Merge branch 'main' into doc/rancher-deployment

.github/workflows/ci-lite.yaml

@@ -161,14 +161,22 @@ jobs:
       - meta
       - build_action
     steps:
+      # To use .trivyignore file, you must check out the repository
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: false
+          persist-credentials: false
       - name: Run docker vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ needs.meta.outputs.container_base }}
           format: 'table'
           exit-code: '1'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
-
+          trivyignores: '.trivyignore'
+          scanners: "vuln"
+
   test-container:
     runs-on: ubuntu-latest
     needs:
@@ -219,6 +227,7 @@ jobs:
           TEST_SC4S_ACTIVATE_EXAMPLES: "yes"
           SC4S_DEBUG_CONTAINER: "yes"
           SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG: "yes"
+          SC4S_NETAPP_ONTAP_NEW_FORMAT: "yes"
           SC4S_USE_VPS_CACHE: "yes"
     steps:
       - name: Checkout

.github/workflows/ci-main.yaml

@@ -161,14 +161,22 @@ jobs:
       - meta
       - build_action
     steps:
+      # To use .trivyignore file, you must check out the repository
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: false
+          persist-credentials: false
       - name: Run docker vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ needs.meta.outputs.container_base }}
           format: 'table'
           exit-code: '1'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
-
+          trivyignores: '.trivyignore'
+          scanners: "vuln"
+
   test-container:
     runs-on: ubuntu-latest
     needs:
@@ -219,6 +227,7 @@ jobs:
           TEST_SC4S_ACTIVATE_EXAMPLES: "yes"
           SC4S_DEBUG_CONTAINER: "yes"
           SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG: "yes"
+          SC4S_NETAPP_ONTAP_NEW_FORMAT: "yes"
           SC4S_USE_VPS_CACHE: "yes"
 
     steps:

.trivyignore

@@ -0,0 +1,2 @@
+# This has been safeguarded directly in the code
+CVE-2024-35515

charts/splunk-connect-for-syslog/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: splunk-connect-for-syslog
 description: Deploy Splunk Connect for Syslog
 type: application
-version: 3.31.0
-appVersion: "3.31.0"
+version: 3.33.1
+appVersion: "3.33.1"

docs/sources/vendor/Dell/avamar.md

@@ -22,4 +22,4 @@
 
 | key            | sourcetype     | index          | notes          |
 |----------------|----------------|----------------|----------------|
-| dell_avamar_cms| dell:avamar:msc| netops         | none           |
+| dell_avamar_msc| dell:avamar:msc| netops         | none           |

docs/sources/vendor/NetApp/ontap.md

@@ -3,7 +3,7 @@
 ## Key facts
 
 * MSG Format based filter
-* Legacy BSD Format default port 514
+* Netapp Ontap messages are not distinctive. So, either configure known Netapp Ontap hosts in SC4S, or open unique ports for Netapp Ontap devices
 
 ## Links
 
@@ -16,11 +16,49 @@
 
 | sourcetype     | notes                                                                                                   |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| netapp:ems  | None |
+| ontap:ems  | This sourcetype will be assinged only when the environment variable `SC4S_NETAPP_ONTAP_NEW_FORMAT` is not set or is set to 'no'. By default it is unset |
+| netapp:ontap:audit  | This sourcetype will be assinged only when the environment variable `SC4S_NETAPP_ONTAP_NEW_FORMAT` is set to 'yes' |
+| netapp:ontap:ems  | This sourcetype will be assinged only when the environment variable `SC4S_NETAPP_ONTAP_NEW_FORMAT` is set to 'yes' |
 
 ## Sourcetype and Index Configuration
 
 | key            | sourcetype     | index          | notes          |
 |----------------|----------------|----------------|----------------|
-| netapp_ontap      | netapp:ems     | infraops          | none          |
+| netapp_ontap      | ontap:ems     | infraops          | none          |
+| netapp_ontap_audit      | netapp:ontap:audit     | infraops          | none          |
+| netapp_ontap_ems      | netapp:ontap:ems     | infraops          | none          |
 
+## Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_NETAPP_ONTAP_NEW_FORMAT      | empty string      | (empty/yes) Set to "yes" for the applying the latest changes. Make sure to configure your system to send the logs to a specific port or have a hostname-based configuration |
+
+## Parser Configuration
+1. Through sc4s-vps
+```c
+#/opt/sc4s/local/config/app-parsers/app-vps-netapp_ontap.conf
+#File name provided is a suggestion it must be globally unique
+
+application app-vps-test-netapp_ontap[sc4s-vps] {
+    filter {
+        host("netapp-ontap-" type(string) flags(prefix))
+        or (
+            message("netapp-ontap-" type(string) flags(prefix))
+            and program("netapp-ontap-" type(string) flags(prefix))
+        )
+    };
+    parser {
+        p_set_netsource_fields(
+            vendor('netapp')
+            product('ontap')
+        );
+    };
+};
+```
+
+2. or through unique port
+```
+# /opt/sc4s/env_file 
+SC4S_LISTEN_NETAPP_ONTAP_UDP_PORT=5005
+```

docs/upgrade.md

@@ -18,6 +18,9 @@ For a step by step guide [see here](./v3_upgrade.md).
 
 You may need to migrate legacy log paths or version 1 app-parsers for version 2. To do this, open an issue and attach the original configuration and a compressed pcap of sample data for testing. We will evaluate whether to include the source in an upcoming release.
 
+### Upgrade from <3.33.0
+In NetApp ONTAP, the ontap:ems sourcetype has been updated to netapp:ontap:audit, so old logs are now classified under netapp:ontap:audit. Additionally, a new netapp:ontap:ems sourcetype has been introduced. If you upgrade and want these new changes, ensure that you set `SC4S_NETAPP_ONTAP_NEW_FORMAT` environment variable to `yes` and configure your system to send the logs to a specific port or have a hostname-based configuration in place for proper log onboarding into Splunk.
+
 ### Upgrade from <2.23.0
 
 * In VMware vSphere, update the ESX and vCenter sourcetype for add-on compatibility.

package/Dockerfile

@@ -28,7 +28,7 @@ RUN apk add -U --upgrade --no-cache \
       less \
       net-tools \
       netcat-openbsd \
-      openssl \
+      "openssl>=3.3.2-r1" \
       procps \
       py3-pip \
       python3 \
@@ -73,6 +73,7 @@ COPY package/etc/test_parsers /etc/syslog-ng/test_parsers
 COPY package/etc/local_config /etc/syslog-ng/local_config
 COPY package/etc/local_config /etc/syslog-ng/local_config
 COPY package/sbin/entrypoint.sh /
+COPY package/sbin/healthcheck.sh /
 COPY package/sbin/source_ports_validator.py /
 
 ENV SC4S_CONTAINER_OPTS=--no-caps

package/Dockerfile.lite

@@ -28,7 +28,7 @@ RUN apk add -U --upgrade --no-cache \
       less \
       net-tools \
       netcat-openbsd \
-      openssl \
+      "openssl>=3.3.2-r1" \
       procps \
       py3-pip \
       python3 \
@@ -95,6 +95,7 @@ COPY package/lite/etc/config.yaml /etc/syslog-ng/config.yaml
 COPY package/lite/etc/addons /etc/syslog-ng/addons
 
 COPY package/sbin/entrypoint.sh /
+COPY package/sbin/healthcheck.sh /
 COPY package/sbin/source_ports_validator.py /
 
 

package/etc/VERSION

@@ -1 +1 @@
-3.31.0
+3.33.1

package/etc/conf.d/conflib/netsource/app-netsource-netapp_ontap.conf

@@ -0,0 +1,55 @@
+block parser app-netsource-netapp_ontap() {
+    channel {
+        rewrite {
+            r_set_splunk_dest_default(
+                index("infraops")
+                vendor("netapp")
+                product("ontap")
+            );
+        };
+
+        if {
+            parser {
+                regexp-parser(
+                    prefix(".tmp.")
+                    patterns('^[A-Za-z0-9\-\_\.]+: [0-9a-f]+\.[0-9a-f]+ [0-9a-f]+ [A-Z][a-z][a-z] (?<timestamp>[A-Z][a-z][a-z] \d\d \d\d\d\d \d\d:\d\d:\d\d [+-]?\d{1,2}:\d\d)')
+                );
+                date-parser-nofilter(
+                    format(
+                        '%b %d %Y %H:%M:%S %z',
+                    )
+                    template("${.tmp.timestamp}")
+                );
+            };
+
+            rewrite {
+                set('$PROGRAM: $MESSAGE', value(MESSAGE));
+                set('$PROGRAM', value(HOST));
+                unset(value(PROGRAM));
+            };
+
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('netapp:ontap:audit')
+                    class('audit')
+                );
+            };
+        } else {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('netapp:ontap:ems')
+                    class('ems')
+                );
+            };
+        };
+    };
+};
+
+application app-netsource-netapp_ontap[sc4s-network-source] {
+	filter {
+        match("netapp", value('.netsource.sc4s_vendor'), type(string))
+        and match("ontap", value('.netsource.sc4s_product'), type(string))
+        and "`SC4S_NETAPP_ONTAP_NEW_FORMAT`" eq "yes"
+    };	
+    parser { app-netsource-netapp_ontap(); };
+};

