Add OPSWAT as a known vendor

[cornemrc]

We would like to ask you to add OPSWAT as a known vendor to the SC4S product.

OPSWAT has different kind of products. In our case, we use a combination of MetaDefender Core and MetaDefender ICAP.
Syslog is configured on MetaDefender Core and on ICAP itself.

What is the sc4s version?
3.38.0

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
No

What the vendor name?
OPSWAT

What's the product name?
Metadefender Core / Metadefender ICAP

If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?
index icap
sourcetype icap:syslog

Do you have syslog documentation or a manual for that device??
Core
"MetaDefender Core supports to send CEF (Common Event Format) syslog message style"
https://www.opswat.com/docs/mdcore/configuration/syslog-message-format

ICAP
Documentation tells nothing about CEF or RFC format:
https://www.opswat.com/docs/mdicap/configuration/configuration-file

Feature Request description:
Provide the new parser for OPSWAT Metadefender products out of the box

Do you want to have it for local usage or prepare a github PR?
github PR

[sbylica-splunk]

Hi @cornemrc, can you provide sample logs for this vendor? Preferably in a pcap format (or a text file). You can send them to sbylica@splunk.com or attach here.

[sbylica-splunk]

@cornemrc after looking at the examples from the docs, it seems that they should parse correctly?
This parser should cover such cases.

If you want to just rewrite index/sourcetype this is the way to do it:
https://splunk.github.io/splunk-connect-for-syslog/main/configuration/#override-the-log-path-of-indexes-or-metadata

[cornemrc]

Hi @sbylica-splunk thanks for reaching out.
Yes, right now our log onboarding is running with a simple listener on port 5107, parsing looks fine.

However, we prefer to have a "known vendor" instead, so we could keep it on the default port and follow the approach of

https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/simple/

This is an interim step that should be used only to quickly onboard well-formatted data that is being sent over a unique port. A dedicated log path should be developed for the data source to facilitate further parsing and enrichment, as well as allowing the potential sending of this data source over the default (514) listening port.

I will send you some example logs via email in the next minutes.

[sbylica-splunk]

@cornemrc I created a pr with a implementation for this vendor, so far I was able to create a parser for Metadefender Core (since there is documentation with log examples for that) but not for ICAP.

The logs examples sent to me are somewhat useful, but without the pcap file I wont be able to create a parser for ICAP since they are missing information about device product. Without the pcap file or logs in syslog format we can try guessing the message format or just implement metadefender core without ICAP.

[cornemrc]

@sbylica-splunk Thank you for developing the Metadefender Core implementation — I really appreciate the effort you’ve put into it.

Regarding the ICAP logs, I’m a bit unclear about what specific information is missing. Could you please clarify what details are needed and why they must be extracted from a pcap file? Understanding this better will help us figure out the best way to proceed.

[sbylica-splunk]

@cornemrc as I understand we want to use syslog-format logs, like the one in example here:
https://www.opswat.com/docs/mdcore/configuration/syslog-message-format

Especially this part is useful for extracting information from the log: CEF:0|OPSWAT|MSCL|4.16.0|core.network|MSCL[7548]

The logs from the attached file are in a basic log format, like this one: https://www.opswat.com/docs/mdcore/configuration/log-message-format

We can potentially parse them too but I think it's preferable to use both core/icap in syslog format.

[cornemrc]

@sbylica-splunk got it, thanks for the explanation. I was not aware of the different log structure, so I will provide you the syslog log format files again via email in a few minutes.

[sbylica-splunk]

@cornemrc I was thinking about something like this one:

Jun 24 14:33:18 192.168.200.223 2019-06-24T14:33:19+07:00 OPSWATPC CEF:0|OPSWAT|MSCL|4.16.0|core.network|MSCL[7548] New maximum agent count is set|2|maxAgentCount='1' msgid=665

Would it be possible to format them this way?

[cornemrc]

@sbylica-splunk We had to reconfigure our environment to activate the CEF on syslog. I will send you the files in the next minutes via email.

[sbylica-splunk]

@cornemrc thanks! These look very good, will get to testing them today.

[sbylica-splunk]

Ok so we'll have a parser that puts OPSWAT events into netwaf index (this seems to make most sense to me) and with opswat:{program}:cef sourcetype. Is that ok?

[cornemrc]

Nice, yes I think that makes sense. We will adjust the index anyway but from a general perspective it should be fine.