From a58ad633e1153c34298ad77ddfdd61fc09cf1114 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 21 Jan 2022 11:57:07 -0500
Subject: [PATCH] feat(PureStorage): Support purestorage arrays
---
 docs/sources/PureStorage/index.md | 50 +++++++++++++++++++
 mkdocs.yml | 1 +
 .../conflib/syslog/app-pure_storage.conf | 29 +++++++++++
 tests/test_purestorage.py | 43 ++++++++++++++++
 4 files changed, 123 insertions(+)
 create mode 100644 docs/sources/PureStorage/index.md
 create mode 100644 package/etc/conf.d/conflib/syslog/app-pure_storage.conf
 create mode 100644 tests/test_purestorage.py
diff --git a/docs/sources/PureStorage/index.md b/docs/sources/PureStorage/index.md
new file mode 100644
index 0000000000..9843624f58
--- /dev/null
+++ b/docs/sources/PureStorage/index.md
@@ -0,0 +1,50 @@
+# Vendor - Pure Storage
+
+## Product - Array
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None note TA published on Splunk base does not include syslog extractions |
+| Product Manual | |
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| ossec | The add-on supports data from the following sources: File Integrity Management (FIM) data, FTP data, su data, ssh data, Windows data, including audit and logon information |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| purestorage_array | purestorage:array | infraops | None |
+| purestorage_array_${class} | purestorage:array:class | infraops | class is extracted as the string following "purity." |
+
+### Filter type
+
+MSG Parsing
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Pure Storage Follow vendor configuration steps per Product Manual.
+* Ensure host and timestamp are included.
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_PURESTORAGE_ARRAY_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_PURESTORAGE_ARRAY_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_PURESTORAGE_ARRAY | no | Enable archive to disk for this specific source |
+| SC4S_DEST_PURESTORAGE_ARRAY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+Use the following search to validate events are present
+
+```
+index=infraops sourcetype=purestorage:array*
+```
+
+Verify timestamp, and host values match as expected
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index 9118a94805..05ed170da0 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -76,6 +76,7 @@ nav: - "pfSense": sources/Pfsense/index.md - Polycom: sources/Polycom/index.md - Pulse: sources/Pulse/index.md + - PureStorage: sources/PureStorage/index.md - Proofpoint: sources/Proofpoint/index.md - Qumulo: sources/Qumulo/index.md - Radware: sources/Radware/index.md
diff --git a/package/etc/conf.d/conflib/syslog/app-pure_storage.conf b/package/etc/conf.d/conflib/syslog/app-pure_storage.conf
new file mode 100644
index 0000000000..70ed255c2e
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-pure_storage.conf
@@ -0,0 +1,29 @@ +block parser pure_storage-parser() { + channel { + rewrite { + r_set_splunk_dest_default( + index("infraops") + sourcetype('purestorage:array') + vendor_product("purestorage_array") + template('t_msg_only') + ); + }; + if { + filter { + message('^purity\.([^:\s]+)', flags(store-matches)); + }; + rewrite { + r_set_splunk_dest_update( + sourcetype('purestorage:array:$1') + meta_key('purestorage_array_$1') + ); + }; + }; + }; +}; +application pure_storage[sc4s-syslog] { + filter { + message('^purity\.'); + }; + parser { pure_storage-parser(); }; +}; diff --git a/tests/test_purestorage.py b/tests/test_purestorage.py new file mode 100644 index 0000000000..5430c6df81 --- /dev/null +++ b/tests/test_purestorage.py 
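Review bot: The class captured by `message('^purity\.([^:\s]+)', flags(store-matches))` is copied verbatim into `sourcetype('purestorage:array:$1')` and `meta_key('purestorage_array_$1')`, so whatever follows `purity.` in the message body — any run of characters other than `:` and whitespace — becomes a Splunk sourcetype name. Because that text arrives with the syslog event itself, a malformed or unexpected message can mint arbitrary sourcetypes and inflate sourcetype cardinality on the indexers; the sample format (`purity.test: INFO …`) suggests a narrower capture such as `message('^purity\.([A-Za-z0-9_-]+):', flags(store-matches));` would bound the names while still matching the documented events. A one-line comment above the parser stating the expected shape, e.g. `# events look like "purity.<class>: <LEVEL> [<logger>] <text>"; <class> becomes the sourcetype suffix`, would save the next reader from reverse-engineering the two `^purity\.` patterns. The accompanying docs/sources/PureStorage/index.md Sourcetypes table still lists `ossec`, which looks like a copy-paste leftover that should name the purestorage:array sourcetypes instead.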
@@ -0,0 +1,43 @@ +# Copyright 2019 Splunk, Inc. +# +# Use of this source code is governed by a BSD-2-clause-style +# license that can be found in the LICENSE-BSD2 file or at +# https://opensource.org/licenses/BSD-2-Clause +import random + +from jinja2 import Environment + +from .sendmessage import * +from .splunkutils import * +from .timeutils import * + +env = Environment() + +# <182>Jan 19 10:47:33 host purity.test: INFO [root] This is a test message generated by Pure Storage FlashArray. UTC Time: 2022 Jan 19 15:47:33 Array Name: TTDSA-PS02 +def test_pure_storage(record_property, setup_wordlist, setup_splunk, setup_sc4s): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + # Tune time functions + epoch = epoch[:-7] + + mt = env.from_string( + "{{mark}}{{ bsd }} {{ host }} purity.test: INFO [root] This is a test message generated by Pure Storage FlashArray. UTC Time: 2022 Jan 19 15:47:33 Array Name: TTDSA-PS02\n" + ) + message = mt.render(mark="<27>", bsd=bsd, host=host) + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + 'search _time={{ epoch }} index=infraops sourcetype=purestorage:array:test host="{{key}}"' + ) + search = st.render(epoch=epoch, key=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1
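Review bot: `dt = datetime.datetime.now()` uses `datetime` without an explicit import; the hunk imports only `random` and `jinja2.Environment`, so the name presumably arrives through one of the `from .… import *` lines, and an explicit `import datetime` beside `import random` would make that dependency visible and robust to changes in those helper modules. The sample-event comment above the test shows PRI `<182>` while the rendered message uses `mark="<27>"`, a different facility and severity; aligning the two (or noting why they differ) avoids misleading the next reader. `resultCount, eventCount = splunk_single(setup_splunk, search)` leaves `eventCount` unused, so `resultCount, _ = splunk_single(setup_splunk, search)` states the intent. A one-line docstring such as `"""Send one purity.test event and verify it is indexed as sourcetype purestorage:array:test in index=infraops."""` would document what the test pins, and the `# Tune time functions` comment on `epoch = epoch[:-7]` would read better if it said what the trimmed suffix is.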