From 988eea23e6cdef87e2e8c0bfecd9d71e7d84daff Mon Sep 17 00:00:00 2001
From: Ryan Faircloth
Date: Mon, 31 Jan 2022 08:23:19 -0500
Subject: [PATCH] feat: support solace event broker (#1419) fixes #1405
---
docs/sources/Solace/index.md | 47 +++++++++++++++++++
mkdocs.yml | 1 +
.../syslog/app-syslog-solace_eventbroker.conf | 24 ++++++++++
tests/test_solace.py | 46 ++++++++++++++++++
4 files changed, 118 insertions(+)
create mode 100644 docs/sources/Solace/index.md
create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf
create mode 100644 tests/test_solace.py
diff --git a/docs/sources/Solace/index.md b/docs/sources/Solace/index.md
new file mode 100644
index 0000000000..85d3697fb1
--- /dev/null
+++ b/docs/sources/Solace/index.md
@@ -0,0 +1,47 @@
+# Vendor - Solace
+
+
+## Product - EventBroker
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | unknown |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| solace:eventbroker | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| solace_eventbroker | solace:eventbroker | main | none |
+
+### Filter type
+
+MSGPARSE:
+
+### Setup and Configuration
+
+Device setup unknown
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_SOLACE_EVENTBROKER_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_SOLACE_EVENTBROKER_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_SOLACE_EVENTBROKER | no | Enable archive to disk for this specific source |
+| SC4S_DEST_SOLACE_EVENTBROKER_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=solace:eventbroker | stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index bafbfd1e7f..6f785d5b50 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -87,6 +87,7 @@ nav:
 - Ricoh: sources/Ricoh/index.md
 - Schneider: sources/Schneider/index.md
 - "Simple Sources": sources/Simple/index.md
+ - "Solace": sources/Solace/index.md
 - "Sophos": sources/Sophos/index.md
 - Spectracom: "sources/Spectracom/index.md"
 - Splunk: sources/Splunk/index.md
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf b/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf
new file mode 100644
index 0000000000..25310feb92
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-solace_eventbroker.conf
@@ -0,0 +1,24 @@
+block parser app-syslog-solace_eventbroker() {
+ channel {
+ #
+ rewrite {
+ r_set_splunk_dest_default(
+ index('main')
+ sourcetype('solace:eventbroker')
+ vendor_product("solace_eventbroker")
+ );
+ };
+
+
+ };
+};
+application app-syslog-solace_eventbroker[sc4s-syslog] {
+ filter {
+ program('^event')
+ and message('^SYSTEM: [A-Z]+');
+ };
+ parser { app-syslog-solace_eventbroker(); };
+};
+
+
+
diff --git a/tests/test_solace.py b/tests/test_solace.py
new file mode 100644
index 0000000000..9a6d4743a5
--- /dev/null
+++ b/tests/test_solace.py
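Review bot: The application filter at `program('^event') and message('^SYSTEM: [A-Z]+')` is looser than the traffic it is meant to classify: `program('^event')` is a prefix regex, so any sender whose program name merely starts with "event" and whose message opens with `SYSTEM: ` plus a single capital letter is relabelled `solace:eventbroker` and, by default, directed to index main, while `[A-Z]+` stops at the first underscore and never reaches the event-name terminator. Since the sample in the accompanying test uses the literal program name `event` and an `EVENT_NAME:` token, the match can be made exact with `program('event' type(string))` and, if all EventBroker system events carry that token, `message('^SYSTEM: [A-Z_]+:')`. The empty `#` line inside `channel { }` and the three trailing blank lines look like leftovers from a template and could be dropped.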
@@ -0,0 +1,46 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <158>Nov 11 15:22:22 xx-09 event: SYSTEM: SYSTEM_CLIENT_CONNECT_FAIL: - - Message VPN (xx) Sol Client username xx clientname xx@RTMD_ALL connect failed from 10.0.0.0:33454 - Forbidden: Client Name Already In Use
+
+
+def test_solace(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }}{{ bsd }}{{ host }} event: SYSTEM: SYSTEM_CLIENT_CONNECT_FAIL: - - Message VPN (xx) Sol Client username xx clientname xx@RTMD_ALL connect failed from 10.0.0.0:33454 - Forbidden: Client Name Already In Use\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host, epoch=epoch)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="solace:eventbroker"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
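Review bot: `datetime` is used at `dt = datetime.datetime.now()` but is never imported by this file; it reaches the module only through one of the three `from . import *` lines, so the test silently depends on whichever helper happens to re-export it and a later cleanup of that helper would break it. Add `import datetime` beside `import random`. Two smaller points in the same function: `epoch` is passed to `mt.render(...)` although the message template contains no `{{ epoch }}` placeholder, and `eventCount` is unpacked from `splunk_single` but never used. The rendered PRI `<111>` also differs from the `<158>` in the sample line quoted in the module comment; a short comment saying the facility/severity is intentionally arbitrary would stop a reader from treating it as a transcription error.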