def _get_collection_data(self, collection_name, session_key, app, owner,
scheme, host, port, **context):
if not context.get('pool_connections'):
context['pool_connections'] = 5
if not context.get('pool_maxsize'):
context['pool_maxsize'] = 5
kvstore = rest_client.SplunkRestClient(session_key,
app,
owner=owner,
scheme=scheme,
host=host,
port=port,
**context).kvstore
collection_name = re.sub(r'[^\w]+', '_', collection_name)
try:
kvstore.get(name=collection_name)
except binding.HTTPError as e:
if e.status != 404:
raise
fields = {'state': 'string'}
kvstore.create(collection_name, fields=fields)
collections = kvstore.list(search=collection_name)
for collection in collections:
if collection.name == collection_name:
return collection.data
else:
raise KeyError('Get collection data: %s failed.' % collection_name)
def __init__(self,
hec_input_name,
session_key,
scheme=None,
host=None,
port=None,
hec_uri=None,
hec_token=None,
**context):
super(HECEventWriter, self).__init__()
self._session_key = session_key
if not all([scheme, host, port]):
scheme, host, port = get_splunkd_access_info()
if hec_uri and hec_token:
scheme, host, hec_port = utils.extract_http_scheme_host_port(
hec_uri)
else:
hec_port, hec_token = self._get_hec_config(hec_input_name,
session_key, scheme,
host, port, **context)
if not context.get('pool_connections'):
context['pool_connections'] = 10
if not context.get('pool_maxsize'):
context['pool_maxsize'] = 10
self._rest_client = rest_client.SplunkRestClient(hec_token,
app='-',
scheme=scheme,
host=host,
port=hec_port,
**context)
def _get_collection_data(collection_name, session_key, app, owner, scheme,
host, port, **context):
kvstore = rest_client.SplunkRestClient(session_key,
app,
owner=owner,
scheme=scheme,
host=host,
port=port,
**context).kvstore
collection_name = re.sub(r'[^\w]+', '_', collection_name)
try:
kvstore.get(name=collection_name)
except binding.HTTPError as e:
if e.status != 404:
raise
kvstore.create(collection_name)
collections = kvstore.list(search=collection_name)
for collection in collections:
if collection.name == collection_name:
return collection.data
else:
raise KeyError('Get collection data: %s failed.' % collection_name)
def get_collection_data(
collection_name: str,
session_key: str,
app: str,
owner: Optional[str] = None,
scheme: Optional[str] = None,
host: Optional[str] = None,
port: Optional[Union[str, int]] = None,
fields: Optional[Dict] = None,
**context: Any,
) -> client.KVStoreCollectionData:
"""Get collection data, if there is no such collection - creates one.
Arguments:
collection_name: Collection name of KV Store checkpointer.
session_key: Splunk access token.
app: App name of namespace.
owner: Owner of namespace, default is `nobody`.
scheme: The access scheme, default is None.
host: The host name, default is None.
port: The port number, default is None.
fields: Fields used to initialize the collection if it's missing.
context: Other configurations for Splunk rest client.
Raises:
binding.HTTPError: HTTP error different from 404, for example 503 when
KV Store is initializing and not ready to serve requests.
KeyError: KV Store did not get collection_name.
Returns:
KV Store collections data instance.
"""
kvstore = splunk_rest_client.SplunkRestClient(session_key,
app,
owner=owner,
scheme=scheme,
host=host,
port=port,
**context).kvstore
collection_name = re.sub(r"[^\w]+", "_", collection_name)
try:
kvstore.get(name=collection_name)
except binding.HTTPError as e:
if e.status != 404:
raise
fields = fields if fields is not None else {}
kvstore.create(collection_name, fields=fields)
collections = kvstore.list(search=collection_name)
for collection in collections:
if collection.name == collection_name:
return collection.data
else:
raise KeyError(f"Get collection data: {collection_name} failed.")
