From 3a00290a0a1821c571b7cf5ca5715a99ff075438 Mon Sep 17 00:00:00 2001
From: Ilya Kheifets
Date: Fri, 5 Apr 2024 17:15:59 +0200
Subject: [PATCH] feat: create parser dell avamar

---
 docs/sources/vendor/Dell/avamar.md | 25 +++++++++
 .../syslog/app-syslog-dell_avamar.conf | 36 +++++++++++++
 .../addons/dell/app-syslog-dell_avamar.conf | 36 +++++++++++++
 tests/test_dell_avamar.py | 53 +++++++++++++++++++
 4 files changed, 150 insertions(+)
 create mode 100644 docs/sources/vendor/Dell/avamar.md
 create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-dell_avamar.conf
 create mode 100644 package/lite/etc/addons/dell/app-syslog-dell_avamar.conf
 create mode 100644 tests/test_dell_avamar.py

diff --git a/docs/sources/vendor/Dell/avamar.md b/docs/sources/vendor/Dell/avamar.md
new file mode 100644
index 0000000000..0abaf3b97a
--- /dev/null
+++ b/docs/sources/vendor/Dell/avamar.md
@@ -0,0 +1,25 @@
+# Dell Avamar
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+| Add-on Manual | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| dell:avamar:msc| None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| dell_avamar_cms| dell:avamar:msc| netops | none |
\ No newline at end of file
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-dell_avamar.conf b/package/etc/conf.d/conflib/syslog/app-syslog-dell_avamar.conf
new file mode 100644
index 0000000000..0e987d22d8
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-dell_avamar.conf
@@ -0,0 +1,36 @@
+block parser app-syslog-dell_avamar() {
+ channel {
+ parser {
+ regexp-parser(
+ template("${MESSAGE}")
+ prefix(".tmp.")
+ patterns('<(?.*)')
+ );
+ kv-parser(
+ prefix(".values.")
+ pair-separator("<")
+ value-separator(">")
+ template("${.tmp.message}")
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netops')
+ sourcetype('dell:avamar:msc')
+ vendor('dell')
+ product('avamar')
+ class('msc')
+ template("t_json_values")
+ );
+ };
+ };
+};
+
+application app-syslog-dell_avamar[sc4s-syslog] {
+ filter {
+ message('' type(string) flags(substring)) and
+ message('' type(string) flags(substring)) and
+ message('' type(string) flags(substring));
+ };
+ parser { app-syslog-dell_avamar(); };
+};
diff --git a/package/lite/etc/addons/dell/app-syslog-dell_avamar.conf b/package/lite/etc/addons/dell/app-syslog-dell_avamar.conf
new file mode 100644
index 0000000000..0e987d22d8
--- /dev/null
+++ b/package/lite/etc/addons/dell/app-syslog-dell_avamar.conf
@@ -0,0 +1,36 @@
+block parser app-syslog-dell_avamar() {
+ channel {
+ parser {
+ regexp-parser(
+ template("${MESSAGE}")
+ prefix(".tmp.")
+ patterns('<(?.*)')
+ );
+ kv-parser(
+ prefix(".values.")
+ pair-separator("<")
+ value-separator(">")
+ template("${.tmp.message}")
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netops')
+ sourcetype('dell:avamar:msc')
+ vendor('dell')
+ product('avamar')
+ class('msc')
+ template("t_json_values")
+ );
+ };
+ };
+};
+
+application app-syslog-dell_avamar[sc4s-syslog] {
+ filter {
+ message('' type(string) flags(substring)) and
+ message('' type(string) flags(substring)) and
+ message('' type(string) flags(substring));
+ };
+ parser { app-syslog-dell_avamar(); };
+};
diff --git a/tests/test_dell_avamar.py b/tests/test_dell_avamar.py
new file mode 100644
index 0000000000..b5611221a2
--- /dev/null
+++ b/tests/test_dell_avamar.py
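Review bot: The `filter { ... }` at the end of the hunk consists of three identical `message('' type(string) flags(substring))` terms, and an empty substring matches every message, so as it reads here this application would claim any event arriving on the sc4s-syslog port and route it to index netops with sourcetype dell:avamar:msc, silently taking events away from other vendor parsers. The `${.tmp.message}` template on the kv-parser implies the regexp pattern was meant to define a named capture (presumably something like `(?<message>.*)`), yet `patterns('<(?.*)')` carries no group name, which suggests angle-bracketed tokens were stripped when this patch was rendered; if so the committed file may be correct, but please confirm the three match strings are distinct, non-empty Avamar-specific markers and that the capture name matches the template. The second hunk in package/lite/etc/addons/dell/app-syslog-dell_avamar.conf is byte-identical (same blob 0e987d22d8), so any correction must be applied to both copies. Separately, the new docs table lists the key as `dell_avamar_cms` while this parser uses `class('msc')`; one of the two looks transposed.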
@@ -0,0 +1,53 @@
+# Copyright 2024 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+import datetime
+
+import pytest
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+
+test_cases = [
+ '{{ mark }} {{ bsd }} {{ host }}: 22555 AUDIT PROCESS SECURITY email@my.com {{ host }} Changed backup expiration. /clients/Dev-Cert/Windows/test.com 2024-02-03 02:32:09 CST 3001 388 2024-02-16 ',
+]
+
+
+@pytest.mark.parametrize("case", test_cases)
+@pytest.mark.addons("dell")
+def test_dell_emc_powerswitch_nseries(
+ record_property, setup_splunk, setup_sc4s, case
+):
+ host = 'amavar'
+
+ dt = datetime.datetime.now()
+ _, bsd, _, date, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(case + "\n")
+ message = mt.render(mark="<141>", bsd=bsd, host=host, date=date)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=netops _time={{ epoch }} sourcetype="dell:avamar:msc" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
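Review bot: The test function is named `test_dell_emc_powerswitch_nseries` although the file, the marker and the sourcetype under test are Dell Avamar, so a failure would be attributed to the wrong parser in reports; rename it `def test_dell_avamar(`. The fixture host `'amavar'` also looks like a transposition of `avamar`, and `date` is rendered into the template although no `{{ date }}` placeholder exists in the case. The search only constrains index, sourcetype, host and `_time`, so the assertion `result_count == 1` passes even if the regexp-parser and kv-parser in the conf never match the event; as rendered here the sample message contains no `<`-delimited fields for the kv-parser to split, which may be a rendering artifact, but consider extending the search with at least one field the parser is expected to produce so a parsing regression is actually caught.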