def main():
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
if len(args) < 2:
logger.error("pancontentpack: Wrong number of arguments: %s, expected 2.\n" % len(args))
usage()
if args[1] == "apps":
logger.info("Getting apps from content pack on Palo Alto Networks device at %s..." % args[0])
elif args[1] == "threats":
logger.info("Getting threats from content pack on Palo Alto Networks device at %s..." % args[0])
else:
usage()
# Results contains the data from the search results and settings
# contains the sessionKey that we can use to talk to Splunk
# Ignore the results
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
log(debug, "Begin get API key")
# Get the API key from the Splunk store or from the device at hostname if no apikey is stored
apikey = common.apikey(sessionKey, args[0], debug)
device = pandevice.base.PanDevice(args[0], api_key=apikey)
device.refresh_system_info()
try:
if args[1] == "apps":
device.xapi.get("/config/predefined/application")
app_xml = device.xapi.xml_document
csv = parse_apps(app_xml)
else:
if device._version_info >= (8, 0, 0):
threat_xml = device.op(
'show predefined xpath "/predefined/threats"',
xml=True, cmd_xml=True,
)
else:
device.xapi.get("/config/predefined/threats")
threat_xml = device.xapi.xml_document
csv = parse_threats(threat_xml)
except pan.xapi.PanXapiError as e:
common.exit_with_error(str(e))
# output results
splunk.Intersplunk.outputResults(csv)
def main_splunk():
# Get arguments passed to command on Splunk searchbar
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
debug = common.check_debug(kwargs)
# Setup the logger. $SPLUNK_HOME/var/log/splunk/python.log
logger = common.logging.getLogger()
if debug:
logger.setLevel(common.logging.DEBUG)
# Results contains the data from the search results and settings contains
# the sessionKey that we can use to talk to splunk
logger.debug("Getting search results and settings from Splunk")
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
# If there are logs to act on, get the Panorama user and password from Splunk using the sessionKey
if len(results) == 0:
logger.debug(
"WildFire Report Retrieval: No search results. Nothing to do.")
splunk.Intersplunk.outputResults(results)
sys.exit(0)
logger.debug("Getting WildFire APIKey from encrypted store")
wf_apikey = common.get_wildfire_apikey(sessionKey)
# Get a wildfire report for each row
logger.debug("Getting WildFire reports for %s search results" %
len(results))
for idx, result in enumerate(results):
# Check to see if the result has the necessary fields
if 'file_digest' in result:
logger.debug(
"Getting WildFire report for result # %s with file_digest: %s"
% (idx, result['file_digest']))
try:
# Get the report
wfReportXml = retrieveWildFireData(
wf_apikey, result['file_digest']).strip()
result['wildfire_report'] = wfReportXml
except:
logger.warn(
"Error retrieving WildFire report for file_digest: %s" %
result['file_digest'])
# Log the result row in case of an exception
logger.info("Log with error: %s" % result)
stack = traceback.format_exc()
# log the stack information
logger.warn(stack)
else:
logger.debug("Required fields missing from result # %s."
"Expected the following fields: file_digest" % idx)
# output the complete results sent back to splunk
splunk.Intersplunk.outputResults(results)
def main():
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
if len(args) < 2:
logger.error(
"pancontentpack: Wrong number of arguments: %s, expected 2.\n" %
len(args))
usage()
if args[1] == "apps":
logger.info(
"Getting apps from content pack on Palo Alto Networks device at %s..."
% args[0])
elif args[1] == "threats":
logger.info(
"Getting threats from content pack on Palo Alto Networks device at %s..."
