From 14d73c0e293111b73568a2852e3a7e09bbd08eec Mon Sep 17 00:00:00 2001
From: sbylica-splunk
Date: Wed, 5 Nov 2025 10:02:19 +0100
Subject: [PATCH 1/8] feat:Added work in progress docs for OPSWAT
---
docs/sources/vendor/OPSWAT/index.md | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 docs/sources/vendor/OPSWAT/index.md
diff --git a/docs/sources/vendor/OPSWAT/index.md b/docs/sources/vendor/OPSWAT/index.md
new file mode 100644
index 0000000000..ea2d5a236f
--- /dev/null
+++ b/docs/sources/vendor/OPSWAT/index.md
@@ -0,0 +1,26 @@
+# Metadefender Core
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | https://www.opswat.com/docs/mdcore/configuration/syslog-message-format |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| avi:events | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| avi_vantage | avi:events | netops | none |
From bd1f06bd2dd8d72877deb7fc70b29cb34e91afe4 Mon Sep 17 00:00:00 2001
From: sbylica-splunk
Date: Thu, 13 Nov 2025 14:47:24 +0100
Subject: [PATCH 2/8] feat:Added opswat parser and docs
---
.../OPSWAT/{index.md => metadefender_core.md} | 6 +++--
.../conf.d/conflib/cef/app-cef-opswat.conf | 25 +++++++++++++++++++
2 files changed, 29 insertions(+), 2 deletions(-)
rename docs/sources/vendor/OPSWAT/{index.md => metadefender_core.md} (74%)
create mode 100644 package/etc/conf.d/conflib/cef/app-cef-opswat.conf
diff --git a/docs/sources/vendor/OPSWAT/index.md b/docs/sources/vendor/OPSWAT/metadefender_core.md
similarity index 74%
rename from docs/sources/vendor/OPSWAT/index.md
rename to docs/sources/vendor/OPSWAT/metadefender_core.md
index ea2d5a236f..d6d69b7f26 100644
--- a/docs/sources/vendor/OPSWAT/index.md
+++ b/docs/sources/vendor/OPSWAT/metadefender_core.md
@@ -17,10 +17,12 @@
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| avi:events | None |
+| opswat:mscl:cef | None
+| opswat:mscw:cef | None |
 ## Sourcetype and Index Configuration
 | key | sourcetype | index | notes |
 |----------------|----------------|----------------|----------------|
-| avi_vantage | avi:events | netops | none |
+| opswat_mscl_cef | opswat:mscl:cef | netwaf | none |
+| opswat_mscw_cef | opswat:mscw:cef | netwaf | none |
diff --git a/package/etc/conf.d/conflib/cef/app-cef-opswat.conf b/package/etc/conf.d/conflib/cef/app-cef-opswat.conf
new file mode 100644
index 0000000000..8bfa2f01ec
--- /dev/null
+++ b/package/etc/conf.d/conflib/cef/app-cef-opswat.conf
@@ -0,0 +1,25 @@
+block parser app-cef-opswat-mscl() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netwaf'),
+ vendor('opswat'),
+ product('${.metadata.cef.device_product}'),
+ source('opswat:$(lowercase ${.metadata.cef.device_product})'),
+ sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')
+ );
+ };
+ };
+};
+
+application app-cef-opswat-mscl[cef] {
+ filter{
+ match("OPSWAT" value(".metadata.cef.device_vendor"))
+ and (
+ match("MSCL" value(".metadata.cef.device_product"))
+ or match("MSCW" value(".metadata.cef.device_product"))
+ or match("ICAP" value(".metadata.cef.device_product"))
+ );
+ };
+ parser { app-cef-opswat-mscl(); };
+};
From 298dd3b3af0edabf452b8ad2ee2f41086d247d88 Mon Sep 17 00:00:00 2001
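Review bot: The `filter{}` of `app-cef-opswat-mscl[cef]` calls `match()` without a `type()`, so every pattern is an unanchored PCRE substring test: `match("OPSWAT" value(".metadata.cef.device_vendor"))` also accepts any device_vendor that merely contains OPSWAT, and the same holds for the product patterns. Pinning the comparison to the exact value is a one-token change per line, e.g. `match("OPSWAT" value(".metadata.cef.device_vendor") type(string))`. The filter also admits ICAP, which the `$(lowercase ...)` template turns into sourcetype `opswat:icap:cef`, yet the docs table rewritten in this same patch lists only opswat:mscl:cef and opswat:mscw:cef, so either drop ICAP or document it. The file is duplicated byte-for-byte under package/enterprise in patch 3 and again (without the product list) under package/lite in patch 7, so the vendor-match fix has to be mirrored in each copy.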
From: sbylica-splunk
Date: Thu, 13 Nov 2025 15:00:18 +0100
Subject: [PATCH 3/8] feat:added tests for oswat
---
.../conf.d/conflib/cef/app-cef-opswat.conf | 25 +++++++++++
tests/test_opswat.py | 43 +++++++++++++++++++
2 files changed, 68 insertions(+)
create mode 100644 package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
create mode 100644 tests/test_opswat.py
diff --git a/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf b/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
new file mode 100644
index 0000000000..8bfa2f01ec
--- /dev/null
+++ b/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
@@ -0,0 +1,25 @@
+block parser app-cef-opswat-mscl() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netwaf'),
+ vendor('opswat'),
+ product('${.metadata.cef.device_product}'),
+ source('opswat:$(lowercase ${.metadata.cef.device_product})'),
+ sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')
+ );
+ };
+ };
+};
+
+application app-cef-opswat-mscl[cef] {
+ filter{
+ match("OPSWAT" value(".metadata.cef.device_vendor"))
+ and (
+ match("MSCL" value(".metadata.cef.device_product"))
+ or match("MSCW" value(".metadata.cef.device_product"))
+ or match("ICAP" value(".metadata.cef.device_product"))
+ );
+ };
+ parser { app-cef-opswat-mscl(); };
+};
diff --git a/tests/test_opswat.py b/tests/test_opswat.py
new file mode 100644
index 0000000000..1d8e6f2f54
--- /dev/null
+++ b/tests/test_opswat.py
@@ -0,0 +1,43 @@
+# Copyright 2023 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import datetime
+import pytest
+
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+
+@pytest.mark.addons("opswat")
+def test_opswat(
+ record_property, setup_splunk, setup_sc4s, get_host_key
+):
+ host = get_host_key
+ mt = env.from_string(
+ "{{ mark }}{{ bsd }} {{ host }} CEF:0|OPSWAT|MSCL|4.16.0|core.network|MSCL[7548] New maximum agent count is set|2|maxAgentCount='1' msgid=665"
+ )
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+ message = mt.render(mark="<134>", bsd=bsd, host=host)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+ st = env.from_string(
+ f'search index=netwaf sourcetype="opswat:mscl:cef" earliest={epoch}'
+ )
+ search = st.render(epoch=epoch)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
\ No newline at end of file
From 11fe74227ce62720e2cc872232727d2cb3a6bc15 Mon Sep 17 00:00:00 2001
From: sbylica-splunk
Date: Fri, 14 Nov 2025 12:20:38 +0100
Subject: [PATCH 4/8] feat:fixed opswat tests
---
tests/test_opswat.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tests/test_opswat.py b/tests/test_opswat.py
index 1d8e6f2f54..b2254f44f0 100644
--- a/tests/test_opswat.py
+++ b/tests/test_opswat.py
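Review bot: `test_opswat` only sends an MSCL event, while the parser added in the same patch accepts MSCL, MSCW and ICAP and derives the sourcetype from device_product, so the `opswat:mscw:cef` and `opswat:icap:cef` branches are never exercised. Parametrizing the test over the product and templating it into both the CEF header and the expected sourcetype covers all three with one body; the sketch below keeps the rest of the function unchanged. The event text after the product field is a constructed fixture and can stay as it is for every product.
```python
@pytest.mark.addons("opswat")
@pytest.mark.parametrize("product", ["MSCL", "MSCW", "ICAP"])
def test_opswat(
    record_property, setup_splunk, setup_sc4s, get_host_key, product
):
    host = get_host_key
    mt = env.from_string(
        "{{ mark }}{{ bsd }} {{ host }} CEF:0|OPSWAT|{{ product }}|4.16.0|core.network|MSCL[7548] New maximum agent count is set|2|maxAgentCount='1' msgid=665"
    )
    # … unchanged: timestamp handling …
    message = mt.render(mark="<134>", bsd=bsd, host=host, product=product)
    # … unchanged: epoch trimming, sendsingle …
    st = env.from_string(
        f'search index=netwaf sourcetype="opswat:{product.lower()}:cef" earliest={epoch}'
    )
    # … unchanged: render, splunk_single, record_property, assert …
```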
@@ -21,7 +21,7 @@ def test_opswat(
 ):
 host = get_host_key
 mt = env.from_string(
- "{{ mark }}{{ bsd }} {{ host }} CEF:0|OPSWAT|MSCL|4.16.0|core.network|MSCL[7548] New maximum agent count is set|2|maxAgentCount='1' msgid=665"
+ "{{ mark }}{{ bsd }} {{ host }} OPSWATPC CEF:0|OPSWAT|MSCL|4.16.0|core.network|MSCL[7548] New maximum agent count is set|2|maxAgentCount='1' msgid=665"
 )
 dt = datetime.datetime.now(datetime.timezone.utc)
 _, bsd, _, _, _, _, epoch = time_operations(dt)
@@ -30,8 +30,9 @@ def test_opswat(
 # Tune time functions
 epoch = epoch[:-7]
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
 st = env.from_string(
- f'search index=netwaf sourcetype="opswat:mscl:cef" earliest={epoch}'
+ 'search index=netwaf sourcetype="opswat:mscl:cef" earliest={{ epoch }}'
 )
 search = st.render(epoch=epoch)
From e0408103adaa1d9365e7ba281e1cc1fc9af262d7 Mon Sep 17 00:00:00 2001
From: sbylica-splunk
Date: Tue, 18 Nov 2025 10:46:49 +0100
Subject: [PATCH 5/8] feat:Changed opswat parser to also fit other products
---
.../etc/conf.d/conflib/cef/app-cef-opswat.conf | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf b/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
index 8bfa2f01ec..b308df8227 100644
--- a/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
+++ b/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
@@ -1,4 +1,4 @@
-block parser app-cef-opswat-mscl() {
+block parser app-cef-opswat() {
 channel {
 rewrite {
 r_set_splunk_dest_default(
@@ -12,14 +12,9 @@ block parser app-cef-opswat-mscl() {
 };
 };
-application app-cef-opswat-mscl[cef] {
+application app-cef-opswat[cef] {
 filter{
 match("OPSWAT" value(".metadata.cef.device_vendor"))
- and (
- match("MSCL" value(".metadata.cef.device_product"))
- or match("MSCW" value(".metadata.cef.device_product"))
- or match("ICAP" value(".metadata.cef.device_product"))
- );
 };
- parser { app-cef-opswat-mscl(); };
+ parser { app-cef-opswat(); };
 };
From 1c833210942b395d4d7b3a1aaabea9a520d64330 Mon Sep 17 00:00:00 2001
From: sbylica-splunk
Date: Tue, 18 Nov 2025 11:34:16 +0100
Subject: [PATCH 6/8] feat: fixed a missing etc package
---
package/etc/conf.d/conflib/cef/app-cef-opswat.conf | 5 -----
1 file changed, 5 deletions(-)
diff --git a/package/etc/conf.d/conflib/cef/app-cef-opswat.conf b/package/etc/conf.d/conflib/cef/app-cef-opswat.conf
index 8bfa2f01ec..de2484ccad 100644
--- a/package/etc/conf.d/conflib/cef/app-cef-opswat.conf
+++ b/package/etc/conf.d/conflib/cef/app-cef-opswat.conf
@@ -15,11 +15,6 @@ block parser app-cef-opswat-mscl() {
 application app-cef-opswat-mscl[cef] {
 filter{
 match("OPSWAT" value(".metadata.cef.device_vendor"))
- and (
- match("MSCL" value(".metadata.cef.device_product"))
- or match("MSCW" value(".metadata.cef.device_product"))
- or match("ICAP" value(".metadata.cef.device_product"))
- );
 };
 parser { app-cef-opswat-mscl(); };
 };
From 6cb25fb64bd935506a0a5655f05d41e2c50beff8 Mon Sep 17 00:00:00 2001
From: sbylica-splunk
Date: Wed, 19 Nov 2025 10:12:39 +0100
Subject: [PATCH 7/8] feat: Added opswat to lite package
---
.../etc/addons/opswat/addon_metadata.yaml | 2 ++
.../etc/addons/opswat/app-cef-opswat.conf | 20 +++++++++++++++++++
2 files changed, 22 insertions(+)
create mode 100644 package/lite/etc/addons/opswat/addon_metadata.yaml
create mode 100644 package/lite/etc/addons/opswat/app-cef-opswat.conf
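Review bot: With the product allowlist removed, the `sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')` and `source()` values in the parser block (outside this hunk, earlier in the same file) are now built from an unconstrained header field, and the surviving `match("OPSWAT" value(".metadata.cef.device_vendor"))` has no `type()`, so it is a PCRE substring test rather than an exact vendor check. Any CEF event on the listener whose device_vendor contains OPSWAT therefore creates a new Splunk sourcetype per distinct device_product string, which is a sourcetype-cardinality and index-hygiene risk; at minimum anchor the vendor check, `match("OPSWAT" value(".metadata.cef.device_vendor") type(string))`, and update the vendor doc to say the sourcetype is derived from device_product rather than listing two fixed values. The rename to `app-cef-opswat` is applied only to the enterprise copy: patch 6 makes the same allowlist removal in package/etc but keeps `app-cef-opswat-mscl`, and patch 7's lite copy is also shipped as `app-cef-opswat-mscl`, so the three copies of this file now differ only in name and should be aligned.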
diff --git a/package/lite/etc/addons/opswat/addon_metadata.yaml b/package/lite/etc/addons/opswat/addon_metadata.yaml
new file mode 100644
index 0000000000..3343b61de0
--- /dev/null
+++ b/package/lite/etc/addons/opswat/addon_metadata.yaml
@@ -0,0 +1,2 @@
+---
+name: "opswat"
diff --git a/package/lite/etc/addons/opswat/app-cef-opswat.conf b/package/lite/etc/addons/opswat/app-cef-opswat.conf
new file mode 100644
index 0000000000..de2484ccad
--- /dev/null
+++ b/package/lite/etc/addons/opswat/app-cef-opswat.conf
@@ -0,0 +1,20 @@
+block parser app-cef-opswat-mscl() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netwaf'),
+ vendor('opswat'),
+ product('${.metadata.cef.device_product}'),
+ source('opswat:$(lowercase ${.metadata.cef.device_product})'),
+ sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')
+ );
+ };
+ };
+};
+
+application app-cef-opswat-mscl[cef] {
+ filter{
+ match("OPSWAT" value(".metadata.cef.device_vendor"))
+ };
+ parser { app-cef-opswat-mscl(); };
+};
From 7085539b6d85d88a0037a864d7a7ff29fb9fbc14 Mon Sep 17 00:00:00 2001
From: sbylica-splunk
Date: Wed, 19 Nov 2025 10:40:36 +0100
Subject: [PATCH 8/8] feat: added opswat addon to the list
---
package/lite/etc/config.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/lite/etc/config.yaml b/package/lite/etc/config.yaml
index 17e438262a..01d4da1a3f 100644
--- a/package/lite/etc/config.yaml
+++ b/package/lite/etc/config.yaml
@@ -87,3 +87,4 @@ addons:
 - aviatrix
 - veeam
 - suricata
+ - opswat