feat(wallix): Add support for bastion

splunk · Aug 6, 2021 · acef7f0 · acef7f0
1 parent 58a205c
commit acef7f0
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 0 deletions.
diff --git a/docs/sources/Wallix/index.md b/docs/sources/Wallix/index.md
@@ -0,0 +1,42 @@
+# Vendor - Wallix
+
+## Product - Bastion
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | https://splunkbase.splunk.com/app/3661/                                                                 |
+
+
+### Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| WB:syslog  | note this sourcetype includes program:rdproxy all other data will be treated as nix  |
+
+
+### Sourcetype and Index Configuration
+
+| key                 | sourcetype             | index    | notes   |
+|---------------------|------------------------|----------|---------|
+| WB:syslog      | infraops      | main     | none    |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_WALLIX_PROXY_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_WALLIX_PROXY_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_WALLIX_PROXY | no | Enable archive to disk for this specific source |
+| SC4S_DEST_WALLIX_PROXY_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+
+### Verification
+
+An active proxy will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index=<asconfigured> sourcetype=WB:* | stats count by host
+```
+
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -67,6 +67,7 @@ nav:
       - Vectra: sources/Vectra/index.md
       - Varonis: sources/Varonis/index.md
       - VMware: sources/VMWare/index.md
+      - Wallix: sources/Wallix/index.md
       - Zscaler: sources/Zscaler/index.md
   - Performance: "performance.md"
   - Troubleshooting:

diff --git a/package/etc/conf.d/conflib/syslog/app-wallx_proxy.conf b/package/etc/conf.d/conflib/syslog/app-wallx_proxy.conf
@@ -0,0 +1,22 @@
+block parser wallx_proxy-parser() {    
+ channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index("infraops")
+                sourcetype('WB:syslog')
+                vendor_product("walllix_bastion")
+            );            
+        };       
+
+
+
+   };
+};
+application wallx_proxy[sc4s-syslog] {
+	filter { 
+        program('rdpproxy');
+    };	
+    parser { wallx_proxy-parser(); };   
+};
+
+