splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Add Aruba ClearPass support to change sourcetype #2300

Closed olivierpas closed 8 months ago

olivierpas commented 9 months ago

What is the sc4s version ? 2.49.8

Is there a pcap available? it can be

What is the vendor name? Aruba

What's the product name? ClearPass

Feature Request description:

Make the sourcetype based on the syslog ClearPass filter name (see ClearPass Integration Guide Splunk APP and HEC Extension > Importing ClearPass Syslog Filters).

For example:

Filter name: CPPM_Endpoint_Profile --> sourcetype: aruba:clearpass:endpoint:profile
Filter name: CPPM_Alert --> sourcetype: aruba:clearpass:alerte
Filter name: CPPM_Audit_Record --> sourcetype: aruba:clearpass:endpoint:audit:record
Filter name: CPPM_Policy_Server_Session --> sourcetype: aruba:clearpass:policy:server:session
Filter name: CPPM_Post_Auth_Monit_Config --> sourcetype: aruba:clearpass:post:auth:monit:config
Filter name: CPPM_RADIUS_Session --> sourcetype: aruba:clearpass:radius:session
Filter name: CPPM_SNMP_Session_Log --> sourcetype: aruba:clearpass:snmp:session:log
Filter name: CPPM_System_Event --> sourcetype: aruba:clearpass:system:event
Filter name: CPPM_TACACS_Accounting_Detail --> sourcetype: aruba:clearpass:tacacs:accounting:detail
Filter name: CPPM_TACACS_Accouting_Record --> sourcetype: aruba:clearpass:tacacs:accounting:record


Should it support TCP or UDP? BOTH

Do you want to have it for local usage or prepare a github PR? BOTH

ikheifets-splunk commented 9 months ago

Hello, @olivierpas! Can you please provide a .pcap file (I will open it in Wireshark) with the raw logs that your device produces? It would also be great if you could tell me which index the logs should go to (per sourcetype). P.S. You can send the pcap file to my email ikheifets@splunk.com

ikheifets-splunk commented 9 months ago

Yet another note, @olivierpas! According to your sc4s tags from the screenshot, you already have your own custom parser for Aruba ClearPass. If that's true, please make a Pull Request. We are open to external contributors 😃

ikheifets-splunk commented 8 months ago

Talked with @olivierpas directly.

We can't propose in the PR a new sourcetype aruba:clearpass:something instead of the generic aruba:clearpass, because it will break backward compatibility for other customers who upgrade SC4S and can potentially break the Aruba ClearPass add-on.

For this reason, in the PR we add this info to the sc4s_class field:

[Screenshot 2024-02-06 at 14:29:05]

But if you still need aruba:clearpass:something, we can propose a post filter:

# Post filter that rewrites the sourcetype to vendor:product:class
block parser aruba_clearpass_postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_update_v2(
                sourcetype('${fields.sc4s_vendor}:${fields.sc4s_product}:${fields.sc4s_class}')
            );
        };
    };
};

# Apply the post filter only to Aruba ClearPass events
application aruba_clearpass_postfilter[sc4s-postfilter] {
    filter {
        'aruba' eq "${fields.sc4s_vendor}" and 'clearpass' eq "${fields.sc4s_product}"
    };
    parser { aruba_clearpass_postfilter(); };
};

After applying the post filter you will get this result:

[Screenshot 2024-02-06 at 14:29:43]
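The following is an added example (not SC4S code and not from the thread) that models what the post filter above does to an event's sourcetype, and why the maintainers keep the generic aruba:clearpass by default: it flags the events an add-on matching on aruba:clearpass would no longer see. It adds one guard the posted filter lacks (an unset sc4s_class is left alone rather than producing a trailing colon). The sc4s_class values and the add-on sourcetype are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption: the Aruba ClearPass add-on matches events on this sourcetype.
ADDON_SOURCETYPE = "aruba:clearpass"


@dataclass
class Event:
    message: str
    fields: dict = field(default_factory=dict)
    sourcetype: str = ADDON_SOURCETYPE


def postfilter(event: Event) -> Event:
    """Mirror of aruba_clearpass_postfilter: only Aruba ClearPass events are rewritten."""
    f = event.fields
    if f.get("sc4s_vendor") != "aruba" or f.get("sc4s_product") != "clearpass":
        return event  # the application filter does not match: untouched
    cls = f.get("sc4s_class")
    if not cls:
        # Guard added here: the posted rewrite would yield 'aruba:clearpass:'.
        return event
    event.sourcetype = f"{f['sc4s_vendor']}:{f['sc4s_product']}:{cls}"
    return event


def addon_breakage(events):
    """ClearPass events whose sourcetype no longer matches the generic add-on."""
    return [e for e in events
            if e.fields.get("sc4s_vendor") == "aruba"
            and e.fields.get("sc4s_product") == "clearpass"
            and e.sourcetype != ADDON_SOURCETYPE]


# Constructed sample events; sc4s_class values are assumptions, not SC4S output.
SAMPLE_EVENTS = [
    Event("CPPM endpoint profile event",
          {"sc4s_vendor": "aruba", "sc4s_product": "clearpass",
           "sc4s_class": "endpoint:profile"}),
    Event("CPPM event without class",
          {"sc4s_vendor": "aruba", "sc4s_product": "clearpass"}),
    Event("Other vendor event",
          {"sc4s_vendor": "cisco", "sc4s_product": "ios"}, sourcetype="cisco:ios"),
]


def apply_postfilter(events=SAMPLE_EVENTS):
    """Run the post filter over the samples and return the resulting sourcetypes."""
    return [postfilter(e).sourcetype for e in events]
```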