% args[0])
else:
usage()
# Results contains the data from the search results and settings
# contains the sessionKey that we can use to talk to Splunk
# Ignore the results
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
log(debug, "Begin get API key")
# Get the API key from the Splunk store or from the device at hostname if no apikey is stored
apikey = common.apikey(sessionKey, args[0], debug)
device = pandevice.base.PanDevice(args[0], api_key=apikey)
try:
if args[1] == "apps":
device.xapi.get("/config/predefined/application")
app_xml = device.xapi.xml_document
csv = parse_apps(app_xml)
else:
device.xapi.get("/config/predefined/threats")
threat_xml = device.xapi.xml_document
csv = parse_threats(threat_xml)
except pan.xapi.PanXapiError as e:
common.exit_with_error(str(e))
# output results
splunk.Intersplunk.outputResults(csv)
def main_splunk():
# Get arguments passed to command on Splunk searchbar
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
debug = common.check_debug(kwargs)
# Setup the logger. $SPLUNK_HOME/var/log/splunk/python.log
logger = common.logging.getLogger()
if debug:
logger.setLevel(common.logging.DEBUG)
# Results contains the data from the search results and settings contains
# the sessionKey that we can use to talk to splunk
logger.debug("Getting search results and settings from Splunk")
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
# If there are logs to act on, get the Panorama user and password from Splunk using the sessionKey
if len(results) < 0:
logger.debug("No search results. Nothing to do.")
splunk.Intersplunk.outputResults(results)
sys.exit(0)
logger.debug("Getting Wildfire APIKey from encrypted store")
wf_apikey = common.get_wildfire_apikey(sessionKey)
# Get a wildfire report for each row
logger.debug("Getting Wildfire reports for %s search results" % len(results))
for idx, result in enumerate(results):
# Check to see if the result has the necessary fields
if 'serial_number' in result and 'report_id' in result:
logger.debug("Getting Wildfire report for result # %s with report_id: %s" % (idx, result['report_id']))
try:
# Get the report
wfReportXml = retrieveWildFireData(wf_apikey, result['serial_number'],
result['report_id']).read().strip()
# Add the report id to the XML for correlation to the original WildFire log from the firewall
wfReportXml = wfReportXml.replace("</version>", "</version>\n<id>" + result['report_id'] + "</id>", 1)
result['wildfire_report'] = wfReportXml
except:
logger.warn("Error retrieving WildFire report for report id: %s" % result['report_id'])
# Log the result row in case of an exception
logger.info("Log with error: %s" % result)
stack = traceback.format_exc()
# Log the stack information
logger.warn(stack)
else:
logger.debug("Required fields missing from result # %s."
"Expected the following fields: serial_number, report_id" % idx)
# output the complete results sent back to splunk
splunk.Intersplunk.outputResults(results)
def main_splunk():
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
# kwargs contains important parameters.
# parameters from splunk searchbar include:
# action
# device
# panorama
# serial
# vsys
# tag
# tag_field
# ip_field
# debug
# Verify required args were passed to command
log(debug, "Determining if required arguments are present")
if 'device' not in kwargs and 'panorama' not in kwargs:
common.exit_with_error("Missing required command argument: device or panorama", 3)
if 'tag' not in kwargs and 'tag_field' not in kwargs:
common.exit_with_error("Missing required command argument: tag or tag_field", 3)
# Assign defaults to fields that aren't specified
action = kwargs['action'] if 'action' in kwargs else "addip"
vsys = kwargs['vsys'] if 'vsys' in kwargs else None
ip_field = kwargs['ip_field'] if 'ip_field' in kwargs else "src_ip"
user_field = kwargs['user_field'] if 'user_field' in kwargs else "src_user"
# Support 'field' argument (legacy syntax)
if 'field' in kwargs and not 'ip_field' in kwargs:
ip_field = kwargs['field']
tag = kwargs['tag'] if 'tag' in kwargs else None
tag_field = kwargs['tag_field'] if 'tag_field' in kwargs else None
