splunk · zyphermonkey · Jan 4, 2023
@@ -0,0 +1,20 @@
+# Onboard Administrator
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+## Sourcetypes
+
+| sourcetype | notes |
+|------------|--------|
+| hpe:oa | none |
+
+### Index Configuration
+
+| key | index | notes |
+|----------------|------------|----------------|
+| hpe_oa | infraops | none |
@@ -0,0 +1,21 @@
+block parser app-syslog-hpe_oa() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index("infraops")
+ sourcetype('hpe:oa')
+ vendor("hpe")
+ product("oa")
+ template("t_msg_only")
+ );
+ };
+
+ };
+};
+application app-syslog-hpe_oa[sc4s-syslog-pgm] {
+ filter {
+ program('OA' type(string) flags(prefix));
+ }; 
+ parser { app-syslog-hpe_oa(); };
+
+};
@@ -0,0 +1,42 @@
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+# <14>Jan 03 10:46:16 10.1.1.2 OA: Administrator logged out of the Onboard Administrator
+def test_hpe_oa(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+):
+ host = get_host_key
+
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }} {{ bsd }} {{ host }} OA: Administrator logged out of the Onboard Administrator\n"
+ )
+ message = mt.render(mark="<14>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=infraops host="{{ host }}" sourcetype="hpe:oa"'
+ )
+ search = st.render(bsd=bsd, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1