Skip to content

Commit

Permalink
Merge pull request #486 from Cargill/moving_layer7
Browse files Browse the repository at this point in the history 
adding back layer7 config
  • Loading branch information
@MehaSal
MehaSal authored Feb 22, 2024
2 parents 4a91ce7 + 21b036d commit 7d08f77
Showing 1 changed file with 233 additions and 0 deletions.
233 changes: 233 additions & 0 deletions config/processors/syslog_security_layer7.securespan.soa.gw.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,233 @@
# Copyright [2021] [Cargill, Incorporated.]
# SPDX-License-Identifier: Apache-2.0
input {
pipeline {
address => VAR_PIPELINE_NAME
}
}
filter {
if ![event][dataset] {
mutate {
add_field => { "[event][module]" => "layer7_soa_gw" }
add_field => { "[event][dataset]" => "layer7_soa_gw.traffic" }
}


mutate {
strip => ["message"]
}
grok {
tag_on_failure => "_parsefailure_header"
match => { "message" => "(^(.*?)(<(?<pri>\d+)>)(\s)?(?<actual_msg>.*$))|(^(?<actual_msg>.*)$)" }
timeout_millis => 500
}
syslog_pri {
syslog_pri_field_name => "pri"
}
if [pri] =~ "14" {
if [actual_msg] =~ "applicationId" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 1" }
}
dissect {
mapping => {
actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[rule][description]]}: %{+[[rule][description]]}: %{+[[rule][description]]}: Connection:%{[[rule][ruleset]]}, Content-Length:%{[[file][size]]}, Content-Type:%{[[file][extension]]}; charset=utf-8, Date:%{[[event][created]]}, %{+[[event][created]]} %{+[[event][created]]} %{+[[event][created]]} %{+[[event][created]]} %{[[time][zone]]}, Server:%{server}, X-Powered-By:%{[[process][name]]} %{+[[process][name]]} REQUEST BODY: %{?[[request][body]]} <applicationId>%{?[[application][id]]}</a%{?data} <status>%{[[event][action]]}</s%{?data} <serviceId>%{[[service][id]]}</%{?data} <issuerId>%{?[[issuer][id]]}</%{?data} <issueDate>%{?[[issue][date]]}</%{?data} <rcvDate>%{?[[receive][date]]}</rcvDate> %{msg}"
# <prdcRsltDate>%{prod.result.date}</prdcRsltDate>
}
}
}
else {
if [actual_msg] =~ ", , 200" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 2 (dropped)" }
}
drop {}
}
if [actual_msg] =~ " Message processed successfully" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 3" }
}
dissect {
mapping => {
actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[rule][description]]}"
}
}
}
else if [actual_msg] =~ "#####Client SSL Protocol" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 4" }
}
dissect {
mapping => {
actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[event][severity_name]} %{[[system][properties]]}: %{[[rule][description]]} - %{+[[rule][description]]} - %{[[network][protocol]]}_%{?[[key][exchange]]}_WITH_%{[[symmetric][encryption]]}_%{+[[symmetric][encryption]]}_%{+[[symmetric][encryption]]}_%{?sha}"
}
}
}
else if [actual_msg] =~ "service: A00" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 5" }
}
dissect {
mapping => {
actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][message]]}: %{+[[system][message]]}: %{[[rule][description]]}"
}
}
}
else if [actual_msg] =~ "Requestor address" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 6" }
}
dissect {
mapping => {
actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[event][severity_name]} %{[[system][properties]]}: %{[[source][port]]}: Requestor address %{[[source][address]]} %{[[event][action]]}"
}
}
}
else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "authorization:" and [actual_msg] =~ "host:" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 7" }
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} %{[[msg][del]]} (Verb): %{[[http][request][method]]} %{[[msg][del]]} authorization:%{authorization} %{[[msg][del]]} host:%{[[host][hostname]]}:%{chk_data}"
# sap-language:%{sap.language}, sap-passport:%{sap.passport}
}
}
if [chk_data] =~ "," {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 7 (a)" }
}
dissect {
mapping => {
chk_data => "%{[[source][port]]}, %{[[rule][description]]}"
}
}
}
else {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 7 (b)" }
}
dissect {
mapping => {
chk_data => "%{[[source][port]]} %{[[rule][description]]}"
}
}
}
}
else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "authorization:" and [actual_msg] !~ "host:" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 8" }
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} %{[[msg][del]]} (Verb): %{[[http][request][method]]} %{[[msg][del]]} authorization:%{authorization}"
}
}
}
else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "(Verb):" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 9" }
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} %{[[msg][del]]} (Verb): %{[[http][request][method]]}"
}
}
}
else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "Original Request Query:" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 9(a)" }
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} Original Request Query: %{[[url][query]]}"
}
}
}
else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] !~ "Original Request Query:" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 9(b)" }
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]}"
}
}
}
else if [actual_msg] =~ "IntegrationId:" and [actual_msg] !~ "URL" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 10" }
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{[[rule][description]]}"
}
}
}
else if [actual_msg] =~ "parsedIntUrl:" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 11" }
}
mutate {
gsub => ["rest_msg"," "," "]
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} parsedIntUrl: %{[[url][full]]}"
}
}
}
}
}
# if [actual_msg] =~ "USER:WARN" {
else {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 12" }
}
dissect {
mapping => {
rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[event][action]]}"
}
}
if [pri] == "12" and [actual_msg] =~ "Error" {
mutate {
add_field => { "[agent][parse_rule]" => "RULE 13" }
}
mutate {
update => {"[event][severity_name]" => "Error" }
}
}
}
date {
match => ["[event][created]" , "MMM dd HH:mm:ss","MMM dd HH:mm:ss.SSS"]
timezone => "GMT"
locale => "en"
target => "[event][created]"
}
date {
match => ["[event][start]" , "MMM dd HH:mm:ss","MMM dd HH:mm:ss.SSS"]
timezone => "GMT"
locale => "en"
target => "[event][start]"
}
mutate {
remove_field => ["msg","[log][date]","[time][zone]","actual_msg","[sytem][properties]","server","authorization","chk_data","[msg][del]","pri"]
}
#### Classification part ####
translate {
source => "[event][severity_name]"
target => "[rule][category]"
dictionary => {
"WARNING" => "Ops Warning"
"INFO" => "Ops Information"
"Error" => "Ops Error"
}
fallback => "Others"
}
}else {
# put tibco_ems parsing here
}
}
output {
pipeline { send_to => [enrichments] }
}

0 comments on commit 7d08f77

Please sign in to comment.