# Determine if device hostname or serial was provided as argument or should be pulled from entries
log(debug, "Determining how firewalls should be contacted based on arguments")
use_panorama = False
hostname = None
serial = None
if "device" in kwargs:
hostname = kwargs['device']
if vsys is None:
vsys = "vsys1"
elif "panorama" in kwargs:
use_panorama = True
hostname = kwargs['panorama']
if "serial" in kwargs:
serial = kwargs['serial']
if vsys is None:
vsys = "vsys1"
else:
common.exit_with_error("Missing required command argument: device or panorama", 3)
log(debug, "Use Panorama: %s" % use_panorama)
log(debug, "VSys: %s" % vsys)
log(debug, "Hostname: %s" % hostname)
if use_panorama and serial is not None:
log(debug, "Device Serial: %s" % serial)
else:
log(debug, "Using serials from logs")
# Results contains the data from the search results and settings
# contains the sessionKey that we can use to talk to Splunk
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
log(debug, "Begin get API key")
# Get the API key from the Splunk store or from the device at hostname if no apikey is stored
apikey = common.apikey(sessionKey, hostname, debug)
# Create the connection to the firewall or Panorama
panorama = None
if use_panorama:
# For Panorama, create the Panorama object, and the firewall if only one serial
panorama = Panorama(hostname, api_key=apikey)
if serial is not None:
firewall = {'firewall': Firewall(serial=serial, vsys=vsys)}
panorama.add(firewall['firewall'])
firewall['firewall'].userid.batch_start()
else:
firewall = {}
else:
firewall = {'firewall': Firewall(hostname, api_key=apikey, vsys=vsys)}
firewall['firewall'].userid.batch_start()
# Collect all the ip addresses and tags into firewall batch requests
for result in results:
## Find the serial (if not a single firewall)
if use_panorama and serial is None:
try:
this_serial = result['serial_number']
this_vsys = result['vsys']
except KeyError as e:
result['status'] = "ERROR: Unable to determine serial number or vsys of device"
continue
else:
## Create the firewall object if using multiple serials
if this_serial in firewall:
this_firewall = firewall[(this_serial, this_vsys)]
else:
# Create the firewall object for this serial
firewall[(this_serial, this_vsys)] = Firewall(serial=this_serial, vsys=this_vsys)
this_firewall = firewall[(this_serial, this_vsys)]
panorama.add(this_firewall)
this_firewall.userid.batch_start()
else:
this_firewall = firewall['firewall']
## Find the tag (if a tag_field was specified)
this_tag = []
if tag_field is not None:
try:
this_tag.append(result[tag_field])
except KeyError as e:
result['status'] = "ERROR: Unable to determine tag from field: %s" % tag_field
continue
if tag is not None:
this_tag.append(tag)
## Find the field
try:
if action in ("adduser", "removeuser"):
this_field = result[user_field]
else:
this_field = result[ip_field]
except KeyError as e:
result['status'] = "ERROR: Unable to determine value from field: %s" % this_field
## Create a request in the batch user-id update for the firewall
## No API call to the firewall happens until all batch requests are created.
if action in ("add", "addip"):
log(debug, "Registering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
this_firewall.userid.register(this_field, this_tag)
elif action in ("remove", "removeip"):
log(debug, "Unregistering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
this_firewall.userid.unregister(this_field, this_tag)
elif action == "adduser":
log(debug, "Registering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
this_firewall.userid.tag_user(this_field, this_tag)
elif action == "removeuser":
log(debug, "Unregistering tags on firewall %s: %s - %s" % (this_firewall, this_field, this_tag))
this_firewall.userid.untag_user(this_field, this_tag)
result['status'] = "Submitted successfully"
## Make the API calls to the User-ID API of each firewall
try:
for fw in list(firewall.values()):
fw.userid.batch_end()
except pan.xapi.PanXapiError as e:
common.exit_with_error(str(e))
except Exception as e:
common.exit_with_error(str(e))
# output results
splunk.Intersplunk.outputResults(results)
def main_splunk():
