diff --git a/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf index fc0a6c679b..7f66031700 100644 --- a/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf +++ b/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf @@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() { }; application app-raw-bsd_nopri[sc4s-raw-syslog] { filter { - message('^\w\w\w \d\d \d\d:\d\d:\d\d '); + message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) '); }; parser { app-raw-bsd_nopri(); }; }; diff --git a/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf index fc0a6c679b..7f66031700 100644 --- a/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf +++ b/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf @@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() { }; application app-raw-bsd_nopri[sc4s-raw-syslog] { filter { - message('^\w\w\w \d\d \d\d:\d\d:\d\d '); + message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) '); }; parser { app-raw-bsd_nopri(); }; }; diff --git a/poetry.lock b/poetry.lock index 8167cbce42..a7af2e4fc7 100644 --- a/poetry.lock +++ b/poetry.lock @@ -910,13 +910,13 @@ diagrams = ["jinja2", "railroad-diagrams"] [[package]] name = "pytest" -version = "8.3.3" +version = "8.3.4" description = "pytest: simple powerful testing with Python" optional = false python-versions = ">=3.8" files = [ - {file = "pytest-8.3.3-py3-none-any.whl", hash = "sha256:a6853c7375b2663155079443d2e45de913a911a11d669df02a50814944db57b2"}, - {file = "pytest-8.3.3.tar.gz", hash = "sha256:70b98107bd648308a7952b06e6ca9a50bc660be218d53c257cc1fc94fda10181"}, + {file = "pytest-8.3.4-py3-none-any.whl", hash = "sha256:50e16d954148559c9a74109af1eaf0c945ba2d8f30f0a3d3335edde19788b6f6"}, + {file = "pytest-8.3.4.tar.gz", hash = "sha256:965370d062bce11e73868e0335abac31b4d3de0e82f4007408d242b4f8610761"}, ] [package.dependencies] diff --git a/tests/test_trellix.py b/tests/test_trellix.py index 4f0a3dc968..c461e9ea0d 100644 --- a/tests/test_trellix.py +++ b/tests/test_trellix.py @@ -67,3 +67,37 @@ def test_trellix_cms( record_property("message", message) assert result_count == 1 + + +# Nov 2 00:00:00 trellix-host-xxxx CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt=1030482923264 cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects. +@pytest.mark.addons("trellix") +def test_trellix_cef(record_property, get_host_key, setup_splunk, setup_sc4s): + host = "trellix-host-" + get_host_key + + dt = datetime.datetime(2024, 11, 2, 0, 0) + _, bsd, _, _, _, _, epoch = time_operations(dt) + + # hard coding the bsd to test single digit date (Nov 2 00:00:00) + bsd = "Nov 2 00:00:00" + # Tune time functions + epoch = epoch[:-3] + + mt = env.from_string( + "{{ bsd }} {{ host }} CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt={{ epoch }} cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects." + ) + message = mt.render(bsd=bsd, host=host, epoch=epoch) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="cef"' + ) + search = st.render(epoch=epoch, host=host) + + result_count, _ = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", result_count) + record_property("message", message) + + assert result_count == 1 \ No newline at end of file