marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

Stormshield ingest verifier

End-to-end regression test for the SDL Stormshield parser. It sends raw syslog events to /api/uploadLogs, waits for ingest, then queries the events back and confirms that the OCSF fields the parser populates at ingest time (src_endpoint.ip, dst_endpoint.ip, actor.user.name, ...) actually landed.

Setup

cp config.example.json config.json
chmod 600 config.json
# Fill in log_write_key, log_read_key — both are SDL Data Lake API keys.
# Generate them in the S1 console: Singularity Data Lake -> API Keys.

config.json is gitignored. Never commit real tokens.

Run

# Single-event upload + 150s polling verifier (prints which OCSF fields landed)
python3 test.py

# Burst of 4 varied events with current timestamps (different users, IPs, actions)
python3 send_burst.py

# One-shot regression: burst + 40s wait + query last 15 min
bash run_and_verify.sh

How to find the events afterwards

The SDL console search field (and PowerQuery) attribute for the parser name is parser, not parser.name:

parser="stormshield" | sort -timestamp | limit 10

Behaviour quirks worth knowing

  1. server-host HTTP header is overwritten to the literal string uploadLogs on this tenant. Don't try to filter by serverHost for precise event matching; use parser='stormshield' instead.
  2. parser.name is always None on uploadLogs-ingested events. Use the bare parser attribute.
  3. Embedded time="..." in the syslog body is taken as the event's canonical timestamp via $timestamp=tsPattern$. The scripts rewrite this to "now" so events appear under recent activity in the console.
  4. Ingest latency is 5-60s. test.py polls for up to 150s.
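The two pieces of the verifier that the quirks above drive, as an added illustration that is not code from this repository: rewriting the embedded time="..." to "now" before upload (quirk 3), and polling a query callback for up to the ingest window until every expected OCSF field is present (quirk 4). The sample event, the field names in it, and the shape of the returned event dicts (flat dotted keys or nested dicts) are assumptions; the real upload and query calls are injected so the logic runs offline.

```python
import re
import time
from datetime import datetime, timezone

# Constructed Stormshield-style syslog body; key names are illustrative, not from the parser.
SAMPLE_EVENT = ('id=firewall time="2024-01-01 10:00:00" fw="sns-fw" '
                'src=10.0.0.5 dst=192.0.2.10 user="alice" action=block')

# OCSF rewrites the parser is expected to populate at ingest time.
EXPECTED_OCSF_FIELDS = ("src_endpoint.ip", "dst_endpoint.ip", "actor.user.name")

TIME_RE = re.compile(r'time="[^"]*"')


def rewrite_timestamp(body, now=None):
    """Replace the embedded time="..." with the current UTC wall clock, so the
    event's canonical timestamp ($timestamp=tsPattern$) lands under recent activity."""
    now = now or datetime.now(timezone.utc)
    return TIME_RE.sub(f'time="{now.strftime("%Y-%m-%d %H:%M:%S")}"', body, count=1)


def _lookup(event, path):
    """Resolve a dotted OCSF path against either a flat dotted key or nested dicts
    (assumption about the query result shape)."""
    if path in event:
        return event[path]
    node = event
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def landed_fields(event, expected=EXPECTED_OCSF_FIELDS):
    """Return the expected OCSF paths that are present and non-empty in one event."""
    return [p for p in expected if _lookup(event, p) not in (None, "")]


def poll_for_fields(query, expected=EXPECTED_OCSF_FIELDS, timeout_s=150,
                    interval_s=5, sleep=time.sleep):
    """Call query() every interval_s until some returned event carries every expected
    field, or timeout_s elapses. Returns (success, best_field_set_seen)."""
    best = []
    for attempt in range(max(1, timeout_s // interval_s)):
        for ev in query():
            got = landed_fields(ev, expected)
            if len(got) > len(best):
                best = got
            if len(got) == len(expected):
                return True, got
        sleep(interval_s)
    return False, best
```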

Files

  • test.py — single upload + polling verifier
  • send_burst.py — N varied events with current timestamps
  • verify_query.py — query last 15 min of stormshield events
  • run_and_verify.sh — burst + sleep + verify (regression test)
  • config.example.json — template, copy to config.json