Add sophos module

manifests/module/sophos.pp

@@ -0,0 +1,86 @@
+# filebeat::module::sophos
+#
+# @summary
+#   This class manages the Filebeat Sophos module.
+#
+# @example
+#   class { 'filebeat::module::sophos':
+#     xg_enabled => true,
+#     xg_input => 'udp',
+#     xg_syslog_host => '0.0.0.0',
+#     xg_syslog_port => 514,
+#     xg_host_name => 'sophos-xg',
+#   }
+#
+# @param xg_enabled
+#   Whether to enable the Sophos XG module.
+# @param xg_paths
+#   An array of paths to the Sophos XG logs.
+# @param xg_input
+#   The input type for the Sophos XG module. tcp or udp for syslog input, file for log files.
+# @param xg_syslog_host
+#   Interface to listen to for syslog input.
+# @param xg_syslog_port
+#   Port to listen on for syslog input.
+# @param xg_host_name
+#   Host name / Observer name, since SophosXG does not provide this in the syslog file. 
+# @param utm_enabled
+#   Whether to enable the Sophos UTM module.
+# @param utm_paths
+#   An array of paths to the Sophos UTM logs.
+# @param utm_input
+#   The input type for the Sophos UTM module. tcp or udp for syslog input, file for log files.
+# @param utm_syslog_host
+#   Interface to listen to for syslog input.
+# @param utm_syslog_port
+#   Port to listen on for syslog input.
+# @param utm_tz_offset
+#   Timezone offset. If the logs are in a different timezone than the Filebeat host, set this to the timezone offset.
+# @param utm_rsa_fields
+#   Flag to control whether non-ECS fields are added to the event.
+# @param utm_keep_raw_fields
+#   Flag to control the addition of the raw parser fields to the event.
+#
+class filebeat::module::sophos (
+  Boolean $xg_enabled = false,
+  Optional[Array[Stdlib::Absolutepath]] $xg_paths = undef,
+  Optional[Enum['udp', 'tcp','file']] $xg_input = undef,
+  Optional[Stdlib::Host] $xg_syslog_host = undef,
+  Optional[Stdlib::Port] $xg_syslog_port = undef,
+  Optional[Stdlib::Host] $xg_host_name = undef,
+  Boolean $utm_enabled = false,
+  Optional[Array[Stdlib::Absolutepath]] $utm_paths = undef,
+  Optional[Enum['udp', 'tcp','file']] $utm_input = undef,
+  Optional[Stdlib::Host] $utm_syslog_host = undef,
+  Optional[Stdlib::Port] $utm_syslog_port = undef,
+  Optional[Pattern[/^[-+]\d{2}:\d{2}$/]] $utm_tz_offset = undef,
+  Optional[Boolean] $utm_rsa_fields = undef,
+  Optional[Boolean] $utm_keep_raw_fields = undef,
+) {
+  filebeat::module { 'sophos':
+    config => {
+      'xg' => delete_undef_values(
+        {
+          'enabled' => $xg_enabled,
+          'var.input' => $xg_input,
+          'var.paths' => $xg_paths,
+          'var.syslog_host' => $xg_syslog_host,
+          'var.syslog_port' => $xg_syslog_port,
+          'var.host_name' => $xg_host_name,
+        }
+      ),
+      'utm' => delete_undef_values(
+        {
+          'enabled' => $utm_enabled,
+          'var.input' => $utm_input,
+          'var.paths' => $utm_paths,
+          'var.syslog_host' => $utm_syslog_host,
+          'var.syslog_port' => $utm_syslog_port,
+          'var.tz_offset' => $utm_tz_offset,
+          'var.rsa_fields' => $utm_rsa_fields,
+          'var.keep_raw_fields' => $utm_keep_raw_fields,
+        }
+      ),
+    },
+  }
+}

spec/classes/module/sophos_spec.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'filebeat::module::sophos' do
+  let :pre_condition do
+    'include ::filebeat'
+  end
+
+  let(:facts) { 
+    {
+      :kernel => 'Linux',
+      :os => {
+        :family => 'Debian',
+        :name => 'Ubuntu',
+      }
+    } 
+  }
+
+  context 'on default values' do
+    it { is_expected.to compile.with_all_deps }
+
+    it {
+      is_expected.to contain_file('filebeat-module-sophos').with_content(
+      %r{- module: sophos\n\s{2}xg:\n\s{4}enabled: false\n\s{2}utm:\n\s{4}enabled: false\n\n},
+    )}
+  end
+
+  context 'on xg and utm enabled with paths' do
+    let(:params) do
+      {
+        'xg_enabled' => true,
+        'xg_input' => 'file',
+        'xg_paths' => ['/var/log/xg.log'],
+        'utm_enabled' => true,
+        'utm_input' => 'file',
+        'utm_paths' => ['/var/log/utm.log'],
+      }
+    end
+
+    it { is_expected.to compile.with_all_deps }
+
+    it {
+      is_expected.to contain_file('filebeat-module-sophos').with_content(
+        <<-EOS
+### Filebeat configuration managed by Puppet ###
+---
+- module: sophos
+  xg:
+    enabled: true
+    var.input: file
+    var.paths:
+    - "/var/log/xg.log"
+  utm:
+    enabled: true
+    var.input: file
+    var.paths:
+    - "/var/log/utm.log"
+
+EOS
+    )
+    }
+  end
+
+  context 'on xg and utm enabled with syslog input' do
+    let(:params) do
+      {
+        'xg_enabled' => true,
+        'xg_input' => 'udp',
+        'xg_syslog_host' => '0.0.0.0',
+        'xg_syslog_port' => 514,
+        'xg_host_name' => 'sophos-xg',
+        'utm_enabled' => true,
+        'utm_input' => 'tcp',
+        'utm_syslog_host' => '0.0.0.0',
+        'utm_syslog_port' => 515,
+        'utm_tz_offset' => '-07:00',
+        'utm_rsa_fields' => true,
+        'utm_keep_raw_fields' => true,
+      }
+    end
+
+    it { is_expected.to compile.with_all_deps }
+
+    it {
+      is_expected.to contain_file('filebeat-module-sophos').with_content(
+        <<-EOS
+### Filebeat configuration managed by Puppet ###
+---
+- module: sophos
+  xg:
+    enabled: true
+    var.input: udp
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 514
+    var.host_name: sophos-xg
+  utm:
+    enabled: true
+    var.input: tcp
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 515
+    var.tz_offset: "-07:00"
+    var.rsa_fields: true
+    var.keep_raw_fields: true
+
+EOS
+    )
+    }
+  end
+end