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
# kwargs contains important parameters.
# parameters from splunk searchbar include:
# action
# device
# panorama
# serial
# vsys
# user_field
# ip_field
# debug
# Verify required args were passed to command
log(debug, "Determining if required arguments are present")
if "device" not in kwargs and "panorama" not in kwargs:
common.exit_with_error("Missing required command argument: device or panorama", 3)
if "panorama" in kwargs and "serial" not in kwargs:
common.exit_with_error("Found 'panorama' arguments, but missing 'serial' argument", 3)
# Assign defaults to fields that aren't specified
action = kwargs["action"] if "action" in kwargs else "login"
vsys = kwargs["vsys"] if "vsys" in kwargs else "vsys1"
ip_field = kwargs["ip_field"] if "ip_field" in kwargs else "src_ip"
user_field = kwargs["tag_field"] if "tag_field" in kwargs else "user"
# Determine if device hostname or serial was provided as argument or should be pulled from entries
log(debug, "Determining how firewalls should be contacted based on arguments")
use_panorama = False
hostname = None
serial = None
if "device" in kwargs:
hostname = kwargs["device"]
elif "panorama" in kwargs:
use_panorama = True
hostname = kwargs["panorama"]
serial = kwargs["serial"]
else:
common.exit_with_error("Missing required command argument: device or panorama", 3)
log(debug, "Use Panorama: %s" % use_panorama)
log(debug, "VSys: %s" % vsys)
log(debug, "Hostname: %s" % hostname)
if use_panorama and serial is not None:
log(debug, "Device Serial: %s" % serial)
# Results contains the data from the search results and settings
# contains the sessionKey that we can use to talk to Splunk
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings["sessionKey"]
log(debug, "Begin get API key")
# Get the API key from the Splunk store or from the device at hostname if no apikey is stored
apikey = common.apikey(sessionKey, hostname, debug)
# Create the connection to the firewall or Panorama
panorama = None
if use_panorama:
# For Panorama, create the Panorama object, and the firewall object
panorama = Panorama(hostname, api_key=apikey)
firewall = Firewall(panorama=panorama, serial=serial, vsys=vsys)
firewall.userid.batch_start()
else:
# No Panorama, so just create the firewall object
firewall = Firewall(hostname, api_key=apikey, vsys=vsys)
firewall.userid.batch_start()
# Collect all the ip addresses and tags into firewall batch requests
for result in results:
## Find the tag (if a tag_field was specified)
try:
this_user = result[user_field]
except KeyError as e:
result["status"] = "ERROR: Unable to determine user from field: %s" % user_field
continue
## Find the IP
try:
this_ip = result[ip_field]
except KeyError as e:
result["status"] = "ERROR: Unable to determine ip from field: %s" % ip_field
## Create a request in the batch user-id update for the firewall
## No API call to the firewall happens until all batch requests are created.
if action == "login":
log(debug, "Login event on firewall %s: %s - %s" % (firewall, this_ip, this_user))
firewall.userid.login(this_user, this_ip)
else:
log(debug, "Logout event on firewall %s: %s - %s" % (firewall, this_ip, this_user))
firewall.userid.logout(this_user, this_ip)
result["status"] = "Submitted successfully"
## Make the API calls to the User-ID API of each firewall
try:
firewall.userid.batch_end()
except pan.xapi.PanXapiError as e:
common.exit_with_error(str(e))
except Exception as e:
common.exit_with_error(str(e))
# output results
splunk.Intersplunk.outputResults(results)
newAppUrl = 'https://ww2.paloaltonetworks.com/iphone/NewApps.aspx'
# Create a request object
newAppReq = urllib2.Request(newAppUrl)
# Make the request
result = opener.open(newAppReq)
return result
try:
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
# Results contains the data from the search results
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
existing_apps = []
for app in results:
existing_apps.append(str(app['app{@name}']))
results = []
log(
debug, "Existing apps already known and considered: %s" %
(len(existing_apps), ))
log(debug, existing_apps)
log(debug, "Getting new Apps from Palo Alto Networks")
def main_splunk():
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
# kwargs contains important parameters.
# parameters from splunk searchbar include:
# action
# device
# panorama
# serial
# vsys
# tag
# tag_field
# ip_field
# debug
# Verify required args were passed to command
log(debug, "Determining if required arguments are present")
if 'device' not in kwargs and 'panorama' not in kwargs:
common.exit_with_error("Missing required command argument: device or panorama", 3)
if 'tag' not in kwargs and 'tag_field' not in kwargs:
common.exit_with_error("Missing required command argument: tag or tag_field", 3)
# Assign defaults to fields that aren't specified
action = kwargs['action'] if 'action' in kwargs else "add"
