-
Notifications
You must be signed in to change notification settings - Fork 8
/
splunk_helper.py
227 lines (182 loc) · 7.46 KB
/
splunk_helper.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
# -*- coding: utf-8 -*-
# !/usr/bin/env python
"""
Splunk HEC Helper, part of evtx2splunk
"""
__progname__ = "evtx2splunk"
__date__ = "2020-01-10"
__version__ = "0.1"
__author__ = "whitekernel - PAM"
from typing import Any
import requests
from requests.auth import HTTPBasicAuth
import logging as log
from xml.dom.minidom import parse, parseString
from requests.packages.urllib3.exceptions import InsecureRequestWarning
class SplunkHelper(object):
def __init__(self, splunk_url: str, splunk_port: int, splunk_ssl_verify: bool, username: str, password: str):
"""
Init class of the helper.
:param splunk_url: URL of the Splunk instance
:param splunk_port: port of the splunk instance
:param splunk_ssl_verify: True to check ssl certificate
:param username: Administrative account
:param password: Password account
"""
self._surl = "https://{url}:{port}/".format(url=splunk_url,
port=splunk_port)
self._suser = username
self._spwd = password
self._ssl_verify = splunk_ssl_verify
if not self._ssl_verify:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
self.link_up = self.test_connection()
self._hec_token = None
def _uri(self, uri: str):
"""
Return a complete URL from an URI
:param uri: URI
:return: A string with the complete URL
"""
return self._surl + uri
def _request(self, uri: str, method: str = "GET", data: Any = None):
"""
Make a request and handle the errors
:param uri: URI to request
:param method: Method to index
:param data: Data for post method
:return: Tuple (Bool, Response)
"""
ret = False
response = None
try:
if method == "GET":
response = requests.get(url=self._uri(uri=uri),
verify=self._ssl_verify,
auth=HTTPBasicAuth(self._suser, self._spwd),
timeout=2)
elif method == "POST":
response = requests.post(url=self._uri(uri=uri),
data=data,
verify=self._ssl_verify,
auth=HTTPBasicAuth(self._suser, self._spwd),
timeout=2)
except Exception as e:
log.error(e)
log.error("Unable to connect to Splunk. Please check URL and ports")
return ret, None
if response.status_code == 401:
log.error("Unable to connect to Splunk. Please check administrative credentials")
elif response.status_code == 200 or response.status_code == 201:
ret = True
else:
log.error("Server error. See message below. Status {status}".format(status=response.status_code))
return ret, response
def test_connection(self):
"""
Test connection to the Splunk instance
:return: True if successful, else False
"""
ret, _ = self._request(uri='services/data/inputs/http')
return ret
def create_index(self, index: str):
"""
Create an index in the Splunk instance.
:return: True if created successfully
"""
if not self.link_up:
return False
# Check if we have one index with this name already
ret, response = self._request(uri='services/data/indexes/{index}'.format(index=index))
if ret:
log.info("{index} already created. Continuing".format(index=index))
return True
data = {
"name": index
}
ret, response = self._request(uri='services/data/indexes',
method="POST",
data=data)
if ret:
log.info("Index {index} created successfully".format(index=index))
return True
else:
log.error("Unable to create index {index}".format(index=index))
log.error("{message}".format(message=response.text))
return False
def get_or_create_hect(self):
"""
Look for an HEC token or create one if none is available
:return:
"""
hect = None
if not self.link_up:
return hect
if self._hec_token:
return self._hec_token
# Check if a token is already registered under the same name
ret, response = self._request(uri='services/data/inputs/http/evtx2splunk')
if ret:
dom = parseString(response.text)
for e in dom.getElementsByTagName("s:key"):
if e.getAttribute("name") == "token":
# We have a key, return the node value which
# is the HEC token
log.info("HEC token found")
self._hec_token = e.firstChild.nodeValue
return self._hec_token
# If we are here, we don't have a token yet, so create it
data = {
"name": "evtx2splunk"
}
ret, response = self._request(uri='services/data/inputs/http',
method="POST",
data=data)
if ret:
dom = parseString(response.text)
for e in dom.getElementsByTagName("s:key"):
if e.getAttribute("name") == "token":
# We have a key, return the node value which
# is the HEC token
log.info("HEC token created successfully")
self._hec_token = e.firstChild.nodeValue
return self._hec_token
log.error("Unable to create HEC token")
log.error("{message}".format(message=response.text))
return hect
def register_index_to_hec(self, index: str):
"""
Register an index to the HEC listener
:param index: Index to add
:return: True if added successfully, else False
"""
# Retrieve the HEC token
if not self._hec_token:
self._hec_token = self.get_or_create_hect()
# Retrieve the list of indexes allowed to be pushed with the HEC token
ret, response = self._request(uri='services/data/inputs/http/evtx2splunk')
indexes = []
if ret:
dom = parseString(response.text)
for e in dom.getElementsByTagName("s:key"):
if e.getAttribute("name") == "indexes":
indexes = [item.firstChild.nodeValue for item in e.getElementsByTagName("s:item")]
# Check if the index is already associated
if index in indexes:
log.info("Index already registered, continuing")
return True
# Add the index and push
indexes.append(index)
data = {
"indexes": ",".join(indexes),
"index": indexes[0]
}
ret, response = self._request(uri='services/data/inputs/http/evtx2splunk',
method="POST",
data=data)
if ret:
log.info("Index associated successfully")
return True
log.error("Unable to create associate index with the HEC token")
log.error("{message}".format(message=response.text))
return False