feat: support solace event broker (#1419)

fixes #1405
splunk · Jan 31, 2022 · 988eea2 · 988eea2
1 parent 083c70e
commit 988eea2
Show file tree

Hide file tree

Showing 4 changed files with 118 additions and 0 deletions.
diff --git a/docs/sources/Solace/index.md b/docs/sources/Solace/index.md
@@ -0,0 +1,47 @@
+# Vendor - Solace
+
+
+## Product - EventBroker
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | None                                    |
+| Product Manual | unknown   |
+
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| solace:eventbroker        | None                                                                                                    |
+
+### Sourcetype and Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| solace_eventbroker        | solace:eventbroker        | main          | none          |
+
+### Filter type
+
+MSGPARSE:
+
+### Setup and Configuration
+
+Device setup unknown 
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_SOLACE_EVENTBROKER_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_SOLACE_EVENTBROKER_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_SOLACE_EVENTBROKER | no | Enable archive to disk for this specific source |
+| SC4S_DEST_SOLACE_EVENTBROKER_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index=<asconfigured> sourcetype=solace:eventbroker | stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -87,6 +87,7 @@ nav:
       - Ricoh: sources/Ricoh/index.md
       - Schneider: sources/Schneider/index.md
       - "Simple Sources": sources/Simple/index.md
+      - "Solace": sources/Solace/index.md
       - "Sophos": sources/Sophos/index.md
       - Spectracom: "sources/Spectracom/index.md"
       - Splunk: sources/Splunk/index.md

diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf b/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf
@@ -0,0 +1,24 @@
+block parser app-syslog-solace_eventbroker() {    
+ channel {
+        #
+        rewrite {
+            r_set_splunk_dest_default(
+                index('main')
+                sourcetype('solace:eventbroker')
+                vendor_product("solace_eventbroker")
+            );              
+        };                       
+
+
+   };
+};
+application app-syslog-solace_eventbroker[sc4s-syslog] {
+    filter { 
+            program('^event')
+            and message('^SYSTEM: [A-Z]+');
+        };           
+	parser { app-syslog-solace_eventbroker(); };   
+};
+
+
+
diff --git a/tests/test_solace.py b/tests/test_solace.py
@@ -0,0 +1,46 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <158>Nov 11 15:22:22 xx-09 event: SYSTEM: SYSTEM_CLIENT_CONNECT_FAIL: - - Message VPN (xx) Sol Client username xx clientname xx@RTMD_ALL connect failed from 10.0.0.0:33454 - Forbidden: Client Name Already In Use
+
+
+def test_solace(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }}{{ bsd }}{{ host }} event: SYSTEM: SYSTEM_CLIENT_CONNECT_FAIL: - - Message VPN (xx) Sol Client username xx clientname xx@RTMD_ALL connect failed from 10.0.0.0:33454 - Forbidden: Client Name Already In Use\n"
+    )
+    message = mt.render(mark="<111>", bsd=bsd, host=host, epoch=epoch)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="solace:eventbroker"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1