def __init__(self,
session_key,
scheme=None,
host=None,
port=None,
**context):
self._rest_client = rest_client.SplunkRestClient(session_key,
'splunk_httpinput',
scheme=scheme,
host=host,
port=port,
**context)
def collect_events(helper, ew):
helper.set_log_level("info")
config_username = '******'
splunk_session_key = helper.context_meta['session_key']
rest_client = src.SplunkRestClient(session_key=splunk_session_key,
app='Splunk_TA_aws',
owner='nobody',
scheme='https',
host='localhost',
port=8089)
aws = aws_helper(helper, rest_client)
ta_creds = list(
aws.get_app_credentials(splunk_session_key, "*", "Splunk_TA_aws"))
incremental_sqs_definitions = aws.get_incremental_sqs_definitions()
helper.log_info("Retrieved count={} credentials".format(len(ta_creds)))
config_role_arn = helper.get_arg('aws_config_role_arn')
aws.configure_ta_cred(config_username, config_role_arn, ta_creds)
service_definition = aws.find_in_dict(incremental_sqs_definitions, 'name',
'config_audit_snapshot')
service_endpoint = 'splunk_ta_aws_aws_sqs_based_s3'
service_config = {
"name": 'config_audit_snapshot',
"aws_account": "SplunkLoader-AWS",
"aws_iam_role": config_username,
"interval": "60",
"sqs_batch_size": "10",
"s3_file_decoder": "Config",
"sqs_queue_url": helper.get_arg('aws_config_sqs_url'),
"sqs_queue_region": helper.get_arg('aws_config_sqs_region'),
"sourcetype": "aws:config",
"index": helper.get_output_index()
}
aws.configure_service(service_config, service_endpoint, service_definition)
input_type = helper.get_input_type()
event = helper.new_event(source=input_type,
index=helper.get_output_index(),
sourcetype=helper.get_sourcetype(),
data="Finished configuring IAM Roles and inputs")
ew.write_event(event)
helper.log_warning("END")
exit(0)
def get_session_key(username,
password,
scheme=None,
host=None,
port=None,
**context):
'''Get splunkd access token.
:param username: The Splunk account username, which is used to
authenticate the Splunk instance.
:type username: ``string``
:param password: The Splunk account password.
:type password: ``string``
:param scheme: (optional) The access scheme, default is None.
:type scheme: ``string``
:param host: (optional) The host name, default is None.
:type host: ``string``
:param port: (optional) The port number, default is None.
:type port: ``integer``
:returns: Splunk session key.
:rtype: ``string``
:param context: Other configurations for Splunk rest client.
:type context: ``dict``
:raises CredentialException: If username/password are Invalid.
Usage::
>>> credentials.get_session_key('user', 'password')
'''
if any([scheme is None, host is None, port is None]):
scheme, host, port = get_splunkd_access_info()
uri = '{scheme}://{host}:{port}/{endpoint}'.format(
scheme=scheme, host=host, port=port, endpoint='services/auth/login')
_rest_client = rest_client.SplunkRestClient(None, '-', 'nobody', scheme,
host, port, **context)
try:
response = _rest_client.http.post(uri,
username=username,
password=password,
output_mode='json')
except binding.HTTPError as e:
if e.status != 401:
raise
raise CredentialException('Invalid username/password.')
return json.loads(response.body.read())['sessionKey']
def __init__(self,
session_key,
app,
owner='nobody',
scheme=None,
host=None,
port=None,
**context):
self._rest_client = rest_client.SplunkRestClient(session_key,
app,
owner=owner,
scheme=scheme,
host=host,
port=port,
**context)
def get_user_capabilities(session_key,
username,
scheme=None,
host=None,
port=None,
**context):
'''Get user capabilities.
:param session_key: Splunk access token.
:type session_key: ``string``
:param username: User name of capabilities to get.
:type username: ``string``
:param scheme: (optional) The access scheme, default is None.
:type scheme: ``string``
:param host: (optional) The host name, default is None.
:type host: ``string``
:param port: (optional) The port number, default is None.
:type port: ``integer``
:param context: Other configurations for Splunk rest client.
:type context: ``dict``
:returns: User capabilities.
:rtype: ``list``
:raises UserNotExistException: If `username` does not exist.
Usage::
>>> from solnlib import user_access
>>> user_capabilities = user_access.get_user_capabilities(
>>> session_key, 'test_user')
'''
_rest_client = rest_client.SplunkRestClient(session_key,
'-',
scheme=scheme,
host=host,
port=port,
**context)
url = '/services/authentication/users/{username}'.format(username=username)
try:
response = _rest_client.get(url, output_mode='json').body.read()
except binding.HTTPError as e:
if e.status != 404:
raise
raise UserNotExistException('User: %s does not exist.' % username)
return json.loads(response)['entry'][0]['content']['capabilities']
def get_user_capabilities(
session_key: str,
username: str,
scheme: str = None,
host: str = None,
port: int = None,
**context: dict,
) -> List[dict]:
"""Get user capabilities.
