
splunk-connect-for-syslog's Introduction

README


Splunk Connect for Syslog is an open source packaged solution to get data into Splunk using syslog-ng (OSE) and the Splunk HTTP Event Collector (HEC).

Purpose

Splunk Connect for Syslog (SC4S) is a community project that helps reduce the pain of getting syslog data sources into Splunk. Splunk Connect for Syslog should be used by any Splunk customer needing to onboard data sources via syslog to Splunk. The primary pain points SC4S addresses include the following:

  • Lack of deep syslog expertise in the community
  • Inconsistency between syslog server deployments, which creates a support challenge
  • Data sources tagged with catch-all sourcetype “syslog”, which limits Splunk analytics
  • Uneven data distribution between Splunk indexers, which impacts search performance

Usage

For full usage instructions, please visit the Splunk Connect for Syslog documentation.

Getting Support

Thank you for considering SC4S for your Splunk needs.

Splunk Support: If you are an existing Splunk customer with access to the Support Portal, create a support ticket for the quickest resolution to any issues you experience. Here are some examples of when it may be appropriate to create a support ticket:

  • If you experience an issue with the current version of SC4S, such as a feature gap or a documented feature that is not working as expected.
  • If you have difficulty with the configuration of SC4S, either at the back end or with the out-of-box parsers or index configurations.
  • If you experience performance issues and need help understanding the bottlenecks.
  • If you have any questions or issues with the SC4S documentation.

GitHub Issues: For all enhancement requests, please feel free to create GitHub issues. We prioritize and work on issues based on their priority and resource availability. You can help us by tagging the requests with the appropriate labels.

Splunk developers are active in the external user group on a best-effort basis; please use a support case or GitHub issues to get your issues resolved quickly.

Contributing

We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved. PR contributions require acceptance of both the code of conduct and the contributor license agreement.

This repository uses pre-commit. After installing dependencies, please run:

pre-commit install

License

  • Configuration and documentation licensed subject to CC0

  • Code and scripts licensed subject to BSD-2-Clause

  • Third Party Axoflow image of syslog-ng License

  • Third Party Syslog-NG (OSE) License


References

  • Syslog-ng Documentation provided by Axoflow Docs


splunk-connect-for-syslog's Issues

Edits to Contributing

https://github.com/splunk/splunk-connect-for-syslog/blob/master/CONTRIBUTING.md

Please review the below text that was adapted from the contribution page for the Splunk Ansible project. If no issues are found, replace "Future Docs covering the contribution process and requirements" with this...

CONTRIBUTING

Prerequisites

When contributing to this repository, please first discuss the change you wish to make via a GitHub issue or Slack message with the owners of this repository.

Setup Development Environment

Contribution Workflow

SC4S is a community project so please consider contributing your efforts! For example, documentation can always use improvement. There's always code that can be clarified, functionality that can be extended, new data filters to develop. If you see something you think should be fixed or added, go for it.

Feature Requests and Bug Reports

Have ideas on improvements or found a problem? While the community encourages everyone to contribute code, it is also appreciated when someone reports an issue. Please report any issues or bugs you find through GitHub's issue tracker.

If you are reporting a bug, please include the following details:

  • Your operating system name and version
  • Any details about your local setup that might be helpful in troubleshooting (ex. container runtime you use, etc.)
  • Detailed steps to reproduce the bug

We want to hear about your enhancements as well. Feel free to submit them as issues:

  • Explain in detail how they should work
  • Keep the scope as narrow as possible. This will make it easier to implement

Fixing Issues

Look through our issue tracker to find problems to fix! Feel free to comment and tag community members of this project with any questions or concerns.

Pull Requests

What is a "pull request"? It informs the project's core developers about the changes you want to review and merge. Once you submit a pull request, it enters a stage of code review where you and others can discuss its potential modifications and even add more commits to it later on.

If you want to learn more, please consult this tutorial on how pull requests work in the GitHub Help Center.

Here's an overview of how you can make a pull request against this project:

  1. Fork the splunk-connect-for-syslog GitHub repository
  2. Clone your fork using git and create a branch off develop:
     $ git clone git@github.com:YOUR_GITHUB_USERNAME/splunk-connect-for-syslog.git
     $ cd splunk-connect-for-syslog
     This project uses 'develop' for all development activity, so create your branch off that:
     $ git checkout -b your-bugfix-branch-name develop
  3. Run all the tests to verify your environment:
     $ make test
  4. Make your changes, then commit and push once your tests have passed:
     $ git commit -m ""
     $ git push
  5. Submit a pull request through the GitHub website using the changes from your forked codebase

Code Review

There are two aspects of code review: giving and receiving.

To make it easier for your PR to receive reviews, consider that the reviewers will need you to:

  • Follow the project coding conventions
  • Write good commit messages
  • Break large changes into a logical series of smaller patches which individually make easily understandable changes, and in aggregate solve a broader issue

Reviewers, the people giving the review, are highly encouraged to revisit the Code of Conduct and must go above and beyond to promote a collaborative, respectful community.

When reviewing PRs from others, The Gentle Art of Patch Review suggests an iterative series of focuses which is designed to lead new contributors to positive collaboration without inundating them initially with nuances:

  • Is the idea behind the contribution sound?
  • Is the contribution architected correctly?
  • Is the contribution polished?

For this project, we require that at least 2 approvals are given and a build from our continuous integration system is successful off of your branch. Please note that any new changes made to your existing pull request during review will automatically unapprove it and retrigger another build/round of tests.

Testing

Testing is the responsibility of all contributors. In general, we try to adhere to Google's test sizing philosophy when structuring tests.
There are multiple types of tests. The location of the test code varies with type, as do the specifics of the environment needed to successfully run the test.

  1. Small: Very fine-grained; exercises low-level logic at the scope of a function or a class; no external resources (except possibly a small data file or two, but preferably no file system dependencies whatsoever); very fast execution on the order of seconds
    $ make small-tests
  2. Medium: Exercises interaction between discrete components; may have file system dependencies or run multiple processes; runs on the order of minutes
    $ make medium-tests
  3. Large: Exercises the entire system, end-to-end; used to identify crucial performance and basic functionality that will be run for every code check-in and commit; may launch or interact with services in a datacenter, preferably with a staging environment to avoid affecting production
    $ make large-tests

Continuous integration will run all of these tests either as pre-submits on PRs, post-submits against master/release branches, or both.

Documentation

We could always use improvements to our documentation! Anyone can contribute to these docs, whether you're new to the project or you've been around a long time, and whether you self-identify as a developer, an end user, or someone who just can't stand seeing typos. What exactly is needed?

  1. More complementary documentation. Have you perhaps found something unclear?
  2. More examples or generic templates that others can use.
  3. Blog posts, articles and such; they're all very appreciated.

You can also edit documentation files directly in the GitHub web interface, without creating a local copy. This can be convenient for small typos or grammar fixes.

Edits for README

https://github.com/splunk/splunk-connect-for-syslog/blob/master/README.md

Suggest the following...

Purpose

Splunk Connect for Syslog (SC4S) is a community project focused on reducing the pain of getting syslog data sources into Splunk. The primary pain points SC4S addresses include the following…

  • Shortage of deep syslog expertise in the community
  • Inconsistency between syslog server deployments creates a support challenge
  • Data sources tagged with catch-all sourcetype “syslog” which limits Splunk analytics
  • Uneven data distribution between Splunk indexers impacts search performance

Splunk Connect for Syslog should be used by any Splunk customer needing to onboard data sources via syslog to Splunk.

Usage

For full usage instructions, please visit the Splunk Connect for Syslog documentation page.

Support

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

  • Post a question to Splunk Answers using the tag "Splunk Connect For Syslog"
  • Join the #splunk-connect-for-syslog room in the splunk-usergroups channel

Contributing

We welcome feedback and contributions from the community! Please see our contribution guidelines for more information on how to get involved.


MOVE USE THE DEMO SECTION TO GETTING STARTED OR A DEDICATED PAGE

Downloading and loading images

Some customers may not have internet access from their container hosts. Update the advanced docs with instructions to download the image from the releases tab and use docker/podman load to access the image.

  $ podman load < oci_container.tar.gz
  Loaded image: docker.pkg.github.com/splunk/splunk-connect-for-syslog/ci:90196f77f7525bc55b3b966b5fa1ce74861c0250

  $ docker tag docker.pkg.github.com/splunk/splunk-connect-for-syslog/ci:90196f77f7525bc55b3b966b5fa1ce74861c0250 sc4slocal:latest

Update the unit file to use sc4slocal:latest as the image name.
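An image archive carried to an air-gapped host by hand is exactly the kind of artifact worth integrity-checking before it is loaded, since nothing in the load step above verifies what is in the tarball. The following is an added example (not SC4S tooling, and not from the issue) that wraps the same podman load / tag sequence: it refuses to load unless the archive's SHA-256 matches a value obtained out of band, then extracts the image reference from the "Loaded image:" line and re-tags it. The expected hash is assumed to come from a trusted channel (for instance, recorded on the machine that downloaded the release); the page does not say the release publishes one. The sample podman output is the one quoted in the issue.

```python
"""Verify an offline-transferred image archive, load it, and re-tag it.

Added example, not part of SC4S. Assumes the operator has an expected SHA-256
for the archive from a trusted channel. Only load_and_retag() touches the
container engine; the other helpers are pure so they can be tested offline.
"""
import hashlib
import hmac
import re
import subprocess
from typing import List, Optional

# Constructed sample: the output podman printed in the issue above.
SAMPLE_LOAD_OUTPUT = (
    "Loaded image: docker.pkg.github.com/splunk/splunk-connect-for-syslog/ci:"
    "90196f77f7525bc55b3b966b5fa1ce74861c0250\n"
)

# docker prints "Loaded image:"; podman may print "Loaded image(s):".
_LOADED = re.compile(r"^Loaded image(?:\(s\))?:\s*(\S+)", re.MULTILINE)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the archive in 1 MiB chunks; image tarballs are large."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison after normalising case and surrounding whitespace."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def parse_loaded_image(output: str) -> Optional[str]:
    """Image reference reported by 'podman load' / 'docker load', or None."""
    m = _LOADED.search(output)
    return m.group(1) if m else None


def retag_argv(image_ref: str, local_name: str, engine: str = "podman") -> List[str]:
    """argv for the tag step; a list, never a shell string, so the reference
    taken from engine output cannot be interpreted by a shell."""
    return [engine, "tag", image_ref, local_name]


def load_and_retag(archive: str, expected_sha256: str,
                   local_name: str = "sc4slocal:latest", engine: str = "podman") -> str:
    """Refuse to load on digest mismatch; otherwise load, re-tag, and return the
    reference that was loaded so it can be recorded alongside the local tag."""
    if not verify_digest(sha256_file(archive), expected_sha256):
        raise RuntimeError(f"{archive}: SHA-256 mismatch, refusing to load")
    with open(archive, "rb") as fh:
        proc = subprocess.run([engine, "load"], stdin=fh, capture_output=True,
                              text=True, check=True)
    ref = parse_loaded_image(proc.stdout)
    if ref is None:
        raise RuntimeError(f"no 'Loaded image' line in engine output: {proc.stdout!r}")
    subprocess.run(retag_argv(ref, local_name, engine), check=True)
    return ref


if __name__ == "__main__":
    # Offline demonstration of the parsing step on the quoted output.
    print(parse_loaded_image(SAMPLE_LOAD_OUTPUT))
    print(" ".join(retag_argv(parse_loaded_image(SAMPLE_LOAD_OUTPUT), "sc4slocal:latest")))
```

Keep the loaded reference (the ci:<commit> tag) next to the sc4slocal:latest name in the unit file or a deployment note; a mutable local tag alone tells you nothing about which build is actually running.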

Add support for Checkpoint Exporter Splunk format

For support with this app
https://splunkbase.splunk.com/app/4293/#/details

Oct 8 15:00:25 DEVICENAME time=1570561225|hostname=devicename|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time=1570561225|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|
Oct 8 15:48:31 DEVICENAME time=1570564111|hostname=devicename|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time=1570564111|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11_..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|
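The format quoted above is a classic syslog header followed by a pipe-delimited key=value payload with no quoting or escaping, and it carries the epoch time twice. Below is an added example (not SC4S code and not from the Check Point app) of parsing it in Python; the sample input is the two lines quoted in the issue. It keeps the first occurrence of a repeated key rather than letting a later duplicate overwrite it, keeps any fragment without an '=' instead of dropping it, and treats the epoch field as the authoritative timestamp because the header has neither year nor zone.

```python
"""Parser for Check Point 'Splunk format' syslog lines (pipe-delimited key=value).

Added example, not part of SC4S. SAMPLE_LINES are the two lines quoted in the
issue above, used here as constructed test input.
"""
import re
from datetime import datetime, timezone

SAMPLE_LINES = [
    "Oct 8 15:00:25 DEVICENAME time=1570561225|hostname=devicename|severity=Informational|"
    "confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|"
    "loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time=1570561225|"
    "version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|"
    "attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|"
    "chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|"
    "origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|"
    "performance_impact=0|protection_id=tcp_segment_limit|"
    "protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|"
    "rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|"
    "s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|"
    "src=1.1.1.2|",
    "Oct 8 15:48:31 DEVICENAME time=1570564111|hostname=devicename|product=Firewall|"
    "action=Drop|ifdir=inbound|ifname=bond1|"
    "loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time=1570564111|"
    "version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|"
    "origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|"
    "proto=6|rule=402|rule_name=11_..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|"
    "s_port=33687|service=23|src=1.1.1.2|",
]

# Classic syslog header: month, day, time, host, then the Check Point payload.
_HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hms>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<body>.*)$"
)


def parse_checkpoint(line: str) -> dict:
    """Split the payload on '|' and each field on its first '='.

    Values such as origin_sic_name contain '=' themselves, so only the first
    '=' separates key from value. The format has no escaping, so a literal
    '|' inside a value would be split wrongly; the resulting fragment lands in
    '_unparsed' rather than vanishing. Repeated keys (Check Point sends 'time'
    twice) keep their first value and are listed in '_duplicate_keys'.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError("line does not carry a syslog header and payload")
    fields, unparsed, duplicates = {}, [], []
    for raw in m.group("body").split("|"):
        if not raw:
            continue  # the trailing '|' yields an empty element
        key, sep, value = raw.partition("=")
        if not sep:
            unparsed.append(raw)
        elif key in fields:
            duplicates.append(key)
        else:
            fields[key] = value
    return {
        "syslog_host": m.group("host"),
        "syslog_header": f"{m.group('mon')} {m.group('day')} {m.group('hms')}",
        "fields": fields,
        "_unparsed": unparsed,
        "_duplicate_keys": duplicates,
    }


def event_time(event: dict) -> datetime:
    """Authoritative timestamp: the epoch 'time' field is UTC and includes the year."""
    return datetime.fromtimestamp(int(event["fields"]["time"]), tz=timezone.utc)


def header_offset_seconds(event: dict) -> float:
    """Header clock minus epoch field, taking the year from the epoch field.
    A constant offset is the device's local zone; a drifting one is clock skew."""
    ts = event_time(event)
    hdr = datetime.strptime(f"{ts.year} {event['syslog_header']}", "%Y %b %d %H:%M:%S")
    return (hdr.replace(tzinfo=timezone.utc) - ts).total_seconds()


def connection_tuple(event: dict) -> tuple:
    """(product, action, src, s_port, dst, service, proto) for routing or alerting."""
    f = event["fields"]
    return tuple(f.get(k) for k in ("product", "action", "src", "s_port", "dst", "service", "proto"))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_checkpoint(line)
        print(event_time(ev).isoformat(), header_offset_seconds(ev), connection_tuple(ev))
```

On the quoted lines the header reads 15:00:25 while time=1570561225 is 2019-10-08 19:00:25 UTC, so the header is device-local time with no zone indicator; derive the event time from the epoch field, and treat a change in that offset across events from one device as a clock problem worth an alert.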

Support tag by host and source IP

Use a CSV context parser to tag events based on fromhost or fromip, allowing identification of a host's sourcetype where message parsing is inadequate.
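One way to build the lookup this issue asks for, as an added example (not SC4S code): a CSV table keyed on either host name or source IP, with CIDR entries resolved longest-prefix-first so a single-address entry overrides its enclosing network. The table, host names, addresses and sourcetype strings are constructed for illustration. Precedence defaults to the source IP because the syslog HOSTNAME field is whatever the sender chose to put there, while the peer address at least comes from the socket; over UDP even that is forgeable, so neither match is proof of identity, only a routing hint.

```python
"""Sourcetype tagging from a CSV context table keyed on host name or source IP.

Added example, not part of SC4S. The table contents are hypothetical.
"""
import csv
import io
import ipaddress
from typing import Optional

# Constructed context table: key is 'host' (exact name) or 'ip' (address or CIDR).
CONTEXT_CSV = """\
key,value,sourcetype
host,fw-edge-01,cisco:asa
host,idp-core.example.net,juniper:junos:idp
ip,10.20.0.0/24,fortinet:fortigate
ip,10.20.0.7,paloalto:panos
"""


class HostContext:
    """Exact case-insensitive host lookup, or longest-prefix IP/CIDR lookup."""

    def __init__(self, csv_text: str) -> None:
        self.by_host = {}
        self.by_net = []
        for row in csv.DictReader(io.StringIO(csv_text)):
            kind, value, sourcetype = row["key"].strip(), row["value"].strip(), row["sourcetype"].strip()
            if kind == "host":
                self.by_host[self._norm_host(value)] = sourcetype
            elif kind == "ip":
                self.by_net.append((ipaddress.ip_network(value, strict=False), sourcetype))
            else:
                raise ValueError(f"unknown key type {kind!r} in context table")
        # Most specific network first, so 10.20.0.7/32 wins over 10.20.0.0/24.
        self.by_net.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    @staticmethod
    def _norm_host(host: str) -> str:
        return host.lower().rstrip(".")

    def lookup_host(self, host: Optional[str]) -> Optional[str]:
        if not host:
            return None
        return self.by_host.get(self._norm_host(host))

    def lookup_ip(self, ip: Optional[str]) -> Optional[str]:
        if not ip:
            return None
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None  # garbage in the transport field: no match, no exception
        for net, sourcetype in self.by_net:
            if addr.version == net.version and addr in net:
                return sourcetype
        return None

    def resolve(self, host: Optional[str], src_ip: Optional[str], prefer: str = "ip") -> Optional[str]:
        """Sourcetype for an event, or None so the caller falls back to message parsing."""
        candidates = [self.lookup_ip(src_ip), self.lookup_host(host)]
        if prefer == "host":
            candidates.reverse()
        return next((st for st in candidates if st), None)


if __name__ == "__main__":
    ctx = HostContext(CONTEXT_CSV)
    # Constructed events: (HOSTNAME field as sent, peer address from the socket).
    for host, ip in [("fw-edge-01", "10.20.0.7"), ("unknown", "10.20.0.8"), ("nobody", "198.51.100.1")]:
        print(host, ip, ctx.resolve(host, ip))
```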

Simplify splunk_index.csv

Move the default index/sourcetype configuration to the log-path .conf and only require entries in splunk_index.conf to override as needed by the admin.

Use a "key" value in the form vendor_sourcetype_feature to allow index selection in corner cases such as juniper:junos, where one sourcetype contains unrelated data, allowing IDS and FW data to be routed to the appropriate indexes.

Update Demo and test scripts

The current demo and test script can re-use volumes created from other branches or clones; ensure the volumes used match the current source. RHINO-415

sc4s container disk buffer default too low

This gets burped at syslog-ng startup in the sc4s container:

[2019-08-07T17:24:25.060171] WARNING: The configured disk buffer size is smaller than the minimum allowed; configured_size='20000', minimum_allowed_size='1048576', new_size='1048576'

Add support for Cisco ASA

Add support for Cisco ASA.

  • Cisco device must send device ID as host name
  • Cisco device must send timestamp
  • Cisco devices with OS 9.10 and above should be configured for 5424 mode

Issues with host name generator

The host name generator depends on an external web site; replace the word list URL with a dictionary file.

The word list presently contains words with non-letter chars; ensure the word list would match [a-zA-Z]+.

Use better syntax for host selector

The syntax currently uses regex and an indirect reference to a variable due to a bug/limitation of selector files. The better syntax should be as follows:

  filter {match("f5_test" template("$(env PRESUME_SYSLOG)")); };

Missing python library in sc4s container

Upon sc4s startup, the following is emitted to stderr by the syslog-ng process:

Error opening plugin module; module='mod-python', error='libpython3.6m.so.rh-python36-1.0: cannot open shared object file: No such file or directory'

Publish license information

Review original code and scripts; ensure the BSD-2-Clause license is present.
Review documentation and config for the CC0 license.

Update README.md to explain that code/scripts will be licensed BSD-2-Clause while config and docs are licensed CC0.

Add recommended HW to getting started

Add the following text and table to the planning deployment section of the getting started guide.
https://github.com/splunk/splunk-connect-for-syslog/blob/master/docs/gettingstarted.md

These deployment hardware specifications are based on Splunk performance testing results. The overall load on your deployment HW will vary based on the percentage of events which are not handled by a filter. This is because unrecognized events will exercise every filter and then hit the catch-all. Given this, it is highly recommended that you validate performance with your hardware and production data samples.

  Deployment Size   Hardware Spec                         Average EPS with average msg size 800 k
  Small             2 x 3.1 GHz cores, 1 GB of memory     2K msg/sec
  Medium            4 x 3.1 GHz cores, 2 GB of memory     4.5K msg/sec
  Large             8 x 3.1 GHz cores, 4 GB of memory     9K msg/sec
  XL                16 x 3.1 GHz cores, 8 GB of memory    18K msg/sec

Refine/fix Fortigate filter

Fortigate filter fails tests; inspection revealed that a standard syslog parser with kv-parser, instead of message substitutions, would be more efficient.
