From f03383aa7efd4525a1cef869e0f5bfbdf2dbd3d3 Mon Sep 17 00:00:00 2001
From: Taylor Swanson
Date: Fri, 29 Apr 2022 10:50:45 -0500
Subject: [PATCH 1/4] [sophos] Improve inputs for Sophos XG

- Add TLS support to TCP input
- Add custom TCP options support
- Add system test for TCP input
---
 packages/sophos/changelog.yml | 5 +++
 .../xg/_dev/test/system/test-tcp-config.yml | 12 ++++++
 .../data_stream/xg/agent/stream/tcp.yml.hbs | 6 +++
 packages/sophos/data_stream/xg/manifest.yml | 40 +++++++++++++++++++
 packages/sophos/manifest.yml | 2 +-
 5 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 packages/sophos/data_stream/xg/_dev/test/system/test-tcp-config.yml

diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
index 8e31dc49894..1280552a7ba 100644
--- a/packages/sophos/changelog.yml
+++ b/packages/sophos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.0"
+ changes:
+ - description: Improve inputs for Sophos XG pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/xxxx
 - version: "2.1.0"
 changes:
 - description: Update to ECS 8.2.0 to use new email field set.
diff --git a/packages/sophos/data_stream/xg/_dev/test/system/test-tcp-config.yml b/packages/sophos/data_stream/xg/_dev/test/system/test-tcp-config.yml
new file mode 100644
index 00000000000..5ac7ed1771b
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/system/test-tcp-config.yml
@@ -0,0 +1,12 @@
+service: sophos-xg-tcp
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+ vars:
+ syslog_host: 0.0.0.0
+ syslog_port: 9549
+ known_devices: |
+ - hostname: XG230
+ serial_number: "1234567890123456"
+ - hostname: SG430
+ serial_number: "S4000806149EE49"
diff --git a/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs b/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs
index e7c44bbdaca..c1866d64a7d 100644
--- a/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs
+++ b/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs
@@ -10,6 +10,9 @@ tags:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
 processors:
 {{#if processors}}
 {{processors}}
@@ -23,3 +26,6 @@ processors:
 {{#if known_devices}}
 {{known_devices}}
 {{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/sophos/data_stream/xg/manifest.yml b/packages/sophos/data_stream/xg/manifest.yml
index b764a5830f5..51993f60822 100644
--- a/packages/sophos/data_stream/xg/manifest.yml
+++ b/packages/sophos/data_stream/xg/manifest.yml
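Review bot: `{{tcp_options}}` in the second hunk is inserted unmodified at the top level of the rendered stream, so a key the user repeats there (`ssl`, `processors`) collides with one this template has already emitted; how the agent's YAML loader treats such a duplicate is not visible in this diff, so the contract should be stated in the template itself. I would add a handlebars comment above the guard: `{{! tcp_options is inserted as-is at top level: do not repeat keys this template already sets }}`. The same caveat applies to the `ssl` block in the first hunk, which is rendered before `processors:` and can be overridden by the later splice. The rest of the stream definition lies above the first hunk.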
@@ -67,6 +67,46 @@ streams:
 description: >
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
 template_path: tcp.yml.hbs
 title: Sophos XG logs
 description: Collect Sophos XG logs
diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml
index 00103a0475d..45b40c08b73 100644
--- a/packages/sophos/manifest.yml
+++ b/packages/sophos/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sophos
 title: Sophos Logs
-version: 2.1.0
+version: 2.2.0
 description: Collect and parse logs from Sophos Products with Elastic Agent.
 categories: ["security"]
 release: ga

From d64a64d624a332b05fdf82ca5f8a8d341728a84b Mon Sep 17 00:00:00 2001
From: Taylor Swanson
Date: Tue, 10 May 2022 11:20:35 -0500
Subject: [PATCH 2/4] Update changelog with PR number

---
 packages/sophos/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
index 1280552a7ba..af7c875275c 100644
--- a/packages/sophos/changelog.yml
+++ b/packages/sophos/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Improve inputs for Sophos XG pipeline.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/xxxx
+ link: https://github.com/elastic/integrations/pull/3322
 - version: "2.1.0"
 changes:
 - description: Update to ECS 8.2.0 to use new email field set.

From 690969c9c901e61705aa299e3c700bb7997e2d03 Mon Sep 17 00:00:00 2001
From: Taylor Swanson
Date: Wed, 11 May 2022 14:06:08 -0500
Subject: [PATCH 3/4] Add TLS system test

---
 .../_dev/deploy/docker/docker-compose.yml | 6 ++
 .../xg/_dev/test/system/test-tls-config.yml | 64 +++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 packages/sophos/data_stream/xg/_dev/test/system/test-tls-config.yml

diff --git a/packages/sophos/_dev/deploy/docker/docker-compose.yml b/packages/sophos/_dev/deploy/docker/docker-compose.yml
index 2162572ef10..53c8924a8ac 100644
--- a/packages/sophos/_dev/deploy/docker/docker-compose.yml
+++ b/packages/sophos/_dev/deploy/docker/docker-compose.yml
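Review bot: `#framing: delimitier` in the `tcp_options` default is misspelled, so a user who uncomments the example as written ends up with an unknown framing value; it should read `#framing: delimiter`. Two smaller points in the new `ssl` var: the description's `i.e.` should be `e.g.` since the list is illustrative, and its commented example shows only `certificate_authorities`, whereas the TLS system test added later in this series supplies `key` and `certificate`, which as far as I can tell are what a listening input needs in order to present TLS — adding commented `#certificate:` and `#key:` lines to the example, or one sentence in the description, would steer users to the right fields. Also `description` follows `default` in `tcp_options` but precedes `multi` in `ssl`; keeping the key order identical in both vars reads better. The `streams:` list these vars belong to starts above the hunk.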
@@ -30,3 +30,9 @@ services:
 - ./sample_logs:/sample_logs:ro
 entrypoint: /bin/bash
 command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=tcp /sample_logs/sophos-xg*.log"
+ sophos-xg-tls:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9550 -p=tls --insecure /sample_logs/sophos-xg*.log"
diff --git a/packages/sophos/data_stream/xg/_dev/test/system/test-tls-config.yml b/packages/sophos/data_stream/xg/_dev/test/system/test-tls-config.yml
new file mode 100644
index 00000000000..53ce3b3f3a7
--- /dev/null
+++ b/packages/sophos/data_stream/xg/_dev/test/system/test-tls-config.yml
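Review bot: `--insecure` on the new `sophos-xg-tls` command turns off server-certificate verification in the log streamer, and nothing in the file records why that is acceptable, which makes the flag easy to copy into a non-test compose file; a comment above the service would pin the reason: `# --insecure: the listener under test presents the self-signed test certificate from test-tls-config.yml`. Port 9550 matches `syslog_port` in that test config, and the image tag and `--delay=5s` mirror the existing `sophos-xg` service, so the rest is consistent. The `services:` mapping this entry extends starts above the hunk.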
@@ -0,0 +1,64 @@
+service: sophos-xg-tls
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+ vars:
+ syslog_host: 0.0.0.0
+ syslog_port: 9550
+ known_devices: |
+ - hostname: XG230
+ serial_number: "1234567890123456"
+ - hostname: SG430
+ serial_number: "S4000806149EE49"
+ ssl: |
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhCLvLsQAHufsN
+ U+u1x/CequAUphfXZqLhDo2Eo/holfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU
+ /Ru8E76Az1egzMwT3TVAPLVU8NbrxBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxS
+ cD1sa0oikXCJN1a3BSoAf9iiZ/dxz4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg70
+ 4vHOeg0rBbIoSNfjDUVZWjwC95K1BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDL
+ SHWis65p+1AAa5xieYDb47vyJ0SSR7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloIT
+ Xg9ag1OlAgMBAAECggEAEHfPJmzhj68wjB0kFr13AmWG2Hv/Kqg8KzQhbx+AwkaW
+ u7j+L70NGpvLZ9VQtLNyhxoz9cksZO1SZO/Q48aeHlcOFppmJN3/U6AdtQWa9M35
+ FLLpmX16wjxVHsfvzOvopgLOoYl8PqZt66qDFDgVyMnT7na6RdJ+7GJuvBPXq+Bc
+ vgThvAZitHSAOhnBFYmTMlBi6AzOMMsaFlgE3Xf9v3M0pAKItPRKMhXlC3MyvA/v
+ jgbra4Ib+0ryohggHheHB3bn3Jgv7iFKoW9OQSePVxacJ+kfr9H+No5g495URzqR
+ mx/96WCiv3rAh3ct8Sk/C4/3zMC8fUueDJIVjhgw0QKBgQD8NufLINNkIpBrLoCS
+ 972oFEjZB2u6EusQ7X9raROqpaw26ZSu+zSHeIKCGQ93M3aRb3FpdGeOxgZ095MV
+ 8a+nlh4stOvHj2Mm5YhTBDUavTC7o9aVR3Od5eTXUpHnaJpNI/uyIcKupeK1UJnV
+ UlBLeIwo/vJ1gsVrKMMAJkuKbwKBgQDkaWRRd0w2gUIbCTGf203BqXft0VdIiOW7
+ +gnkeaNHAf09XljzxMcQzrB8kG63aKVGbJffphEfzxtiJ+HRQVH+7QpKRhU/GHmu
+ +6OKkxTcxJm5zhoRFxcSi2wG4PWmUGJvc7ss1OJGcaOUxwocCepO7N/jfdDz9Uke
+ KnA+YWOdKwKBgQDteZkYlojT0QOgF8HyH5gQyUCqMKWLJ0LzxltiPCbLV4Dml1pq
+ w5Z7M8nWS1hXiTpLx93GSFc1hFkSCwYP9GfK6Lryp0sVtHnMZvTMDbseuSJImwRx
+ vDwtYQfugg1lEQWwOoBEAiu3m/PxernNtNprpU57T0nlwUK3GkM5QdWAuwKBgQCZ
+ ZF3GiANapzupxGbbH//8Cr9LqsafI7CEqMpz8WxBh4h16iJ6sq+tDeFgBe8UpOY5
+ gTwNKg1d+0w8guQYD3HtbWr3rlEeamVtqfiOW3ArQqyqJ0tCJuuLvK3zgKf35Qv2
+ JRaSaPT8sdxVUcXsRoxgLJu+vwPQke1koMN4YRbwuQKBgQDJiZ/WSeqa5oIqkXbn
+ hjm7RXKaf2oE1U/bNjdSFtdEP7T4vUvvr7Hq2f/jiBLtCE7w16PJjKx9iIq2+jMl
+ qIY43Sk9bdi5FxtYTHda0hwrbH274P+QVcVs5PXCT0TGktOleHGBlXaaPrxl9iCh
+ 8tmmxZZYa5aQxEO/lxB9xQKaiQ==
+ -----END PRIVATE KEY-----
+ certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIDazCCAlOgAwIBAgIUW5TDu1tJMY2Oa7PsL+BQSmeWqz0wDQYJKoZIhvcNAQEL
+ BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+ GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEwMDEwNTAwMjNaFw0yMTEw
+ MDIwNTAwMjNaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+ HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+ AQUAA4IBDwAwggEKAoIBAQDhCLvLsQAHufsNU+u1x/CequAUphfXZqLhDo2Eo/ho
+ lfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU/Ru8E76Az1egzMwT3TVAPLVU8Nbr
+ xBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxScD1sa0oikXCJN1a3BSoAf9iiZ/dx
+ z4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg704vHOeg0rBbIoSNfjDUVZWjwC95K1
+ BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDLSHWis65p+1AAa5xieYDb47vyJ0SS
+ R7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloITXg9ag1OlAgMBAAGjUzBRMB0GA1Ud
+ DgQWBBRYUSKDHBBE9Q6fTeTqogicCxcXwDAfBgNVHSMEGDAWgBRYUSKDHBBE9Q6f
+ TeTqogicCxcXwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc
+ T8B+GpvPy9NQ700LsywRPY0L9IJCKiu6j3TP1tqqSPjAC/cg9ac+bFXuWOu7V+KJ
+ s09Q/pItq9SLX6UvnfRzTxu5lCBwwGX9cL131mTIu5SmFo7Eks+sorbiIarWDMoC
+ e+9An3GFpagW+YhOt4BdIM5lTqoeodzganDBsOUZI9aDAj2Yo5h2O7r6Wd12cb6T
+ mz8vMfB2eG8BxU20ZMfkdERWjiyXHOSBQqeqfkV8d9370gMu5RcJNcIgnbmTRdho
+ X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA
+ qEf55SihFqErRMeURPPF
+ -----END CERTIFICATE-----

From 4a060059e5fdcabc27133433335da40499673653 Mon Sep 17 00:00:00 2001
From: Taylor Swanson
Date: Wed, 11 May 2022 14:16:42 -0500
Subject: [PATCH 4/4] formatting

---
 packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs b/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs
index c1866d64a7d..b901abd7783 100644
--- a/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs
+++ b/packages/sophos/data_stream/xg/agent/stream/tcp.yml.hbs
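Review bot: The `ssl` block commits a private key and certificate with no marker that they are disposable test material, so a reader cannot tell at a glance whether this pair matters anywhere outside the fixture; a leading comment above `ssl: |` such as `# Throwaway self-signed key/cert for the TLS system test only; never reuse outside this test.` would settle that. Decoding the certificate, issuer and subject appear to be the same default OpenSSL `Internet Widgits Pty Ltd` DN and the validity window appears to span a single day in October 2021, so the test presumably passes only because the streamer in docker-compose.yml runs with `--insecure`; worth confirming with `openssl x509 -noout -dates` and recording in the same comment. `syslog_host: 0.0.0.0` and the `known_devices` block repeat test-tcp-config.yml, which is fine for a fixture.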
@@ -28,4 +28,4 @@ processors:
 {{/if}}
 {{#if tcp_options}}
 {{tcp_options}}
-{{/if}}
\ No newline at end of file
+{{/if}}