diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-broadcom_layer7_api_gateway.conf b/package/etc/conf.d/conflib/syslog/app-syslog-broadcom_layer7_api_gateway.conf
new file mode 100644
index 0000000000..1b267dbe1f
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-broadcom_layer7_api_gateway.conf
@@ -0,0 +1,69 @@
+# Broadcom Layer7 API Gateway (SecureSpan / SSG) — traffic logger (java.util.logging)
+#
+# Syslog payload after the logger name resembles:
+# LEVEL com.l7tech.traffic:
+#
+# Field order and meaning come from the gateway cluster property trafficlogger.detail
+# (context variables); defaults differ by release and customer policy. The column names
+# below match one common HTTP traffic layout observed in customer samples; verify against
+# Policy Manager → trafficlogger.detail when tuning.
+
+block parser app-syslog-broadcom_layer7_api_gateway() {
+ channel {
+ if {
+ parser {
+ regexp-parser(
+ template("${MESSAGE}")
+ prefix(".tmp.")
+ patterns('^(?:[^\s]+\s+)?com\.l7tech\.traffic:\s*(?.*)$')
+ );
+ };
+ };
+ if {
+ filter {
+ "${.tmp.traffic_csv}" ne ""
+ };
+ parser {
+ csv-parser(
+ template("${.tmp.traffic_csv}")
+ prefix(".values.")
+ delimiters(chars('') strings('; '))
+ columns(
+ 'request_time',
+ 'traffic_detail_2',
+ 'traffic_detail_3',
+ 'traffic_detail_4',
+ 'http_status',
+ 'response_size',
+ 'transaction_id',
+ 'http_method',
+ 'http_host',
+ 'http_uri',
+ 'routed_url',
+ 'elapsed_ms',
+ 'service_http_status'
+ )
+ flags(greedy)
+ );
+ };
+ };
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netops')
+ sourcetype('broadcom:layer7_api_gateway')
+ vendor("broadcom")
+ product("layer7_api_gateway")
+ template('t_kv_values')
+ );
+ };
+ };
+};
+
+application app-syslog-broadcom_layer7_api_gateway[sc4s-syslog] {
+ filter {
+ message('com.l7tech.traffic' type(string) flags(substring));
+ };
+ parser {
+ app-syslog-broadcom_layer7_api_gateway();
+ };
+};
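Review bot: The `csv-parser` in the second `if` splits on a literal `; ` with `flags(greedy)`, yet three of the columns it names — `http_host`, `http_uri`, `routed_url` — are taken from the client request, so a request whose URL carries a literal `; ` (a matrix parameter or an unencoded query fragment, assuming the gateway writes these context variables unescaped) pushes `elapsed_ms` and `service_http_status` one column to the right, and a detection keyed on those two fields can be steered by the requester. The columns ahead of the URL (`http_status`, `response_size`, `transaction_id`, `http_method`) cannot be shifted this way, so alerting should prefer them. A comment above `columns(` should say so, e.g. `# http_host/http_uri/routed_url are request-derived: a literal "; " inside them shifts the columns that follow (elapsed_ms, service_http_status) — do not rely on those two for alerting`. Separately, the named capture in `patterns(...)` renders here as `(?.*)`; if that is what actually ships rather than `(?<traffic_csv>.*)`, PCRE rejects the pattern and `${.tmp.traffic_csv}` is never set, so please confirm against the committed file.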
diff --git a/package/lite/etc/addons/broadcom/app-syslog-broadcom_layer7_api_gateway.conf b/package/lite/etc/addons/broadcom/app-syslog-broadcom_layer7_api_gateway.conf
new file mode 100644
index 0000000000..1b267dbe1f
--- /dev/null
+++ b/package/lite/etc/addons/broadcom/app-syslog-broadcom_layer7_api_gateway.conf
@@ -0,0 +1,69 @@
+# Broadcom Layer7 API Gateway (SecureSpan / SSG) — traffic logger (java.util.logging)
+#
+# Syslog payload after the logger name resembles:
+# LEVEL com.l7tech.traffic:
+#
+# Field order and meaning come from the gateway cluster property trafficlogger.detail
+# (context variables); defaults differ by release and customer policy. The column names
+# below match one common HTTP traffic layout observed in customer samples; verify against
+# Policy Manager → trafficlogger.detail when tuning.
+
+block parser app-syslog-broadcom_layer7_api_gateway() {
+ channel {
+ if {
+ parser {
+ regexp-parser(
+ template("${MESSAGE}")
+ prefix(".tmp.")
+ patterns('^(?:[^\s]+\s+)?com\.l7tech\.traffic:\s*(?.*)$')
+ );
+ };
+ };
+ if {
+ filter {
+ "${.tmp.traffic_csv}" ne ""
+ };
+ parser {
+ csv-parser(
+ template("${.tmp.traffic_csv}")
+ prefix(".values.")
+ delimiters(chars('') strings('; '))
+ columns(
+ 'request_time',
+ 'traffic_detail_2',
+ 'traffic_detail_3',
+ 'traffic_detail_4',
+ 'http_status',
+ 'response_size',
+ 'transaction_id',
+ 'http_method',
+ 'http_host',
+ 'http_uri',
+ 'routed_url',
+ 'elapsed_ms',
+ 'service_http_status'
+ )
+ flags(greedy)
+ );
+ };
+ };
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netops')
+ sourcetype('broadcom:layer7_api_gateway')
+ vendor("broadcom")
+ product("layer7_api_gateway")
+ template('t_kv_values')
+ );
+ };
+ };
+};
+
+application app-syslog-broadcom_layer7_api_gateway[sc4s-syslog] {
+ filter {
+ message('com.l7tech.traffic' type(string) flags(substring));
+ };
+ parser {
+ app-syslog-broadcom_layer7_api_gateway();
+ };
+};
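Review bot: The application block admits any message that merely contains the substring `com.l7tech.traffic`, and because neither `if { ... }` junction in the parser block has an `else`, a message the regexp-parser does not match still reaches `r_set_splunk_dest_default` and is indexed as `broadcom:layer7_api_gateway` via `t_kv_values` with no `.values.*` fields at all (if I read syslog-ng's junction semantics correctly, a failed embedded parser lets the message fall through rather than dropping it). Any other gateway logger or audit text that mentions the traffic logger name would therefore be mis-sourcetyped and would pollute the `netops` index. Tightening the filter to the logger prefix as it actually appears, `message('com.l7tech.traffic: ' type(string) flags(substring));`, narrows the match cheaply; a comment on the first `if` such as `# no else: unmatched messages keep the sourcetype but carry no parsed fields` would make the fall-through explicit. This file is a byte-identical copy of the conflib version (same blob 1b267dbe1f), so any correction has to land in both.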
diff --git a/tests/test_broadcom_layer7_api_gateway.py b/tests/test_broadcom_layer7_api_gateway.py
new file mode 100644
index 0000000000..593cb4fe0e
--- /dev/null
+++ b/tests/test_broadcom_layer7_api_gateway.py
@@ -0,0 +1,53 @@
+# Copyright 2026 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+import datetime
+
+import pytest
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+# Reconstructed from a Splunk screenshot: RFC3164 header + java.util.logging traffic line.
+# Semicolon+space fields follow gateway trafficlogger.detail (customer-specific order).
+layer7_traffic_samples = [
+ r"{{ mark }}{{ bsd }} {{ host }} SSG[{{ pid }}]: INFO com.l7tech.traffic: 2025-02-21T19:58:47.968Z; ; ; ; 200; 158; KOU4U2RNQ1; GET; intg.api.ia.ca; /omni/promotions/v2/contests/DIGITAL_ADOPTION_CLIENT_2025/participants/self; https://we.INTG.webservice.ia.iafg.net/WEMWPNA4/v2/contests/DIGITAL_ADOPTION_CLIENT_2025/participants/self; 87; 200",
+]
+
+
+@pytest.mark.addons("broadcom")
+@pytest.mark.parametrize("event", layer7_traffic_samples)
+def test_broadcom_layer7_api_gateway_traffic(
+ record_property, get_host_key, get_pid, setup_splunk, setup_sc4s, event
+):
+ host = get_host_key
+ pid = get_pid
+
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+ epoch = epoch[:-7]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<134>", bsd=bsd, host=host, pid=pid)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=netops _time={{ epoch }} sourcetype="broadcom:layer7_api_gateway" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
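Review bot: The single entry in `layer7_traffic_samples` carries what look like a real customer's internal API hostname and backend route (`intg.api.ia.ca`, `https://we.INTG.webservice.ia.iafg.net/WEMWPNA4/...`, a named promotion path), lifted from a screenshot per the comment above it; a public test fixture should not disclose a third party's internal API topology, and nothing in the assertion depends on those values. Replace them with RFC 2606 names and a neutral path, e.g. `GET; api.example.com; /v2/items/self; https://backend.example.net/svc/v2/items/self; 87; 200`, and reword the comment to `# Synthetic RFC3164 + java.util.logging traffic line in the trafficlogger.detail layout the parser expects (customer-specific order).`. The search only proves the event reached the sourcetype, so the `; `-split columns are never exercised; if the `t_kv_values` output is field-extracted at search time, appending a parsed field such as `http_status=200 transaction_id=KOU4U2RNQ1` (or its synthetic replacement) to the search string would catch a silently broken split.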