def load_conf(app): ''' Loads our cefly.conf and gets the stanza for our app/search we are currently working with ''' try: stanza = splunk.clilib.cli_common.getConfStanza(CEFLY_OUTPUTS, app) except Exception, e: logger.error('message="Unable to open stanza in cefly.conf for app/search", app="%s"' % app) sys.exit()
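def _escape_cef_header(value):
    """Return ``value`` as a str that is safe inside a CEF header field.

    CEF reserves backslash and pipe in the header; both are backslash-escaped
    (backslash first, so the pipe escape is not doubled afterwards).  CR/LF
    are replaced by a space because a raw newline in the header terminates
    the record early and would let a hostile value (for example an event's
    sourcetype, which lands in the product field) forge a second log line.
    """
    text = str(value).replace('\\', '\\\\').replace('|', '\\|')
    return text.replace('\r', ' ').replace('\n', ' ')


def _escape_cef_extension(value):
    """Return ``value`` as a str that is safe as a CEF extension value.

    In the extension part backslash and '=' are reserved, and newlines are
    written as the two-character sequences backslash-r / backslash-n.
    """
    text = str(value).replace('\\', '\\\\').replace('=', '\\=')
    return text.replace('\r', '\\r').replace('\n', '\\n')


def make_cef(data):
    """Build one CEF:0 record from the mapping bundle assembled by the caller.

    ``data`` is a dict with these keys (the caller is not visible here):
      prefix_map  -- optional header overrides: d_vendor, d_product,
                     d_version, sig_id, name, severity
      field_map   -- list of {'as_cef_field': <cef key>, 'data': <value>}
      labels      -- {cef_key: label string}, e.g. cs1Label=<some string>
      splunk_meta -- must carry 'sourcetype'; it is the default product.
    Static key/value pairs come from the module-level ``cef_static_map``
    (defined elsewhere in the file; assumed to be a dict).

    Output shape (no whitespace around the header pipes):
        CEF:0|vendor|product|version|sig_id|name|severity|k1=v1 k2=v2 ...
    The extension lists labels, then the static map, then the mapped fields.

    Header fields are escaped per CEF (backslash and pipe) and CR/LF are
    neutralised, so config or event metadata cannot break out of the header
    or inject a second record.  Label and static values get CEF extension
    escaping here; mapped field data keeps going through the project's
    ``escape_cef_chars`` as before.

    Returns the CEF string, or False (after logging) when none of the mapped
    fields carried data.  NOTE(review): the original's trailing lines are not
    visible in this listing; the success return mirrors the earlier
    ``return False`` failure path -- confirm against the caller.
    """
    prefix_maps = data['prefix_map']
    custom_maps = data['field_map']
    custom_labels = data['labels']
    splunk_meta = data['splunk_meta']

    # Only fall back to the event's sourcetype when no product is configured;
    # splunk_meta may lack the key otherwise, so keep the lookup lazy.
    if 'd_product' in prefix_maps:
        product = prefix_maps['d_product']
    else:
        product = splunk_meta['sourcetype']

    # A configured sig_id of the literal two-character string '""' means
    # "emit an empty signature id".
    sig_id = prefix_maps.get('sig_id', '1')
    if sig_id == '""':
        sig_id = ''

    header = [
        'CEF:0',
        _escape_cef_header(prefix_maps.get('d_vendor', 'Splunk CEFly')),
        _escape_cef_header(product),
        _escape_cef_header(prefix_maps.get('d_version', '1.0')),
        _escape_cef_header(sig_id),
        _escape_cef_header(prefix_maps.get('name', 'generic event -- address me ASAP')),
        # The separator before the extension is added once below, for the
        # configured and the default severity alike (the original only
        # emitted it when severity was configured, fusing header and
        # extension otherwise).
        _escape_cef_header(prefix_maps.get('severity', '5')),
    ]

    # Custom string labels, e.g. cs1Label=<string>.
    label_pairs = ['%s=%s' % (key, _escape_cef_extension(value))
                   for key, value in custom_labels.items()]

    # Static splunk_field -> CEF field mappings, e.g. outcome=/Success.
    static_pairs = ['%s=%s' % (key, _escape_cef_extension(value))
                    for key, value in cef_static_map.items()]

    # Splunk field -> ArcSight field values.  Falsy data (including 0 and
    # '') is skipped, as in the original mapping loop.
    field_pairs = ['%s=%s' % (item['as_cef_field'], escape_cef_chars(item['data']))
                   for item in custom_maps if item['data']]

    # Nothing mapped means the search output did not match the field map;
    # report it and let the caller decide instead of emitting a bare header.
    if not field_pairs:
        logger.error(
            'message="not everything is here", custom_maps="%s", my_s_maps="%s", my_cs_maps="%s"'
            % (custom_maps, static_pairs, label_pairs))
        return False

    extension = ' '.join(label_pairs + static_pairs + field_pairs)
    return '|'.join(header) + '|' + extension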
try: stanza = splunk.clilib.cli_common.getConfStanza(CEFLY_OUTPUTS, app) except Exception, e: logger.error('message="Unable to open stanza in cefly.conf for app/search", app="%s"' % app) sys.exit() # If we are inheriting from another stanza, lets load it and combine the two stanzas together if 'inherits' in stanza: try: inherited = load_conf( stanza['inherits'] ) stanza = _dmerge(inherited,stanza) except Exception, e: logger.error("Unable to load inherited stanza: %e" % (e)) logger.exception(e) # We have have a disabled config, no need to go any further if 'disabled' in stanza: if stanza['disabled'].lower() in ('1','true'): logger.info('message="loading a configuration for a disabled app/stanza, will now exit", app="%s"' % ( app )) sys.exit() return stanza def _dmerge(d1, d2): '''