From 712fe03cca4da6309e5af4de055377ef25107197 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 21 Oct 2021 09:02:55 -0400 Subject: [PATCH] feat(mikrotik): Support routeros fixes #1272 --- docs/sources/Mikrotik/index.md | 91 +++++++++++++++++++ mkdocs.yml | 1 + .../net_source/app-mikrotik_routeros.conf | 34 +++++++ .../vendor_product_by_source.conf.example | 6 +- .../vendor_product_by_source.csv.example | 3 +- tests/test_mikrotik.py | 50 ++++++++++ 6 files changed, 183 insertions(+), 2 deletions(-) create mode 100644 docs/sources/Mikrotik/index.md create mode 100644 package/etc/conf.d/conflib/net_source/app-mikrotik_routeros.conf create mode 100644 tests/test_mikrotik.py diff --git a/docs/sources/Mikrotik/index.md b/docs/sources/Mikrotik/index.md new file mode 100644 index 0000000000..1d155e19ee --- /dev/null +++ b/docs/sources/Mikrotik/index.md 
@@ -0,0 +1,91 @@ +# Vendor - Mikrotik + +## Product - dns + +This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired +see that source documentation for instructions + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/3845/ | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| routeros | none | + + +### Index Configuration + +| key | index | notes | +|----------------|------------|----------------| +| mikrotik_routeros | netops | none | +| mikrotik_routeros_fw | netfw | Used for events with forward: | + +### Filter type + +Vendor Product by source configuration required + +### Options + +None + + + +### Verification + +An active site will generate frequent events use the following search to check for new events + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=routeros") +``` + + + +## Product - DHCPD + +This source type is often re-implemented by specific add-ons such as infoblox or bluecat if a more specific source type is desired +see that source documentation for instructions + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/3010/ | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| isc:dhcp | none | + + +### Index Configuration + +| key | index | notes | +|----------------|------------|----------------| +| isc_dhcp | isc:dhcp | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Options + +None + 
+
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=isc:dhcp")
+```
+
diff --git a/mkdocs.yml b/mkdocs.yml
index 0ed1ec9c5d..c6510c7365 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -65,6 +65,7 @@ nav:
     - McAfee: sources/McAfee/index.md
     - Microfocus: sources/Microfocus/index.md
     - Microsoft: sources/Microsoft/index.md
+    - Mikrotik: sources/Mikrotik/index.md
     - NetApp: sources/NetApp/index.md
     - Netmotion: sources/Netmotion/index.md
     - Novell: sources/Novell/index.md
diff --git a/package/etc/conf.d/conflib/net_source/app-mikrotik_routeros.conf b/package/etc/conf.d/conflib/net_source/app-mikrotik_routeros.conf
new file mode 100644
index 0000000000..ec9395979f
--- /dev/null
+++ b/package/etc/conf.d/conflib/net_source/app-mikrotik_routeros.conf
@@ -0,0 +1,34 @@
+block parser mikrotik_routeros-parser() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                source('program:${.PROGRAM}')
+                sourcetype('routeros')
+                vendor_product("mikrotik_routeros")
+                template('t_hdr_msg')
+            );
+        };
+
+        if {
+            filter{program('forward' type(string) flags(prefix))};
+            rewrite {
+                r_set_splunk_dest_update(
+                    index('netfw')
+                    meta_key('mikrotik_routeros_fw')
+                );
+            };
+        };
+
+
+    };
+};
+application mikrotik_routeros[sc4s-network-source] {
+    filter {
+        (
+            "${.netsource.sc4s_vendor_product}" eq "mikrotik_routeros"
+            or "${SOURCE}" eq "s_MIKROTIK_ROUTEROS"
+        )
+    };
+    parser { mikrotik_routeros-parser(); };
+};
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
index 9fa2d8059b..2c2189b761 100644
--- a/package/etc/context_templates/vendor_product_by_source.conf.example
+++ b/package/etc/context_templates/vendor_product_by_source.conf.example
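Review bot: The `filter{program('forward' type(string) flags(prefix))}` branch is the only path to the netfw index, so a RouterOS firewall log whose leading chain token is not `forward` would stay in netops as plain `mikrotik_routeros` — as far as I know RouterOS logs its other firewall chains in the same shape (`input: ...`, `output: ...`), and the documentation in this commit only promises netfw for `forward:`. If that split is intended, record it in the block with `# only the forward chain is routed to netfw; input/output chain logs stay in netops`; otherwise widen the filter, e.g. `filter{program('forward' type(string) flags(prefix)) or program('input' type(string) flags(prefix)) or program('output' type(string) flags(prefix))};`. The prefix match is also looser than it needs to be, since any program name that merely starts with `forward` is reclassified as firewall traffic; if the token is always exactly `forward`, dropping `flags(prefix)` gives an exact string match. The two consecutive blank `+` lines before the channel's closing `};` can be collapsed to one.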
@@ -95,4 +95,8 @@ filter f_dell_cmc {
 
 filter f_ibm_datapower {
     host("test-ibmdp-" type(string) flags(prefix))
-};
\ No newline at end of file
+};
+
+filter f_mikrotik_routeros {
+    host("test-mrtros-" type(string) flags(prefix))
+};
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
index 0ae8272b37..8f63995a81 100644
--- a/package/etc/context_templates/vendor_product_by_source.csv.example
+++ b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -21,4 +21,5 @@ f_cisco_esa,sc4s_vendor_product,"cisco_esa"
 f_sophos_webappliance,sc4s_vendor_product,"sophos_webappliance"
 f_vmware_esx,sc4s_vendor_product,"vmware_esx"
 f_dell_cmc,sc4s_vendor_product,"dell_poweredge_cmc"
-f_ibm_datapower,sc4s_vendor_product,"ibm_datapower"
\ No newline at end of file
+f_ibm_datapower,sc4s_vendor_product,"ibm_datapower"
+f_mikrotik_routeros,sc4s_vendor_product,"mikrotik_routeros"
\ No newline at end of file
diff --git a/tests/test_mikrotik.py b/tests/test_mikrotik.py
new file mode 100644
index 0000000000..daf3b7337e
--- /dev/null
+++ b/tests/test_mikrotik.py
@@ -0,0 +1,50 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+import pytest
+
+env = Environment()
+
+testdata = [
+    "{{mark}}{{ bsd }} {{ host }} forward: in:ether1 out:bridge, src-mac 26:5a:4c:57:6e:cc, proto TCP (SYN), 192.168.1.196:62583->10.1.0.0:8000, len 64",
+]
+# Tue, 15 Jun 2021 02:35:28 +1000
+
+
+@pytest.mark.parametrize("event", testdata)
+def test_routeros(record_property, setup_wordlist, setup_splunk, setup_sc4s, event):
+    host = "test-mrtros-{}-{}".format(
+        random.choice(setup_wordlist), random.choice(setup_wordlist)
+    )
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+    # Tune time functions
+    epoch = epoch[:-7]
+    device_time = dt.strftime("%a, %d %b %Y %H:%M:%S +0000")
+
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<132>", bsd=bsd, host=host, device_time=device_time)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string('search index=netfw _time={{ epoch }} sourcetype="routeros"')
+
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
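Review bot: The search template on the `st = env.from_string(...)` line does not constrain by host, so `host` is passed to `st.render(epoch=epoch, host=host)` but never used, and `assert resultCount == 1` can be satisfied or broken by any other `routeros` event that lands in netfw at the same truncated epoch (for example from a parallel test run); add it to the template, `st = env.from_string('search index=netfw _time={{ epoch }} sourcetype="routeros" host="{{ host }}"')`, which also ties the assertion to the `test-mrtros-` prefix the example filter keys on. `device_time` is likewise rendered into a template that never references it, and `datetime` is only in scope through the `from .timeutils import *` star import — presumably the pattern the sibling tests follow, but worth confirming. The single testdata entry exercises only the `forward:` path into netfw; the default netops route set by the parser has no coverage, so a second entry without the `forward:` token, searched in `index=netops`, would close that gap.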