. | -| SC4S_POLYCOM_RPRM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers. | -| SC4S_ARCHIVE_POLYCOM_RPRM | no | Enable archive to disk for this specific source | -| SC4S_DEST_POLYCOM_RPRM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them: - -``` -index= sourcetype=polycom:rprm:syslog| stats count by host -``` diff --git a/docs/sources/Proofpoint/index.md b/docs/sources/Proofpoint/index.md deleted file mode 100644 index 1008578a91..0000000000 --- a/docs/sources/Proofpoint/index.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# Vendor - Proofpoint - -## Product - Proofpoint Protection Server - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3080/ | -| Product Manual | https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| pps_filter_log | | -| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| proofpoint_pps_filter | pps_filter_log | email | none | -| proofpoint_pps_sendmail | pps_mail_log | email | none | - - -### Filter type - -MSG Parse: This filter parses message content -* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related -messages to create meaningful final output. This will require follow-on processing in Splunk. - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_PROOFPOINT_PPS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers. | -| SC4S_PROOFPOINT_PPS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers. | -| SC4S_ARCHIVE_PROOFPOINT_PPS | no | Enable archive to disk for this specific source | -| SC4S_DEST_PROOFPOINT_PPS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them: - -``` -index= sourcetype=pps_*_log | stats count by host -``` diff --git a/docs/sources/Pulse/index.md b/docs/sources/Pulse/index.md deleted file mode 100644 index 4ab26ed31d..0000000000 --- a/docs/sources/Pulse/index.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# Vendor - Pulse - -## Product - Secure Connect - -| Ref | Link | -|-------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3852/ | -| JunOS TechLibrary | https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/Configuring%20Syslog.htm | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|------------------------------------------------------------------| -| pulse:connectsecure | None | -| pulse:connectsecure:web | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------------------|------------------------|----------------|---------------| -| pulse_connect_secure | pulse:connectsecure | netfw | none | -| pulse_connect_secure_web | pulse:connectsecure:web | netproxy | none | - -### Filter type - -* MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index as required. 
-* Follow vendor configuration steps per referenced Product Manual - -### Options -Note RFC6587 framing is not supported over TLS at this time - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_PULSE_CONNECT_SECURE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| -| SC4S_LISTEN_PULSE_CONNECT_SECURE_RFC6587_PORT | empty string | Enable a TCP using IETF Framing (RFC6587) port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_PULSE_CONNECT_SECURE | no | Enable archive to disk for this specific source | -| SC4S_DEST_PULSE_CONNECT_SECURE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=pulse:connectsecure* | stats count by host -``` - -Verify the timestamp and host values match as expected - diff --git a/docs/sources/PureStorage/index.md b/docs/sources/PureStorage/index.md deleted file mode 100644 index 786352570e..0000000000 --- a/docs/sources/PureStorage/index.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# Vendor - Pure Storage - -## Product - Array - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None note TA published on Splunk base does not include syslog extractions | -| Product Manual | | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| purestorage:array | | -| purestorage:array:${class} | This type is generated from the message | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| purestorage_array | purestorage:array | infraops | None | -| purestorage_array_${class} | purestorage:array:class | infraops | class is extracted as the string following "purity." | - -### Filter type - -MSG Parsing - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Pure Storage Follow vendor configuration steps per Product Manual. -* Ensure host and timestamp are included. 
- -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_PURESTORAGE_ARRAY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_PURESTORAGE_ARRAY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_PURESTORAGE_ARRAY | no | Enable archive to disk for this specific source | -| SC4S_DEST_PURESTORAGE_ARRAY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index=infraops sourcetype=purestorage:array* -``` - -Verify timestamp, and host values match as expected \ No newline at end of file diff --git a/docs/sources/Qumulo/index.md b/docs/sources/Qumulo/index.md deleted file mode 100644 index b632835e6a..0000000000 --- a/docs/sources/Qumulo/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Vendor - Qumulo - -## Product - Storage - -| Ref | Link | -|-------------------|-------------------------------------------------------------------------| -| Splunk Add-on | none | - -### Sourcetypes - -| sourcetype | notes | -|--------------------------|------------------------------------------------------------------| -| qumulo:storage | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------------------|------------------------|----------------|---------------| -| qumulo_storage | qumulo:storage | infraops | none | - -### Filter type - -* MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index as required. -* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_QUMULO_STORAGE_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format| -| SC4S_ARCHIVE_QUMULO_STORAGE | no | Enable archive to disk for this specific source | -| SC4S_DEST_QUMULO_STORAGE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present - -``` -index= sourcetype=qumulo:storage* | stats count by host -``` - -Verify the timestamp and host values match as expected - diff --git a/docs/sources/Radware/index.md b/docs/sources/Radware/index.md deleted file mode 100644 index ebe99e7ec6..0000000000 --- a/docs/sources/Radware/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Vendor - Radware - - -## Product - DefensePro - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | Note this add-on does not provide functional extractions https://splunkbase.splunk.com/app/4480/ | -| Product Manual | https://www.radware.com/products/defensepro/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| radware:defensepro | Note some events do not contain host | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| radware_defensepro | radware:defensepro | netops | none | - -### Filter type - -MSG Parsing - -### Setup and Configuration - - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_RADWARE_DEFENSEPRO_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_RADWARE_DEFENSEPRO_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_RADWARE_DEFENSEPRO | no | Enable archive to disk for this specific source | -| SC4S_DEST_RADWARE_DEFENSEPRO_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=radware:defensepro | stats count by host -``` diff --git a/docs/sources/Raritan/index.md b/docs/sources/Raritan/index.md deleted file mode 100644 index 873542dbe9..0000000000 --- a/docs/sources/Raritan/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Vendor - Raritan - - -## Product - DSX - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | none | -| Product Manual | https://www.raritan.com/products/kvm-serial/serial-console-servers/serial-over-ip-console-server | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| raritan:dsx | Note events do not contain host | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| raritan_dsx | raritan:dsx | infraops | none | - -### Filter type - -Requires port or vendor product by source config - -### Setup and Configuration - -unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_RARITAN_DSX_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_RARITAN_DSX_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_RARITAN_DSX | no | Enable archive to disk for this specific source | -| SC4S_DEST_RARITAN_DSX_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=raritan:dsx | stats count by host -``` diff --git a/docs/sources/Schneider/index.md b/docs/sources/Schneider/index.md deleted file mode 100644 index 0cf1cc1dfe..0000000000 --- a/docs/sources/Schneider/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Vendor - Schneider - - -## Product - APC Power systems - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | none | -| Product Manual | multiple | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| apc:syslog | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| schneider_apc | apc:syslog | main | none | - -### Filter type - -Port or IP based filter is required - -### Setup and Configuration - - - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SCHNEIDER_APC_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_SCHNEIDER_APC_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_SCHNEIDER_APC | no | Enable archive to disk for this specific source | -| SC4S_DEST_SCHNEIDER_APC_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=apc:syslog | stats count by host -``` diff --git a/docs/sources/Solace/index.md b/docs/sources/Solace/index.md deleted file mode 100644 index 85d3697fb1..0000000000 --- a/docs/sources/Solace/index.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# Vendor - Solace - - -## Product - EventBroker - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| solace:eventbroker | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| solace_eventbroker | solace:eventbroker | main | none | - -### Filter type - -MSGPARSE: - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SOLACE_EVENTBROKER_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_SOLACE_EVENTBROKER_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_SOLACE_EVENTBROKER | no | Enable archive to disk for this specific source | -| SC4S_DEST_SOLACE_EVENTBROKER_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=solace:eventbroker | stats count by host -``` diff --git a/docs/sources/Sophos/index.md b/docs/sources/Sophos/index.md deleted file mode 100644 index 50534a753f..0000000000 --- a/docs/sources/Sophos/index.md +++ /dev/null 
@@ -1,49 +0,0 @@ -# Vendor - Sophos - - -## Product - Web Appliance - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| sophos:webappliance | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| sophos_webappliance | sophos:webappliance | netproxy | none | - -### Filter type - -Must use port or NETMASK/host - -Configure vendor_product_by_source - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SOPHOS_WEBAPPLIANCE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_SOPHOS_WEBAPPLIANCE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_SOPHOS_WEBAPPLIANCE | no | Enable archive to disk for this specific source | -| SC4S_DEST_SOPHOS_WEBAPPLIANCE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=sophos:webappliance | stats count by host -``` diff --git a/docs/sources/Spectracom/index.md b/docs/sources/Spectracom/index.md deleted file mode 100644 index 3b77f70783..0000000000 --- a/docs/sources/Spectracom/index.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# Vendor - Spectracom - - -## Product - NTP Appliance - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Product Manual | unknown | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| spectracom:ntp | None | -| nix:syslog | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| spectracom_ntp | spectracom:ntp | netops | none | - -### Filter type - -Must use port or NETMASK and MSG Parsing - -This appliance is a general purpose linux based OS providing time services. the time server application will be source typed as above while the OS level logs will be -processed as nix:syslog - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_SPECTRACOM_NTP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_SPECTRACOM_NTP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_SPECTRACOM_NTP | no | Enable archive to disk for this specific source | -| SC4S_DEST_SPECTRACOM_NTP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=spectracom:ntp | stats count by host -``` diff --git a/docs/sources/Tanium/index.md b/docs/sources/Tanium/index.md deleted file mode 100644 index a38210067e..0000000000 
--- a/docs/sources/Tanium/index.md +++ /dev/null @@ -1,52 +0,0 @@ -# Vendor - Tanium - -## Product - All - -This source requires a TLS connection; in most cases enabling TLS and using the default port 6514 is adequate. -The source is understood to require a valid certificate. - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4439/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| tanium | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| tanium_syslog | epintel | none | - -### Filter type - -MSG Parse: This filter parses message content -timestamp: When present the field ``Client-Time-UTC`` will be used as the time source - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_ARCHIVE_TANIUM_SYSLOG | no | Enable archive to disk for this specific source | -| SC4S_DEST_TANIUM_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_SOURCE_TLS_ENABLE | no | This must be set to yes so that SC4S listens for encrypted syslog from ePO - -### Additional setup - -NOTE: Tanium requires the use of IETF framing and should be configured to use port 601 (DEFAULT) or locally configured RFC6587 port. Use of any other port configuration will cause -data corruption. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=tanium*") -``` diff --git a/docs/sources/Tenable/index.md b/docs/sources/Tenable/index.md deleted file mode 100644 index c003d8726d..0000000000 
--- a/docs/sources/Tenable/index.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# Vendor - Tenable - -## Product - Tenable.ad - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ | -| Product Manual | | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| tenable:ad:alerts | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| tenable_ad | tenable:ad:alerts | oswinsec | none | - -### Filter type - -MSG Parsing - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_TENABLE_AD_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_TENABLE_AD_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_TENABLE_AD | no | Enable archive to disk for this specific source | -| SC4S_DEST_TENABLE_AD_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype=tenable:ad | stats count by host -``` - -## Product - Tenable.nnm - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ | -| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| tenable:nnm:vuln | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| tenable_nnm | tenable:nnm:vuln | netfw | none | - -### Filter type - -MSG Parsing - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_TENABLE_SYSLOG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_TENABLE_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_TENABLE_SYSLOG | no | Enable archive to disk for this specific source | -| SC4S_DEST_TENABLE_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=tenable:nnm:vuln | stats count by host -``` \ No newline at end of file diff --git a/docs/sources/Tintri/index.md b/docs/sources/Tintri/index.md deleted file mode 100644 index 5a14059de6..0000000000 --- a/docs/sources/Tintri/index.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# Vendor - TINTRI - -## Product - All - -This source requires a TLS connection; in most cases enabling TLS and using the default port 6514 is adequate. -The source is understood to require a valid certificate. - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| tintri | none | - - -### Index Configuration - -| key | index | notes | -|----------------|------------|----------------| -| tintri_syslog | infraops | none | - -### Filter type - -MSG Parse: This filter parses message content generic linux logs will use the os:nix sourcetype - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_ARCHIVE_TINTRI_SYSLOG | no | Enable archive to disk for this specific source | -| SC4S_DEST_TINTRI_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Additional setup - -NOTE: TINTRI requires the use of IETF framing and should be configured to use port 601 (DEFAULT) or locally configured RFC6587 port. Use of any other port configuration will cause -data corruption. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=tintri*") -``` diff --git a/docs/sources/Ubiquiti/index.md b/docs/sources/Ubiquiti/index.md deleted file mode 100644 index 18edc4c80b..0000000000 --- a/docs/sources/Ubiquiti/index.md +++ /dev/null 
@@ -1,71 +0,0 @@ -# Vendor - Ubiquiti - Unifi - -All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS. - - -* Login to NMS -* Navigate to settings -* Navigate to Site -* Enable Remote syslog server -* Enter hostname and port -* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf `` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls - -## Product - Unifi Switch and Access Points - -Unifi devices are managed using the Network Management Controller - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4107/ | -| Product Manual | https://https://help.ubnt.com/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| ubnt | Used when no sub source type is required by add on | -| ubnt:fw | USG events | -| ubnt:threat | USG IDS events | -| ubnt:switch | Unifi Switches | -| ubnt:wireless | Access Point logs | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| ubiquiti_unifi | ubnt | netops | none | -| ubiquiti_unifi_fw | ubnt:fw | netfw | none | - -### Filter type - -MSG Parse: This filter parses message content. Some unifi devices do not have the ability to send host name in the syslog message. -When host name is provided if the hostname begins with an upper case U it will be discarded as a "model" number when configuring device names in the -NMS use valid RFC dns names (lower case a-z numbers 0-9 and dash). - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. 
If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_UBIQUITI_UNIFI_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_UBIQUITI_UNIFI_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_UBIQUITI_UNIFI | no | Enable archive to disk for this specific source | -| SC4S_DEST_UBIQUITI_UNIFI_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` diff --git a/docs/sources/VMWare/index.md b/docs/sources/VMWare/index.md deleted file mode 100644 index c3882062e7..0000000000 --- a/docs/sources/VMWare/index.md +++ /dev/null 
@@ -1,163 +0,0 @@ -# Vendor - Dell - VMware - -## Product - Carbon Black Protection - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | none | -| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cef | Common sourcetype | - -### Source - -| source | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| carbonblack:protection:cef | Note this method of onboarding is not recommended for a more complete experience utilize the json format supported by he product with hec or s3 | - -### Index Configuration - -| key | source | index | notes | -|----------------|----------------|----------------|----------------| -| Carbon Black_Protection | carbonblack:protection:cef | epintel | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in 
use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source="carbonblack:protection:cef") -``` - - -## Product - vSphere - ESX NSX (Controller, Manager, Edge) - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Manual | https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.logging.doc/GUID-0674A29A-9D61-4E36-A302-E4192A3DA1A5.html | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| vmware:vsphere:nsx | None | -| vmware:vsphere:esx | None | -| vmware:vsphere:vcenter | None | -| nix:syslog | When used with a default port, this will follow the generic NIX configuration. When using a dedicated port, IP or host rules events will follow the index configuration for vmware nsx | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| vmware_vsphere_esx | vmware:vsphere:esx | main | none | -| vmware_vsphere_nsx | vmware:vsphere:nsx | main | none | -| vmware_vsphere_vcenter | vmware:vsphere:vcenter | main | none | - -### Filter type - -MSG Parse: This filter parses message content when using the default configuration - -### Setup and Configuration - -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_VMWARE_VSPHERE | no | Enable archive to disk for this specific source | -| SC4S_DEST_VMWARE_VSPHERE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype="vmware:vsphere:*" | stats count by host -``` - -# Vendor - Dell - VMware - -## Product - Horizon View - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | None | -| Manual | unknown | - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| vmware:horizon | None | -| nix:syslog | When used with a default port this will follow the generic NIX configuration when using a dedicated port, IP or host rules events will follow the index configuration for vmware nsx | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| vmware_horizon | vmware:horizon | main | none | - -### Filter type - -MSG Parse: This filter parses message content when using the default configuration - -### Setup and Configuration - -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_VMWARE_VSPHERE | no | Enable archive to disk for this specific source | -| SC4S_DEST_VMWARE_VSPHERE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype="vmware:horizon" | stats count by host -``` diff --git a/docs/sources/Varonis/index.md b/docs/sources/Varonis/index.md deleted file mode 100644 index 12d349d4df..0000000000 --- a/docs/sources/Varonis/index.md +++ /dev/null 
@@ -1,49 +0,0 @@ -# Vendor - Varonis - -## Product - DatAlert - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Technology Add-On for Varonis | https://splunkbase.splunk.com/app/4256/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -|varonis:ta || - -### Index Configuration - -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -|Varonis Inc._DatAdvantage|varonis:ta |main| - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype="deepsecurity*") -``` 
diff --git a/docs/sources/Wallix/index.md b/docs/sources/Wallix/index.md deleted file mode 100644 index 186eb78301..0000000000 --- a/docs/sources/Wallix/index.md +++ /dev/null @@ -1,42 +0,0 @@ -# Vendor - Wallix - -## Product - Bastion - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3661/ | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| WB:syslog | note this sourcetype includes program:rdproxy all other data will be treated as nix | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|---------------------|------------------------|----------|---------| -| WB:syslog | infraops | main | none | - -### Filter type - -MSG Parse: This filter parses message content - - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_WALLIX_PROXY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_WALLIX_PROXY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_WALLIX_PROXY | no | Enable archive to disk for this specific source | -| SC4S_DEST_WALLIX_PROXY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=WB:* | stats count by host -``` - diff --git a/docs/sources/Zscaler/index.md b/docs/sources/Zscaler/index.md deleted file mode 100644 index 4c1ec7985f..0000000000 --- a/docs/sources/Zscaler/index.md +++ /dev/null 
@@ -1,126 +0,0 @@ -# Vendor - Zscaler - -## Product - ZIA - -The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page -26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize -the IP or host name of the SC4S instance and port 514 - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ | -| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| zscaler_nss_alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. | -| zscaler_nss_dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. | -| zscaler_nss_web | None | -| zscaler_nss_fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. 
| - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|---------------------|------------------------|----------|---------| -| zscaler_nss_alerts | zscalernss-alerts | main | none | -| zscaler_nss_dns | zscalernss-dns | netdns | none | -| zscaler_nss_fw | zscalernss-fw | netfw | none | -| zscaler_nss_web | zscalernss-web | netproxy | none | -| zscaler_zia_audit | zscalernss-zia-audit | netops | none | -| zscaler_zia_sandbox | zscalernss-zia-sandbox | main | none | - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ZSCALER_NSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_ZSCALER_NSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ZSCALER_NSS | no | Enable archive to disk for this specific source | -| SC4S_DEST_ZSCALER_NSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. 
Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` - -## Product - LSS - -The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page -26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the LSS to utilize -the IP or host name of the SC4S instance and port 514 - - -| Ref | Link | -|----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/3865/ | -| Product Manual | https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728 | - - -### Sourcetypes - -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| zscaler_lss-app | None | -| zscaler_lss-auth | None | -| zscaler_lss-bba | None | -| zscaler_lss-connector | None | - - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|----------------|--------------------------|------------|---------| -| zscaler_lss | zscalerlss_zpa-app | netproxy | none | -| zscaler_lss | zscalerlss_zpa_auth | netproxy | none | -| zscaler_lss | zscalerlss_zpa_auth | netproxy | none | -| zscaler_lss | zscalerlss_zpa_connector | netproxy | none | - - -### Filter type - -MSG Parse: This filter parses message content - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
-* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration - * Select TCP or SSL transport option - * Ensure the format of the event is customized per Splunk documentation - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ZSCALER_LSS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_ZSCALER_LSS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ZSCALER_LSS | no | Enable archive to disk for this specific source | -| SC4S_DEST_ZSCALER_LSS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=zscalernss-* | stats count by host -``` diff --git a/docs/sources/CommonEventFormat/index.md b/docs/sources/base/cef.md similarity index 86% rename from docs/sources/CommonEventFormat/index.md rename to docs/sources/base/cef.md index c291333dfe..23538e01d5 100644 --- a/docs/sources/CommonEventFormat/index.md +++ b/docs/sources/base/cef.md @@ -1,4 +1,4 @@ -# Vendor - Common Event Format Data Sources +# Common Event Format (CEF) ## Product - Various products that send CEF-format messages via syslog 
@@ -16,14 +16,12 @@ for details. The source documentation included below is a reference baseline for any product that sends data using the CEF log path. - | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ | -| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm | - +| Splunk Add-on CEF | | +| Product Manual | | -### Splunk Metadata with CEF events +## Splunk Metadata with CEF events The keys (first column) in `splunk_metadata.csv` for CEF data sources have a slightly different meaning than those for non-CEF ones. The typical `vendor_product` syntax is instead replaced by checks against specific columns of the CEF event -- namely the first, @@ -41,10 +39,13 @@ product, and others representing a vendor and product coupled with one or more a metadata assignment (or overrides). Here is a snippet of a sample Imperva CEF event that includes a CEF device class entry (which is "Firewall"): + ``` Apr 19 10:29:53 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium| ``` + and the corresponding match in `splunk_metadata.csv`: + ``` Imperva Inc._SecureSphere_Firewall,sourcetype,imperva:waf:firewall:cef ``` @@ -71,7 +72,7 @@ Imperva Inc._SecureSphere_Firewall,sourcetype,imperva:waf:firewall:cef MSG Parse: This filter parses message content -### Options +## Options | Variable | default | description | |----------------|----------------|----------------| 
@@ -79,14 +80,5 @@ MSG Parse: This filter parses message content | SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_LISTEN_CEF_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef source=) -``` diff --git a/docs/sources/LogExtendedEventFormat/index.md b/docs/sources/base/leef.md similarity index 89% rename from docs/sources/LogExtendedEventFormat/index.md rename to docs/sources/base/leef.md index 282afb1560..214d9766cd 100644 --- a/docs/sources/LogExtendedEventFormat/index.md +++ b/docs/sources/base/leef.md @@ -1,4 +1,4 @@ -# Vendor - Log Extended Event Format +# Log Extended Event Format (LEEF) ## Product - Various products that send LEEF V1 and V2 format messages via syslog @@ -16,7 +16,7 @@ for details. The source documentation included below is a reference baseline for any product that sends data using the LEEF log path. -Some vendors implement LEEF v2.0 format events incorrectly, omitting the required "key=value" seperator field +Some vendors implement LEEF v2.0 format events incorrectly, omitting the required "key=value" seperator field from the LEEF header, thus forcing the consumer to assume the default tab `\t` character. SC4S will correctly process this omission, but will not correctly process other non-compliant formats. 
@@ -39,14 +39,12 @@ github. '%b %e %Y %H:%M:%S' ``` - | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| | Splunk Add-on LEEF | None | -| Product Manual | https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_LEEF_Format_Guide_intro.html | - +| Product Manual | | -### Splunk Metadata with LEEF events +## Splunk Metadata with LEEF events The keys (first column) in `splunk_metadata.csv` for LEEF data sources have a slightly different meaning than those for non-LEEF ones. The typical `vendor_product` syntax is instead replaced by checks against specific columns of the LEEF event -- namely the first and @@ -55,12 +53,14 @@ and `device_product`, respectively. `device_vendor`\_`device_product` - Here is a snippet of a sample LANCOPE event in LEEF 2.0 format: + ``` <111>Apr 19 10:29:53 3.3.3.3 LEEF:2.0|Lancope|StealthWatch|1.0|41|^|src=192.0.2.0^dst=172.50.123.1^sev=5^cat=anomaly^srcPort=81^dstPort=21^usrName=joe.black ``` + and the corresponding match in `splunk_metadata.csv`: + ``` Lancope_StealthWatch,source,lancope:stealthwatch ``` @@ -88,7 +88,7 @@ Lancope_StealthWatch,source,lancope:stealthwatch MSG Parse: This filter parses message content -### Options +## Options | Variable | default | description | |----------------|----------------|----------------| 
@@ -96,14 +96,4 @@ MSG Parse: This filter parses message content | SC4S_LISTEN_LEEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_LISTEN_LEEF_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_LEEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_LEEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=LEEF:* source=) -``` +| SC4S_DEST_LEEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | diff --git a/docs/sources/nix/index.md b/docs/sources/base/nix.md similarity index 77% rename from docs/sources/nix/index.md rename to docs/sources/base/nix.md index 47d42bd030..29ffbaef55 100644 --- a/docs/sources/nix/index.md +++ b/docs/sources/base/nix.md @@ -1,6 +1,4 @@ -# Vendor - Nix Generic - -## Product - All Products +# Generic *NIX Many appliance vendor utilize Linux and BSD distributions as the foundation of the solution. When configured to log via syslog, these devices' OS logs (from a security perspective) can be monitored using the common Splunk Nix TA. 
@@ -9,47 +7,35 @@ Note: This is NOT a replacement for or alternative to the Splunk Universal forwa server applications, the Universal Forwarder offers more comprehensive collection of events and metrics appropriate for both security and operations use cases. - - | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/833/ | - +| Splunk Add-on | | -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | nix:syslog | None | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| | nix_syslog | nix:syslog | osnix | none | - ### Filter type MSG Parse: This filter parses message content -### Setup and Configuration +## Setup and Configuration * Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. * Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. - -### Options +## Options | Variable | default | description | |----------------|----------------|----------------| | SC4S_ARCHIVE_NIX_SYSLOG | no | Enable archive to disk for this specific source | -| SC4S_DEST_NIX_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active proxy will generate frequent events. Use the following search to validate events are present per source device +| SC4S_DEST_NIX_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -``` -index=osnix sourcetype=nix:syslog | stats count by host -``` 
diff --git a/docs/sources/Simple/index.md b/docs/sources/base/simple.md
similarity index 94%
rename from docs/sources/Simple/index.md
rename to docs/sources/base/simple.md
index 2f336d0b26..b28f20d986 100644
--- a/docs/sources/Simple/index.md
+++ b/docs/sources/base/simple.md
@@ -1,6 +1,4 @@ -# Vendor - Neutral Simple Log path by port - -## Product - multiple +# Simple Log path by port The SIMPLE source configuration allows configuration of a log path for SC4S using a single port to a single index/sourcetype combination to quickly onboard new sources that have not been formally
@@ -10,18 +8,18 @@ supported in the product. Source data must use RFC5424 or a common variant of RF unique port. A dedicated log path should be developed for the data source to facilitate further parsing and enrichment, as well as allowing the potential sending of this data source over the default (514) listening port. - -### Splunk Metadata with SIMPLE events +## Splunk Metadata with SIMPLE events The keys (first column) in `splunk_metadata.csv` for SIMPLE data sources is a user-created key using the `vendor_product` convention. For example, to on-board a new product `first firewall` using a source type of `first:firewall` and index `netfw`, add the following two lines to the configuration file as shown: + ``` first_firewall,index,netfw first_firewall,sourcetype,first:firewall ``` -### Options +## Options For the variables below, replace `VENDOR_PRODUCT` with the key (converted to upper case) used in the `splunk_metadata.csv`. Based on the example above, to establish a tcp listener for `first firewall` we would use `SC4S_LISTEN_SIMPLE_FIRST_FIREWALL_TCP_PORT`.
@@ -32,7 +30,7 @@ Based on the example above, to establish a tcp listener for `first firewall` we | SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | | SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers | | SC4S_ARCHIVE_SIMPLE_VENDOR_PRODUCT | no | Enable archive to disk for this specific source | -| SC4S_DEST_SIMPLE_VENDOR_PRODUCT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_DEST_SIMPLE_VENDOR_PRODUCT_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | ### Important Notes
@@ -46,4 +44,3 @@ sources, either `SIMPLE` ones or those served by regular log paths, are not allo a given source. You can, of course, continue to listen for this source on the same unique ports after having developed the new log path, but use the `SC4S_LISTEN___PORT` form of the variable to ensure the newly developed log path will listen on the specified unique ports. -
diff --git a/docs/sources/index.md b/docs/sources/index.md
index d886a115b0..866ef4934d 100644
--- a/docs/sources/index.md
+++ b/docs/sources/index.md
@@ -1,4 +1,5 @@ # Introduction + When using Splunk Connect for Syslog to onboard a data source, the syslog-ng "app-parser" performs the operations that are traditionally performed at index-time by the corresponding Technical Add-on installed there. These index-time operations include linebreaking, source/sourcetype setting and timestamping. For this reason, if a data source is exclusively onboarded using SC4S then you will not need to install its corresponding Add-On on the indexers. You must, however, install the Add-on on the search head(s) for the user communities interested in this data source. SC4S is designed to process "syslog" refering to IETF RFC standards 5424, legacy BSD syslog, RFC3164 (Not a standard document), and may "almost" syslog formats. @@ -11,9 +12,9 @@ definition of a specific port which will be used as a property of the event or b * Define a specific port for vmware and reconfigure sources to use the defined port "SC4S_LISTEN_VMWARE_VSPHERE_TCP=9000". Any events arriving on port 9000 will now have a metadata field attached ".netsource.sc4s_vendor_product=VMWARE_VSPHERE" * Define a "app-parser" to apply the metadata field by using a syslog-ng filter to apply the metadata field. -## Supporting previously unknown sources. +## Supporting previously unknown sources -Many log sources can be supported using one of the flexible options available without specific code known as app-parsers. +Many log sources can be supported using one of the flexible options available without specific code known as app-parsers. * Sources that are *compliant* with RFC 5424,RFC 5425, RFC 5426, or RFC 6587 can be onboarded as [simple sources](https://splunk.github.io/splunk-connect-for-syslog/main/sources/Simple/) * Sources "compatible" with RFC3164 Note incorrect use of the syslog version, or "creative" formats in the time stamp or other fields may prevent use as [simple sources](https://splunk.github.io/splunk-connect-for-syslog/main/sources/Simple/) 
@@ -61,7 +62,7 @@ to correctly parse and handle the event. The following example is take from a cu }; ``` -### Standard Syslog using message parsing +## Standard Syslog using message parsing Syslog data conforming to RFC3164 or complying with RFC standards mentioned above can be processed with an app-parser allowing the use of the default port rather than requiring custom ports the following example take from a currently supported source uses the value of "program" to identify the source as this program value is @@ -84,17 +85,17 @@ block parser alcatel_switch-parser() { }; }; application alcatel_switch[sc4s-syslog] { - filter { + filter { program('swlogd' type(string) flags(prefix)); - }; + }; parser { alcatel_switch-parser(); }; }; ``` -### Standard Syslog vendor product by source +## Standard Syslog vendor product by source In some cases standard syslog is also generic and can not be disambiguated from other sources by message content alone. -When this happens and only a single source type is desired the "simple" option above is valid but requires managing a port. +When this happens and only a single source type is desired the "simple" option above is valid but requires managing a port. The following example allows use of a named port OR the vendor product by source configuration. ```c @@ -113,7 +114,7 @@ block parser dell_poweredge_cmc-parser() { }; }; application dell_poweredge_cmc[sc4s-network-source] { - filter { + filter { ("${.netsource.sc4s_vendor_product}" eq "dell_poweredge_cmc" or "${SOURCE}" eq "s_DELL_POWEREDGE_CMC") and "${fields.sc4s_vendor_product}" eq "" 
@@ -142,26 +143,28 @@ block parser cisco_ios_debug-postfilter() { }; }; application cisco_ios_debug-postfilter[sc4s-postfilter] { - filter { + filter { "${fields.sc4s_vendor_product}" eq "cisco_ios" #Note regex reads as # start from first position # Any atleast 1 char that is not a `-` # constant '-7-' and message('^%[^\-]+-7-'); - }; + }; parser { cisco_ios_debug-postfilter(); }; }; ``` ## The SC4S "fallback" sourcetype -If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help. +If SC4S receives an event on port 514 which has no soup filter, that event will be given a "fallback" sourcetype. If you see events in Splunk with the fallback sourcetype, then you should figure out what source the events are from and determine why these events are not being sourcetyped correctly. The most common reason for events categorized as "fallback" is the lack of a SC4S filter for that source, and in some cases a misconfigured relay which alters the integrity of the message format. In most cases this means a new SC4S filter must be developed. In this situation you can either build a filter or file an issue with the community to request help. 
The "fallback" sourcetype is formatted in JSON to allow the administrator to see the constituent syslog-ng "macros" (fields) that have been autmaticially parsed by the syslog-ng server An RFC3164 (legacy BSD syslog) "on the wire" raw message is usually (but unfortunately not always) comprised of the following syslog-ng macros, in this order and spacing: + ``` <$PRI> $HOST $LEGACY_MSGHDR$MESSAGE ``` + These fields can be very useful in building a new filter for that sourcetype. In addition, the indexed field `sc4s_syslog_format` is helpful in determining if the incoming message is standard RFC3164. A value of anything other than `rfc3164` or `rfc5424_strict` indicates a vendor purturbation of standard syslog, which will warrant more careful examination when building a filter. ## Splunk Connect for Syslog and Splunk metadata
diff --git a/docs/sources/vendor/AVI/index.md b/docs/sources/vendor/AVI/index.md
new file mode 100644
index 0000000000..c20fc95cf3
--- /dev/null
+++ b/docs/sources/vendor/AVI/index.md
@@ -0,0 +1,26 @@
+# Common
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | https://avinetworks.com/docs/latest/syslog-formats/ |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| avi:events | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| avi_vantage | avi:events | netops | none |
diff --git a/docs/sources/vendor/Alcatel/Switch.md b/docs/sources/vendor/Alcatel/Switch.md
new file mode 100644
index 0000000000..64afcf9bf3
--- /dev/null
+++ b/docs/sources/vendor/Alcatel/Switch.md
@@ -0,0 +1,26 @@
+# Switch
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| alcatel:switch | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| alcatel_switch | alcatel:switch | netops | none |
+
diff --git a/docs/sources/vendor/Alsid/Alsid.md b/docs/sources/vendor/Alsid/Alsid.md
new file mode 100644
index 0000000000..fcb6a20e0c
--- /dev/null
+++ b/docs/sources/vendor/Alsid/Alsid.md
@@ -0,0 +1,29 @@
+# Alsid
+
+The product has been purchased and republished under a new product name by Tenable this configuration
+is obsolete.
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/5173/ |
+| Product Manual | unknown |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| alsid:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| alsid_syslog | alsid:syslog | oswinsec | none |
diff --git a/docs/sources/Arista/index.md b/docs/sources/vendor/Arista/index.md
similarity index 50%
rename from docs/sources/Arista/index.md
rename to docs/sources/vendor/Arista/index.md
index 1fc2a1d221..9a6634a6fb 100644
--- a/docs/sources/Arista/index.md
+++ b/docs/sources/vendor/Arista/index.md
@@ -1,47 +1,27 @@ -# Vendor - Arista +# EOS +## Key facts -## Product - EOS Switch +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| | Splunk Add-on | None | | Product Manual | unknown | -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | arista:eos:* | None | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| | arista_eos | arista:eos | netops | none | | arista_eos_$PROCESSNAME | arista:eosq | netops | The "process" field is used from the event | -### Filter type - -MSG Parsing - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_ARISTA_EOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_ARISTA_EOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_ARISTA_EOS | no | Enable archive to disk for this specific source | -| SC4S_DEST_ARISTA_EOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=arista:eos:* | stats count by host -```
diff --git a/docs/sources/vendor/Aruba/ap.md b/docs/sources/vendor/Aruba/ap.md
new file mode 100644
index 0000000000..bd6c5fb7df
--- /dev/null
+++ b/docs/sources/vendor/Aruba/ap.md
@@ -0,0 +1,43 @@
+# Access Points
+
+## Key facts
+
+* MSG Format based filter (Partial)
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| aruba:syslog | Dynamically Created |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| aruba_ap | netops | none |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-aruba_ap.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-aruba_ap[sc4s-vps] {
+ filter {
+ host("aruba-ap-*" type(glob))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('aruba')
+ product('ap')
+ );
+ };
+};
+```
\ No newline at end of file
diff --git a/docs/sources/vendor/Aruba/clearpass.md b/docs/sources/vendor/Aruba/clearpass.md
new file mode 100644
index 0000000000..6e5af0d94a
--- /dev/null
+++ b/docs/sources/vendor/Aruba/clearpass.md
@@ -0,0 +1,44 @@
+# Clearpass
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| aruba:clearpass | Dynamically Created |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| aruba_clearpass | print | none |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-aruba_clearpass.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-aruba_clearpass[sc4s-vps] {
+ filter {
+ host("aruba-cp-*" type(glob))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('aruba')
+ product('clearpass')
+ );
+ };
+};
+
+
+```
diff --git a/docs/sources/Avaya/index.md b/docs/sources/vendor/Avaya/index.md
similarity index 52%
rename from docs/sources/Avaya/index.md
rename to docs/sources/vendor/Avaya/index.md
index f3adaafd10..f8276d95fc 100644
--- a/docs/sources/Avaya/index.md
+++ b/docs/sources/vendor/Avaya/index.md
@@ -1,7 +1,12 @@ -# Vendor - Avaya +# SIP Manager +## Key facts -## Product - Avaya Sip Manager +* MSG Format based filter +* Legacy BSD Format default port 514/UDP +* Vendor source is not conformant to RFC3194 by improperly sending unescaped `\n` Use of TCP will cause dataloss + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------|
@@ -9,37 +14,15 @@ | Product Manual | unknown | -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | avaya:avaya | None | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| | avaya_sipmgr | avaya:avaya | main | none | -### Filter type - -This filter uses msg parsgin. - -### Setup and Configuration - -The source device send non compliant syslog format (legacy bsd based) with embeded new line and no IETF frames this source must - be configured to use UDP protocol. - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_AVAYA_SIPMGR_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=avaya:sipmgr| stats count by host -```
diff --git a/docs/sources/BeyondTrust/index.md b/docs/sources/vendor/BeyondTrust/sra.md
similarity index 54%
rename from docs/sources/BeyondTrust/index.md
rename to docs/sources/vendor/BeyondTrust/sra.md
index 52cbf0ec62..69076be07d 100644
--- a/docs/sources/BeyondTrust/index.md
+++ b/docs/sources/vendor/BeyondTrust/sra.md
@@ -1,47 +1,32 @@ -# Vendor - Beyond Trust +# Secure Remote Access (Bomgar) +## Key facts -## Product - Secure Remote Access (Bomgar) +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| | Splunk Add-on | None | | Product Manual | unknown | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | beyondtrust:sra | None | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| | beyondtrust_sra | beyondtrust:sra | infraops | none | -### Filter type - -MSG Parsing - -### Setup and Configuration - -Device setup unknown - -### Options +## Options | Variable | default | description | |----------------|----------------|----------------| -| SC4S_ARCHIVE_BEYONDTRUST_SRA | no | Enable archive to disk for this specific source | -| SC4S_DEST_BEYONDTRUST_SRA_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_DEST_BEYONDTRUST_SRA_SPLUNK_HEC_FMT | json | Restructure data from vendor format to json for splunk destinations | -| SC4S_DEST_BEYONDTRUST_SRA_SYSLOG_FMT | json | Restructure data from vendor format to SDATA for SYSLOG destinations | - -### Verification - -An active device will generate frequent events. 
Use the following search to validate events are present per source device
-
-```
-index= sourcetype=beyondtrust:sra | stats count by host
-```
+| SC4S_DEST_BEYONDTRUST_SRA_SPLUNK_HEC_FMT | JSON | Restructure data from vendor format to json for splunk destinations set to "NONE" for native format |
+| SC4S_DEST_BEYONDTRUST_SRA_SYSLOG_FMT | SDATA | Restructure data from vendor format to SDATA for SYSLOG destinations set to "NONE" for native ormat|
diff --git a/docs/sources/vendor/Broadcom/brightmail.md b/docs/sources/vendor/Broadcom/brightmail.md
new file mode 100644
index 0000000000..22ad6515fa
--- /dev/null
+++ b/docs/sources/vendor/Broadcom/brightmail.md
@@ -0,0 +1,33 @@
+# Brightmail
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | TBD |
+| Product Manual | https://support.symantec.com/us/en/article.howto38250.html |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| symantec:smg | Requires version TA 3.6 |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| symantec_brightmail | symantec:smg | email | none |
+
+
+## Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG | yes | Email processing events generated by the bmserver process will be grouped by host+program+pid+msg ID into a single event |
\ No newline at end of file
diff --git a/docs/sources/vendor/Broadcom/dlp.md b/docs/sources/vendor/Broadcom/dlp.md
new file mode 100644
index 0000000000..9b17508bdf
--- /dev/null
+++ b/docs/sources/vendor/Broadcom/dlp.md
@@ -0,0 +1,27 @@
+# Symantec DLP
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on Symatec DLP | https://splunkbase.splunk.com/app/3029/ |
+| Add-on Manual | http://docs.splunk.com/Documentation/AddOns/latest/SymantecDLP/About |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------------|---------------------------------------------------------------------------------------------------------|
+| symantec:dlp:syslog | None |
+
+## Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| symantec_dlp | symantec:dlp:syslog | netauth | none |
+
diff --git a/docs/sources/vendor/Broadcom/ep.md b/docs/sources/vendor/Broadcom/ep.md
new file mode 100644
index 0000000000..d5ad91d825
--- /dev/null
+++ b/docs/sources/vendor/Broadcom/ep.md
@@ -0,0 +1,39 @@
+# Symantec Endpoint Protection (SEPM)
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+* KNOWN DATA LOSS ISSUE - The implementation of the syslog output component causes a "burst" behavior when run on schedule this burst can be larger than the udp buffer size on the source and or destination (sc4s) there is no possible workaround and the use of the Splunk Universal Forwarder to monitor file based output is recommended.
+
+## Product - Symantec Endpoint Protection
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2772/ |
+| Product Manual | https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------------|---------------------------------------------------------------------------------------------------------|
+| symantec:ep:syslog | Warning the syslog method of accepting EP logs has been reported to show high data loss and is not Supported by Splunk |
+| symantec:ep:admin:syslog | none |
+| symantec:ep:agent:syslog | none |
+| symantec:ep:agt:system:syslog | none |
+| symantec:ep:behavior:syslog | none |
+| symantec:ep:packet:syslog | none |
+| symantec:ep:policy:syslog | none |
+| symantec:ep:proactive:syslog | none |
+| symantec:ep:risk:syslog | none |
+| symantec:ep:scan:syslog | none |
+| symantec:ep:scm:system:syslog | none |
+| symantec:ep:security:syslog | none |
+| symantec:ep:traffic:syslog | none |
+
+## Index Configuration
+
+| key | index | notes |
+|----------------|----------------|----------------|
+| symantec_ep | epav | none |
diff --git a/docs/sources/vendor/Broadcom/proxy.md b/docs/sources/vendor/Broadcom/proxy.md
new file mode 100644
index 0000000000..4725f0b8b7
--- /dev/null
+++ b/docs/sources/vendor/Broadcom/proxy.md
@@ -0,0 +1,45 @@
+
+# ProxySG/ASG
+
+Symantec now Broadcom ProxySG/ASG is formerly known as the "Bluecoat" proxy
+
+Broadcom products are inclusive of products formerly marketed under Symantec and Bluecoat brands.
+
+## Key facts
+
+* MSG Format based filter
+* The standard/default bluecoat syslog configurations are NOT supported a SC4S specific configuration is provided below
+* RFC5424 without IETF Frame must use 514/TCP or 6514/TLS
+
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2758/ |
+| Product Manual | https://support.symantec.com/us/en/article.tech242216.html |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| bluecoat:proxysg:access:kv | Requires version TA 3.6 |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| bluecoat_proxy | bluecoat:proxysg:access:kv | netproxy | none |
+
+
+## Setup and Configuration
+
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized as follows
+
+```
+<111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc)Z $(s-computername) bluecoat - splunk_format - c-ip=$(c-ip) rs-Content-Type=$(quot)$(rs(Content-Type))$(quot) cs-auth-groups=$(cs-auth-groups) cs-bytes=$(cs-bytes) cs-categories=$(cs-categories) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-port=$(cs-uri-port) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent))$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) 
rs-version=$(rs-version) s-action=$(s-action) s-ip=$(s-ip) service.name=$(service.name) service.group=$(service.group) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer))$(quot) c-cpu=$(c-cpu) connect-time=$(connect-time) cs-auth-groups=$(cs-auth-groups) cs-headerlength=$(cs-headerlength) cs-threat-risk=$(cs-threat-risk) r-ip=$(r-ip) r-supplier-ip=$(r-supplier-ip) rs-time-taken=$(rs-time-taken) rs-server=$(rs(server)) s-connect-type=$(s-connect-type) s-icap-status=$(s-icap-status) s-sitename=$(s-sitename) s-source-port=$(s-source-port) s-supplier-country=$(s-supplier-country) sc-Content-Encoding=$(sc(Content-Encoding)) sr-Accept-Encoding=$(sr(Accept-Encoding)) x-auth-credential-type=$(x-auth-credential-type) x-cookie-date=$(x-cookie-date) x-cs-certificate-subject=$(x-cs-certificate-subject) x-cs-connection-negotiated-cipher=$(x-cs-connection-negotiated-cipher) x-cs-connection-negotiated-cipher-size=$(x-cs-connection-negotiated-cipher-size) x-cs-connection-negotiated-ssl-version=$(x-cs-connection-negotiated-ssl-version) x-cs-ocsp-error=$(x-cs-ocsp-error) x-cs-Referer-uri=$(x-cs(Referer)-uri) x-cs-Referer-uri-address=$(x-cs(Referer)-uri-address) x-cs-Referer-uri-extension=$(x-cs(Referer)-uri-extension) x-cs-Referer-uri-host=$(x-cs(Referer)-uri-host) x-cs-Referer-uri-hostname=$(x-cs(Referer)-uri-hostname) x-cs-Referer-uri-path=$(x-cs(Referer)-uri-path) x-cs-Referer-uri-pathquery=$(x-cs(Referer)-uri-pathquery) x-cs-Referer-uri-port=$(x-cs(Referer)-uri-port) x-cs-Referer-uri-query=$(x-cs(Referer)-uri-query) x-cs-Referer-uri-scheme=$(x-cs(Referer)-uri-scheme) x-cs-Referer-uri-stem=$(x-cs(Referer)-uri-stem) x-exception-category=$(x-exception-category) x-exception-category-review-message=$(x-exception-category-review-message) 
x-exception-company-name=$(x-exception-company-name) x-exception-contact=$(x-exception-contact) x-exception-details=$(x-exception-details) x-exception-header=$(x-exception-header) x-exception-help=$(x-exception-help) x-exception-last-error=$(x-exception-last-error) x-exception-reason=$(x-exception-reason) x-exception-sourcefile=$(x-exception-sourcefile) x-exception-sourceline=$(x-exception-sourceline) x-exception-summary=$(x-exception-summary) x-icap-error-code=$(x-icap-error-code) x-rs-certificate-hostname=$(x-rs-certificate-hostname) x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category) x-rs-certificate-observed-errors=$(x-rs-certificate-observed-errors) x-rs-certificate-subject=$(x-rs-certificate-subject) x-rs-certificate-validate-status=$(x-rs-certificate-validate-status) x-rs-connection-negotiated-cipher=$(x-rs-connection-negotiated-cipher) x-rs-connection-negotiated-cipher-size=$(x-rs-connection-negotiated-cipher-size) x-rs-connection-negotiated-ssl-version=$(x-rs-connection-negotiated-ssl-version) x-rs-ocsp-error=$(x-rs-ocsp-error) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-query=$(quot)$(cs-uri-query)$(quot) c-uri-pathquery=$(c-uri-pathquery)
+```
+
+
diff --git a/docs/sources/vendor/Broadcom/sslva.md b/docs/sources/vendor/Broadcom/sslva.md
new file mode 100644
index 0000000000..92366a01d0
--- /dev/null
+++ b/docs/sources/vendor/Broadcom/sslva.md
@@ -0,0 +1,25 @@
+# SSL Visibility Appliance
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------------|---------------------------------------------------------------------------------------------------------|
+| broadcom:sslva | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|----------------|----------------|
+| broadcom_sslva | netproxy | none |
diff --git a/docs/sources/vendor/Brocade/switch.md b/docs/sources/vendor/Brocade/switch.md
new file mode 100644
index 0000000000..172bafe0bc
--- /dev/null
+++ b/docs/sources/vendor/Brocade/switch.md
@@ -0,0 +1,45 @@
+# Switch
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Product - Switches
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| brocade:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| brocade_syslog | brocade:syslog | netops | none |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-brocade_syslog.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-brocade_syslog[sc4s-vps] {
+ filter {
+ host("^test_brocade-")
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('brocade')
+ product('syslog')
+ );
+ };
+};
+
+```
diff --git a/docs/sources/vendor/Buffalo/index.md b/docs/sources/vendor/Buffalo/index.md
new file mode 100644
index 0000000000..2a3f156703
--- /dev/null
+++ b/docs/sources/vendor/Buffalo/index.md
@@ -0,0 +1,45 @@
+# Terastation
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| buffalo:terastation | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| buffalo_terastation | buffalo:terastation | infraops | none |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-buffalo_terastation.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-buffalo_terastation[sc4s-vps] {
+ filter {
+ host("^test_buffalo_terastation-")
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('buffalo')
+ product('terastation')
+ );
+ };
+};
+
+```
diff --git a/docs/sources/vendor/Checkpoint/firewallos.md b/docs/sources/vendor/Checkpoint/firewallos.md
new file mode 100644
index 0000000000..267e1b8334
--- /dev/null
+++ b/docs/sources/vendor/Checkpoint/firewallos.md
@@ -0,0 +1,42 @@
+
+# Firewall OS
+
+Firewall OS format is by devices supporting a direct Syslog output
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cp_log:fw:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_fw | cp_log:fw:syslog | netops | none |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-checkpoint_fw.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-checkpoint_fw[sc4s-vps] {
+ filter {
+ host("^checkpoint_fw-")
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('checkpoint')
+ product('fw')
+ );
+ };
+};
+
+```
\ No newline at end of file
diff --git a/docs/sources/vendor/Checkpoint/logexporter_5424.md b/docs/sources/vendor/Checkpoint/logexporter_5424.md
new file mode 100644
index 0000000000..80bed61d2a
--- /dev/null
+++ b/docs/sources/vendor/Checkpoint/logexporter_5424.md
@@ -0,0 +1,79 @@
+# Log Exporter (Syslog)
+
+## Key Facts
+
+* As of 2/1/2022 The Log Exporter configuration provided by CheckPoint is defective and produces invalid data the configuration below is REQUIRED
+* MSG Format based filter
+* RFC5424 without frame use port 514 TCP
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cp_log:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk | cp_log:syslog | netops | none |
+
+## Source and Index Configuration
+
+Checkpoint Software blades with CIM mapping have been sub-grouped into sources
+to allow routing to appropriate indexes. All other source meta data is left at default
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk_dlp | dlp | netdlp | none |
+| checkpoint_splunk_email | email | email | none |
+| checkpoint_splunk_firewall | firewall | netfw | none |
+| checkpoint_splunk_sessions | sessions | netops | none |
+| checkpoint_splunk_web | web | netproxy | none |
+| checkpoint_splunk_audit | audit | netops | none |
+| checkpoint_splunk_endpoint | endpoint | netops | none |
+| checkpoint_splunk_network | network | netops |
+| checkpoint_splunk_ids | ids | netids |
+| checkpoint_splunk_ids_malware | ids_malware | netids |
+
+## Source Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
+* To configure the valid syslog format in Checkpoint, follow the steps below
+* Go to the cp terminal
+* Enter expert command for login in expert mode
+* Enter cd $EXPORTERDIR
+* Then navigate to conf directory
+* Execute cp SyslogFormatDefination.xml SplunkRecommendedFormatDefinition.xml
+* Open SplunkRecommendedFormatDefinition.xml in edit mode and modify the start_message_body,fields_seperatator,field_value_seperatator as shown below.
+
+```xml
+[sc4s@2620
+```
+
+```xml
+
+```
+
+```xml
+=
+```
+
+* Copy SplunkRecommendedFormatDefinition.xml into $EXPORTERDIR/targets//conf
+* Navigate to the configuration file $EXPORTERDIR/targets//conf/targetConfigurationSample.xml and open it in edit mode.
+* Add the reference to the SplunkRecommendedFormatDefinition.xml under the key . For example, if $EXPORTERDIR=/opt/CPrt-R81/log_exporter, the absolute path will become:
+
+```xml
+/opt/CPrt-R81/log_exporter/targets//conf/SplunkRecommendedFormatDefinition.xml
+```
+
+* Restart cp_log_exporter by executing the command cp_log_export restart name
+
+* Warning: Make sure if you migrating to different format, the earlier format is disabled or else it would lead to data duplication.
+
diff --git a/docs/sources/vendor/Checkpoint/logexporter_legacy.md b/docs/sources/vendor/Checkpoint/logexporter_legacy.md
new file mode 100644
index 0000000000..b28d344277
--- /dev/null
+++ b/docs/sources/vendor/Checkpoint/logexporter_legacy.md
@@ -0,0 +1,63 @@
+# Log Exporter (Splunk)
+
+The "Splunk Format" is legacy and should not be used for new deployments see Log Exporter (Syslog)
+
+## Key Facts
+
+* Format is not conformant to RFC3164 avoid use
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+The Splunk `host` field will be derived as follows using the first match
+
+* Use the hostname field
+* Use the first CN component of origin_sic_name/originsicname
+* If host is not set from CN use the `hostname` field
+* If host is not set use the BSD syslog header host
+
+If the host is in the format `-v_` use `bladename` for host
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cp_log | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk | cp_log | netops | none |
+
+## Source and Index Configuration
+
+Checkpoint Software blades with CIM mapping have been sub-grouped into sources
+to allow routing to appropriate indexes. 
All other source meta data is left at default
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| checkpoint_splunk_dlp | dlp | netdlp | none |
+| checkpoint_splunk_email | email | email | none |
+| checkpoint_splunk_firewall | firewall | netfw | none |
+| checkpoint_splunk_os | program:${program} | netops | none |
+| checkpoint_splunk_sessions | sessions | netops | none |
+| checkpoint_splunk_web | web | netproxy | none |
+| checkpoint_splunk_audit | audit | netops | none |
+| checkpoint_splunk_endpoint | endpoint | netops | none |
+| checkpoint_splunk_network | network | netops |
+| checkpoint_splunk_ids | ids | netids |
+| checkpoint_splunk_ids_malware | ids_malware | netids |
+
+## Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL | no | Suppress any duplicate product+loguid pairs processed within 2 seconds of the last matching event |
+| SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES | empty string | when set to `yes` reverts host name selection order to originsicname-->origin_sic_name-->hostname |
diff --git a/docs/sources/vendor/Cisco/cisco_ace.md b/docs/sources/vendor/Cisco/cisco_ace.md
new file mode 100644
index 0000000000..05bb2e1307
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_ace.md
@@ -0,0 +1,24 @@
+# Application Control Engine (ACE)
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+## Links
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ace | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ace | cisco:ace | netops | none |
+
diff --git a/docs/sources/vendor/Cisco/cisco_acs.md b/docs/sources/vendor/Cisco/cisco_acs.md
new file mode 100644
index 0000000000..084592fa79
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_acs.md
@@ -0,0 +1,35 @@
+# Cisco Access Control System (ACS)
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:acs | Aggregation used |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_acs | cisco:acs | netauth | None |
+
+## Splunk Setup and Configuration
+
+* Replace the following extract using Splunk local configuration. Impacts version 1.5.0 of the addond
+
+```
+EXTRACT-AA-signature = CSCOacs_(?\S+):?
+# Note the value of this config is empty to disable
+EXTRACT-AA-syslog_message =
+EXTRACT-acs_message_header2 = ^CSCOacs_\S+\s+(?\S+)\s+(?\d+)\s+(?\d+)\s+(?.*)
+```
diff --git a/docs/sources/vendor/Cisco/cisco_asa.md b/docs/sources/vendor/Cisco/cisco_asa.md
new file mode 100644
index 0000000000..78f982cc84
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_asa.md
@@ -0,0 +1,46 @@
+# ASA/FTD (Firepower)
+
+## Key facts
+
+* Note Splunk "ASA" TA is also used for FTD appliances
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+
+# Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on for ASA (No long supports FWSM and PIX) | |
+| Cisco eStreamer for Splunk | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:asa | cisco FTD Firepower will also use this source type except those noted below |
+| cisco:ftd | cisco FTD Firepower will also use this source type except those noted below |
+| cisco:fwsm | Splunk has |
+| cisco:pix | cisco PIX will also use this source type except those noted below |
+| cisco:firepower:syslog | FTD Unified events see |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_asa | cisco:asa | netfw | none |
+| cisco_fwsm | cisco:fwsm | netfw | none |
+| cisco_pix | cisco:pix | netfw | none |
+| cisco_firepower | cisco:firepower:syslog | netids | none |
+| cisco_ftd | cisco:ftd | netfw | none |
+
+## Source Setup and Configuration
+
+* Follow vendor configuration steps per Product Manual above ensure:
+ * Log Level is 6 "Informational"
+ * Protocol is TCP/IP
+ * permit-hostdown is on
+ * device-id is hostname and included
+ * timestamp is included
+
diff --git a/docs/sources/vendor/Cisco/cisco_esa.md b/docs/sources/vendor/Cisco/cisco_esa.md
new file mode 100644
index 0000000000..a169bd1855
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_esa.md
@@ -0,0 +1,63 @@
+# Email Security Appliance (ESA)
+
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:esa:http | The HTTP logs of Cisco IronPort ESA record information about the secure HTTP services enabled on the interface. |
+| cisco:esa:textmail | Text mail logs of Cisco IronPort ESA record email information and status. |
+| cisco:esa:amp | Advanced Malware Protection (AMP) of Cisco IronPort ESA records malware detection and blocking, continuous analysis, and retrospective alerting details. |
+| cisco:esa:authentication | These logs record successful user logins and unsuccessful login attempts. |
+| cisco:esa:cef | The Consolidated Event Logs summarizes each message event in a single log line. |
+| cisco:esa:error_logs | Error logs of Cisco IronPort ESA records error that occured for ESA configurations or internal issues. |
+| cisco:esa:content_scanner | Content scanner logs of Cisco IronPort ESA scans messages that contain password-protected attachments for
+malicious activity and data privacy. |
+| cisco:esa:antispam | Anti-spam logs record the status of the anti-spam scanning feature of your system, including the status on receiving updates of the latest anti-spam rules. Also, any logs related to the Context Adaptive Scanning Engine are logged here. |
+| cisco:esa:system_logs | System logs record the boot information, virtual appliance license expiration alerts, DNS status information, and comments users typed using commit command. 
|
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_esa | cisco:esa:http | email | None |
+| cisco_esa | cisco:esa:textmail | email | None |
+| cisco_esa | cisco:esa:amp | email | None |
+| cisco_esa | cisco:esa:authentication | email | None |
+| cisco_esa | cisco:esa:cef | email | None |
+| cisco_esa | cisco:esa:error_logs | email | None |
+| cisco_esa | cisco:esa:content_scanner | email | None |
+| cisco_esa | cisco:esa:antispam | email | None |
+| cisco_esa | cisco:esa:system_logs | email | None |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-cisco_esa.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-cisco_esa[sc4s-vps] {
+ filter {
+ host("^esa-")
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('esa')
+ );
+ };
+};
+
+```
\ No newline at end of file
diff --git a/docs/sources/vendor/Cisco/cisco_imc.md b/docs/sources/vendor/Cisco/cisco_imc.md
new file mode 100644
index 0000000000..15a2d82204
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_imc.md
@@ -0,0 +1,24 @@
+# Cisco Integrated Management Controller (IMC)
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+| Product Manual | multiple |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ucm | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_cimc | cisco:infraops | infraops | None |
+
diff --git a/docs/sources/vendor/Cisco/cisco_ios.md b/docs/sources/vendor/Cisco/cisco_ios.md
new file mode 100644
index 0000000000..0dbbfc4848
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_ios.md
@@ -0,0 +1,68 @@
+# Cisco Networking (IOS and Compatible)
+
+Cisco Network Products of multiple types share common logging characteristics the following types are known to be compatible:
+
+* Cisco AireOS (AP & WLC)
+* Cisco APIC/ACI
+* Cisco IOS
+* Cisco IOS-XR
+* Cisco IOS-XE
+* Cisco NX-OS
+* Cisco FX-OS
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| IOS Manual | |
+| NX-OS Manual | |
+| Cisco ACI | |
+| Cisco WLC & AP | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ios | This source type is also used for NX-OS, ACI and WLC product lines |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ios | cisco:ios | netops | none |
+
+### Filter type
+
+* Cisco IOS products can be identified by message parsing alone
+* Cisco WLC, and ACI products must be identified by host or ip assignment update the filter `f_cisco_ios` as required
+
+## Setup and Configuration
+
+* IOS Follow vendor configuration steps per Product Manual above ensure:
+ * Ensure a reliable NTP server is set and synced
+ * Log Level is 6 "Informational"
+ * Protocol is TCP/IP
+ * permit-hostdown is on
+ * device-id is hostname and included
+ * timestamp is included
+* NX-OS Follow vendor configuration steps per Product Manual above ensure:
+ * Ensure a reliable NTP server is set and synced
+ * Log Level is 6 "Informational" user may select alternate levels by module based on use cases
+ * Protocol is TCP/IP
+ * device-id is hostname and included
+ * timestamp is included and milisecond accuracy selected
+* ACI Logging configuration 
of the ACI product often varies by use case.
+ * Ensure NTP sync is configured and active
+ * Ensure proper host names are configured
+* WLC
+ * Ensure NTP sync is configured and active
+ * Ensure proper host names are configured
+ * For security use cases per AP logging is required
+
diff --git a/docs/sources/vendor/Cisco/cisco_ise.md b/docs/sources/vendor/Cisco/cisco_ise.md
new file mode 100644
index 0000000000..53d712cd6f
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_ise.md
@@ -0,0 +1,25 @@
+## Cisco Identity Services Engine (ISE)
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ise:syslog | Aggregation used |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ise | cisco:ise:syslog | netauth | None |
diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md
new file mode 100644
index 0000000000..4437c04905
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_meraki.md
@@ -0,0 +1,45 @@
+## Meraki (MR, MS, MX, MV)
+
+## Key facts
+
+* MSG Format based filter (Partial)
+* Requires vendor product by source configuration
+* None conformant legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| meraki | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmenation into more appropriate indexes |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-cisco_meraki.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-cisco_meraki[sc4s-vps] {
+ filter {
+ host("^testcm-")
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('meraki')
+ );
+ };
+};
+```
\ No newline at end of file
diff --git a/docs/sources/vendor/Cisco/cisco_tvcs.md b/docs/sources/vendor/Cisco/cisco_tvcs.md
new file mode 100644
index 0000000000..a635ce9791
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_tvcs.md
@@ -0,0 +1,20 @@
+# TelePresence Video Communication Server (TVCS)
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:vcs | none |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_tvcs | cisco:tvcs | main | none |
+
diff --git a/docs/sources/vendor/Cisco/cisco_ucm.md b/docs/sources/vendor/Cisco/cisco_ucm.md
new file mode 100644
index 0000000000..407d4073bb
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_ucm.md
@@ -0,0 +1,25 @@
+# Unified Communications Manager (UCM)
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+# Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+| Product Manual | multiple |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ucm | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ucm | cisco:ucm | ucm | None |
diff --git a/docs/sources/vendor/Cisco/cisco_ucshx.md b/docs/sources/vendor/Cisco/cisco_ucshx.md
new file mode 100644
index 0000000000..a9e4d96e50
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_ucshx.md
@@ -0,0 +1,26 @@
+# Unified Computing System (UCS)
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+| Product Manual | multiple |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cisco:ucs | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_ucs | cisco:ucs | infraops | None |
+
diff --git a/docs/sources/vendor/Cisco/cisco_wsa.md b/docs/sources/vendor/Cisco/cisco_wsa.md
new file mode 100644
index 0000000000..02101cceba
--- /dev/null
+++ b/docs/sources/vendor/Cisco/cisco_wsa.md
@@ -0,0 +1,60 @@
+# Web Security Appliance (WSA)
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf`` update the host or ip mask for ``f_cisco_wsa`` to identiy the wsa squid events prior to WSA v11.7 and ``f_cisco_wsa11-7`` to identify the squid events since WSA v11.7. Update the host or ip mask for ``f_cisco_wsa_w3crecommended`` to identify the wsa w3c events since WSA v12.5.
+
+## Sourcetypes
+
+| cisco:wsa:l4tm | The L4TM logs of Cisco IronPort WSA record sites added to the L4TM block and allow lists. |
+| cisco:wsa:squid | The access logs of Cisco IronPort WSA version prior to 11.7 record Web Proxy client history in squid. |
+| cisco:wsa:squid:new | The access logs of Cisco IronPort WSA version since 11.7 record Web Proxy client history in squid. |
+| cisco:wsa:w3c:recommended | The access logs of Cisco IronPort WSA version since 12.5 record Web Proxy client history in W3C. |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| cisco_wsa | cisco:wsa:l4tm | netproxy | None |
+| cisco_wsa | cisco:wsa:squid | netproxy | None |
+| cisco_wsa | cisco:wsa:squid:new | netproxy | None |
+| cisco_wsa | cisco:wsa:w3c:recommended | netproxy | None |
+
+### Filter type
+
+IP, Netmask or Host
+
+## Source Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* WSA Follow vendor configuration steps per Product Manual.
+* Ensure host and timestamp are included.
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-cisco_wsa.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-cisco_wsa[sc4s-vps] {
+ filter {
+ host("^wsa-")
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('wsa')
+ );
+ };
+};
+```
\ No newline at end of file
diff --git a/docs/sources/vendor/Citrix/netscaler.md b/docs/sources/vendor/Citrix/netscaler.md
new file mode 100644
index 0000000000..a576dc3eae
--- /dev/null
+++ b/docs/sources/vendor/Citrix/netscaler.md
@@ -0,0 +1,29 @@
+# Netscaler ADC/SDX
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| citrix:netscaler:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| citrix_netscaler | citrix:netscaler:syslog | netfw | none |
+
+## Source Setup and Configuration
+
+* Follow vendor configuration steps per Product Manual above. Ensure the data format selected is "DDMMYYYY"
diff --git a/docs/sources/Cohesity/index.md b/docs/sources/vendor/Cohesity/cluster.md
similarity index 54%
rename from docs/sources/Cohesity/index.md
rename to docs/sources/vendor/Cohesity/cluster.md
index 779c40e9fc..6784622421 100644
--- a/docs/sources/Cohesity/index.md
+++ b/docs/sources/vendor/Cohesity/cluster.md
@@ -1,49 +1,28 @@ -# Vendor - Cohesity +# Cluster +## Key facts -## Product - Switches +* MSG Format based filter +* None conformant legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| | Splunk Add-on | None | | Product Manual | unknown | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | cohesity:cluster:audit | None | | cohesity:cluster:dataprotection | None | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| | cohesity_cluster_audit | cohesity:cluster:audit | infraops | none | | cohesity_cluster_dataprotection | cohesity:cluster:dataprotection | infraops | none | -### Filter type - -MSG Parsing - -### Setup and Configuration - -Device setup unknown - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_COHESITY_CLUSTER_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_COHESITY_CLUSTER_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_COHESITY_CLUSTER | no | Enable archive to disk for this specific source | -| SC4S_DEST_COHESITY_CLUSTER_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=cohesity:cluster:* | stats count by host -``` 
diff --git a/docs/sources/vendor/CyberArk/epv.md b/docs/sources/vendor/CyberArk/epv.md
new file mode 100644
index 0000000000..4e0c835d13
--- /dev/null
+++ b/docs/sources/vendor/CyberArk/epv.md
@@ -0,0 +1,26 @@
+# Vendor - CyberArk
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+## Product - EPV
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CyberArk | |
+| Add-on Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cyberark:epv:cef | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| CyberArk_Vault | cyberark:epv:cef | netauth | none |
+
diff --git a/docs/sources/vendor/CyberArk/pta.md b/docs/sources/vendor/CyberArk/pta.md
new file mode 100644
index 0000000000..d8d31fc8aa
--- /dev/null
+++ b/docs/sources/vendor/CyberArk/pta.md
@@ -0,0 +1,26 @@
+# PTA
+
+## Key facts
+
+* MSG Format based filter
+* None conformant legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CyberArk | |
+| Add-on Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cyberark:pta:cef | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| Cyber-Ark_Vault | cyberark:pta:cef | main | none |
+
diff --git a/docs/sources/Cylance/index.md b/docs/sources/vendor/Cylance/protect.md similarity index 79% rename from docs/sources/Cylance/index.md rename to docs/sources/vendor/Cylance/protect.md index cf9d03fc33..dbb4365514 100644 --- a/docs/sources/Cylance/index.md +++ b/docs/sources/vendor/Cylance/protect.md @@ -1,13 +1,18 @@ -# Vendor - Cylance +# Protect -## Product - Protect + +## Key facts + +* MSG Format based filter +* None conformant legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CyberArk | https://splunkbase.splunk.com/app/3709/ | +| Splunk Add-on CyberArk | | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| @@ -38,23 +43,3 @@ | cylance_protect_scriptcontrol | syslog_script_control | epintel | none | | cylance_protect_optics | syslog_optics | epintel | none | -### Filter type - -MSG Parse: This filter parses message content - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CYLANCE_PROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | - - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype=cef sourcetype="syslog_*") -``` diff --git a/docs/sources/vendor/Dell/cmc.md b/docs/sources/vendor/Dell/cmc.md new file mode 100644 index 0000000000..bd8bf9bbcf --- /dev/null +++ b/docs/sources/vendor/Dell/cmc.md 
@@ -0,0 +1,45 @@
+# CMC (VRTX)
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+| Add-on Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| dell:poweredge:cmc:syslog | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| dell_poweredge_cmc | dell:poweredge:cmc:syslog | infraops | none |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-dell_cmc.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-dell_cmc[sc4s-vps] {
+ filter {
+ host("test-dell-cmc-" type(string) flags(prefix))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('dell')
+ product('poweredge_cmc')
+ );
+ };
+};
+```
\ No newline at end of file
diff --git a/docs/sources/vendor/Dell/emc_powerswitchn.md b/docs/sources/vendor/Dell/emc_powerswitchn.md
new file mode 100644
index 0000000000..dc8a94966c
--- /dev/null
+++ b/docs/sources/vendor/Dell/emc_powerswitchn.md
@@ -0,0 +1,27 @@
+# EMC Powerswitch N Series
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| dell:emc:powerswitch:n | None |
+| nix:syslog | Non conforming messages |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| dellemc_powerswitch_n | all | netops | none |
+
diff --git a/docs/sources/vendor/Dell/idrac.md b/docs/sources/vendor/Dell/idrac.md
new file mode 100644
index 0000000000..872ffde900
--- /dev/null
+++ b/docs/sources/vendor/Dell/idrac.md
@@ -0,0 +1,26 @@
+# iDrac
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+| Add-on Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| dell:poweredge:idrac:syslog | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| dell_poweredge_idrac | dell:poweredge:idrac:syslog | infraops | none |
+
diff --git a/docs/sources/vendor/Dell/rsa_secureid.md b/docs/sources/vendor/Dell/rsa_secureid.md
new file mode 100644
index 0000000000..94bfec6b6e
--- /dev/null
+++ b/docs/sources/vendor/Dell/rsa_secureid.md
@@ -0,0 +1,49 @@
+# RSA SecureID
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| rsa:securid:syslog | Catchall; used if a more specific source type can not be identified |
+| rsa:securid:admin:syslog | None |
+| rsa:securid:runtime:syslog | None | rsa:securid:system:syslog | None |
+| nix:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| dell_rsa_secureid | all | netauth | none |
+| dell_rsa_secureid | nix:syslog | osnix | uses os_nix key of not configured bye host/ip/port |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-dell_rsa_secureid.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-dell_rsa_secureid[sc4s-vps] {
+ filter {
+ host("test_rsasecureid*" type(glob))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('dell')
+ product('rsa_secureid')
+ );
+ };
+};
+```
\ No newline at end of file
diff --git a/docs/sources/F5/index.md b/docs/sources/vendor/F5/bigip.md
similarity index 54%
rename from docs/sources/F5/index.md
rename to docs/sources/vendor/F5/bigip.md
index b54c79e7b0..4dc8ec2789 100644
--- a/docs/sources/F5/index.md
+++ b/docs/sources/vendor/F5/bigip.md
@@ -1,15 +1,18 @@ -# Vendor - F5 +# BigIP +## Key facts -## Product - BigIP +* Requires vendor product by source configuration +* Legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2680/ | +| Splunk Add-on | | | Product Manual | unknown | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| @@ -24,7 +27,6 @@ | nix:syslog | None | | f5:bigip:ltm:access_json | User defined configuration via irule producing a RFC5424 syslog event with json content within the message field `<111>1 2020-05-28T22:48:15Z foo.example.com F5 - access_json - {"event_type":"HTTP_REQUEST", "src_ip":"10.66.98.41"}` This source type requires a customer specific Splunk Add-on for utility value | - ### Index Configuration | key | index | notes | 
@@ -36,31 +38,23 @@ | f5_bigip_nix | netops | if `f_f5_bigip` is not set the index osnix will be used | | f5_bigip_access_json | netops | none | -### Filter type -* MSGPARSE: sourcetypes with the exception of f5:bigip:syslog -* `f5:bigip:syslog` Must be identified by host or ip assignment. Update the `vendor_product_by_source.conf` filter `f_f5_bigip` or configure a dedicated port as required +## Parser Configuration -### Setup and Configuration +```c +#/opt/sc4s/local/app-parsers/app-vps-f5_bigip.conf +#File name provided is a suggestion it must be globally unique -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used, -* the addon is not required on the indexer. -* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. -* Refer to the admin manual for specific details of configuration. +application app-vps-test-f5_bigip[sc4s-vps] { + filter { + "${HOST}" eq "f5_bigip" + }; + parser { + p_set_netsource_fields( + vendor('f5') + product('bigip') + ); + }; +}; -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_F5_BIGIP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_F5_BIGIP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_F5_BIGIP | no | Enable archive to disk for this specific source | -| SC4S_DEST_F5_BIGIP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=f5:bigip:*| stats count by host ``` 
diff --git a/docs/sources/vendor/FireEye/cms.md b/docs/sources/vendor/FireEye/cms.md
new file mode 100644
index 0000000000..0c0b5a8239
--- /dev/null
+++ b/docs/sources/vendor/FireEye/cms.md
@@ -0,0 +1,24 @@
+# CMS
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for FireEye | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| fe_cef_syslog ||
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| FireEye_CMS |fe_cef_syslog |fireeye|
diff --git a/docs/sources/vendor/FireEye/emps.md b/docs/sources/vendor/FireEye/emps.md
new file mode 100644
index 0000000000..2df60800e6
--- /dev/null
+++ b/docs/sources/vendor/FireEye/emps.md
@@ -0,0 +1,24 @@
+# eMPS
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for FireEye | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| fe_cef_syslog ||
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| FireEye_eMPS |fe_cef_syslog |fireeye|
diff --git a/docs/sources/vendor/FireEye/etp.md b/docs/sources/vendor/FireEye/etp.md
new file mode 100644
index 0000000000..42e9499942
--- /dev/null
+++ b/docs/sources/vendor/FireEye/etp.md
@@ -0,0 +1,24 @@
+# etp
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for FireEye | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| fe_etp | source does not provide host name constant "etp.fireeye.com" is use regardless of region |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| FireEye_ETP | fe_etp | fireeye |
diff --git a/docs/sources/vendor/FireEye/hx.md b/docs/sources/vendor/FireEye/hx.md
new file mode 100644
index 0000000000..0f5a34364d
--- /dev/null
+++ b/docs/sources/vendor/FireEye/hx.md
@@ -0,0 +1,25 @@
+# hx
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for FireEye | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| hx_cef_syslog ||
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| fireeye_hx |hx_cef_syslog |fireeye|
+
diff --git a/docs/sources/vendor/Forcepoint/index.md b/docs/sources/vendor/Forcepoint/index.md
new file mode 100644
index 0000000000..2de3b30838
--- /dev/null
+++ b/docs/sources/vendor/Forcepoint/index.md
@@ -0,0 +1,26 @@
+# Email Security
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | none |
+| Product Manual | none |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| forcepoint:email:kv | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| forcepoint_email | forcepoint:email:kv | email | none |
+
diff --git a/docs/sources/vendor/Forcepoint/webprotect.md b/docs/sources/vendor/Forcepoint/webprotect.md
new file mode 100644
index 0000000000..3c1f37d65d
--- /dev/null
+++ b/docs/sources/vendor/Forcepoint/webprotect.md
@@ -0,0 +1,27 @@
+
+# Webprotect (Websense)
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| websense:cg:kv | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| forcepoint_webprotect | websense:cg:kv | netproxy | none |
+
diff --git a/docs/sources/Fortinet/FortiGate_event.png b/docs/sources/vendor/Fortinet/FortiGate_event.png
similarity index 100%
rename from docs/sources/Fortinet/FortiGate_event.png
rename to docs/sources/vendor/Fortinet/FortiGate_event.png
diff --git a/docs/sources/Fortinet/FortiGate_traffic.png b/docs/sources/vendor/Fortinet/FortiGate_traffic.png
similarity index 100%
rename from docs/sources/Fortinet/FortiGate_traffic.png
rename to docs/sources/vendor/Fortinet/FortiGate_traffic.png
diff --git a/docs/sources/Fortinet/FortiGate_utm.png b/docs/sources/vendor/Fortinet/FortiGate_utm.png
similarity index 100%
rename from docs/sources/Fortinet/FortiGate_utm.png
rename to docs/sources/vendor/Fortinet/FortiGate_utm.png
diff --git a/docs/sources/vendor/Fortinet/fortios.md b/docs/sources/vendor/Fortinet/fortios.md
new file mode 100644
index 0000000000..2a8faf4f42
--- /dev/null
+++ b/docs/sources/vendor/Fortinet/fortios.md
@@ -0,0 +1,75 @@
+# Fortios
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| fgt_log | Catch-all sourcetype; not used by the TA |
+| fgt_traffic | None |
+| fgt_utm | None |
+| fgt_event | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| fortinet_fortios_traffic | fgt_traffic | netfw | none |
+| fortinet_fortios_utm | fgt_utm | netfw | none |
+| fortinet_fortios_event | fgt_event | netops | none |
+| fortinet_fortios_log | fgt_log | netops | none |
+
+## Source Setup and Configuration
+
+* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.
+
+```
+config log memory filter
+
+set forward-traffic enable
+
+set local-traffic enable
+
+set sniffer-traffic disable
+
+set anomaly enable
+
+set voip disable
+
+set multicast-traffic enable
+
+set dns enable
+
+end
+
+config system global
+
+set cli-audit-log enable
+
+end
+
+config log setting
+
+set neighbor-event enable
+
+end
+
+```
+
+## Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX | fgt | Notice starting with version 1.6 of the fortinet add-on and app the sourcetype required changes from `fgt_*` to `fortinet_*` this is a breaking change to use the new sourcetype set this variable to `fortigate` in the env_file |
+
diff --git a/docs/sources/vendor/Fortinet/fortiweb.md b/docs/sources/vendor/Fortinet/fortiweb.md
new file mode 100644
index 0000000000..4b6a9e7a31
--- /dev/null
+++ b/docs/sources/vendor/Fortinet/fortiweb.md
@@ -0,0 +1,63 @@
+# FortiWeb
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| fgt_log | Catch-all sourcetype; not used by the TA |
+| fwb_traffic | None |
+| fwb_attack | None |
+| fwb_event | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| fortinet_fortiweb_traffic | fwb_traffic | netfw | none |
+| fortinet_fortiweb_attack | fwb_attack | netids | none |
+| fortinet_fortiweb_event | fwb_event | netops | none |
+| fortinet_fortiweb_log | fwb_log | netops | none |
+
+## Source Setup and Configuration
+
+* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.
+
+```
+config log syslog-policy
+
+edit splunk
+
+config syslog-server-list
+
+edit 1
+
+set server x.x.x.x
+
+set port 514 (Example. Should be the same as default or dedicated port selected for sc4s)
+
+end
+
+end
+
+config log syslogd
+
+set policy splunk
+
+set status enable
+
+end
+
+```
+
diff --git a/docs/sources/vendor/GitHub/index.md b/docs/sources/vendor/GitHub/index.md
new file mode 100644
index 0000000000..311d738242
--- /dev/null
+++ b/docs/sources/vendor/GitHub/index.md
@@ -0,0 +1,26 @@
+# Enterprise Server
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| github:enterprise:audit | The audit logs of GitHub Enterprise server have information about audites actions performed by github user. |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| github_ent | github:enterprise:audit | gitops | None |
+
diff --git a/docs/sources/vendor/HAProxy/syslog.md b/docs/sources/vendor/HAProxy/syslog.md
new file mode 100644
index 0000000000..54dc3fe086
--- /dev/null
+++ b/docs/sources/vendor/HAProxy/syslog.md
@@ -0,0 +1,26 @@
+# HAProxy
+
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| haproxy:tcp | Default syslog format |
+| haproxy:splunk:http | Splunk's documented custom format. Note: detection is based on `client_ip` prefix in message |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| haproxy_syslog | netlb | none |
diff --git a/docs/sources/vendor/HPe/ilo.md b/docs/sources/vendor/HPe/ilo.md
new file mode 100644
index 0000000000..6b45ac24c7
--- /dev/null
+++ b/docs/sources/vendor/HPe/ilo.md
@@ -0,0 +1,21 @@
+# ILO (4+)
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| hpe:ilo | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| hpe_ilo | infraops | none |
+
diff --git a/docs/sources/vendor/HPe/jedirect.md b/docs/sources/vendor/HPe/jedirect.md
new file mode 100644
index 0000000000..9478ee3344
--- /dev/null
+++ b/docs/sources/vendor/HPe/jedirect.md
@@ -0,0 +1,25 @@
+
+## JetDirect
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| hpe:jetdirect | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| hpe_jetdirect | print | none |
+
diff --git a/docs/sources/vendor/HPe/procurve.md b/docs/sources/vendor/HPe/procurve.md
new file mode 100644
index 0000000000..826627d68c
--- /dev/null
+++ b/docs/sources/vendor/HPe/procurve.md
@@ -0,0 +1,28 @@
+# Procurve Switch
+
+HP Procurve switches have multiple log formats used.
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Switch | |
+| Switch (A Series) (Flex) | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| hpe:procurve | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| hpe_procurve | netops | none |
+
diff --git a/docs/sources/vendor/IBM/datapower.md b/docs/sources/vendor/IBM/datapower.md
new file mode 100644
index 0000000000..d22231296b
--- /dev/null
+++ b/docs/sources/vendor/IBM/datapower.md
@@ -0,0 +1,39 @@
+# Data power
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ibm:datapower:syslog | Common sourcetype |
+| ibm:datapower:* | * is taken from the event sourcetype |
+ |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| ibm_datapower | na | inifraops | none |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-ibm_datapower.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-ibm_datapower[sc4s-vps] {
+ filter {
+ host("^test-ibmdp-")
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('ibm')
+ product('datapower')
+ );
+ };
+};
+
+```
diff --git a/docs/sources/vendor/ISC/bind.md b/docs/sources/vendor/ISC/bind.md
new file mode 100644
index 0000000000..dd0f0ab9c1
--- /dev/null
+++ b/docs/sources/vendor/ISC/bind.md
@@ -0,0 +1,27 @@
+# bind
+
+This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired
+see that source documentation for instructions
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| isc:bind | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| isc_bind | isc:bind | none |
diff --git a/docs/sources/vendor/ISC/dhcpd.md b/docs/sources/vendor/ISC/dhcpd.md
new file mode 100644
index 0000000000..f25d615d27
--- /dev/null
+++ b/docs/sources/vendor/ISC/dhcpd.md
@@ -0,0 +1,46 @@
+
+# dhcpd
+
+This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired
+see that source documentation for instructions
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| isc:dhcp | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| isc_dhcp | isc:dhcp | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+## Options
+
+None
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=isc:dhcp")
+```
diff --git a/docs/sources/vendor/Imperva/incapusla.md b/docs/sources/vendor/Imperva/incapusla.md
new file mode 100644
index 0000000000..914b422c61
--- /dev/null
+++ b/docs/sources/vendor/Imperva/incapusla.md
@@ -0,0 +1,34 @@
+# Incapsula
+
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | |
+| Splunk Add-on Source Specific | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+## Source
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Imperva:Incapsula | Common sourcetype |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none |
+
diff --git a/docs/sources/vendor/Imperva/waf.md b/docs/sources/vendor/Imperva/waf.md
new file mode 100644
index 0000000000..8524007c5b
--- /dev/null
+++ b/docs/sources/vendor/Imperva/waf.md
@@ -0,0 +1,29 @@
+
+# On-Premises WAF (SecureSphere WAF)
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|-------|
+| imperva:waf | none |
+| imperva:waf:firewall:cef | none |
+| imperva:waf:security:cef | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------------------|----------|----------------|
+| Imperva Inc._SecureSphere | netwaf | none |
+
diff --git a/docs/sources/vendor/InfoBlox/index.md b/docs/sources/vendor/InfoBlox/index.md
new file mode 100644
index 0000000000..c30667f43d
--- /dev/null
+++ b/docs/sources/vendor/InfoBlox/index.md
@@ -0,0 +1,56 @@
+# NIOS
+
+Warning: Despite the TA indication this data source is CIM compliant all versions of NIOS including the most recent available as of 2019-12-17 do not support the DNS data model correctly. For DNS security use cases use Splunk Stream instead.
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| infoblox:dns | None |
+| infoblox:dhcp | None |
+| infoblox:threat | None |
+| nix:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| infoblox_nios_dns | infoblox:dns | netdns | none |
+| infoblox_nios_dhcp | infoblox:dhcp | netipam | none |
+| infoblox_nios_threat | infoblox:threatprotect | netids | none |
+| infoblox_nios_audit | infoblox:audit | netops | none |
+| infoblox_nios_fallback | infoblox:port | netops | none |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-infoblox_nios.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-infoblox_nios[sc4s-vps] {
+ filter {
+ host("infoblox-*" type(glob))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('infoblox')
+ product('nios')
+ );
+ };
+};
+
+
+```
diff --git a/docs/sources/vendor/Juniper/junos.md b/docs/sources/vendor/Juniper/junos.md
new file mode 100644
index 0000000000..b0346b8fe3
--- /dev/null
+++ b/docs/sources/vendor/Juniper/junos.md
@@ -0,0 +1,34 @@
+# JunOS
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|-------------------|-------------------------------------------------------------------------|
+| Splunk Add-on | |
+| JunOS TechLibrary | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|------------------------------------------------------------------|
+| juniper:junos:firewall | None |
+| juniper:junos:firewall:structured | None |
+| juniper:junos:idp | None |
+| juniper:junos:idp:structured | None |
+| juniper:junos:aamw:structured | None |
+| juniper:junos:secintel:structured | None |
+| juniper:junos:snmp | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------------------|------------------------|----------------|---------------|
+| juniper_junos_flow | juniper:junos:firewall | netfw | none |
+| juniper_junos_idp | juniper:junos:idp | netids | none |
+| juniper_junos_utm | juniper:junos:firewall | netfw | none |
+
diff --git a/docs/sources/vendor/Juniper/netscreen.md b/docs/sources/vendor/Juniper/netscreen.md
new file mode 100644
index 0000000000..7fc50f87f8
--- /dev/null
+++ b/docs/sources/vendor/Juniper/netscreen.md
@@ -0,0 +1,26 @@
+## Netscreen
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Netscreen Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|-------------------------|------------------------------------------------------------------------------------------------|
+| netscreen:firewall | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|------------------------|---------------------|----------------|---------------|
+| juniper_netscreen | netscreen:firewall | netfw | none |
+
diff --git a/docs/sources/vendor/McAfee/epo.md b/docs/sources/vendor/McAfee/epo.md
new file mode 100644
index 0000000000..7ad92cdf55
--- /dev/null
+++ b/docs/sources/vendor/McAfee/epo.md
@@ -0,0 +1,72 @@
+# EPO
+
+## Key facts
+
+* MSG Format based filter
+* Source requires use of TLS legacy BSD port 6514
+* TLS Certificate must be trusted by EPO instance
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| mcafee:epo:syslog | none |
+
+## Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| policy_auditor_vulnerability_assessment | Policy Auditor Vulnerability Assessment events |
+| mcafee_agent | McAfee Agent events |
+| mcafee_endpoint_security | McAfee Endpoint Security events |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| mcafee_epo | epav | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+## Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MCAFEE_EPO_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_MCAFEE_EPO | no | Enable archive to disk for this specific source |
+| SC4S_DEST_MCAFEE_EPO_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+| SC4S_SOURCE_TLS_ENABLE | no | This must be set to yes so that SC4S listens for encrypted syslog from ePO
+
+### Additional setup
+
+You must create a certificate for the SC4S server to receive encrypted syslog from ePO. A self-signed certificate is fine. 
Generate a self-signed certificate on the SC4S host:
+
+`openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /opt/sc4s/tls/server.key -out /opt/sc4s/tls/server.pem`
+
+Uncomment the following line in `/lib/systemd/system/sc4s.service` to allow the docker container to use the certificate:
+
+`Environment="SC4S_TLS_DIR=-v :/etc/syslog-ng/tls:z"`
+
+### Troubleshooting
+
+from the command line of the SC4S host, run this: `openssl s_client -connect localhost:6514`
+
+The message:
+
+```
+socket: Bad file descriptor
+connect:errno=9
+```
+
+indicates that SC4S is not listening for encrypted syslog. Note that a `netstat` may show the port open, but it is not accepting encrypted traffic as configured.
+
+It may take several minutes for the syslog option to be available in the `registered servers` dropdown.
diff --git a/docs/sources/vendor/McAfee/nsp.md b/docs/sources/vendor/McAfee/nsp.md
new file mode 100644
index 0000000000..10215f99a2
--- /dev/null
+++ b/docs/sources/vendor/McAfee/nsp.md
@@ -0,0 +1,35 @@
+
+# Network Security Platform
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+| ---------- | ----- |
+| mcafee:nsp | none |
+
+## Source
+
+| source | notes |
+| ------------------- | ----------------------------------- |
+| mcafee:nsp:alert | Alert/Attack Events |
+| mcafee:nsp:audit | Audit Event or User Activity Events |
+| mcafee:nsp:fault | Fault Events |
+| mcafee:nsp:firewall | Firewall Events |
+
+### Index Configuration
+
+| key | index | notes |
+| ---------- | ---------- | ----- |
+| mcafee_nsp | netids | none |
+
diff --git a/docs/sources/vendor/McAfee/wg.md b/docs/sources/vendor/McAfee/wg.md
new file mode 100644
index 0000000000..e1535e0ada
--- /dev/null
+++ b/docs/sources/vendor/McAfee/wg.md
@@ -0,0 +1,25 @@
+## Web Gateway
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| mcafee:wg:kv | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| mcafee_wg | netproxy | none |
diff --git a/docs/sources/vendor/Microfocus/arcsight.md b/docs/sources/vendor/Microfocus/arcsight.md
new file mode 100644
index 0000000000..be69167e30
--- /dev/null
+++ b/docs/sources/vendor/Microfocus/arcsight.md
@@ -0,0 +1,31 @@
+# Arcsight Internal Agent
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+## Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ArcSight:ArcSight | Internal logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| ArcSight_ArcSight | ArcSight:ArcSight | main | none |
+
diff --git a/docs/sources/vendor/Microfocus/windows.md b/docs/sources/vendor/Microfocus/windows.md
new file mode 100644
index 0000000000..e140eb23db
--- /dev/null
+++ b/docs/sources/vendor/Microfocus/windows.md
@@ -0,0 +1,35 @@
+# Arcsight Microsoft Windows (CEF)
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | |
+| Splunk Add-on CEF | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+## Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
+| CEFEventLog:Microsoft Windows | Windows Security Event Logs |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
+| Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |
+
diff --git a/docs/sources/vendor/Microsoft/index.md b/docs/sources/vendor/Microsoft/index.md
new file mode 100644
index 0000000000..191ea84ab3
--- /dev/null
+++ b/docs/sources/vendor/Microsoft/index.md
@@ -0,0 +1,32 @@
+# Cloud App Security (MCAS)
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | |
+| Splunk Add-on Source Specific | none |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+## Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| microsoft:cas | Common sourcetype |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| MCAS_SIEM_Agent | microsoft:cas | main | none |
diff --git a/docs/sources/vendor/Mikrotik/routeros.md b/docs/sources/vendor/Mikrotik/routeros.md
new file mode 100644
index 0000000000..239c11d290
--- /dev/null
+++ b/docs/sources/vendor/Mikrotik/routeros.md
@@ -0,0 +1,43 @@
+# RouterOS
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+* RouterOS will send ISC Bind and ISC DHCPD events
+
+## Links
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| routeros | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| mikrotik_routeros | netops | none |
+| mikrotik_routeros_fw | netfw | Used for events with forward: |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-mikrotik_routeros.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-mikrotik_routeros[sc4s-vps] {
+ filter {
+ host("test-mrtros-" type(string) flags(prefix))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('mikrotik')
+ product('routeros')
+ );
+ };
+};
+
+```
diff --git a/docs/sources/vendor/NetApp/ontap.md b/docs/sources/vendor/NetApp/ontap.md
new file mode 100644
index 0000000000..2eacc9c6a7
--- /dev/null
+++ b/docs/sources/vendor/NetApp/ontap.md
@@ -0,0 +1,26 @@
+# OnTap
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| netapp:ems | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| netapp_ontap | netapp:ems | infraops | none |
+
diff --git a/docs/sources/vendor/Netmotion/reporting.md b/docs/sources/vendor/Netmotion/reporting.md
new file mode 100644
index 0000000000..2e4ae0f4a7
--- /dev/null
+++ b/docs/sources/vendor/Netmotion/reporting.md
@@ -0,0 +1,26 @@
+# Reporting
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | none |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| netmotion:reporting | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| netmotion_reporting | netmotion:reporting | netops | none |
+
diff --git a/docs/sources/vendor/Novell/netiq.md b/docs/sources/vendor/Novell/netiq.md
new file mode 100644
index 0000000000..3c2791121b
--- /dev/null
+++ b/docs/sources/vendor/Novell/netiq.md
@@ -0,0 +1,26 @@
+# NetIQ
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| novell:netiq | none |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| novell_netiq | novell_netiq | netauth | None |
+
diff --git a/docs/sources/vendor/Ossec/ossec.md b/docs/sources/vendor/Ossec/ossec.md
new file mode 100644
index 0000000000..28fb9d1535
--- /dev/null
+++ b/docs/sources/vendor/Ossec/ossec.md
@@ -0,0 +1,25 @@
+# Ossec
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ossec | The add-on supports data from the following sources: File Integrity Management (FIM) data, FTP data, su data, ssh data, Windows data, including audit and logon information |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| ossec_ossec | ossec | main | None |
diff --git a/docs/sources/vendor/PaloaltoNetworks/cortexxdr.md b/docs/sources/vendor/PaloaltoNetworks/cortexxdr.md
new file mode 100644
index 0000000000..97b9f64924
--- /dev/null
+++ b/docs/sources/vendor/PaloaltoNetworks/cortexxdr.md
@@ -0,0 +1,24 @@
+# Cortext
+
+## Key facts
+
+* MSG Format based filter
+* Cortex requires TLS and uses IETF Framed SYSLOG default port is 6587
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|-------|
+| pan:*| | Sourcetypes and keys compatible with NGFW are supported |
+| pan:xsoar | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------------------|----------|----------------|
+| Palo Alto Networks_Palo Alto Networks Cortex XSOAR | epintel | none |
+
diff --git a/docs/sources/vendor/PaloaltoNetworks/panos.md b/docs/sources/vendor/PaloaltoNetworks/panos.md
new file mode 100644
index 0000000000..57504a275e
--- /dev/null
+++ b/docs/sources/vendor/PaloaltoNetworks/panos.md
@@ -0,0 +1,72 @@
+# panos
+
+## Key facts
+
+* MSG Format based filter from NGFW, PANORAMA OR CORTEX data lake
+* Legacy BSD Format default port 514 used by default. "Default TCP/UDP" is 30% slower than prefered IETF Framed
+* IMPORTANT IETF Framed syslog must use port 601
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| pan:log | None |
+| pan:pan_globalprotect | none |
+| pan:traffic | None |
+| pan:threat | None |
+| pan:system | None |
+| pan:config | None |
+| pan:hipmatch | None |
+| pan:correlation | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| pan_panos_log | pan:log | netops | none |
+| pan_panos_globalprotect | pan:pan_globalprotect | netfw | none |
+| pan_tpanos_raffic | pan:traffic | netfw | none |
+| pan_panos_threat | pan:threat | netproxy | none |
+| pan_panos_system | pan:system | netops | none |
+| pan_panos_config | pan:config | netops | none |
+| pan_panos_hipmatch | pan:hipmatch | netops | none |
+| pan_panos_correlation | pan:correlation | netops | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+## Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. 
+* Refer to the admin manual for specific details of configuration
+ * Select TCP or SSL transport option
+ * Select IETF Format
+ * Ensure the format of the event is not customized
+
+## Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_PULSE_PAN_PANOS_RFC6587_PORT | empty string | Enable a TCP using IETF Framing (RFC6587) port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_PAN_PANOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_PAN_PANOS | no | Enable archive to disk for this specific source |
+| SC4S_DEST_PAN_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active firewall will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=pan:*| stats count by host
+```
+
+
diff --git a/docs/sources/vendor/PaloaltoNetworks/traps.md b/docs/sources/vendor/PaloaltoNetworks/traps.md
new file mode 100644
index 0000000000..b7ec965a0f
--- /dev/null
+++ b/docs/sources/vendor/PaloaltoNetworks/traps.md
@@ -0,0 +1,25 @@
+## TRAPS
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|-------|
+| pan:traps4 | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------------------|----------|----------------|
+| Palo Alto Networks_Traps Agent | epintel | none |
+
diff --git a/docs/sources/vendor/Pfsense/firewall.md b/docs/sources/vendor/Pfsense/firewall.md
new file mode 100644
index 0000000000..bd2eac5651
--- /dev/null
+++ b/docs/sources/vendor/Pfsense/firewall.md
@@ -0,0 +1,49 @@
+# Firewall
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| pfsense:filterlog | None |
+| pfsense:* | All programs other than filterlog |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| pfsense | pfsense | netops | none |
+| pfsense_filterlog | pfsense:filterlog | netfw | none |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-pfsense_firewall.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-pfsense_firewall[sc4s-vps] {
+ filter {
+ "${HOST}" eq "pfsense_firewall"
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('pfsense')
+ product('firewall')
+ );
+ };
+};
+
+
+```
diff --git a/docs/sources/vendor/Polycom/rprm.md b/docs/sources/vendor/Polycom/rprm.md
new file mode 100644
index 0000000000..fbb51a1fdb
--- /dev/null
+++ b/docs/sources/vendor/Polycom/rprm.md
@@ -0,0 +1,25 @@
+# RPRM
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | none |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| polycom:rprm:syslog | |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| polycom_rprm | polycom:rprm:syslog | netops | none |
diff --git a/docs/sources/vendor/Proofpoint/index.md b/docs/sources/vendor/Proofpoint/index.md
new file mode 100644
index 0000000000..4cddd5224c
--- /dev/null
+++ b/docs/sources/vendor/Proofpoint/index.md
@@ -0,0 +1,50 @@
+# Proofpoint Protection Server
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+* NOTE: This filter will simply parse the syslog message itself, and will _not_ perform the (required) re-assembly of related
+messages to create meaningful final output. This will require follow-on processing in Splunk.
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| pps_filter_log | |
+| pps_mail_log | This sourcetype will conflict with sendmail itself, so will require that the PPS send syslog on a dedicated port or be uniquely identifiable with a hostname glob or CIDR block if this sourcetype is desired for PPS. |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| proofpoint_pps_filter | pps_filter_log | email | none |
+| proofpoint_pps_sendmail | pps_mail_log | email | none |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-proofpoint_pps.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-proofpoint_pps[sc4s-vps] {
+ filter {
+ host("pps-*" type(glob))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('proofpoint')
+ product('pps')
+ );
+ };
+};
+
+
+```
diff --git a/docs/sources/vendor/Pulse/connectsecure.md b/docs/sources/vendor/Pulse/connectsecure.md
new file mode 100644
index 0000000000..52d124f318
--- /dev/null
+++ b/docs/sources/vendor/Pulse/connectsecure.md
@@ -0,0 +1,28 @@
+# Pulse
+
+## Key facts
+
+* Requires vendor product by source configuration
+* IETF Frames use port 601/tcp or 6587/TLS
+
+## Links
+
+| Ref | Link |
+|-------------------|-------------------------------------------------------------------------|
+| Splunk Add-on | |
+| JunOS TechLibrary | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|------------------------------------------------------------------|
+| pulse:connectsecure | None |
+| pulse:connectsecure:web | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------------------|------------------------|----------------|---------------|
+| pulse_connect_secure | pulse:connectsecure | netfw | none |
+| pulse_connect_secure_web | pulse:connectsecure:web | netproxy | none |
+
diff --git a/docs/sources/vendor/PureStorage/array.md b/docs/sources/vendor/PureStorage/array.md
new file mode 100644
index 0000000000..022b33fae1
--- /dev/null
+++ b/docs/sources/vendor/PureStorage/array.md
@@ -0,0 +1,28 @@
+# Array
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None note TA published on Splunk base does not include syslog extractions |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| purestorage:array | |
+| purestorage:array:${class} | This type is generated from the message |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| purestorage_array | purestorage:array | infraops | None |
+| purestorage_array_${class} | purestorage:array:class | infraops | class is extracted as the string following "purity." |
+
diff --git a/docs/sources/vendor/Qumulo/storage.md b/docs/sources/vendor/Qumulo/storage.md
new file mode 100644
index 0000000000..5f4c75eaef
--- /dev/null
+++ b/docs/sources/vendor/Qumulo/storage.md
@@ -0,0 +1,25 @@
+# Storage
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|-------------------|-------------------------------------------------------------------------|
+| Splunk Add-on | none |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|--------------------------|------------------------------------------------------------------|
+| qumulo:storage | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------------------|------------------------|----------------|---------------|
+| qumulo_storage | qumulo:storage | infraops | none |
+
diff --git a/docs/sources/vendor/Radware/defensepro.md b/docs/sources/vendor/Radware/defensepro.md
new file mode 100644
index 0000000000..79a44c6c55
--- /dev/null
+++ b/docs/sources/vendor/Radware/defensepro.md
@@ -0,0 +1,26 @@
+# DefensePro
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | Note this add-on does not provide functional extractions |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| radware:defensepro | Note some events do not contain host |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| radware_defensepro | radware:defensepro | netops | none |
+
diff --git a/docs/sources/vendor/Raritan/dsx.md b/docs/sources/vendor/Raritan/dsx.md
new file mode 100644
index 0000000000..3b7b68f22c
--- /dev/null
+++ b/docs/sources/vendor/Raritan/dsx.md
@@ -0,0 +1,48 @@ +# DSX + +## Key facts + +* Requires vendor product by source configuration +* Legacy BSD Format default port 514 + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | none | +| Product Manual | | + +## Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| raritan:dsx | Note events do not contain host | + +## Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| raritan_dsx | raritan:dsx | infraops | none | + + + +## Parser Configuration + +```c +#/opt/sc4s/local/app-parsers/app-vps-raritan_dsx.conf +#File name provided is a suggestion it must be globally unique + +application app-vps-test-raritan_dsx[sc4s-vps] { + filter { + host("raritan_dsx*" type(glob)) + }; + parser { + p_set_netsource_fields( + vendor('raritan') + product('dsx') + ); + }; +}; + + +``` diff --git a/docs/sources/Ricoh/index.md b/docs/sources/vendor/Ricoh/mfp.md similarity index 56% rename from docs/sources/Ricoh/index.md rename to docs/sources/vendor/Ricoh/mfp.md index cd582188b4..61edb30ab2 100644 --- a/docs/sources/Ricoh/index.md +++ b/docs/sources/vendor/Ricoh/mfp.md 
@@ -1,48 +1,32 @@ -# Vendor - Ricoh +# MFP +## Key facts -## Product - MFP +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| | Splunk Add-on | None | | Product Manual | unknown | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | ricoh:mfp | None | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| | ricoh_syslog | ricoh:mfp | printer | none | -### Filter type - -MSG Parsing - -### Setup and Configuration - -Device setup unknown - -### Options +## SC4S Options | Variable | default | description | |----------------|----------------|----------------| -| SC4S_LISTEN_RICOH_SYSLOG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_RICOH_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_RICOH_SYSLOG | no | Enable archive to disk for this specific source | -| SC4S_DEST_RICOH_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | -| SC4S_SOURCE_RICOH_SYSLOG_FIXHOST | yes | Current firmware incorrectly sends the value of HOST in the program field if this is ever corrected this value will need to be set back to no we suggest using yes | - -### Verification - -An active device will generate frequent events. 
Use the following search to validate events are present per source device +| SC4S_SOURCE_RICOH_SYSLOG_FIXHOST | yes | Current firmware incorrectly sends the value of HOST in the program field if this is ever corrected this value will need to be set back to no we suggest using yes | -``` -index= sourcetype=alcatel:switch | stats count by host -``` diff --git a/docs/sources/vendor/Schneider/apc.md b/docs/sources/vendor/Schneider/apc.md new file mode 100644 index 0000000000..3c44d54ef5 --- /dev/null +++ b/docs/sources/vendor/Schneider/apc.md @@ -0,0 +1,48 @@ +# APC Power systems + +## Key facts + +* Requires vendor product by source configuration +* Legacy BSD Format default port 514 + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | none | +| Product Manual | multiple | + +## Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| apc:syslog | None | + +## Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +| schneider_apc | apc:syslog | main | none | + + +## Parser Configuration + +```c +#/opt/sc4s/local/app-parsers/app-vps-schneider_apc.conf +#File name provided is a suggestion it must be globally unique + +application app-vps-test-schneider_apc[sc4s-vps] { + filter { + host("test_apc-*" type(glob)) + }; + parser { + p_set_netsource_fields( + vendor('schneider') + product('apc') + ); + }; +}; + + + +``` diff --git a/docs/sources/vendor/Solace/evenbroker.md b/docs/sources/vendor/Solace/evenbroker.md new file mode 100644 index 0000000000..db0a2e1dce --- /dev/null +++ b/docs/sources/vendor/Solace/evenbroker.md 
@@ -0,0 +1,25 @@
+# EventBroker
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| solace:eventbroker | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| solace_eventbroker | solace:eventbroker | main | none |
diff --git a/docs/sources/vendor/Sophos/webappliance.md b/docs/sources/vendor/Sophos/webappliance.md
new file mode 100644
index 0000000000..2ef435a803
--- /dev/null
+++ b/docs/sources/vendor/Sophos/webappliance.md
@@ -0,0 +1,47 @@
+# Web Appliance
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| sophos:webappliance | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| sophos_webappliance | sophos:webappliance | netproxy | none |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-sophos_webappliance.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-sophos_webappliance[sc4s-vps] {
+ filter {
+ host("test-sophos-webapp-" type(string) flags(prefix))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('sophos')
+ product('webappliance')
+ );
+ };
+};
+
+
+```
diff --git a/docs/sources/vendor/Spectracom/index.md b/docs/sources/vendor/Spectracom/index.md
new file mode 100644
index 0000000000..905d6b5c27
--- /dev/null
+++ b/docs/sources/vendor/Spectracom/index.md
@@ -0,0 +1,47 @@
+# NTP Appliance
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| spectracom:ntp | None |
+| nix:syslog | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| spectracom_ntp | spectracom:ntp | netops | none |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-spectracom_ntp.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-spectracom_ntp[sc4s-vps] {
+ filter {
+ netmask(169.254.100.1/24)
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('spectracom')
+ product('ntp')
+ );
+ };
+};
+
+```
diff --git a/docs/sources/Splunk/index.md b/docs/sources/vendor/Splunk/sc4s.md
similarity index 86%
rename from docs/sources/Splunk/index.md
rename to docs/sources/vendor/Splunk/sc4s.md
index d43a17154f..2d81959adb 100644
--- a/docs/sources/Splunk/index.md
+++ b/docs/sources/vendor/Splunk/sc4s.md
@@ -1,22 +1,24 @@ -# Vendor - Splunk +# Splunk Connect for Syslog (SC4S) +## Key facts -## Product - Splunk Connect for Syslog (SC4S) +* Internal events + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4740/ | -| Product Manual | https://splunk-connect-for-syslog.readthedocs.io/en/latest/ | - +| Splunk Add-on | | +| Product Manual | | -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | sc4s:events | Internal events from the SC4S container and underlying syslog-ng process | | sc4s:metrics | syslog-ng operational metrics that will be delivered directly to a metrics index in Splunk | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| @@ -27,13 +29,13 @@ SC4S events and metrics are generated automatically and no specific ports or filters need to be configured for the collection of this data. -### Setup and Configuration +## Setup and Configuration * The default index used for sc4s metrics will be "_metrics" * Metrics data is collected by default as traditional events; use of Splunk Metrics is enabled by an opt-in set by the variable `SC4S_DEST_SPLUNK_SC4S_METRICS_HEC`. See the "Options" section below for details. -### Options +## Options | Variable | default | description | |-----------------------------------|-----------|----------------| 
@@ -47,5 +49,7 @@ SC4S will generate versioning events at startup. These startup events can be use ``` index= sourcetype=sc4s:events | stats count by host ``` + Metrics can be observed via the "Analytics-->Metrics" navigation in the Search and Reporting app in Splunk. + * NOTE: The presentation of metrics is undergoing active development; the delivery of metrics is currently considered an experimental feature. diff --git a/docs/sources/vendor/Tanium/platform.md b/docs/sources/vendor/Tanium/platform.md new file mode 100644 index 0000000000..17993d8e31 --- /dev/null +++ b/docs/sources/vendor/Tanium/platform.md @@ -0,0 +1,28 @@ +# Platform + +This source requires a TLS connection; in most cases enabling TLS and using the default port 6514 is adequate. +The source is understood to require a valid certificate. + +## Key facts + +* MSG Format based filter +* Requires TLS and uses IETF Frames use port 6587 after TLS Configuration + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | | + +## Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| tanium | none | + +### Index Configuration + +| key | index | notes | +|----------------|------------|----------------| +| tanium_syslog | epintel | none | + diff --git a/docs/sources/vendor/Tenable/ad.md b/docs/sources/vendor/Tenable/ad.md new file mode 100644 index 0000000000..d129dcd342 --- /dev/null +++ b/docs/sources/vendor/Tenable/ad.md 
@@ -0,0 +1,25 @@
+# ad
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| tenable:ad:alerts | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| tenable_ad | tenable:ad:alerts | oswinsec | none |
\ No newline at end of file
diff --git a/docs/sources/vendor/Tenable/nnm.md b/docs/sources/vendor/Tenable/nnm.md
new file mode 100644
index 0000000000..0c82cbdafa
--- /dev/null
+++ b/docs/sources/vendor/Tenable/nnm.md
@@ -0,0 +1,27 @@
+
+# nnm
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| tenable:nnm:vuln | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| tenable_nnm | tenable:nnm:vuln | netfw | none |
+
diff --git a/docs/sources/Thycotic/index.md b/docs/sources/vendor/Thycotic/secretserver.md
similarity index 61%
rename from docs/sources/Thycotic/index.md
rename to docs/sources/vendor/Thycotic/secretserver.md
index 57dfb3adc6..f5f8ebadd5 100644
--- a/docs/sources/Thycotic/index.md
+++ b/docs/sources/vendor/Thycotic/secretserver.md
@@ -1,39 +1,26 @@ -# Vendor - Thycotic +# Secret Server +## Key facts -## Product - Secret Server +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ | +| Splunk Add-on | | | Product Manual | | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| | thycotic:syslog | None | -### Sourcetype and Index Configuration +## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| | Thycotic Software_Secret Server | thycotic:syslog | netauth | none | -### Filter type - -CEF - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| - -### Verification - -An active device will generate frequent events. Use the following search to validate events are present per source device - -``` -index= sourcetype=thycotic:syslog | stats count by host -``` \ No newline at end of file diff --git a/docs/sources/vendor/Tintri/syslog.md b/docs/sources/vendor/Tintri/syslog.md new file mode 100644 index 0000000000..f01bf2264e --- /dev/null +++ b/docs/sources/vendor/Tintri/syslog.md 
@@ -0,0 +1,25 @@ +# Syslog + +## Key facts + +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | None | + +## Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| tintri | none | + +### Index Configuration + +| key | index | notes | +|----------------|------------|----------------| +| tintri_syslog | infraops | none | + diff --git a/docs/sources/Trend/index.md b/docs/sources/vendor/Trend/deepsecurity.md similarity index 63% rename from docs/sources/Trend/index.md rename to docs/sources/vendor/Trend/deepsecurity.md index 30119413d6..21ff4d82b7 100644 --- a/docs/sources/Trend/index.md +++ b/docs/sources/vendor/Trend/deepsecurity.md @@ -1,13 +1,17 @@ -# Vendor - Trend Micro +# Deep Security -## Product - Deep Security +## Key facts + +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on CEF | https://splunkbase.splunk.com/app/1936/ | +| Splunk Add-on CEF | | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| @@ -20,7 +24,6 @@ | deepsecurity-antimalware | | | deepsecurity-app_control | | - ### Index Configuration | key | sourcetype | index | notes | 
@@ -35,31 +38,3 @@ |Trend Micro_Deep Security Agent_app control|deepsecurity-app_control|epintel|| |Trend Micro_Deep Security Manager|deepsecurity-system_events|epintel|| -### Filter type - -MSG Parse: This filter parses message content - -### Options - -Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype="deepsecurity*") -``` diff --git a/docs/sources/vendor/Ubiquiti/unifi.md b/docs/sources/vendor/Ubiquiti/unifi.md new file mode 100644 index 0000000000..57c5bd4985 --- /dev/null +++ b/docs/sources/vendor/Ubiquiti/unifi.md 
@@ -0,0 +1,59 @@
+# Unifi
+
+All Ubiquity Unfi firewalls, switches, and access points share a common syslog configuration via the NMS.
+
+* Login to NMS
+* Navigate to settings
+* Navigate to Site
+* Enable Remote syslog server
+* Enter hostname and port
+* Update ``vi /opt/sc4s/local/context/vendor_product_by_source.conf`` update the host or ip mask for ``f_ubiquiti_unifi_fw`` to identify USG firewalls
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ubnt | Used when no sub source type is required by add on |
+| ubnt:fw | USG events |
+| ubnt:threat | USG IDS events |
+| ubnt:switch | Unifi Switches |
+| ubnt:wireless | Access Point logs |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| ubiquiti_unifi | ubnt | netops | none |
+| ubiquiti_unifi_fw | ubnt:fw | netfw | none |
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/app-parsers/app-vps-ubiquiti_unifi_fw.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-ubiquiti_unifi_fw[sc4s-vps] {
+ filter {
+ host("usg-*" type(glob))
+ };
+ parser {
+ p_set_netsource_fields(
+ vendor('ubiquiti')
+ product('unifi')
+ );
+ };
+};
+
+```
diff --git a/docs/sources/vendor/VMWare/carbonblack.md b/docs/sources/vendor/VMWare/carbonblack.md
new file mode 100644
index 0000000000..7c07c23362
--- /dev/null
+++ b/docs/sources/vendor/VMWare/carbonblack.md
@@ -0,0 +1,31 @@
+# Carbon Black Protection
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | none |
+| Splunk Add-on Source Specific | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cef | Common sourcetype |
+
+## Source
+
+| source | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| carbonblack:protection:cef | Note this method of onboarding is not recommended for a more complete experience utilize the json format supported by he product with hec or s3 |
+
+### Index Configuration
+
+| key | source | index | notes |
+|----------------|----------------|----------------|----------------|
+| Carbon Black_Protection | carbonblack:protection:cef | epintel | none |
diff --git a/docs/sources/vendor/VMWare/horizonview.md b/docs/sources/vendor/VMWare/horizonview.md
new file mode 100644
index 0000000000..1b560535ac
--- /dev/null
+++ b/docs/sources/vendor/VMWare/horizonview.md
@@ -0,0 +1,26 @@
+# Horizon View
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Manual | unknown |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| vmware:horizon | None |
+| nix:syslog | When used with a default port this will follow the generic NIX configuration when using a dedicated port, IP or host rules events will follow the index configuration for vmware nsx |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| vmware_horizon | vmware:horizon | main | none |
diff --git a/docs/sources/vendor/VMWare/index.md b/docs/sources/vendor/VMWare/index.md
new file mode 100644
index 0000000000..9c9e85a23d
--- /dev/null
+++ b/docs/sources/vendor/VMWare/index.md
@@ -0,0 +1,54 @@
+
+## Product - vSphere - ESX NSX (Controller, Manager, Edge)
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| vmware:vsphere:nsx | None |
+| vmware:vsphere:esx | None |
+| vmware:vsphere:vcenter | None |
+| nix:syslog | When used with a default port, this will follow the generic NIX configuration. When using a dedicated port, IP or host rules events will follow the index configuration for vmware nsx |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| vmware_vsphere_esx | vmware:vsphere:esx | main | none |
+| vmware_vsphere_nsx | vmware:vsphere:nsx | main | none |
+| vmware_vsphere_vcenter | vmware:vsphere:vcenter | main | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content when using the default configuration
+
+## Setup and Configuration
+
+* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
+
+## Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_VMWARE_VSPHERE_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_VMWARE_VSPHERE_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_VMWARE_VSPHERE | no | Enable archive to disk for this specific source |
+| SC4S_DEST_VMWARE_VSPHERE_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype="vmware:vsphere:*" | stats count by host
+```
+
diff --git a/docs/sources/vendor/Varonis/datadvantage.md b/docs/sources/vendor/Varonis/datadvantage.md
new file mode 100644
index 0000000000..9072df0a9e
--- /dev/null
+++ b/docs/sources/vendor/Varonis/datadvantage.md
@@ -0,0 +1,25 @@ +# DatAdvantage + +## Key facts + +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Technology Add-On for Varonis | | + +## Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +|varonis:ta || + +### Index Configuration + +| key | sourcetype | index | notes | +|----------------|----------------|----------------|----------------| +|Varonis Inc._DatAdvantage|varonis:ta |main| + diff --git a/docs/sources/Vectra/index.md b/docs/sources/vendor/Vectra/cognito.md similarity index 51% rename from docs/sources/Vectra/index.md rename to docs/sources/vendor/Vectra/cognito.md index 9e87e07037..96f604665c 100644 --- a/docs/sources/Vectra/index.md +++ b/docs/sources/vendor/Vectra/cognito.md @@ -1,13 +1,17 @@ -# Vendor - Vectra +# Cognito -## Product - Cognito +## Key facts + +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Technology Add-On for Vectra Cognito | https://splunkbase.splunk.com/app/4408/ | +| Technology Add-On for Vectra Cognito | | - -### Sourcetypes +## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| @@ -20,7 +24,6 @@ |vectra:cognito:hostscoring || |vectra:cognito:accountlockdown || - ### Index Configuration | key | sourcetype | index | notes | 
@@ -33,33 +36,3 @@ |Vectra Networks_X Series_health|vectra:cognito:health |main| |Vectra Networks_X Series_hsc|vectra:cognito:hostscoring |main| |Vectra Networks_X Series_lockdown|vectra:cognito:accountlockdown |main| - - -### Filter type - -MSG Parse: This filter parses message content - -### Options - -Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | -| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how -many ports are in use by this CEF source (or any others). See the "Common Event Format" source -documentation for more information. - -### Verification - -An active site will generate frequent events use the following search to check for new events - -Verify timestamp, and host values match as expected - -``` -index= (sourcetype="deepsecurity*") -``` diff --git a/docs/sources/vendor/Wallix/bastion.md b/docs/sources/vendor/Wallix/bastion.md new file mode 100644 index 0000000000..14107808b0 --- /dev/null +++ b/docs/sources/vendor/Wallix/bastion.md 
@@ -0,0 +1,25 @@ +# Bastion + +## Key facts + +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | | + +## Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| WB:syslog | note this sourcetype includes program:rdproxy all other data will be treated as nix | + +## Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|---------------------|------------------------|----------|---------| +| WB:syslog | infraops | main | none | + diff --git a/docs/sources/vendor/Zscaler/lss.md b/docs/sources/vendor/Zscaler/lss.md new file mode 100644 index 0000000000..b26e068171 --- /dev/null +++ b/docs/sources/vendor/Zscaler/lss.md 
@@ -0,0 +1,36 @@ +# LSS + +The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page +26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the LSS to utilize +the IP or host name of the SC4S instance and port 514 + +## Key facts + +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | | +| Product Manual | | + +## Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| zscaler_lss-app | None | +| zscaler_lss-auth | None | +| zscaler_lss-bba | None | +| zscaler_lss-connector | None | + +## Sourcetype and Index Configuration + +| key | sourcetype | index | notes | +|----------------|--------------------------|------------|---------| +| zscaler_lss | zscalerlss_zpa-app | netproxy | none | +| zscaler_lss | zscalerlss_zpa_auth | netproxy | none | +| zscaler_lss | zscalerlss_zpa_auth | netproxy | none | +| zscaler_lss | zscalerlss_zpa_connector | netproxy | none | + diff --git a/docs/sources/vendor/Zscaler/nss.md b/docs/sources/vendor/Zscaler/nss.md new file mode 100644 index 0000000000..04f2086294 --- /dev/null +++ b/docs/sources/vendor/Zscaler/nss.md 
@@ -0,0 +1,49 @@
+# NSS
+
+The ZScaler product manual includes and extensive section of configuration for multiple Splunk TCP input ports around page
+26. When using SC4S these ports are not required and should not be used. Simply configure all outputs from the NSS to utilize
+the IP or host name of the SC4S instance and port 514
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | |
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| zscaler_nss_alerts | Requires format customization add ``\tvendor=Zscaler\tproduct=alerts`` immediately prior to the ``\n`` in the NSS Alert Web format. See Zscaler manual for more info. |
+| zscaler_nss_dns | Requires format customization add ``\tvendor=Zscaler\tproduct=dns`` immediately prior to the ``\n`` in the NSS DNS format. See Zscaler manual for more info. |
+| zscaler_nss_web | None |
+| zscaler_nss_fw | Requires format customization add ``\tvendor=Zscaler\tproduct=fw`` immediately prior to the ``\n`` in the Firewall format. See Zscaler manual for more info. |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|---------------------|------------------------|----------|---------|
+| zscaler_nss_alerts | zscalernss-alerts | main | none |
+| zscaler_nss_dns | zscalernss-dns | netdns | none |
+| zscaler_nss_fw | zscalernss-fw | netfw | none |
+| zscaler_nss_web | zscalernss-web | netproxy | none |
+| zscaler_zia_audit | zscalernss-zia-audit | netops | none |
+| zscaler_zia_sandbox | zscalernss-zia-sandbox | main | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+## Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
+* Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
+ * Select TCP or SSL transport option
+ * Ensure the format of the event is customized per Splunk documentation
diff --git a/docs/sources/vendor/syslog-ng/loggen.md b/docs/sources/vendor/syslog-ng/loggen.md
new file mode 100644
index 0000000000..93b443d6c2
--- /dev/null
+++ b/docs/sources/vendor/syslog-ng/loggen.md
@@ -0,0 +1,26 @@
+# loggen
+
+Loggen is a tool used to load test syslog implementations.
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Product Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| syslogng:loggen | By default, loggen uses the legacy BSD-syslog message format.
BSD example:
`loggen --inet --dgram --number 1 `
RFC5424 example:
`loggen --inet --dgram -PF --number 1 `
Refer to above manual link for more examples. |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|----------------|----------------|
+| syslogng_loggen | main | none |
+
diff --git a/mkdocs.yml b/mkdocs.yml
index ab08332a25..514ff2b9e4 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,5 +1,7 @@
 site_name: Splunk Connect for Syslog
-
+plugins:
+ - search
+ - include_dir_to_nav
 extra:
 version:
 provider: mike
@@ -37,74 +39,8 @@ nav:
 - Destinations: "destinations.md"
 - Sources:
 - Read First: sources/index.md
- - Alcatel: sources/Alcatel/index.md
- - Alsid: sources/Alsid/index.md
- - Arista: sources/Arista/index.md
- - Avaya: sources/Avaya/index.md
- - "Avi Networks": sources/Avi_Networks/index.md
- - BeyondTrust: sources/BeyondTrust/index.md
- - Brocade: sources/Brocade/index.md
- - Buffalo: sources/Buffalo/index.md
- - Checkpoint: sources/Checkpoint/index.md
- - Cisco: sources/Cisco/index.md
- - Citrix: sources/Citrix/index.md
- - Cohesity: sources/Cohesity/index.md
- - "Common Event Format": sources/CommonEventFormat/index.md
- - CyberArk: sources/CyberArk/index.md
- - Cylance: sources/Cylance/index.md
- - Dell: sources/Dell/index.md
- - "Dell RSA": sources/Dell_RSA/index.md
- - "Dell EMC": sources/Dell_EMC/index.md
- - F5: sources/F5/index.md
- - FireEye: sources/FireEye/index.md
- - Forcepoint: sources/Forcepoint/index.md
- - Fortinet: sources/Fortinet/index.md
- - HAProxy: sources/HAProxy/index.md
- - HPe: sources/HPe/index.md
- - IBM: sources/IBM/index.md
- - Imperva: sources/Imperva/index.md
- - InfoBlox: sources/InfoBlox/index.md
- - ISC: sources/ISC/index.md
- - "Log Extended Format": sources/LogExtendedEventFormat/index.md
- - Juniper: sources/Juniper/index.md
- - Loggen: sources/Loggen/index.md
- - McAfee: sources/McAfee/index.md
- - Microfocus: sources/Microfocus/index.md
- - Microsoft: sources/Microsoft/index.md
- - Mikrotik: sources/Mikrotik/index.md
- - NetApp: sources/NetApp/index.md
- - Netmotion: sources/Netmotion/index.md
- - Novell: sources/Novell/index.md
- - Nix: sources/nix/index.md
- - OSSEC: sources/Ossec/index.md
- - "Palo Alto Networks": sources/PaloaltoNetworks/index.md
- - "pfSense": sources/Pfsense/index.md
- - Polycom: sources/Polycom/index.md
- - Pulse: sources/Pulse/index.md
- - PureStorage: sources/PureStorage/index.md
- - Proofpoint: sources/Proofpoint/index.md
- - Qumulo: sources/Qumulo/index.md
- - Radware: sources/Radware/index.md
- - Raritan: sources/Raritan/index.md
- - Ricoh: sources/Ricoh/index.md
- - Schneider: sources/Schneider/index.md
- - "Simple Sources": sources/Simple/index.md
- - "Solace": sources/Solace/index.md
- - "Sophos": sources/Sophos/index.md
- - Spectracom: "sources/Spectracom/index.md"
- - Splunk: sources/Splunk/index.md
- - Broadcom: sources/Broadcom/index.md
- - Tanium: sources/Tanium/index.md
- - Tenable: sources/Tenable/index.md
- - Thycotic: sources/Thycotic/index.md
- - Tintri: sources/Tintri/index.md
- - Trend: sources/Trend/index.md
- - Ubiquiti: sources/Ubiquiti/index.md
- - Vectra: sources/Vectra/index.md
- - Varonis: sources/Varonis/index.md
- - VMware: sources/VMWare/index.md
- - Wallix: sources/Wallix/index.md
- - Zscaler: sources/Zscaler/index.md
+ - Basic Onboarding: sources/base
+ - Known Vendors: sources/vendor
 - Performance: "performance.md"
 - Troubleshooting:
 - SC4S Startup and Validation: "troubleshooting/troubleshoot_SC4S_server.md"
diff --git a/package/etc/conf.d/conflib/_splunk/netsourcefields.conf b/package/etc/conf.d/conflib/_splunk/netsourcefields.conf
new file mode 100644
index 0000000000..93b5dffc35
--- /dev/null
+++ b/package/etc/conf.d/conflib/_splunk/netsourcefields.conf
@@ -0,0 +1,12 @@
+block parser p_set_netsource_fields(
+ vendor("${.netsource.sc4s_vendor}")
+ product("${.netsource.sc4s_product}")
+) {
+ channel {
+ rewrite {
+ set("`vendor`", value(".netsource.sc4s_vendor") condition('`vendor`' ne ""));
+ set("`product`", value(".netsource.sc4s_product") condition('`product`' ne ""));
+ set("`vendor`_`product`", value(".netsource.sc4s_vendor_product"));
+ };
+ };
+};
diff --git a/package/etc/test_parsers/app-vps-test-aruba_clearpass.conf b/package/etc/test_parsers/app-vps-test-aruba_clearpass.conf
index 2bd79db8b3..31e3daf7ae 100644
--- a/package/etc/test_parsers/app-vps-test-aruba_clearpass.conf
+++ b/package/etc/test_parsers/app-vps-test-aruba_clearpass.conf
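Review bot: The third `set()` in `p_set_netsource_fields` writes `.netsource.sc4s_vendor_product` unconditionally, while the two `set()` calls above it are guarded with `ne ""`; if the block is ever invoked with its defaults and both name-value pairs are still empty, the backtick expansion produces the literal `_` and that is stored as the vendor_product key. Guarding it the same way, ``condition('`vendor`' ne "" and '`product`' ne "")`` on that line, leaves the field untouched in that case. Every caller in this commit passes both arguments, so this is defensive rather than a live bug. Whether `conflib/_splunk/` is loaded before `test_parsers/` so the block is defined at its point of use cannot be confirmed from the diff; a header comment such as `# Must be loaded before any app-vps-* parser that calls p_set_netsource_fields` would record the dependency.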
@@ -1,16 +1,11 @@
-block parser app-vps-test-brocade_syslog() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('brocade')
- product('syslog')
- );
- };
- };
-};
-application app-vps-test-brocade_syslog[sc4s-vps] {
+application app-vps-test-aruba_clearpass[sc4s-vps] {
 filter {
- host("test_brocade-*" type(glob))
+ host("aruba-cp-*" type(glob))
 };
- parser { app-vps-test-brocade_syslog(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('aruba')
+ product('clearpass')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-brocade_syslog.conf b/package/etc/test_parsers/app-vps-test-brocade_syslog.conf
index 29687b2989..dc8a8659fe 100644
--- a/package/etc/test_parsers/app-vps-test-brocade_syslog.conf
+++ b/package/etc/test_parsers/app-vps-test-brocade_syslog.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-aruba_clearpass() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('aruba')
- product('clearpass')
- );
- };
- };
-};
-application app-vps-test-aruba_clearpass[sc4s-vps] {
+application app-vps-test-brocade_syslog[sc4s-vps] {
 filter {
- host("aruba-cp-*" type(glob))
+ host("^test_brocade-")
 };
- parser { app-vps-test-aruba_clearpass(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('brocade')
+ product('syslog')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-cisco_esa.conf b/package/etc/test_parsers/app-vps-test-cisco_esa.conf
index 77d1ead8ba..68ac23891e 100644
--- a/package/etc/test_parsers/app-vps-test-cisco_esa.conf
+++ b/package/etc/test_parsers/app-vps-test-cisco_esa.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-cisco_esa() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('cisco')
- product('esa')
- );
- };
- };
-};
 application app-vps-test-cisco_esa[sc4s-vps] {
 filter {
 "${HOST}" eq "cisco_esa"
 };
- parser { app-vps-test-cisco_esa(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('esa')
+ );
+ };
 };
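Review bot: In the brocade_syslog hunk the new filter `host("^test_brocade-")` drops the explicit `type(glob)` the removed line carried and so relies on the default matcher of `host()`, turning a glob into a regular-expression match; the commit title ("doc: Refactor documentation") does not mention this semantic change. Stating the matcher keeps the filter independent of the syslog-ng default: `host("^test_brocade-" type(pcre))`, or keep the original `host("test_brocade-*" type(glob))` if glob semantics were intended. The aruba_clearpass hunk above retains `type(glob)`, so this file is the only one in the pair whose matching style changed.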
diff --git a/package/etc/test_parsers/app-vps-test-cisco_meraki.conf b/package/etc/test_parsers/app-vps-test-cisco_meraki.conf
index b68dd7205a..edb0254b99 100644
--- a/package/etc/test_parsers/app-vps-test-cisco_meraki.conf
+++ b/package/etc/test_parsers/app-vps-test-cisco_meraki.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-cisco_meraki() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('cisco')
- product('meraki')
- );
- };
- };
-};
 application app-vps-test-cisco_meraki[sc4s-vps] {
 filter {
 host("^testcm-")
 };
- parser { app-vps-test-cisco_meraki(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('meraki')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-cisco_wsa.conf b/package/etc/test_parsers/app-vps-test-cisco_wsa.conf
index 0821796565..60eb9c20fe 100644
--- a/package/etc/test_parsers/app-vps-test-cisco_wsa.conf
+++ b/package/etc/test_parsers/app-vps-test-cisco_wsa.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-cisco_wsa() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('cisco')
- product('wsa')
- );
- };
- };
-};
 application app-vps-test-cisco_wsa[sc4s-vps] {
 filter {
 host('^cisco-wsa-')
 };
- parser { app-vps-test-cisco_wsa(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('wsa')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-cisco_wsa11_7.conf b/package/etc/test_parsers/app-vps-test-cisco_wsa11_7.conf
index 186d6831ee..33187a8428 100644
--- a/package/etc/test_parsers/app-vps-test-cisco_wsa11_7.conf
+++ b/package/etc/test_parsers/app-vps-test-cisco_wsa11_7.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-cisco_wsa11-7() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('cisco')
- product('wsa11-7')
- );
- };
- };
-};
 application app-vps-test-cisco_wsa11-7[sc4s-vps] {
 filter {
 host('^cisco-wsa11-7-')
 };
- parser { app-vps-test-cisco_wsa11-7(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('wsa11-7')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-cisco_wsa_recommended.conf b/package/etc/test_parsers/app-vps-test-cisco_wsa_recommended.conf
index 76d8dfb9a9..42da70ae54 100644
--- a/package/etc/test_parsers/app-vps-test-cisco_wsa_recommended.conf
+++ b/package/etc/test_parsers/app-vps-test-cisco_wsa_recommended.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-cisco_wsa_recommended() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('cisco')
- product('wsa_recommended')
- );
- };
- };
-};
 application app-vps-test-cisco_wsa_recommended[sc4s-vps] {
 filter {
 host('^cisco-wsaw3c-')
 };
- parser { app-vps-test-cisco_wsa_recommended(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('cisco')
+ product('wsa_recommended')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-dell_cmc.conf b/package/etc/test_parsers/app-vps-test-dell_cmc.conf
index aa2b38ad85..94abdd13ba 100644
--- a/package/etc/test_parsers/app-vps-test-dell_cmc.conf
+++ b/package/etc/test_parsers/app-vps-test-dell_cmc.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-dell_cmc() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('dell')
- product('poweredge_cmc')
- );
- };
- };
-};
 application app-vps-test-dell_cmc[sc4s-vps] {
 filter {
 host("test-dell-cmc-" type(string) flags(prefix))
 };
- parser { app-vps-test-dell_cmc(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('dell')
+ product('poweredge_cmc')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-dell_rsa_secureid.conf b/package/etc/test_parsers/app-vps-test-dell_rsa_secureid.conf
index ccaf57df97..5834fe72bc 100644
--- a/package/etc/test_parsers/app-vps-test-dell_rsa_secureid.conf
+++ b/package/etc/test_parsers/app-vps-test-dell_rsa_secureid.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-dell_rsa_secureid() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('dell')
- product('rsa_secureid')
- );
- };
- };
-};
 application app-vps-test-dell_rsa_secureid[sc4s-vps] {
 filter {
 host("test_rsasecureid*" type(glob))
 };
- parser { app-vps-test-dell_rsa_secureid(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('dell')
+ product('rsa_secureid')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-f5_bigip.conf b/package/etc/test_parsers/app-vps-test-f5_bigip.conf
index 3ceb0ca5ad..0db556ab8d 100644
--- a/package/etc/test_parsers/app-vps-test-f5_bigip.conf
+++ b/package/etc/test_parsers/app-vps-test-f5_bigip.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-f5_bigip() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('f5')
- product('bigip')
- );
- };
- };
-};
 application app-vps-test-f5_bigip[sc4s-vps] {
 filter {
 "${HOST}" eq "f5_bigip"
 };
- parser { app-vps-test-f5_bigip(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('f5')
+ product('bigip')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-ibm_datapower.conf b/package/etc/test_parsers/app-vps-test-ibm_datapower.conf
index a8e5c0fc8e..7e32e84b11 100644
--- a/package/etc/test_parsers/app-vps-test-ibm_datapower.conf
+++ b/package/etc/test_parsers/app-vps-test-ibm_datapower.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-ibm_datapower() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('ibm')
- product('datapower')
- );
- };
- };
-};
 application app-vps-test-ibm_datapower[sc4s-vps] {
 filter {
 host("^test-ibmdp-")
 };
- parser { app-vps-test-ibm_datapower(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('ibm')
+ product('datapower')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-infoblox_nios.conf b/package/etc/test_parsers/app-vps-test-infoblox_nios.conf
index ad940e4571..7f983d51a7 100644
--- a/package/etc/test_parsers/app-vps-test-infoblox_nios.conf
+++ b/package/etc/test_parsers/app-vps-test-infoblox_nios.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-infoblox_nios() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('infoblox')
- product('nios')
- );
- };
- };
-};
 application app-vps-test-infoblox_nios[sc4s-vps] {
 filter {
 host("infoblox-*" type(glob))
 };
- parser { app-vps-test-infoblox_nios(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('infoblox')
+ product('nios')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-mikrotik_routeros.conf b/package/etc/test_parsers/app-vps-test-mikrotik_routeros.conf
index a0c2eca199..05b6d755d3 100644
--- a/package/etc/test_parsers/app-vps-test-mikrotik_routeros.conf
+++ b/package/etc/test_parsers/app-vps-test-mikrotik_routeros.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-mikrotik_routeros() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('mikrotik')
- product('routeros')
- );
- };
- };
-};
 application app-vps-test-mikrotik_routeros[sc4s-vps] {
 filter {
 host("test-mrtros-" type(string) flags(prefix))
 };
- parser { app-vps-test-mikrotik_routeros(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('mikrotik')
+ product('routeros')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-pfsense_firewall.conf b/package/etc/test_parsers/app-vps-test-pfsense_firewall.conf
index 3d6d5d5594..13fa52c296 100644
--- a/package/etc/test_parsers/app-vps-test-pfsense_firewall.conf
+++ b/package/etc/test_parsers/app-vps-test-pfsense_firewall.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-pfsense_firewall() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('pfsense')
- product('firewall')
- );
- };
- };
-};
 application app-vps-test-pfsense_firewall[sc4s-vps] {
 filter {
 "${HOST}" eq "pfsense_firewall"
 };
- parser { app-vps-test-pfsense_firewall(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('pfsense')
+ product('firewall')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-proofpoint_pps.conf b/package/etc/test_parsers/app-vps-test-proofpoint_pps.conf
index 90a8e23c8f..5249b7c39a 100644
--- a/package/etc/test_parsers/app-vps-test-proofpoint_pps.conf
+++ b/package/etc/test_parsers/app-vps-test-proofpoint_pps.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-proofpoint_pps() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('proofpoint')
- product('pps')
- );
- };
- };
-};
 application app-vps-test-proofpoint_pps[sc4s-vps] {
 filter {
 host("pps-*" type(glob))
 };
- parser { app-vps-test-proofpoint_pps(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('proofpoint')
+ product('pps')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-schneider_apc.conf b/package/etc/test_parsers/app-vps-test-schneider_apc.conf
index 42aee51d07..b8ba137515 100644
--- a/package/etc/test_parsers/app-vps-test-schneider_apc.conf
+++ b/package/etc/test_parsers/app-vps-test-schneider_apc.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-schneider_apc() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('schneider')
- product('apc')
- );
- };
- };
-};
 application app-vps-test-schneider_apc[sc4s-vps] {
 filter {
 host("test_apc-*" type(glob))
 };
- parser { app-vps-test-schneider_apc(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('schneider')
+ product('apc')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-sophos_webappliance.conf b/package/etc/test_parsers/app-vps-test-sophos_webappliance.conf
index b00dc99ed5..ea88ab0a52 100644
--- a/package/etc/test_parsers/app-vps-test-sophos_webappliance.conf
+++ b/package/etc/test_parsers/app-vps-test-sophos_webappliance.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-sophos_webappliance() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('sophos')
- product('webappliance')
- );
- };
- };
-};
 application app-vps-test-sophos_webappliance[sc4s-vps] {
 filter {
 host("test-sophos-webapp-" type(string) flags(prefix))
 };
- parser { app-vps-test-sophos_webappliance(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('sophos')
+ product('webappliance')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-spectracom_ntp.conf b/package/etc/test_parsers/app-vps-test-spectracom_ntp.conf
index 9a49ac512f..b8fefbe8f0 100644
--- a/package/etc/test_parsers/app-vps-test-spectracom_ntp.conf
+++ b/package/etc/test_parsers/app-vps-test-spectracom_ntp.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-spectracom_ntp() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('spectracom')
- product('ntp')
- );
- };
- };
-};
 application app-vps-test-spectracom_ntp[sc4s-vps] {
 filter {
 netmask(169.254.100.1/24)
 };
- parser { app-vps-test-spectracom_ntp(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('spectracom')
+ product('ntp')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-symantec_dlp.conf b/package/etc/test_parsers/app-vps-test-symantec_dlp.conf
index 6092b73349..ed7396b90a 100644
--- a/package/etc/test_parsers/app-vps-test-symantec_dlp.conf
+++ b/package/etc/test_parsers/app-vps-test-symantec_dlp.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-symantec_dlp() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('symantec')
- product('dlp')
- );
- };
- };
-};
 application app-vps-test-symantec_dlp[sc4s-vps] {
 filter {
 host("test-dlp-" type(string) flags(prefix))
 };
- parser { app-vps-test-symantec_dlp(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('symantec')
+ product('dlp')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-ubiquiti_unifi_fw.conf b/package/etc/test_parsers/app-vps-test-ubiquiti_unifi_fw.conf
index 389e4f803c..ab21563fc7 100644
--- a/package/etc/test_parsers/app-vps-test-ubiquiti_unifi_fw.conf
+++ b/package/etc/test_parsers/app-vps-test-ubiquiti_unifi_fw.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-ubiquiti_unifi_fw() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('ubiquiti')
- product('unifi')
- );
- };
- };
-};
 application app-vps-test-ubiquiti_unifi_fw[sc4s-vps] {
 filter {
 host("usg-*" type(glob))
 };
- parser { app-vps-test-ubiquiti_unifi_fw(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('ubiquiti')
+ product('unifi')
+ );
+ };
 };
diff --git a/package/etc/test_parsers/app-vps-test-vmware_vcenter.conf b/package/etc/test_parsers/app-vps-test-vmware_vcenter.conf
index 4ddd8ad92e..bd9914b6c0 100644
--- a/package/etc/test_parsers/app-vps-test-vmware_vcenter.conf
+++ b/package/etc/test_parsers/app-vps-test-vmware_vcenter.conf
@@ -1,16 +1,11 @@
-block parser app-vps-test-vmware_vcenter() {
- channel {
- rewrite {
- r_set_splunk_vps(
- vendor('vmware')
- product('vcenter')
- );
- };
- };
-};
 application app-vps-test-vmware_vcenter[sc4s-vps] {
 filter {
 host("testvmwe-" type(string) flags(prefix))
 };
- parser { app-vps-test-vmware_vcenter(); };
+ parser {
+ p_set_netsource_fields(
+ vendor('vmware')
+ product('vcenter')
+ );
+ };
 };
diff --git a/poetry.lock b/poetry.lock
index 88b0b65a73..ad44c90aa1 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,6 +1,6 @@
 [[package]]
 name = "arrow"
-version = "1.2.1"
+version = "1.2.2"
 description = "Better dates & times for Python"
 category = "dev"
 optional = false
@@ -49,7 +49,7 @@ python-versions = ">=3.6.1"
 
 [[package]]
 name = "charset-normalizer"
-version = "2.0.10"
+version = "2.0.11"
 description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet."
 category = "dev"
 optional = false
@@ -145,11 +145,11 @@ dev = ["twine", "markdown", "flake8", "wheel"] [[package]] name = "identify" -version = "2.4.4" +version = "2.4.8" description = "File identification library for Python" category = "dev" optional = false -python-versions = ">=3.6.1" +python-versions = ">=3.7" [package.extras] license = ["ukkonen"] @@ -313,9 +313,20 @@ watchdog = ">=2.0" [package.extras] i18n = ["babel (>=2.9.0)"] +[[package]] +name = "mkdocs-include-dir-to-nav" +version = "1.1.0" +description = "A MkDocs plugin include all file in dir to navigation" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +mkdocs = ">=1.0.4" + [[package]] name = "mkdocs-material" -version = "8.1.7" +version = "8.1.10" description = "A Material Design theme for MkDocs" category = "dev" optional = false @@ -626,7 +637,7 @@ test = ["coverage", "flake8 (>=3.7)", "mypy", "pretend", "pytest"] [[package]] name = "virtualenv" -version = "20.13.0" +version = "20.13.1" description = "Virtual Python Environment builder" category = "dev" optional = false 
@@ -668,12 +679,12 @@ testing = ["pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-flake8", "pytest- [metadata] lock-version = "1.1" python-versions = "^3.9" -content-hash = "392e8e491b3b7bad154194c1406adefca701392185a5f448a00275d34edebb69" +content-hash = "cf25270fc681cbb06c8b6c04d06c12a338c06d57baa7aeee6290f93ae05b1fdd" [metadata.files] arrow = [ - {file = "arrow-1.2.1-py3-none-any.whl", hash = "sha256:6b2914ef3997d1fd7b37a71ce9dd61a6e329d09e1c7b44f4d3099ca4a5c0933e"}, - {file = "arrow-1.2.1.tar.gz", hash = "sha256:c2dde3c382d9f7e6922ce636bf0b318a7a853df40ecb383b29192e6c5cc82840"}, + {file = "arrow-1.2.2-py3-none-any.whl", hash = "sha256:d622c46ca681b5b3e3574fcb60a04e5cc81b9625112d5fb2b44220c36c892177"}, + {file = "arrow-1.2.2.tar.gz", hash = "sha256:05caf1fd3d9a11a1135b2b6f09887421153b94558e5ef4d090b567b47173ac2b"}, ] atomicwrites = [ {file = "atomicwrites-1.4.0-py2.py3-none-any.whl", hash = "sha256:6d1784dea7c0c8d4a5172b6c620f40b6e4cbfdf96d783691f2e1302a7b88e197"}, @@ -692,8 +703,8 @@ cfgv = [ {file = "cfgv-3.3.1.tar.gz", hash = "sha256:f5a830efb9ce7a445376bb66ec94c638a9787422f96264c98edc6bdeed8ab736"}, ] charset-normalizer = [ - {file = "charset-normalizer-2.0.10.tar.gz", hash = "sha256:876d180e9d7432c5d1dfd4c5d26b72f099d503e8fcc0feb7532c9289be60fcbd"}, - {file = "charset_normalizer-2.0.10-py3-none-any.whl", hash = "sha256:cb957888737fc0bbcd78e3df769addb41fd1ff8cf950dc9e7ad7793f1bf44455"}, + {file = "charset-normalizer-2.0.11.tar.gz", hash = "sha256:98398a9d69ee80548c762ba991a4728bfc3836768ed226b3945908d1a688371c"}, + {file = "charset_normalizer-2.0.11-py3-none-any.whl", hash = "sha256:2842d8f5e82a1f6aa437380934d5e1cd4fcf2003b06fed6940769c164a480a45"}, ] click = [ {file = "click-8.0.3-py3-none-any.whl", hash = "sha256:353f466495adaeb40b6b5f592f9f91cb22372351c84caeb068132442a4518ef3"}, 
@@ -728,8 +739,8 @@ ghp-import = [ {file = "ghp_import-2.0.2-py3-none-any.whl", hash = "sha256:5f8962b30b20652cdffa9c5a9812f7de6bcb56ec475acac579807719bf242c46"}, ] identify = [ - {file = "identify-2.4.4-py2.py3-none-any.whl", hash = "sha256:aa68609c7454dbcaae60a01ff6b8df1de9b39fe6e50b1f6107ec81dcda624aa6"}, - {file = "identify-2.4.4.tar.gz", hash = "sha256:6b4b5031f69c48bf93a646b90de9b381c6b5f560df4cbe0ed3cf7650ae741e4d"}, + {file = "identify-2.4.8-py2.py3-none-any.whl", hash = "sha256:a55bdd671b6063eb837af938c250ec00bba6e610454265133b0d2db7ae718d0f"}, + {file = "identify-2.4.8.tar.gz", hash = "sha256:97e839c1779f07011b84c92af183e1883d9745d532d83412cca1ca76d3808c1c"}, ] idna = [ {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"}, 
@@ -848,9 +859,13 @@ mkdocs = [ {file = "mkdocs-1.2.3-py3-none-any.whl", hash = "sha256:a1fa8c2d0c1305d7fc2b9d9f607c71778572a8b110fb26642aa00296c9e6d072"}, {file = "mkdocs-1.2.3.tar.gz", hash = "sha256:89f5a094764381cda656af4298727c9f53dc3e602983087e1fe96ea1df24f4c1"}, ] +mkdocs-include-dir-to-nav = [ + {file = "mkdocs_include_dir_to_nav-1.1.0-py3-none-any.whl", hash = "sha256:2958640ae86faf47bab44c8a44363bfd4010a7a6cf529257e4c81f181604e909"}, + {file = "mkdocs_include_dir_to_nav-1.1.0.tar.gz", hash = "sha256:764f44c99680412cb37a5fa3b95e56e6df9a505a1345211746084e6cca209c6f"}, +] mkdocs-material = [ - {file = "mkdocs-material-8.1.7.tar.gz", hash = "sha256:16a50e3f08f1e41bdc3115a00045d174e7fd8219c26917d0d0b48b2cc9d5a18f"}, - {file = "mkdocs_material-8.1.7-py2.py3-none-any.whl", hash = "sha256:71bcac6795b22dcf8bab8b9ad3fe462242c4cd05d28398281902425401f23462"}, + {file = "mkdocs-material-8.1.10.tar.gz", hash = "sha256:10970bfe2628eaa41c379e9075121b1232f4304cac9876feac8ac9d0d2e9035b"}, + {file = "mkdocs_material-8.1.10-py2.py3-none-any.whl", hash = "sha256:e47ad89b98c32a0832509a72ade2114e0c84727a573018d768f4c6de19886b2f"}, ] mkdocs-material-extensions = [ {file = "mkdocs-material-extensions-1.0.3.tar.gz", hash = "sha256:bfd24dfdef7b41c312ede42648f9eb83476ea168ec163b613f9abd12bbfddba2"}, 
@@ -991,8 +1006,8 @@ verspec = [ {file = "verspec-0.1.0.tar.gz", hash = "sha256:c4504ca697b2056cdb4bfa7121461f5a0e81809255b41c03dda4ba823637c01e"}, ] virtualenv = [ - {file = "virtualenv-20.13.0-py2.py3-none-any.whl", hash = "sha256:339f16c4a86b44240ba7223d0f93a7887c3ca04b5f9c8129da7958447d079b09"}, - {file = "virtualenv-20.13.0.tar.gz", hash = "sha256:d8458cf8d59d0ea495ad9b34c2599487f8a7772d796f9910858376d1600dd2dd"}, + {file = "virtualenv-20.13.1-py2.py3-none-any.whl", hash = "sha256:45e1d053cad4cd453181ae877c4ffc053546ae99e7dd049b9ff1d9be7491abf7"}, + {file = "virtualenv-20.13.1.tar.gz", hash = "sha256:e0621bcbf4160e4e1030f05065c8834b4e93f4fcc223255db2a823440aca9c14"}, ] watchdog = [ {file = "watchdog-2.1.6-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:9693f35162dc6208d10b10ddf0458cc09ad70c30ba689d9206e02cd836ce28a3"}, diff --git a/pyproject.toml b/pyproject.toml index 92b5372951..3327c76b7e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -26,6 +26,7 @@ mkdocs-material = "^8.1.1" mike = "^1.1.2" pre-commit = "^2.16.0" typing-extensions = "*" +mkdocs-include-dir-to-nav = "^1.1.0" [build-system] requires = ["poetry-core>=1.0.0"]
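Review bot: In the pyproject.toml hunk the new dev dependency `mkdocs-include-dir-to-nav = "^1.1.0"` is appended after `typing-extensions = "*"` rather than next to the other mkdocs entries (the hunk context shows `mkdocs-material = "^8.1.1"` immediately above the visible lines), so the mkdocs-related pins are no longer grouped. Moving the line up beside `mkdocs-material = "^8.1.1"` keeps the table scannable; the enclosing dependency group starts outside the hunk, so its full ordering cannot be checked here. The caret pin agrees with the `1.1.0` package entry and file hashes added to poetry.lock in the same commit.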