-
Notifications
You must be signed in to change notification settings - Fork 111
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1195 from splunk/feat-polycom-RPRM
feat(polycom): Support RPRM
- Loading branch information
Showing
4 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # Vendor - Polycom | ||
|
|
||
| ## Product - RPRM | ||
|
|
||
| | Ref | Link | | ||
| |----------------|---------------------------------------------------------------------------------------------------------| | ||
| | Splunk Add-on | none | | ||
| | Product Manual | unknown | | ||
|
|
||
|
|
||
| ### Sourcetypes | ||
|
|
||
| | sourcetype | notes | | ||
| |----------------|---------------------------------------------------------------------------------------------------------| | ||
| | polycom:rprm:syslog | | | ||
|
|
||
| ### Sourcetype and Index Configuration | ||
|
|
||
| | key | sourcetype | index | notes | | ||
| |----------------|----------------|----------------|----------------| | ||
| | polycom_rprm | polycom:rprm:syslog | netops | none | | ||
|
|
||
|
|
||
| ### Filter type | ||
|
|
||
| MSG Parse: This filter parses message content | ||
|
|
||
|
|
||
| ### Options | ||
|
|
||
| | Variable | default | description | | ||
| |----------------|----------------|----------------| | ||
| | SC4S_POLYCOM_RPRM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers. | | ||
| | SC4S_POLYCOM_RPRM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers. | | ||
| | SC4S_ARCHIVE_POLYCOM_RPRM | no | Enable archive to disk for this specific source | | ||
| | SC4S_DEST_POLYCOM_RPRM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | ||
|
|
||
| ### Verification | ||
|
|
||
| One or two sourcetypes are included in Proofpoint PPS logs. The search below will surface both of them: | ||
|
|
||
| ``` | ||
| index=<asconfigured> sourcetype=polycom:rprm:syslog| stats count by host | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| block parser polycom_rprm-parser() { | ||
| channel { | ||
| rewrite { | ||
| r_set_splunk_dest_default( | ||
| index('netops') | ||
| sourcetype('polycom:rprm:syslog') | ||
| vendor_product("polycom_rprm") | ||
| template('t_5424_hdr_sdata_msg') | ||
| ); | ||
| }; | ||
|
|
||
|
|
||
| }; | ||
| }; | ||
| application polycom_rprm[sc4s-syslog] { | ||
| filter { | ||
| program('RPRM'); | ||
| }; | ||
| parser { polycom_rprm-parser(); }; | ||
| }; | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # Copyright 2019 Splunk, Inc. | ||
| # | ||
| # Use of this source code is governed by a BSD-2-clause-style | ||
| # license that can be found in the LICENSE-BSD2 file or at | ||
| # https://opensource.org/licenses/BSD-2-Clause | ||
|
|
||
| from jinja2 import Environment | ||
|
|
||
| from .sendmessage import * | ||
| from .splunkutils import * | ||
| from .timeutils import * | ||
| import pytest | ||
|
|
||
| env = Environment() | ||
|
|
||
| polycom_data = [ | ||
| r'{{ mark }} {{ iso }}Z {{ host }} RPRM 107463 Jserver - DEBUG|||http-nio-5443-exec-22|com.polycom.rpum.epm.engine.ruleengine.ProfileFillingAction| ...df8-46f4-8ed1-2acc1bd62f97, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.autoOffHook.3.enabled, tagValue=1, required=true, canModify=true], ProfileTag [tagId=3e2fb279-c386-410b-866e-b427aaea80c4, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.teluri.showPrompt, tagValue=0, required=true, canModify=true], ProfileTag [tagId=6168b060-fe0e-414d-a25a-acbe629f963c, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=a835bbaf-1202-415a-8933-360a54acced1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap, tagValue=sip\:x.\.x.\@zoomcrc\.com|sip\:x.\@zoomcrc\.com|x.\.x.\@zoomcrc\.com|x.\@zoomcrc\.com|xxxxxxxxx.T|xxxxxxxxxx| , required=true, canModify=true], ProfileTag [tagId=67e41d5e-1112-4e36-8f78-e682ed61b4cc, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap.timeOut, tagValue=4, required=true, canModify=true], ProfileTag [tagId=577dd248-7fdd-4730-aa90-ef7f1aa2f19b, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=f44bd920-fa45-4d11-90ff-2e294a45d1e1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.digitmap.lineSwitching.enable, tagValue=1, required=true, canModify=true], ProfileTag [tagId=5d1f9d8f-6583-4f5d-83c3-76194c299971, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=exchange.meeting.parseAllowedSipUriDomains, tagValue=zoomcrc.com,zoom.us,vip2.zoomus.com,bjn.vc,polycom.com, required=true, canModify=true], ProfileTag [tagId=b8a2dd79-7b8f-48be-b452-e529e2071003, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=exchange.meeting.parseEmailsAsSipUris, tagValue=1, required=true, canModify=true], ProfileTag [tagId=bfe8cd05...2048', | ||
| ] | ||
|
|
||
| @pytest.mark.parametrize("event", polycom_data) | ||
| def test_polycom(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): | ||
| host = get_host_key | ||
|
|
||
| dt = datetime.datetime.now(datetime.timezone.utc) | ||
| iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) | ||
|
|
||
| # Tune time functions | ||
| iso = dt.isoformat()[0:23] | ||
| epoch = epoch[:-3] | ||
|
|
||
| mt = env.from_string(event + "\n") | ||
| message = mt.render(mark="<29>1", iso=iso, host=host) | ||
|
|
||
| sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) | ||
|
|
||
| st = env.from_string('search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="polycom:rprm:syslog"') | ||
| search = st.render(epoch=epoch, host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 |