feat(PureStorage): Support purestorage arrays

docs/sources/PureStorage/index.md

@@ -0,0 +1,50 @@
+# Vendor - Pure Storage
+
+## Product - Array
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | None  note TA published on Splunk base does not include syslog extractions                                                                |
+| Product Manual |  |
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ossec     |  The add-on supports data from the following sources: File Integrity Management (FIM) data, FTP data, su data, ssh data, Windows data, including audit and logon information  |
+
+### Sourcetype and Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+| purestorage_array    | purestorage:array    | infraops          | None     |
+| purestorage_array_${class}    | purestorage:array:class    | infraops          | class is extracted as the string following "purity."     |
+
+### Filter type
+
+MSG Parsing
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Pure Storage Follow vendor configuration steps per Product Manual.
+* Ensure host and timestamp are included.
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_PURESTORAGE_ARRAY_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_PURESTORAGE_ARRAY_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_PURESTORAGE_ARRAY | no | Enable archive to disk for this specific source |
+| SC4S_DEST_PURESTORAGE_ARRAY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index=infraops sourcetype=purestorage:array*
+```
+
+Verify timestamp, and host values match as expected

mkdocs.yml

@@ -76,6 +76,7 @@ nav:
       - "pfSense": sources/Pfsense/index.md
       - Polycom: sources/Polycom/index.md
       - Pulse: sources/Pulse/index.md
+      - PureStorage: sources/PureStorage/index.md
       - Proofpoint: sources/Proofpoint/index.md
       - Qumulo: sources/Qumulo/index.md
       - Radware: sources/Radware/index.md

package/etc/conf.d/conflib/syslog/app-pure_storage.conf

@@ -0,0 +1,29 @@
+block parser pure_storage-parser() {    
+ channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index("infraops")
+                sourcetype('purestorage:array')
+                vendor_product("purestorage_array")
+                template('t_msg_only')
+            );                         
+        };
+        if {
+            filter { 
+                message('^purity\.([^:\s]+)', flags(store-matches));
+            };	
+            rewrite {
+                    r_set_splunk_dest_update(
+                        sourcetype('purestorage:array:$1')
+                        meta_key('purestorage_array_$1')
+                    );
+            };             
+        };               
+    };
+};
+application pure_storage[sc4s-syslog] {
+	filter { 
+        message('^purity\.');
+    };	
+    parser { pure_storage-parser(); };   
+};

tests/test_purestorage.py

@@ -0,0 +1,43 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <182>Jan 19 10:47:33 host purity.test: INFO [root] This is a test message generated by Pure Storage FlashArray. UTC Time: 2022 Jan 19 15:47:33 Array Name: TTDSA-PS02
+def test_pure_storage(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{mark}}{{ bsd }} {{ host }} purity.test: INFO [root] This is a test message generated by Pure Storage FlashArray. UTC Time: 2022 Jan 19 15:47:33 Array Name: TTDSA-PS02\n"
+    )
+    message = mt.render(mark="<27>", bsd=bsd, host=host)
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=infraops sourcetype=purestorage:array:test host="{{key}}"'
+    )
+    search = st.render(epoch=epoch, key=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1