From 330741701195d79ff0d098f8149e6feff84948be Mon Sep 17 00:00:00 2001
From: zyphermonkey
Date: Wed, 4 Jan 2023 13:22:59 +0000
Subject: [PATCH] feat: add hpe onboard administrator parser

---
 docs/sources/vendor/HPe/oa.md | 20 +++++++++
 .../conflib/syslog/app-syslog-hpe_oa.conf | 21 ++++++++++
 tests/test_hpe_oa.py | 42 +++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 docs/sources/vendor/HPe/oa.md
 create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-hpe_oa.conf
 create mode 100644 tests/test_hpe_oa.py

diff --git a/docs/sources/vendor/HPe/oa.md b/docs/sources/vendor/HPe/oa.md
new file mode 100644
index 0000000000..ba0c5d5d88
--- /dev/null
+++ b/docs/sources/vendor/HPe/oa.md
@@ -0,0 +1,20 @@
+# Onboard Administrator
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+## Sourcetypes
+
+| sourcetype | notes |
+|------------|--------|
+| hpe:oa | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| hpe_oa | infraops | none |
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-hpe_oa.conf b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_oa.conf
new file mode 100644
index 0000000000..6928de9910
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-hpe_oa.conf
@@ -0,0 +1,21 @@
+block parser app-syslog-hpe_oa() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index("infraops")
+ sourcetype('hpe:oa')
+ vendor("hpe")
+ product("oa")
+ template("t_msg_only")
+ );
+ };
+
+ };
+};
+application app-syslog-hpe_oa[sc4s-syslog-pgm] {
+ filter {
+ program('OA' type(string) flags(prefix));
+ };
+ parser { app-syslog-hpe_oa(); };
+
+};
diff --git a/tests/test_hpe_oa.py b/tests/test_hpe_oa.py
new file mode 100644
index 0000000000..93489f7ea5
--- /dev/null
+++ b/tests/test_hpe_oa.py
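Review bot: The filter `program('OA' type(string) flags(prefix));` in the `application app-syslog-hpe_oa[sc4s-syslog-pgm]` block accepts any program name that merely starts with "OA", not only the exact `OA` program the sample event in the test shows, so unrelated sources whose program field happens to begin with those two letters would be routed to the `hpe:oa` sourcetype and the `infraops` index. If an exact match is what is wanted, `program('OA' type(string));` is the narrower form; if prefix matching is deliberate (for example because the device emits program values with a suffix), a one-line comment above the filter stating that would save the next reader from tightening it by mistake. The docs hunk in the same commit describes this as a "MSG Format based filter", while the configuration actually keys on the program field; the two should agree.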
@@ -0,0 +1,42 @@
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <14>Jan 03 10:46:16 10.1.1.2 OA: Administrator logged out of the Onboard Administrator
+def test_hpe_oa(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+):
+ host = get_host_key
+
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }} {{ bsd }} {{ host }} OA: Administrator logged out of the Onboard Administrator\n"
+ )
+ message = mt.render(mark="<14>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=infraops host="{{ host }}" sourcetype="hpe:oa"'
+ )
+ search = st.render(bsd=bsd, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
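Review bot: The search template references `{{ epoch }}`, but the call `search = st.render(bsd=bsd, host=host)` never passes it, so with the default Jinja2 undefined handling the rendered query becomes `search _time= index=infraops ...` and the time constraint the test goes to the trouble of computing (`epoch = epoch[:-7]`) is silently dropped; the render should be `search = st.render(epoch=epoch, host=host)`. The `dt = datetime.datetime.now(...)` line uses `datetime` without an import in this file, so it presumably arrives through one of the `from .… import *` lines — an explicit `import datetime` next to `from jinja2 import Environment` would make that dependency visible. The unpacking `iso, bsd, time, date, ...` also shadows the `time` module name, and `setup_wordlist` in the signature is never used; both are worth tidying while the test is new.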