From 2a18b0f55450aa835fc345ff356e127ec01f81e5 Mon Sep 17 00:00:00 2001
From: Stephan Eicher
Date: Fri, 9 Feb 2024 23:14:20 +0100
Subject: [PATCH] Add sophos module

---
 manifests/module/sophos.pp | 86 ++++++++++++++++++++++
 spec/classes/module/sophos_spec.rb | 110 +++++++++++++++++++++++++++++
 2 files changed, 196 insertions(+)
 create mode 100644 manifests/module/sophos.pp
 create mode 100644 spec/classes/module/sophos_spec.rb

diff --git a/manifests/module/sophos.pp b/manifests/module/sophos.pp
new file mode 100644
index 0000000..835feaf
--- /dev/null
+++ b/manifests/module/sophos.pp
@@ -0,0 +1,86 @@
+# filebeat::module::sophos
+#
+# @summary
+# This class manages the Filebeat Sophos module.
+#
+# @example
+# class { 'filebeat::module::sophos':
+# xg_enabled => true,
+# xg_input => 'udp',
+# xg_syslog_host => '0.0.0.0',
+# xg_syslog_port => 514,
+# xg_host_name => 'sophos-xg',
+# }
+#
+# @param xg_enabled
+# Whether to enable the Sophos XG module.
+# @param xg_paths
+# An array of paths to the Sophos XG logs.
+# @param xg_input
+# The input type for the Sophos XG module. tcp or udp for syslog input, file for log files.
+# @param xg_syslog_host
+# Interface to listen to for syslog input.
+# @param xg_syslog_port
+# Port to listen on for syslog input.
+# @param xg_host_name
+# Host name / Observer name, since SophosXG does not provide this in the syslog file.
+# @param utm_enabled
+# Whether to enable the Sophos UTM module.
+# @param utm_paths
+# An array of paths to the Sophos UTM logs.
+# @param utm_input
+# The input type for the Sophos UTM module. tcp or udp for syslog input, file for log files.
+# @param utm_syslog_host
+# Interface to listen to for syslog input.
+# @param utm_syslog_port
+# Port to listen on for syslog input.
+# @param utm_tz_offset
+# Timezone offset. If the logs are in a different timezone than the Filebeat host, set this to the timezone offset.
+# @param utm_rsa_fields
+# Flag to control whether non-ECS fields are added to the event.
+# @param utm_keep_raw_fields
+# Flag to control the addition of the raw parser fields to the event.
+#
+class filebeat::module::sophos (
+ Boolean $xg_enabled = false,
+ Optional[Array[Stdlib::Absolutepath]] $xg_paths = undef,
+ Optional[Enum['udp', 'tcp','file']] $xg_input = undef,
+ Optional[Stdlib::Host] $xg_syslog_host = undef,
+ Optional[Stdlib::Port] $xg_syslog_port = undef,
+ Optional[Stdlib::Host] $xg_host_name = undef,
+ Boolean $utm_enabled = false,
+ Optional[Array[Stdlib::Absolutepath]] $utm_paths = undef,
+ Optional[Enum['udp', 'tcp','file']] $utm_input = undef,
+ Optional[Stdlib::Host] $utm_syslog_host = undef,
+ Optional[Stdlib::Port] $utm_syslog_port = undef,
+ Optional[Pattern[/^[-+]\d{2}:\d{2}$/]] $utm_tz_offset = undef,
+ Optional[Boolean] $utm_rsa_fields = undef,
+ Optional[Boolean] $utm_keep_raw_fields = undef,
+) {
+ filebeat::module { 'sophos':
+ config => {
+ 'xg' => delete_undef_values(
+ {
+ 'enabled' => $xg_enabled,
+ 'var.input' => $xg_input,
+ 'var.paths' => $xg_paths,
+ 'var.syslog_host' => $xg_syslog_host,
+ 'var.syslog_port' => $xg_syslog_port,
+ 'var.host_name' => $xg_host_name,
+ }
+ ),
+ 'utm' => delete_undef_values(
+ {
+ 'enabled' => $utm_enabled,
+ 'var.input' => $utm_input,
+ 'var.paths' => $utm_paths,
+ 'var.syslog_host' => $utm_syslog_host,
+ 'var.syslog_port' => $utm_syslog_port,
+ 'var.tz_offset' => $utm_tz_offset,
+ 'var.rsa_fields' => $utm_rsa_fields,
+ 'var.keep_raw_fields' => $utm_keep_raw_fields,
+ }
+ ),
+ },
+ }
+}
diff --git a/spec/classes/module/sophos_spec.rb b/spec/classes/module/sophos_spec.rb
new file mode 100644
index 0000000..c3cb9a0
--- /dev/null
+++ b/spec/classes/module/sophos_spec.rb
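Review bot: The `utm_tz_offset` type in the parameter list anchors with `^`/`$`, which in the Ruby regexps that Puppet's `Pattern` type evaluates match at line boundaries, so a multi-line string whose second line is a well-formed offset still passes the type check; `Optional[Pattern[/\A[-+]\d{2}:\d{2}\z/]] $utm_tz_offset = undef,` pins the whole value. The `@example` binds the syslog listener to `0.0.0.0` while the `xg_syslog_host`/`utm_syslog_host` descriptions say nothing about exposure, and plain syslog over UDP/TCP carries no authentication; I would extend both `@param` descriptions with `#   Prefer a specific address over 0.0.0.0 and restrict the port with host firewall rules; syslog input is unauthenticated.` The `Enum['udp', 'tcp','file']` literals on both `*_input` parameters have inconsistent spacing.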
@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'filebeat::module::sophos' do
+ let :pre_condition do
+ 'include ::filebeat'
+ end
+
+ let(:facts) {
+ {
+ :kernel => 'Linux',
+ :os => {
+ :family => 'Debian',
+ :name => 'Ubuntu',
+ }
+ }
+ }
+
+ context 'on default values' do
+ it { is_expected.to compile.with_all_deps }
+
+ it {
+ is_expected.to contain_file('filebeat-module-sophos').with_content(
+ %r{- module: sophos\n\s{2}xg:\n\s{4}enabled: false\n\s{2}utm:\n\s{4}enabled: false\n\n},
+ )}
+ end
+
+ context 'on xg and utm enabled with paths' do
+ let(:params) do
+ {
+ 'xg_enabled' => true,
+ 'xg_input' => 'file',
+ 'xg_paths' => ['/var/log/xg.log'],
+ 'utm_enabled' => true,
+ 'utm_input' => 'file',
+ 'utm_paths' => ['/var/log/utm.log'],
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+
+ it {
+ is_expected.to contain_file('filebeat-module-sophos').with_content(
+ <<-EOS
+### Filebeat configuration managed by Puppet ###
+---
+- module: sophos
+ xg:
+ enabled: true
+ var.input: file
+ var.paths:
+ - "/var/log/xg.log"
+ utm:
+ enabled: true
+ var.input: file
+ var.paths:
+ - "/var/log/utm.log"
+
+EOS
+ )
+ }
+ end
+
+ context 'on xg and utm enabled with syslog input' do
+ let(:params) do
+ {
+ 'xg_enabled' => true,
+ 'xg_input' => 'udp',
+ 'xg_syslog_host' => '0.0.0.0',
+ 'xg_syslog_port' => 514,
+ 'xg_host_name' => 'sophos-xg',
+ 'utm_enabled' => true,
+ 'utm_input' => 'tcp',
+ 'utm_syslog_host' => '0.0.0.0',
+ 'utm_syslog_port' => 515,
+ 'utm_tz_offset' => '-07:00',
+ 'utm_rsa_fields' => true,
+ 'utm_keep_raw_fields' => true,
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+
+ it {
+ is_expected.to contain_file('filebeat-module-sophos').with_content(
+ <<-EOS
+### Filebeat configuration managed by Puppet ###
+---
+- module: sophos
+ xg:
+ enabled: true
+ var.input: udp
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 514
+ var.host_name: sophos-xg
+ utm:
+ enabled: true
+ var.input: tcp
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 515
+ var.tz_offset: "-07:00"
+ var.rsa_fields: true
+ var.keep_raw_fields: true
+
+EOS
+ )
+ }
+ end
+end
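Review bot: All three contexts feed only accepted values, so the type constraints the new class relies on (the `Enum` on `xg_input`/`utm_input`, the `Pattern` on `utm_tz_offset`) are never pinned and a loosened type would not fail this suite; I would add a context with `let(:params) { { 'utm_enabled' => true, 'utm_tz_offset' => '0700' } }` and `it { is_expected.to compile.and_raise_error(%r{utm_tz_offset}) }`, and a sibling for an `xg_input` value outside the enum. A style point: `let(:facts) {` opens a nine-line block with braces while the `let(:params) do ... end` blocks in the same file use `do`/`end`; switching it to `let(:facts) do` keeps the file on one convention for multi-line blocks.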