From 21b036df584ed1be476b957fa9d23852248642e1 Mon Sep 17 00:00:00 2001
From: MehaSal
Date: Thu, 22 Feb 2024 10:32:13 -0600
Subject: [PATCH] adding back layer7 config
---
 ...log_security_layer7.securespan.soa.gw.conf | 233 ++++++++++++++++++
 1 file changed, 233 insertions(+)
 create mode 100644 config/processors/syslog_security_layer7.securespan.soa.gw.conf
diff --git a/config/processors/syslog_security_layer7.securespan.soa.gw.conf b/config/processors/syslog_security_layer7.securespan.soa.gw.conf
new file mode 100644
index 00000000..8c6a0054
--- /dev/null
+++ b/config/processors/syslog_security_layer7.securespan.soa.gw.conf
@@ -0,0 +1,233 @@
+# Copyright [2021] [Cargill, Incorporated.]
+# SPDX-License-Identifier: Apache-2.0
+input {
+ pipeline {
+ address => VAR_PIPELINE_NAME
+ }
+}
+filter {
+ if ![event][dataset] {
+ mutate {
+ add_field => { "[event][module]" => "layer7_soa_gw" }
+ add_field => { "[event][dataset]" => "layer7_soa_gw.traffic" }
+ }
+
+
+ mutate {
+ strip => ["message"]
+ }
+ grok {
+ tag_on_failure => "_parsefailure_header"
+ match => { "message" => "(^(.*?)(<(?\d+)>)(\s)?(?.*$))|(^(?.*)$)" }
+ timeout_millis => 500
+ }
+ syslog_pri {
+ syslog_pri_field_name => "pri"
+ }
+ if [pri] =~ "14" {
+ if [actual_msg] =~ "applicationId" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 1" }
+ }
+ dissect {
+ mapping => {
+ actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[rule][description]]}: %{+[[rule][description]]}: %{+[[rule][description]]}: Connection:%{[[rule][ruleset]]}, Content-Length:%{[[file][size]]}, Content-Type:%{[[file][extension]]}; charset=utf-8, Date:%{[[event][created]]}, %{+[[event][created]]} %{+[[event][created]]} %{+[[event][created]]} %{+[[event][created]]} %{[[time][zone]]}, Server:%{server}, X-Powered-By:%{[[process][name]]} %{+[[process][name]]} REQUEST BODY: %{?[[request][body]]} %{?[[application][id]]}%{[[event][action]]}%{[[service][id]]}%{?[[issuer][id]]}%{?[[issue][date]]}%{?[[receive][date]]} %{msg}"
+ # %{prod.result.date}
+ }
+ }
+ }
+ else {
+ if [actual_msg] =~ ", , 200" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 2 (dropped)" }
+ }
+ drop {}
+ }
+ if [actual_msg] =~ " Message processed successfully" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 3" }
+ }
+ dissect {
+ mapping => {
+ actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[rule][description]]}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "#####Client SSL Protocol" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 4" }
+ }
+ dissect {
+ mapping => {
+ actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[event][severity_name]} %{[[system][properties]]}: %{[[rule][description]]} - %{+[[rule][description]]} - %{[[network][protocol]]}_%{?[[key][exchange]]}_WITH_%{[[symmetric][encryption]]}_%{+[[symmetric][encryption]]}_%{+[[symmetric][encryption]]}_%{?sha}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "service: A00" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 5" }
+ }
+ dissect {
+ mapping => {
+ actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][message]]}: %{+[[system][message]]}: %{[[rule][description]]}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "Requestor address" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 6" }
+ }
+ dissect {
+ mapping => {
+ actual_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[event][severity_name]} %{[[system][properties]]}: %{[[source][port]]}: Requestor address %{[[source][address]]} %{[[event][action]]}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "authorization:" and [actual_msg] =~ "host:" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 7" }
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} %{[[msg][del]]} (Verb): %{[[http][request][method]]} %{[[msg][del]]} authorization:%{authorization} %{[[msg][del]]} host:%{[[host][hostname]]}:%{chk_data}"
+ # sap-language:%{sap.language}, sap-passport:%{sap.passport}
+ }
+ }
+ if [chk_data] =~ "," {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 7 (a)" }
+ }
+ dissect {
+ mapping => {
+ chk_data => "%{[[source][port]]}, %{[[rule][description]]}"
+ }
+ }
+ }
+ else {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 7 (b)" }
+ }
+ dissect {
+ mapping => {
+ chk_data => "%{[[source][port]]} %{[[rule][description]]}"
+ }
+ }
+ }
+ }
+ else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "authorization:" and [actual_msg] !~ "host:" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 8" }
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} %{[[msg][del]]} (Verb): %{[[http][request][method]]} %{[[msg][del]]} authorization:%{authorization}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "(Verb):" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 9" }
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} %{[[msg][del]]} (Verb): %{[[http][request][method]]}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] =~ "Original Request Query:" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 9(a)" }
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]} Original Request Query: %{[[url][query]]}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "IntegrationId" and [actual_msg] =~ "URL:" and [actual_msg] !~ "Original Request Query:" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 9(b)" }
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{?[[original][request]]} URL: %{[[url][path]]}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "IntegrationId:" and [actual_msg] !~ "URL" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 10" }
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} IntegrationId: %{[[process][pid]]} %{[[rule][description]]}"
+ }
+ }
+ }
+ else if [actual_msg] =~ "parsedIntUrl:" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 11" }
+ }
+ mutate {
+ gsub => ["rest_msg"," "," "]
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[msg][del]]} parsedIntUrl: %{[[url][full]]}"
+ }
+ }
+ }
+ }
+ }
+ # if [actual_msg] =~ "USER:WARN" {
+ else {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 12" }
+ }
+ dissect {
+ mapping => {
+ rest_msg => "%{[[event][start]]->} %{+[[event][start]]} %{+[[event][start]]} %{[[source][address]]} %{?ssg}: %{[[event][severity_name]]} %{[[system][properties]]}: %{[[event][action]]}"
+ }
+ }
+ if [pri] == "12" and [actual_msg] =~ "Error" {
+ mutate {
+ add_field => { "[agent][parse_rule]" => "RULE 13" }
+ }
+ mutate {
+ update => {"[event][severity_name]" => "Error" }
+ }
+ }
+ }
+ date {
+ match => ["[event][created]" , "MMM dd HH:mm:ss","MMM dd HH:mm:ss.SSS"]
+ timezone => "GMT"
+ locale => "en"
+ target => "[event][created]"
+ }
+ date {
+ match => ["[event][start]" , "MMM dd HH:mm:ss","MMM dd HH:mm:ss.SSS"]
+ timezone => "GMT"
+ locale => "en"
+ target => "[event][start]"
+ }
+ mutate {
+ remove_field => ["msg","[log][date]","[time][zone]","actual_msg","[sytem][properties]","server","authorization","chk_data","[msg][del]","pri"]
+ }
+ #### Classification part ####
+ translate {
+ source => "[event][severity_name]"
+ target => "[rule][category]"
+ dictionary => {
+ "WARNING" => "Ops Warning"
+ "INFO" => "Ops Information"
+ "Error" => "Ops Error"
+ }
+ fallback => "Others"
+ }
+ }else {
+ # put tibco_ems parsing here
+ }
+}
+output {
+ pipeline { send_to => [enrichments] }
+}
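Review bot: The final `mutate { remove_field => [...] }` lists `"[sytem][properties]"`, but every dissect mapping writes `%{[[system][properties]]}`, so that field is never dropped; it should read `"[system][properties]"`. Similarly, RULE 4 and RULE 6 write `%{[event][severity_name]}` with single brackets while every other rule uses `%{[[event][severity_name]]}`, so whichever form dissect resolves, those two rules will not feed the later `translate` on `[event][severity_name]` the same way as the rest. RULE 7 and RULE 8 capture `authorization:%{authorization}` and that field is removed at the end, but neither `message` nor `rest_msg` is in the `remove_field` list, so the same credential text still reaches the output on every event; masking it in place, e.g. `gsub => ["message", "authorization:\S+", "authorization:[REDACTED]"]` before the dissect blocks, keeps it out of the pipeline regardless of which rule fires or whether the dissect succeeds. As rendered here the grok named groups appear as `(?\d+)` and `(?.*$)` with no names; if that is the committed text rather than a rendering artifact, the pattern is invalid and `pri`/`actual_msg` are never populated, which is worth confirming against the file.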