fixes #1272
rfaircloth-splunk
committed
Oct 21, 2021
1 parent
8b05216
commit 712fe03
Showing
6 changed files
with
183 additions
and
2 deletions.
@@ -0,0 +1,91 @@ | ||
# Vendor - Mikrotik | ||
|
||
## Product - dns | ||
|
||
This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired | ||
see that source documentation for instructions | ||
|
||
| Ref | Link | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| Splunk Add-on | https://splunkbase.splunk.com/app/3845/ | | ||
|
||
|
||
### Sourcetypes | ||
|
||
| sourcetype | notes | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| routeros | none | | ||
|
||
|
||
### Index Configuration | ||
|
||
| key | index | notes | | ||
|----------------|------------|----------------| | ||
| mikrotik_routeros | netops | none | | ||
| mikrotik_routeros_fw | netfw | Used for events with forward: | | ||
|
||
### Filter type | ||
|
||
Vendor Product by source configuration required | ||
|
||
### Options | ||
|
||
None | ||
|
||
|
||
|
||
### Verification | ||
|
||
An active site will generate frequent events use the following search to check for new events | ||
|
||
Verify timestamp, and host values match as expected | ||
|
||
``` | ||
index=<asconfigured> (sourcetype=routeros") | ||
``` | ||
|
||
|
||
|
||
## Product - DHCPD | ||
|
||
This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired | ||
see that source documentation for instructions | ||
|
||
| Ref | Link | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| Splunk Add-on | https://splunkbase.splunk.com/app/3010/ | | ||
|
||
|
||
### Sourcetypes | ||
|
||
| sourcetype | notes | | ||
|----------------|---------------------------------------------------------------------------------------------------------| | ||
| isc:dhcp | none | | ||
|
||
|
||
### Index Configuration | ||
|
||
| key | index | notes | | ||
|----------------|------------|----------------| | ||
| isc_dhcp | isc:dhcp | none | | ||
|
||
### Filter type | ||
|
||
MSG Parse: This filter parses message content | ||
|
||
### Options | ||
|
||
None | ||
|
||
|
||
|
||
### Verification | ||
|
||
An active site will generate frequent events use the following search to check for new events | ||
|
||
Verify timestamp, and host values match as expected | ||
|
||
``` | ||
index=<asconfigured> (sourcetype=isc:dhcp") | ||
``` | ||
|
34 changes: 34 additions & 0 deletions
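--- a/package/etc/conf.d/conflib/net_source/app-mikrotik_routeros.conf
+++ b/package/etc/conf.d/conflib/net_source/app-mikrotik_routeros.conf
@@ -0,0 +1,34 @@
+block parser mikrotik_routeros-parser() {
+channel {
+rewrite {
+r_set_splunk_dest_default(
+index('netops')
+source('program:${.PROGRAM}')
+sourcetype('routeros')
+vendor_product("mikrotik_routeros")
+template('t_hdr_msg')
+);
+};
+
+if {
+filter{program('forward' type(string) flags(prefix))};
+rewrite {
+r_set_splunk_dest_update(
+index('netfw')
+meta_key('mikrotik_routeros_fw')
+);
+};
+};
+
+
+};
+};
+application mikrotik_routeros[sc4s-network-source] {
+filter {
+(
+"${.netsource.sc4s_vendor_product}" eq "mikrotik_routeros"
+or "${SOURCE}" eq "s_MIKROTIK_ROUTEROS"
+)
+};
+parser { mikrotik_routeros-parser(); };
+};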
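Review bot: The `if { filter{program('forward' type(string) flags(prefix))}; ... }` branch that re-routes events to `netfw` under `mikrotik_routeros_fw` has no comment explaining the routing decision, and it matches only programs starting with `forward`; if RouterOS firewall logging is also expected from the `input` and `output` chains (traffic to and from the device itself, which a firewall index would normally want), those events would presumably stay in `netops` under the default rule — please confirm the intended scope. A short header comment above the `if` block, such as `# RouterOS firewall log lines appear to carry the chain name as the syslog program (e.g. "forward:"); route those to the firewall index`, would make the intent visible to the next maintainer. The two stray blank lines before the closing `};` of the `channel` block look like leftovers and can be dropped.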
@@ -0,0 +1,50 @@ | ||
# Copyright 2019 Splunk, Inc. | ||
# | ||
# Use of this source code is governed by a BSD-2-clause-style | ||
# license that can be found in the LICENSE-BSD2 file or at | ||
# https://opensource.org/licenses/BSD-2-Clause | ||
import random | ||
|
||
from jinja2 import Environment | ||
|
||
from .sendmessage import * | ||
from .splunkutils import * | ||
from .timeutils import * | ||
import pytest | ||
|
||
env = Environment() | ||
|
||
testdata = [ | ||
"{{mark}}{{ bsd }} {{ host }} forward: in:ether1 out:bridge, src-mac 26:5a:4c:57:6e:cc, proto TCP (SYN), 192.168.1.196:62583->10.1.0.0:8000, len 64", | ||
] | ||
# Tue, 15 Jun 2021 02:35:28 +1000 | ||
|
||
|
||
@pytest.mark.parametrize("event", testdata) | ||
def test_routeros(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): | ||
host = "test-mrtros-{}-{}".format( | ||
random.choice(setup_wordlist), random.choice(setup_wordlist) | ||
) | ||
|
||
dt = datetime.datetime.now(datetime.timezone.utc) | ||
iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) | ||
# Tune time functions | ||
epoch = epoch[:-7] | ||
device_time = dt.strftime("%a, %d %b %Y %H:%M:%S +0000") | ||
|
||
mt = env.from_string(event + "\n") | ||
message = mt.render(mark="<132>", bsd=bsd, host=host, device_time=device_time) | ||
|
||
sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) | ||
|
||
st = env.from_string('search index=netfw _time={{ epoch }} sourcetype="routeros"') | ||
|
||
search = st.render(epoch=epoch, host=host) | ||
|
||
resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
||
record_property("host", host) | ||
record_property("resultCount", resultCount) | ||
record_property("message", message) | ||
|
||
assert resultCount == 1 |
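Review bot: The search built at `st = env.from_string('search index=netfw _time={{ epoch }} sourcetype="routeros"')` never constrains on the test's unique host even though `host=host` is passed to `st.render` on the next line, so `assert resultCount == 1` counts any `routeros` event in `netfw` that shares the same `_time` rather than the one this test sent; if the indexed `host` field carries the syslog host, the fix is `st = env.from_string('search index=netfw _time={{ epoch }} host="{{ host }}" sourcetype="routeros"')`. Separately, `datetime` is used at `dt = datetime.datetime.now(datetime.timezone.utc)` but never imported explicitly — it presumably arrives through one of the `from .timeutils import *` style star imports, and an explicit `import random` / `import datetime` pair at the top would make that dependency visible and survive changes to the helper module. `device_time` is rendered into the message template but no `{{ device_time }}` placeholder appears in `testdata`, so that argument is currently unused.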