diff --git a/docs/sources/Polycom/index.md b/docs/sources/Polycom/index.md
new file mode 100644
index 0000000000..6624f68742
--- /dev/null
+++ b/docs/sources/Polycom/index.md
@@ -0,0 +1,44 @@
+# Vendor - Polycom
+
+## Product - RPRM
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | none |
+| Product Manual | unknown |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| polycom:rprm:syslog | |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| polycom_rprm | polycom:rprm:syslog | netops | none |
+
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_POLYCOM_RPRM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers. |
+| SC4S_POLYCOM_RPRM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers. |
+| SC4S_ARCHIVE_POLYCOM_RPRM | no | Enable archive to disk for this specific source |
+| SC4S_DEST_POLYCOM_RPRM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them:
+
+```
+index= sourcetype=polycom:rprm:syslog| stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index acd8d3870f..aeed729693 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -47,6 +47,7 @@ nav:
 - Nix: sources/nix/index.md
 - "Palo Alto Networks": sources/PaloaltoNetworks/index.md
 - "pfSense": sources/Pfsense/index.md
+ - Polycom: sources/Polycom/index.md
 - Pulse: sources/Pulse/index.md
 - Proofpoint: sources/Proofpoint/index.md
 - Radware: sources/Radware/index.md
diff --git a/package/etc/conf.d/conflib/syslog/app-polycom_rprm.conf b/package/etc/conf.d/conflib/syslog/app-polycom_rprm.conf
new file mode 100644
index 0000000000..6c315394a2
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-polycom_rprm.conf
@@ -0,0 +1,21 @@
+block parser polycom_rprm-parser() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('polycom:rprm:syslog')
+                vendor_product("polycom_rprm")
+                template('t_5424_hdr_sdata_msg')
+            );
+        };
+
+
+    };
+};
+application polycom_rprm[sc4s-syslog] {
+    filter {
+        program('RPRM');
+    };
+    parser { polycom_rprm-parser(); };
+};
+
diff --git a/tests/test_polycom.py b/tests/test_polycom.py
new file mode 100644
index 0000000000..9bbb20d6c0
--- /dev/null
+++ b/tests/test_polycom.py
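Review bot: The `program('RPRM')` filter in the `application polycom_rprm[sc4s-syslog]` block is, under the syslog-ng default for this filter, a regular-expression match that is not anchored, so any sender whose PROGRAM header merely contains `RPRM` would be routed to the `netops` index under this sourcetype; if an exact match is intended, `program("RPRM" type(string));` says so explicitly. Since the routing decision rests only on the sender-supplied PROGRAM value, a one-line comment above the filter noting that this is the sole selector would help whoever later tightens it. As a matter of style, the `channel { }` body in the parser block carries two stray blank lines before its closing brace and the closing `};` lines are not indented consistently with the rest of the file.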
@@ -0,0 +1,45 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+import pytest
+
+env = Environment()
+
+polycom_data = [
+    r'{{ mark }} {{ iso }}Z {{ host }} RPRM 107463 Jserver - DEBUG|||http-nio-5443-exec-22|com.polycom.rpum.epm.engine.ruleengine.ProfileFillingAction| ...df8-46f4-8ed1-2acc1bd62f97, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.autoOffHook.3.enabled, tagValue=1, required=true, canModify=true], ProfileTag [tagId=3e2fb279-c386-410b-866e-b427aaea80c4, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.teluri.showPrompt, tagValue=0, required=true, canModify=true], ProfileTag [tagId=6168b060-fe0e-414d-a25a-acbe629f963c, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=a835bbaf-1202-415a-8933-360a54acced1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap, tagValue=sip\:x.\.x.\@zoomcrc\.com|sip\:x.\@zoomcrc\.com|x.\.x.\@zoomcrc\.com|x.\@zoomcrc\.com|xxxxxxxxx.T|xxxxxxxxxx| , required=true, canModify=true], ProfileTag [tagId=67e41d5e-1112-4e36-8f78-e682ed61b4cc, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap.timeOut, tagValue=4, required=true, canModify=true], ProfileTag [tagId=577dd248-7fdd-4730-aa90-ef7f1aa2f19b, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=f44bd920-fa45-4d11-90ff-2e294a45d1e1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.digitmap.lineSwitching.enable, tagValue=1, required=true, canModify=true], ProfileTag [tagId=5d1f9d8f-6583-4f5d-83c3-76194c299971, 
profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=exchange.meeting.parseAllowedSipUriDomains, tagValue=zoomcrc.com,zoom.us,vip2.zoomus.com,bjn.vc,polycom.com, required=true, canModify=true], ProfileTag [tagId=b8a2dd79-7b8f-48be-b452-e529e2071003, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=exchange.meeting.parseEmailsAsSipUris, tagValue=1, required=true, canModify=true], ProfileTag [tagId=bfe8cd05...2048',
+]
+
+@pytest.mark.parametrize("event", polycom_data)
+def test_polycom(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event):
+    host = get_host_key
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<29>1", iso=iso, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string('search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="polycom:rprm:syslog"')
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
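Review bot: `datetime` is used at `dt = datetime.datetime.now(datetime.timezone.utc)` but is never imported in this file, so the name only resolves if one of the three star-imported helper modules happens to re-export it; add an explicit `import datetime` alongside `import pytest` so the test does not depend on that accident. The single fixture in `polycom_data` carries what appear to be values lifted from a real deployment (repeated profile and tag UUIDs, a dial-plan digit map and a list of allowed SIP domains); since test fixtures live in history permanently, consider replacing them with clearly synthetic values before merge. The same fixture contains literal `...` elisions inside the message text, and if those are in the committed source rather than an artifact of how this page was rendered, the event is not a faithful RPRM sample and should be completed or trimmed to a whole record. Of the seven names unpacked from `time_operations(dt)`, only `iso` and `epoch` are used, and `time` shadows the stdlib module name; `iso, _, _, _, _, _, epoch = time_operations(dt)` avoids both issues.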