[Imperva] Replace RSA2ELK with Syslog integration for Imperva Securesphere

packages/imperva/_dev/build/build.yml

@@ -1,3 +1,4 @@
 dependencies:
   ecs:
-    reference: "[email protected]"
+    reference: [email protected]
+    import_mappings: true

packages/imperva/_dev/build/docs/README.md

@@ -1,11 +1,58 @@
-# Imperva integration
+# Imperva
 
-This integration is for Imperva device's logs. It includes the following
+This integration is for Imperva device logs. It includes the
 datasets for receiving logs over syslog or read from a file:
 - `securesphere` dataset: supports Imperva SecureSphere logs.
 
-### Securesphere
+## Data streams
 
-The `securesphere` dataset collects Imperva SecureSphere logs.
+The Imperva integration collects one type of data: securesphere.
+
+**Securesphere** consists of alerts, violations, and system events. See more details about [alerts, violations, and events](https://docs.imperva.com/bundle/v14.7-web-application-firewall-user-guide/page/1024.htm)
+
+## Requirements
+
+Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using fleet management because it makes the management and upgrade of your agents considerably easier.
+
+### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent, and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+The minimum **kibana.version** required is **8.10.1**.
+
+## Setup
+
+### Enabling the integration in Elastic:
+
+1. In Kibana, go to Management > Integrations
+2. In the "Search for integrations" search bar, type Imperva.
+3. Click on the "Imperva" integration from the search results.
+4. Click on the "Add Imperva" button to add the integration.
+5. Enable the data collection mode from the following: Filestream, TCP, or UDP.
+6. Add all the required configuration parameters, such as paths for the filestream or listen address and listen port for the TCP and UDP.
+
+## Logs Reference
+
+### SecureSphere
+
+This is the `Securesphere` dataset.
+
+#### Example
+
+{{event "securesphere"}}
 
 {{fields "securesphere"}}

packages/imperva/_dev/deploy/docker/docker-compose.yml

@@ -7,14 +7,17 @@ services:
       - ${SERVICE_LOGS_DIR}:/var/log
     command: /bin/sh -c "cp /sample_logs/* /var/log/"
   imperva-securesphere-udp:
-    image: akroh/stream:v0.2.0
+    image: docker.elastic.co/observability/stream:v0.10.0
     volumes:
       - ./sample_logs:/sample_logs:ro
-    entrypoint: /bin/bash
-    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9531 -p=udp /sample_logs/imperva-securesphere-*.log"
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9507 -p=udp /sample_logs/test-imperva-securesphere.log
   imperva-securesphere-tcp:
-    image: akroh/stream:v0.2.0
+    image: docker.elastic.co/observability/stream:v0.10.0
     volumes:
       - ./sample_logs:/sample_logs:ro
-    entrypoint: /bin/bash
-    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9531 -p=tcp /sample_logs/imperva-securesphere-*.log"
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9507 -p=tcp /sample_logs/test-imperva-securesphere.log
+  imperva-securesphere-tls:
+    image: docker.elastic.co/observability/stream:v0.10.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9507 -p=tls --insecure /sample_logs/test-imperva-securesphere.log

packages/imperva/_dev/deploy/docker/sample_logs/test-imperva-securesphere.log

@@ -0,0 +1,2 @@
+<14>CEF:0|Imperva Inc.|SecureSphere|15.0.0.10_0|Signature|suspicious-pattern|High|act=block dst=81.2.69.142 dpt=80 duser=${Alert.username} src=81.2.69.142 spt=56112 proto=TCP cat=Alert cs1=Recommended Signatures Policy for Web Applications cs1Label=Policy cs2=SG cs2Label=ServerGroup cs3=service cs3Label=ServiceName cs4=Default Web Application cs4Label=ApplicationName cs5=suspicious-pattern cs5Label=Description
+<14>CEF:0|Imperva Inc.|SecureSphere|15.1.0|User logged in|User admin logged in from 81.2.69.142.|High|suser=admin rt=Oct 05 2023 18:33:02 cat=SystemEvent

packages/imperva/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.19.0"
+  changes:
+    - description: Replace RSA2ELK with Syslog integration.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8237
 - version: 0.18.0
   changes:
     - description: ECS version updated to 8.10.0.

packages/imperva/data_stream/securesphere/_dev/test/pipeline/test-common-config.yml

@@ -3,3 +3,4 @@ dynamic_fields:
 fields:
   tags:
     - preserve_original_event
+    - preserve_duplicate_custom_fields