Arguments:
session_key: Splunk access token.
scheme: (optional) The access scheme, default is None.
host: (optional) The host name, default is None.
port: (optional) The port number, default is None.
context: Other configurations for Splunk rest client.
Returns:
User capabilities.
Raises:
UserNotExistException: If `username` does not exist.
Examples:
>>> from solnlib import user_access
>>> user_capabilities = user_access.get_user_capabilities(
>>> session_key, 'test_user')
"""
_rest_client = rest_client.SplunkRestClient(session_key,
"-",
scheme=scheme,
host=host,
port=port,
**context)
url = f"/services/authentication/users/{username}"
try:
response = _rest_client.get(url, output_mode="json").body.read()
except binding.HTTPError as e:
if e.status != 404:
raise
raise UserNotExistException("User: %s does not exist." % username)
return json.loads(response)["entry"][0]["content"]["capabilities"]
def __init__(self, conf_file, session_key, app, owner='nobody',
scheme=None, host=None, port=None, **context):
try:
self._conf_mgr = rest_client.SplunkRestClient(
session_key,
app,
owner=owner,
scheme=scheme,
host=host,
port=port,
**context).confs[conf_file]
except KeyError:
raise ConfManagerException(
'Config file: %s does not exist.' % conf_file)
self._conf_file = conf_file
self._cred_mgr = CredentialManager(
session_key, app, owner=owner, realm=app,
scheme=scheme, host=host, port=port, **context)
def __init__(self,
session_key,
app,
owner='nobody',
realm=None,
scheme=None,
host=None,
port=None,
**context):
self._realm = realm
self._storage_passwords = rest_client.SplunkRestClient(
session_key,
app,
owner=owner,
scheme=scheme,
host=host,
port=port,
**context).storage_passwords
def get_current_username(session_key,
scheme=None,
host=None,
port=None,
**context):
'''Get current user name from `session_key`.
:param session_key: Splunk access token.
:type session_key: ``string``
:param scheme: (optional) The access scheme, default is None.
:type scheme: ``string``
:param host: (optional) The host name, default is None.
:type host: ``string``
:param port: (optional) The port number, default is None.
:type port: ``integer``
:param context: Other configurations for Splunk rest client.
:type context: ``dict``
:returns: Current user name.
:rtype: ``string``
:raises InvalidSessionKeyException: If `session_key` is invalid.
Usage::
>>> from solnlib import user_access
>>> user_name = user_access.get_current_username(session_key)
'''
_rest_client = rest_client.SplunkRestClient(session_key,
'-',
scheme=scheme,
host=host,
port=port,
**context)
try:
response = _rest_client.get('/services/authentication/current-context',
output_mode='json').body.read()
except binding.HTTPError as e:
if e.status != 401:
raise
raise InvalidSessionKeyException('Invalid session key.')
return json.loads(response)['entry'][0]['content']['username']
def get_current_username(
session_key: str,
scheme: str = None,
host: str = None,
port: int = None,
**context: dict,
) -> str:
"""Get current user name from `session_key`.
Arguments:
session_key: Splunk access token.
scheme: (optional) The access scheme, default is None.
host: (optional) The host name, default is None.
port: (optional) The port number, default is None.
context: Other configurations for Splunk rest client.
Returns:
Current user name.
Raises:
InvalidSessionKeyException: If `session_key` is invalid.
Examples:
>>> from solnlib import user_access
>>> user_name = user_access.get_current_username(session_key)
"""
_rest_client = rest_client.SplunkRestClient(session_key,
"-",
scheme=scheme,
host=host,
port=port,
**context)
try:
response = _rest_client.get("/services/authentication/current-context",
output_mode="json").body.read()
except binding.HTTPError as e:
if e.status != 401:
raise
raise InvalidSessionKeyException("Invalid session key.")
return json.loads(response)["entry"][0]["content"]["username"]
def __init__(self, splunk_info, appname, owner='nobody'):
'''
:param splunk_info: `SplunkInfo` object
:param appname: application/addon name
:param owner: owner of the configuration, 'nobody' means globally
shared
'''
self.appname = appname
self.owner = owner
self.splunk_info = splunk_info
session_key = get_session_key(splunk_info)
scheme, host, port = sutils.extract_http_scheme_host_port(
splunk_info.mgmt_uri)
self.rest_client = src.SplunkRestClient(session_key=session_key,
app=appname,
owner=owner,
scheme=scheme,
host=host,
port=port)
def __init__(self,
session_key: str,
scheme: Optional[str] = None,
host: Optional[str] = None,
port: Optional[int] = None,
**context: Any):
"""Initializes ServerInfo.
