Fix/update-helm-charts #2637

2 changes: 1 addition & 1 deletion .github/workflows/ci-lite.yaml
Expand Up @@ -86,7 +86,7 @@ jobs:
type=ref,event=tag
- name: matrix
id: matrix
uses: splunk/[email protected].8
uses: splunk/[email protected].9

security-fossa-scan:
continue-on-error: true
2 changes: 1 addition & 1 deletion .github/workflows/ci-main.yaml
Expand Up @@ -86,7 +86,7 @@ jobs:
type=ref,event=tag
- name: matrix
id: matrix
uses: splunk/[email protected].8
uses: splunk/[email protected].9

security-fossa-scan:
continue-on-error: true
4 changes: 2 additions & 2 deletions charts/splunk-connect-for-syslog/templates/service.yaml
Expand Up @@ -14,7 +14,7 @@ metadata:

spec:
type: {{ .Values.service.type }}
externalTrafficPolicy: Local
externalTrafficPolicy: {{ .Values.externalTrafficPolicy }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
Expand Down Expand Up @@ -92,7 +92,7 @@ metadata:
{{- include "splunk-connect-for-syslog.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
externalTrafficPolicy: Local
externalTrafficPolicy: {{ .Values.externalTrafficPolicy }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
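Review bot: The new `externalTrafficPolicy` at L69 and L78 is read from the top-level value `.Values.externalTrafficPolicy`, while every sibling setting in the same spec (`service.type`, `service.loadBalancerIP`) lives under `service.`, so the key breaks the chart's own grouping and is easy to miss in a user's values file. Moving it under `service` — `externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}` with the default declared under `service:` in values.yaml — keeps the Service settings in one place. Both hunks render the same expression, so whichever key is chosen should be applied to both. Only part of each Service spec is visible here.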
4 changes: 4 additions & 0 deletions charts/splunk-connect-for-syslog/templates/statefulset.yaml
Expand Up @@ -267,6 +267,10 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
affinity:
{{- with .Values.nodeAffinity }}
nodeAffinity:
{{- toYaml . | nindent 10 }}
{{- end }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
4 changes: 4 additions & 0 deletions charts/splunk-connect-for-syslog/values.yaml
Expand Up @@ -206,4 +206,8 @@ autoscaling:

nodeSelector: {}

nodeAffinity: {}

tolerations: []

externalTrafficPolicy: Cluster
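Review bot: `externalTrafficPolicy: Cluster` on the last line changes the effective default from the `Local` that service.yaml previously hard-coded, which is a behaviour change for every existing deployment that upgrades without setting the new value. With `Cluster`, kube-proxy SNATs inbound connections, so SC4S sees a node address instead of the sending device's address; for a syslog collector that address is typically what host attribution and any source-based filtering fall back on, so events may silently become attributed to cluster nodes. If the intent is only to make the policy configurable, keep the old behaviour as the default: `externalTrafficPolicy: Local` with a comment such as `# Local preserves the sender's source IP; Cluster spreads traffic across nodes but SNATs it`. The new `nodeAffinity: {}` would also benefit from a commented example of the expected structure (e.g. a `requiredDuringSchedulingIgnoredDuringExecution` block), since statefulset.yaml passes the value straight to `toYaml`.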
21 changes: 12 additions & 9 deletions dashboard/dashboard.xml
Expand Up @@ -18,7 +18,7 @@
</search>
<search id="baseEventsSearch">
<query>
index=* sc4s_container=$sc4s_instance$
| tstats count where index=* sc4s_container=$sc4s_instance$ by index _time
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
Expand All @@ -43,8 +43,8 @@
<input type="time" token="time_range">
<label>Timer</label>
<default>
<earliest>rt-15m</earliest>
<latest>rt</latest>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
<html>
Expand Down Expand Up @@ -220,6 +220,7 @@
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
Expand Down Expand Up @@ -310,14 +311,15 @@
<single>
<title>Total volume of actual syslog traffic delivered by this SC4S instance to Splunk</title>
<search base="baseEventsSearch">
<query>| stats count</query>
<query>| stats sum(count)</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
Expand All @@ -336,7 +338,7 @@
<title>Distributions of events by index</title>
<chart>
<search base="baseEventsSearch">
<query>| stats count by index</query>
<query>| stats sum(count) as count by index</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
Expand Down Expand Up @@ -366,6 +368,7 @@
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
Expand All @@ -375,7 +378,7 @@
<title>Trends of events by index</title>
<table>
<search base="baseEventsSearch">
<query>| chart sparkline(count) AS "Indexes Trend" count AS Total BY index</query>
<query>| stats sparkline(sum(count)) as "Indexes Trend" sum(count) as Total by index</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
Expand All @@ -393,7 +396,7 @@
<chart>
<search>
<query>
index=* sc4s_container=$sc4s_instance$ | eval tags=split(sc4s_tags,"|") | mvexpand tags | search tags=".app.*" | timechart count by tags
| tstats count where index=* sc4s_container=$sc4s_instance$ by sc4s_tags _time | eval tags=split(sc4s_tags,"|") | mvexpand tags | search tags=".app.*" | timechart sum(count) by tags
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
Expand Down Expand Up @@ -439,7 +442,7 @@
<table>
<search>
<query>
index=* sc4s_container=$sc4s_instance$ | eval tags=split(sc4s_tags,"|") | mvexpand tags | chart count by tags
| tstats count where index=* sc4s_container=$sc4s_instance$ by sc4s_tags _time | eval tags=split(sc4s_tags,"|") | mvexpand tags | stats sum(count) as eventCount by tags | sort - eventCount
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
Expand All @@ -449,4 +452,4 @@
</table>
</panel>
</row>
</form>
</form>
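Review bot: The base search at L115 now relies on `tstats`, which reads only indexed fields, so `sc4s_container` (and `sc4s_tags` in the searches at L186 and L195) must be indexed in every target index, otherwise the panels silently report zero instead of erroring. Presumably SC4S writes these as indexed HEC fields, but that assumption is worth stating in the PR description, because the previous `index=* sc4s_container=…` searches also worked with search-time extractions. The `by index _time` in the base search carries no `span=`, so the bucket size is chosen automatically; if the sparkline at L177 is expected to keep a stable resolution across time ranges, consider an explicit `span=`.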
1 change: 0 additions & 1 deletion docs/sources/vendor/Cisco/cisco_asa.md
Expand Up @@ -11,7 +11,6 @@
| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on for ASA (No long supports FWSM and PIX) | <https://splunkbase.splunk.com/app/1620/> |
| Cisco eStreamer for Splunk | <https://splunkbase.splunk.com/app/1629/> |
| Product Manual | <https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html> |

## Sourcetypes
Expand Up @@ -57,7 +57,8 @@ block parser app-postfilter-cisco_ise() {
application app-postfilter-cisco_ise[sc4s-finalfilter] {
filter {
program('CISE_' type(string) flags(prefix))
and "${.values.num}" != 1;
and "${.values.num}" != 1
and not program('CISE_Alarm');
};
parser { app-postfilter-cisco_ise(); };
};
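Review bot: The added `and not program('CISE_Alarm')` at L223 gives no `type()`, unlike the sibling `program('CISE_' type(string) flags(prefix))` on the line above, so it falls back to syslog-ng's default match type (a regex in current releases) and, being unanchored, would also exclude any program name merely containing `CISE_Alarm`. For an exact, consistently styled exclusion use `and not program('CISE_Alarm' type(string));`. The same change is duplicated in the second copy of this hunk further down the page and should be adjusted there too.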
29 changes: 25 additions & 4 deletions package/etc/conf.d/conflib/syslog/app-syslog-cisco_ise.conf
Expand Up @@ -18,6 +18,27 @@ parser ise_event_time {
block parser app-syslog-cisco_ise() {

channel {

if {
parser {
regexp-parser(
template("${MESSAGE}")
patterns("^(?<real_day>\\d{2}) (?<real_hour>\\d{2}:\\d{2}:\\d{2}) (?<real_host>[^ ]+) (?<real_program>[^ ]+) (?<rest_of_message>.*)")
prefix(".parsed.")
);

date-parser-nofilter(
format('%b %d %H:%M:%S')
template("${PROGRAM} ${.parsed.real_day} ${.parsed.real_hour}")
);
};
rewrite {
set("${.parsed.real_host}" value("HOST"));
set("${.parsed.real_program}" value("PROGRAM"));
set("${.parsed.rest_of_message}" value("MESSAGE"));
};
};

parser {
csv-parser(
columns(serial, num, seq, message)
Expand All @@ -44,13 +65,13 @@ block parser app-syslog-cisco_ise() {
product('ise')
);
};


};
};
};

application app-syslog-cisco_ise[sc4s-syslog-pgm] {
filter {
program('CISE_' type(string) flags(prefix));
program('CISE_' type(string) flags(prefix))
or message('CISE_' type(string) flags(substring));
};
parser { app-syslog-cisco_ise(); };
};
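Review bot: The header-repair regex at L238 anchors `real_day` as exactly two digits (`^(?<real_day>\\d{2}) …`), so a BSD-style timestamp for days 1–9 (`Jan  5 …`, a single digit after the month, possibly space-padded) does not match, and those messages skip the HOST/PROGRAM/MESSAGE rewrite and the date repair while still reaching the csv-parser with the raw header in `${MESSAGE}`. Whether syslog-ng strips the padding space when it splits PROGRAM from MESSAGE is not visible here, so accept both forms: `patterns("^ ?(?<real_day>\\d{1,2}) (?<real_hour>\\d{2}:\\d{2}:\\d{2}) …")`; `%d` in the date-parser template handles one or two digits. The `set("${.parsed.real_host}" value("HOST"))` at L248 lets the payload overwrite the transport-derived HOST, which is normal for a syslog header but deserves a comment stating that the peer address remains available in SC4S's own source fields — presumably it does, but that should be confirmed. The widened filter at L271 (`message('CISE_' … flags(substring))`) routes any message that merely contains `CISE_` into this parser, so a comment explaining why a substring match is needed here would help the next reader. The same block is duplicated in the lite addon copy of this file below.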
Expand Up @@ -57,7 +57,8 @@ block parser app-postfilter-cisco_ise() {
application app-postfilter-cisco_ise[sc4s-finalfilter] {
filter {
program('CISE_' type(string) flags(prefix))
and "${.values.num}" != 1;
and "${.values.num}" != 1
and not program('CISE_Alarm');
};
parser { app-postfilter-cisco_ise(); };
};
29 changes: 25 additions & 4 deletions package/lite/etc/addons/cisco/app-syslog-cisco_ise.conf
Expand Up @@ -18,6 +18,27 @@ parser ise_event_time {
block parser app-syslog-cisco_ise() {

channel {

if {
parser {
regexp-parser(
template("${MESSAGE}")
patterns("^(?<real_day>\\d{2}) (?<real_hour>\\d{2}:\\d{2}:\\d{2}) (?<real_host>[^ ]+) (?<real_program>[^ ]+) (?<rest_of_message>.*)")
prefix(".parsed.")
);

date-parser-nofilter(
format('%b %d %H:%M:%S')
template("${PROGRAM} ${.parsed.real_day} ${.parsed.real_hour}")
);
};
rewrite {
set("${.parsed.real_host}" value("HOST"));
set("${.parsed.real_program}" value("PROGRAM"));
set("${.parsed.rest_of_message}" value("MESSAGE"));
};
};

parser {
csv-parser(
columns(serial, num, seq, message)
Expand All @@ -44,13 +65,13 @@ block parser app-syslog-cisco_ise() {
product('ise')
);
};


};
};
};

application app-syslog-cisco_ise[sc4s-syslog-pgm] {
filter {
program('CISE_' type(string) flags(prefix));
program('CISE_' type(string) flags(prefix))
or message('CISE_' type(string) flags(substring));
};
parser { app-syslog-cisco_ise(); };
};
6 changes: 3 additions & 3 deletions poetry.lock