package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf

@@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() {
 };
 application app-raw-bsd_nopri[sc4s-raw-syslog] {
     filter {
-        message('^\w\w\w \d\d \d\d:\d\d:\d\d ');
+        message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) ');
     };
     parser { app-raw-bsd_nopri(); };
 };

package/etc/conf.d/conflib/syslog/app-syslog-juniper_junos_unstructured.conf

@@ -74,6 +74,7 @@ application app-syslog-juniper_junos_unstructured-pgm[sc4s-syslog-pgm] {
         or program('RT_FLOW' type(string) flags(prefix))
         or program('RT_IDS' type(string) flags(prefix))
         or program('RT_UTM' type(string) flags(prefix))
+        or program('RT_SYSTEM' type(string) flags(prefix))
         or program('Juniper' type(string) flags(prefix))
         or program('rpd' type(string) flags(prefix))
         or program('eswd' type(string) flags(prefix))

package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf

@@ -37,7 +37,8 @@ block parser app-syslog-netapp_ontap() {
 };
 application app-syslog-netapp_ontap[sc4s-syslog] {
 	filter {
-        program('^[A-Za-z0-9\-\_\.]+$');
+        program('^[A-Za-z0-9\-\_\.]+$')
+        and not "`SC4S_NETAPP_ONTAP_NEW_FORMAT`" eq "yes";
     };	
     parser { app-syslog-netapp_ontap(); };
 };

package/etc/pylib/parser_source_cache.py

@@ -20,12 +20,12 @@ class LogDestination:
 
 def ip2int(addr):
     ip4_to_int = lambda addr: struct.unpack("!I", socket.inet_aton(addr))[0]
-    
+
     def ip6_to_int(addr):
         ip6 = socket.inet_pton(socket.AF_INET6, addr)
         a, b = struct.unpack(">QQ", ip6)
         return (a << 64) | b
-    
+
     try:
         return ip4_to_int(addr)
     except OSError:
@@ -41,7 +41,7 @@ def int_to_ip6(num):
         ip6 = struct.pack(">QQ", a, b)
         addr = socket.inet_ntop(socket.AF_INET6, ip6)
         return addr
-    
+
     try:
         return int_to_ip4(addr)
     except struct.error:
@@ -126,4 +126,4 @@ def flush(self):
     db = SqliteDict(f"{hostdict}.sqlite", autocommit=True)
     db[0] = "seed"
     db.commit()
-    db.close()
+    db.close()

package/etc/pylib/parser_vps_cache.py

@@ -98,4 +98,4 @@ def flush(self):
 
 
 if __name__ == "__main__":
-    pass
+    pass

package/etc/pylib/psc_dump.py

@@ -1,4 +1,3 @@
-
 import sys
 import traceback
 import socket
@@ -9,5 +8,5 @@
 hostdict = str("/var/lib/syslog-ng/cache/hostip")
 db = SqliteDict(f"{hostdict}.sqlite")
 
-for k,v in db.items():
-    print(f"key={k}={v}")
+for k, v in db.items():
+    print(f"key={k}={v}")

package/etc/test_parsers/app-vps-test-netapp_ontap.conf

@@ -0,0 +1,15 @@
+application app-vps-test-netapp_ontap[sc4s-vps] {
+    filter {
+        host("netapp-ontap-" type(string) flags(prefix))
+        or (
+            message("netapp-ontap-" type(string) flags(prefix))
+            and program("netapp-ontap-" type(string) flags(prefix))
+        )
+    };
+    parser {
+        p_set_netsource_fields(
+            vendor('netapp')
+            product('ontap')
+        );
+    };
+};

package/lite/etc/addons/juniper/app-syslog-juniper_junos_unstructured.conf

@@ -74,6 +74,7 @@ application app-syslog-juniper_junos_unstructured-pgm[sc4s-syslog-pgm] {
         or program('RT_FLOW' type(string) flags(prefix))
         or program('RT_IDS' type(string) flags(prefix))
         or program('RT_UTM' type(string) flags(prefix))
+        or program('RT_SYSTEM' type(string) flags(prefix))
         or program('Juniper' type(string) flags(prefix))
         or program('rpd' type(string) flags(prefix))
         or program('eswd' type(string) flags(prefix))