Arguments:
session_key: Splunk access token.
scheme: The access scheme, default is None.
host: The host name, default is None.
port: The port number, default is None.
context: Other configurations for Splunk rest client.
"""
self._rest_client = rest_client.SplunkRestClient(session_key,
"-",
scheme=scheme,
host=host,
port=port,
**context)
def __init__(self,
session_key,
app,
owner='nobody',
scheme=None,
host=None,
port=None,
**context):
self._session_key = session_key
self._app = app
self._owner = owner
self._scheme = scheme
self._host = host
self._port = port
self._context = context
self._rest_client = rest_client.SplunkRestClient(self._session_key,
self._app,
owner=self._owner,
scheme=self._scheme,
host=self._host,
port=self._port,
**self._context)
self._confs = None
def collect_events(helper, ew):
from pprint import pformat
helper.set_log_level("info")
# helper.rest_helper.send_http_request
#
splunk_session_key = helper.context_meta['session_key']
rest_client = src.SplunkRestClient(
session_key=splunk_session_key, app='Splunk_TA_aws', owner='nobody', scheme='https', host='localhost',
port=8089)
aws = aws_helper(helper, rest_client)
ta_creds = list(aws.get_app_credentials(splunk_session_key, "*", "Splunk_TA_aws"))
description_definitions = get_description_definitions(helper, rest_client)
helper.log_info("Retrieved count={} credentials".format(len(ta_creds)))
assumed_session = aws.aws_session(role_arn=helper.get_global_setting("root_org_role_arn"),
session_name='org_lookup')
org_accounts = aws.get_orgs(assumed_session)
#check for any configs that are no longer in the org list...to detect deleted roles/accounts
for description_definition in description_definitions:
description_name = description_definition['name']
if "_audit" in description_name:
description_accountid = description_name.replace("_audit","")
if not description_accountid in [org_account['Id'] for org_account in org_accounts]:
helper.log_info("Account not found but description exists! account={}".format(description_accountid))
rest_client.delete("splunk_ta_aws_aws_description/{}".format("{}_audit".format(description_accountid)), owner='nobody',
app='Splunk_TA_aws',
output_mode='json')
for org_account in org_accounts:
role_name = helper.get_arg('aws_description_role_name')
cred_arn = "arn:aws:iam::{}:role/{}".format(org_account['Id'], role_name)
cred_name = "{}_audit".format(org_account['Id'])
aws.configure_ta_cred(cred_name, cred_arn, ta_creds)
helper.log_info("Checking if aws_account_id={} has role={} configured".format(org_account['Id'], role_name))
# Setup description
service_definition = aws.find_in_dict(description_definitions, 'name', cred_name)
service_endpoint = 'splunk_ta_aws_aws_description'
# s3_buckets/42300,
# cloudfront_distributions/42300,
service_config = {
"name": cred_name,
"account": "SplunkLoader-AWS",
"aws_iam_role": cred_name,
"regions": "ap-northeast-1,ap-northeast-2,ap-south-1,ap-southeast-1,ap-southeast-2,ca-central-1,eu-central-1,eu-west-1,eu-west-2,sa-east-1,us-east-1,us-east-2,us-west-1,us-west-2",
"apis": "ec2_volumes/42300,ec2_instances/42300,ec2_reserved_instances/42300,ebs_snapshots/42300,classic_load_balancers/42300,application_load_balancers/42300,vpcs/42300,vpc_network_acls/42300,vpc_subnets/42300,rds_instances/42300,ec2_key_pairs/42300,ec2_security_groups/42300,ec2_images/42300,ec2_addresses/42300,lambda_functions/42300,iam_users/3600",
"sourcetype": "aws:description",
"index": helper.get_output_index()
}
aws.configure_service(service_config, service_endpoint, service_definition)
input_type = helper.get_input_type()
event = helper.new_event(source=input_type, index=helper.get_output_index(), sourcetype=helper.get_sourcetype(),
data="Finished configuring IAM Roles and description")
ew.write_event(event)
helper.log_warning("END")
exit(0)
