feat: add Aruba Silver Peak parser (#2537)

splunk · Aug 21, 2024 · 8a4712b · 8a4712b
1 parent ed5ece0
commit 8a4712b
Show file tree

Hide file tree

Showing 13 changed files with 218 additions and 33 deletions.
diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml
@@ -136,7 +136,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push action
         id: docker_action_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           provenance: false

diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml
@@ -136,7 +136,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push action
         id: docker_action_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           provenance: false

diff --git a/ansible/resources/docker_sc4s.service b/ansible/resources/docker_sc4s.service
@@ -30,6 +30,8 @@ ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/docker rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/docker run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -41,4 +43,4 @@ ExecStart=/usr/bin/docker run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure
diff --git a/ansible/resources/podman_sc4s.service b/ansible/resources/podman_sc4s.service
@@ -29,6 +29,8 @@ ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/podman rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/podman run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -42,4 +44,4 @@ ExecStart=/usr/bin/podman run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure
diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md
@@ -168,6 +168,9 @@ ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
 # Note: The path /usr/bin/bash may vary based on your operating system.
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl --user set-environment SC4SHOST=$(hostname -s)"
+
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/podman rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/podman run -p 2514:514 -p 2514:514/udp -p 6514:6514  \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -180,7 +183,7 @@ ExecStart=/usr/bin/podman run -p 2514:514 -p 2514:514/udp -p 6514:6514  \
         --network host \
         --name SC4S \
         --rm $SC4S_IMAGE
-Restart=on-abnormal
+Restart=on-failure
 ```
 
 5. Create your `env_file` file at ```/home/sc4s/env_file```

diff --git a/docs/resources/docker/sc4s.service b/docs/resources/docker/sc4s.service
@@ -30,6 +30,8 @@ ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/docker rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/docker run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -41,4 +43,4 @@ ExecStart=/usr/bin/docker run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure
diff --git a/docs/resources/podman/sc4s.service b/docs/resources/podman/sc4s.service
@@ -29,6 +29,8 @@ ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
 # when startup fails on running bash check if the path is correct
 ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 
+# Note: Prevent the error 'The container name "/SC4S" is already in use by container <container_id>. You have to remove (or rename) that container to be able to reuse that name.'
+ExecStartPre=/usr/bin/bash -c "/usr/bin/podman rm SC4S > /dev/null 2>&1 || true"
 ExecStart=/usr/bin/podman run \
         -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         -v "$SC4S_PERSIST_MOUNT" \
@@ -42,4 +44,4 @@ ExecStart=/usr/bin/podman run \
         --name SC4S \
         --rm $SC4S_IMAGE
 
-Restart=on-abnormal
+Restart=on-failure
diff --git a/docs/sources/vendor/Aruba/silverpeak.md b/docs/sources/vendor/Aruba/silverpeak.md
@@ -0,0 +1,44 @@
+# Silverpeak
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+
+## Sourcetypes
+
+| sourcetype       | notes |
+|------------------|-------|
+| aruba:silverpeak |       |    
+
+
+### Index Configuration
+
+| key                                      | index  | notes          |
+|------------------------------------------|--------|----------------|
+| aruba_silverpeak                         | netops | none           |
+
+
+## Parser Configuration
+
+```c
+#/opt/sc4s/local/config/app-parsers/app-vps-aruba_silverpeak.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-aruba_silverpeak[sc4s-vps] {
+ filter {
+        host("silverpeak-" type(string) flags(prefix))
+    };
+    parser {
+        p_set_netsource_fields(
+            vendor('aruba')
+            product('silverpeak')
+        );
+    };
+};
+```
diff --git a/package/etc/conf.d/conflib/netsource/app-netsource-aruba_silverpeak.conf b/package/etc/conf.d/conflib/netsource/app-netsource-aruba_silverpeak.conf
@@ -0,0 +1,32 @@
+block parser app-netsource-aruba_silverpeak() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('aruba:silverpeak')
+                vendor('aruba')
+                product('silverpeak')
+            );
+        };
+    };
+};
+
+
+application app-netsource-aruba_silverpeak[sc4s-network-source] {
+    filter {
+        not filter(f_is_source_identified)
+        and (
+                (
+                    match("aruba", value('.netsource.sc4s_vendor'), type(string))
+                    and match("silverpeak", value('.netsource.sc4s_product'), type(string))
+                )
+                and (tags("ns_vendor:aruba") and tags("ns_product:silverpeak"))
+                or tags(".source.s_ARUBA_SILVERPEAK")
+                or "${.netsource.sc4s_vendor_product}" eq "aruba_silverpeak"
+            )
+        ;
+    };
+    parser { app-netsource-aruba_silverpeak(); };
+};
+
+
diff --git a/package/etc/test_parsers/app-vps-test-aruba_silverpeak.conf b/package/etc/test_parsers/app-vps-test-aruba_silverpeak.conf
@@ -0,0 +1,11 @@
+application app-vps-aruba_silverpeak[sc4s-vps] {
+ filter {
+        host("silverpeak-" type(string) flags(prefix))
+    };
+    parser {
+        p_set_netsource_fields(
+            vendor('aruba')
+            product('silverpeak')
+        );
+    };
+};
diff --git a/package/lite/etc/addons/aruba/app-netsource-aruba_silverpeak.conf b/package/lite/etc/addons/aruba/app-netsource-aruba_silverpeak.conf
@@ -0,0 +1,30 @@
+block parser app-netsource-aruba_silverpeak() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index('netops')
+                sourcetype('aruba:silverpeak')
+                vendor('aruba')
+                product('silverpeak')
+            );
+        };
+    };
+};
+
+
+application app-netsource-aruba_silverpeak[sc4s-network-source] {
+    filter {
+        not filter(f_is_source_identified)
+        and (
+                (
+                    match("aruba", value('.netsource.sc4s_vendor'), type(string))
+                    and match("silverpeak", value('.netsource.sc4s_product'), type(string))
+                )
+                and (tags("ns_vendor:aruba") and tags("ns_product:silverpeak"))
+                or tags(".source.s_ARUBA_SILVERPEAK")
+                or "${.netsource.sc4s_vendor_product}" eq "aruba_silverpeak"
+            )
+        ;
+    };
+    parser { app-netsource-aruba_silverpeak(); };
+};
diff --git a/poetry.lock b/poetry.lock