diff --git a/docs/sources/vendor/Dell/emc_powerstore.md b/docs/sources/vendor/Dell/emc_powerstore.md new file mode 100644 index 0000000000..bf324653e6 --- /dev/null +++ b/docs/sources/vendor/Dell/emc_powerstore.md @@ -0,0 +1,26 @@ +# Dell Powerstore + +## Key facts + +* MSG Format based filter +* Legacy BSD Format default port 514 + +## Links + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------------------------------| +| Splunk Add-on | N/A | +| Add-on Manual | N/A | +| Product Manual | [Powerstore Documentation](https://www.dell.com/support/kbdoc/en-us/000130110/powerstore-info-hub-product-documentation-videos) | + +## Sourcetypes + +| sourcetype | notes | +|-----------------------|-------| +| `dell:emc:powerstore` | None | + +### Index Configuration + +| key | sourcetype | index | notes | +|--------------------|-----------------------|----------|-------| +| dellemc_powerstore | `dell:emc:powerstore` | `netops` | none | diff --git a/package/enterprise/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf b/package/enterprise/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf new file mode 100644 index 0000000000..7a3c0044b8 --- /dev/null +++ b/package/enterprise/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf @@ -0,0 +1,18 @@ +block parser app-syslog-dell_powerstore() { + channel { + rewrite { + r_set_splunk_dest_default( + index('netops') + sourcetype('dell:emc:powerstore') + vendor('dellemc') + product('powerstore') + ); + }; + }; +}; +application app-syslog-dell_powerstore[sc4s-network-source] { + filter { + match('\[PowerStore_audit_event@1139' value("MESSAGE")); + }; + parser { app-syslog-dell_powerstore(); }; +}; \ No newline at end of file diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf b/package/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf new file mode 100644 index 0000000000..7a3c0044b8 --- /dev/null +++ b/package/etc/conf.d/conflib/syslog/app-syslog-dell_powerstore.conf @@ -0,0 +1,18 @@ +block parser app-syslog-dell_powerstore() { + channel { + rewrite { + r_set_splunk_dest_default( + index('netops') + sourcetype('dell:emc:powerstore') + vendor('dellemc') + product('powerstore') + ); + }; + }; +}; +application app-syslog-dell_powerstore[sc4s-network-source] { + filter { + match('\[PowerStore_audit_event@1139' value("MESSAGE")); + }; + parser { app-syslog-dell_powerstore(); }; +}; \ No newline at end of file diff --git a/package/lite/etc/addons/dell/app-syslog-dell_powerstore.conf b/package/lite/etc/addons/dell/app-syslog-dell_powerstore.conf new file mode 100644 index 0000000000..7a3c0044b8 --- /dev/null +++ b/package/lite/etc/addons/dell/app-syslog-dell_powerstore.conf @@ -0,0 +1,18 @@ +block parser app-syslog-dell_powerstore() { + channel { + rewrite { + r_set_splunk_dest_default( + index('netops') + sourcetype('dell:emc:powerstore') + vendor('dellemc') + product('powerstore') + ); + }; + }; +}; +application app-syslog-dell_powerstore[sc4s-network-source] { + filter { + match('\[PowerStore_audit_event@1139' value("MESSAGE")); + }; + parser { app-syslog-dell_powerstore(); }; +}; \ No newline at end of file diff --git a/tests/test_dell_powerstore.py b/tests/test_dell_powerstore.py new file mode 100644 index 0000000000..4b81b7110e --- /dev/null +++ b/tests/test_dell_powerstore.py @@ -0,0 +1,65 @@ +# Copyright 2019 Splunk, Inc. +# +# Use of this source code is governed by a BSD-2-clause-style +# license that can be found in the LICENSE-BSD2 file or at +# https://opensource.org/licenses/BSD-2-Clause + +from jinja2 import Environment, select_autoescape + +from .sendmessage import sendsingle +from .splunkutils import splunk_single +from .timeutils import time_operations +import datetime + +import pytest + +env = Environment(autoescape=select_autoescape(default_for_string=False)) + +# <110>Jan 31 19:43:24 APM00243620939-B [358]: 2025-01-31T19:43:17 APM00243620939-B PSb8ad27c26647 358@HM3CTZ3 Authentication [PowerStore_audit_event@1139 id="2341" user="admin" resource_type="login_session" action="None" client_ip="10.114.173.252" appliance="APM00243620939" status="success"] User "admin" logged in successfully. +# <110>Jan 31 19:44:44 APM00243620939-B [358]: 2025-01-31T19:44:31 APM00243620939-B PSb8ad27c26647 358@HM3CTZ3 Authentication [PowerStore_audit_event@1139 id="2342" user="EncryptHTTP.PSb8ad27c26647" resource_type="login_session" action="None" client_ip="None" appliance="APM00243620939" status="success"] Successfully authenticated cert_account : Dell EMC PowerStore CA P9XEU8F5/EncryptHTTP.PSb8ad27c26647. +# <110>Jan 31 19:45:44 APM00243620939-B [358]: 2025-01-31T19:45:29 APM00243620939-B PSb8ad27c26647 358@HM3CTZ3 Service [PowerStore_audit_event@1139 id="2347" user="root" resource_type="unknown" action="not applicable" client_ip="not applicable" appliance="APM00243620939" status="success"] User root executed the service script command [/cyc_host/cyc_service/bin/svc_diag list --hardware --sub_options firmware] from APM00243620939-A via shell. +# <110>Jan 31 19:48:25 APM00243620939-B [358]: 2025-01-31T19:48:16 APM00243620939-B PSb8ad27c26647 358@HM3CTZ3 Authentication [PowerStore_audit_event@1139 id="2349" user="EncryptHTTP.PSb8ad27c26647" resource_type="login_session" action="None" client_ip="None" appliance="APM00243620939" status="success"] Successfully authenticated cert_account : Dell EMC PowerStore CA P9XEU8F5/EncryptHTTP.PSb8ad27c26647. +# <110>Jan 31 19:49:05 APM00243620939-B [358]: 2025-01-31T19:48:49 APM00243620939-B PSb8ad27c26647 358@HM3CTZ3 Config [PowerStore_audit_event@1139 id="2351" user="admin" resource_type="system_health_check" action="create" client_ip="10.114.173.252" appliance="APM00243620939" status="failed"] Failed to perform system health check on pki-tech-ps-p01. +# <110>Jan 31 19:58:46 APM00243620939-B [358]: 2025-01-31T19:58:22 APM00243620939-B PSb8ad27c26647 358@HM3CTZ3 Logout [PowerStore_audit_event@1139 id="2352" user="admin" resource_type="login_session" action="delete" client_ip="10.114.173.252" appliance="APM00243620939" status="success"] User "admin" was successfully logged out. + +test_cases = [ + "{{ mark }}{{ bsd }} {{ host }} [358]: {{ iso }} {{ host }} PSb8ad27c26647 358@HM3CTZ3 Authentication [PowerStore_audit_event@1139 id=\"2341\" user=\"admin\" resource_type=\"login_session\" action=\"None\" client_ip=\"10.114.173.252\" appliance=\"APM00243620939\" status=\"success\"] User \"admin\" logged in successfully.", + "{{ mark }}{{ bsd }} {{ host }} [358]: {{ iso }} {{ host }} PSb8ad27c26647 358@HM3CTZ3 Authentication [PowerStore_audit_event@1139 id=\"2342\" user=\"EncryptHTTP.PSb8ad27c26647\" resource_type=\"login_session\" action=\"None\" client_ip=\"None\" appliance=\"APM00243620939\" status=\"success\"] Successfully authenticated cert_account : Dell EMC PowerStore CA P9XEU8F5/EncryptHTTP.PSb8ad27c26647.", + "{{ mark }}{{ bsd }} {{ host }} [358]: {{ iso }} {{ host }} PSb8ad27c26647 358@HM3CTZ3 Service [PowerStore_audit_event@1139 id=\"2347\" user=\"root\" resource_type=\"unknown\" action=\"not applicable\" client_ip=\"not applicable\" appliance=\"APM00243620939\" status=\"success\"] User root executed the service script command [/cyc_host/cyc_service/bin/svc_diag list --hardware --sub_options firmware] from APM00243620939-A via shell.", + "{{ mark }}{{ bsd }} {{ host }} [358]: {{ iso }} {{ host }} PSb8ad27c26647 358@HM3CTZ3 Authentication [PowerStore_audit_event@1139 id=\"2349\" user=\"EncryptHTTP.PSb8ad27c26647\" resource_type=\"login_session\" action=\"None\" client_ip=\"None\" appliance=\"APM00243620939\" status=\"success\"] Successfully authenticated cert_account : Dell EMC PowerStore CA P9XEU8F5/EncryptHTTP.PSb8ad27c26647.", + "{{ mark }}{{ bsd }} {{ host }} [358]: {{ iso }} {{ host }} PSb8ad27c26647 358@HM3CTZ3 Config [PowerStore_audit_event@1139 id=\"2351\" user=\"admin\" resource_type=\"system_health_check\" action=\"create\" client_ip=\"10.114.173.252\" appliance=\"APM00243620939\" status=\"failed\"] Failed to perform system health check on pki-tech-ps-p01.", + "{{ mark }}{{ bsd }} {{ host }} [358]: {{ iso }} {{ host }} PSb8ad27c26647 358@HM3CTZ3 Logout [PowerStore_audit_event@1139 id=\"2352\" user=\"admin\" resource_type=\"login_session\" action=\"delete\" client_ip=\"10.114.173.252\" appliance=\"APM00243620939\" status=\"success\"] User \"admin\" was successfully logged out." + +] + + +@pytest.mark.parametrize("case", test_cases) +@pytest.mark.addons("dell") +def test_dell_powerstore( + record_property, setup_splunk, setup_sc4s, case +): + host = f'test-dell-powerstore-{test_cases.index(case)}' + + dt = datetime.datetime.now() + iso, bsd, _, _, _, _, epoch = time_operations(dt) + + # Tune time functions + epoch = epoch[:-7] + + mt = env.from_string(case + "\n") + message = mt.render(mark="<110>", bsd=bsd, host=host, iso=iso) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + 'search index=netops _time={{ epoch }} sourcetype="dell:emc:powerstore" (host="{{ host }}" OR "{{ host }}")' + ) + search = st.render(epoch=epoch, host=host) + + result_count, _ = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", result_count) + record_property("message", message) + + assert result_count == 1