vsys = kwargs['vsys'] if 'vsys' in kwargs else None
ip_field = kwargs['ip_field'] if 'ip_field' in kwargs else "src_ip"
# Support 'field' argument (legacy syntax)
if 'field' in kwargs and not 'ip_field' in kwargs:
ip_field = kwargs['field']
tag = kwargs['tag'] if 'tag' in kwargs else None
tag_field = kwargs['tag_field'] if 'tag_field' in kwargs else None
# Determine if device hostname or serial was provided as argument or should be pulled from entries
log(debug, "Determining how firewalls should be contacted based on arguments")
use_panorama = False
hostname = None
serial = None
if "device" in kwargs:
hostname = kwargs['device']
if vsys is None:
vsys = "vsys1"
elif "panorama" in kwargs:
use_panorama = True
hostname = kwargs['panorama']
if "serial" in kwargs:
serial = kwargs['serial']
if vsys is None:
vsys = "vsys1"
else:
common.exit_with_error("Missing required command argument: device or panorama", 3)
log(debug, "Use Panorama: %s" % use_panorama)
log(debug, "VSys: %s" % vsys)
log(debug, "Hostname: %s" % hostname)
if use_panorama and serial is not None:
log(debug, "Device Serial: %s" % serial)
else:
log(debug, "Using serials from logs")
# Results contains the data from the search results and settings
# contains the sessionKey that we can use to talk to Splunk
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
log(debug, "Begin get API key")
# Get the API key from the Splunk store or from the device at hostname if no apikey is stored
apikey = common.apikey(sessionKey, hostname, debug)
# Create the connection to the firewall or Panorama
panorama = None
if use_panorama:
# For Panorama, create the Panorama object, and the firewall if only one serial
panorama = Panorama(hostname, api_key=apikey)
if serial is not None:
firewall = {'firewall': Firewall(panorama=panorama, serial=serial, vsys=vsys)}
firewall['firewall'].userid.batch_start()
else:
firewall = {}
else:
firewall = {'firewall': Firewall(hostname, api_key=apikey, vsys=vsys)}
firewall['firewall'].userid.batch_start()
# Collect all the ip addresses and tags into firewall batch requests
for result in results:
## Find the serial (if not a single firewall)
if use_panorama and serial is None:
try:
this_serial = result['serial_number']
this_vsys = result['vsys']
except KeyError as e:
result['status'] = "ERROR: Unable to determine serial number or vsys of device"
continue
else:
## Create the firewall object if using multiple serials
if this_serial in firewall:
this_firewall = firewall[(this_serial, this_vsys)]
else:
# Create the firewall object for this serial
firewall[(this_serial, this_vsys)] = Firewall(panorama=panorama, serial=this_serial, vsys=this_vsys)
this_firewall = firewall[(this_serial, this_vsys)]
this_firewall.userid.batch_start()
else:
this_firewall = firewall['firewall']
## Find the tag (if a tag_field was specified)
this_tag = []
if tag_field is not None:
try:
this_tag.append(result[tag_field])
except KeyError as e:
result['status'] = "ERROR: Unable to determine tag from field: %s" % tag_field
continue
if tag is not None:
this_tag.append(tag)
## Find the IP
try:
this_ip = result[ip_field]
except KeyError as e:
result['status'] = "ERROR: Unable to determine ip from field: %s" % ip_field
## Create a request in the batch user-id update for the firewall
## No API call to the firewall happens until all batch requests are created.
if action == "add":
log(debug, "Registering tags on firewall %s: %s - %s" % (this_firewall, this_ip, this_tag))
this_firewall.userid.register(this_ip, this_tag)
else:
log(debug, "Unregistering tags on firewall %s: %s - %s" % (this_firewall, this_ip, this_tag))
this_firewall.userid.unregister(this_ip, this_tag)
result['status'] = "Submitted successfully"
## Make the API calls to the User-ID API of each firewall
try:
for fw in firewall.values():
fw.userid.batch_end()
except pan.xapi.PanXapiError as e:
common.exit_with_error(str(e))
except Exception as e:
common.exit_with_error(str(e))
# output results
splunk.Intersplunk.outputResults(results)
# Create a request object
newAppReq = urllib2.Request(newAppUrl)
# Make the request
result = opener.open(newAppReq)
return result
try:
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
# Results contains the data from the search results
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
existing_apps = []
for app in results:
existing_apps.append(str(app['app{@name}']))
results = []
log(debug, "Existing apps already known and considered: %s" % (len(existing_apps),))
log(debug, existing_apps)
log(debug, "Getting new Apps from Palo Alto Networks")
resp = retrieveNewApps()
log(debug, "Apps retrieved")
def main_splunk():
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
# kwargs contains important parameters.
# parameters from splunk searchbar include:
# action
# device
# panorama
# serial
# vsys
# user_field
# ip_field
# debug
# Verify required args were passed to command
log(debug, "Determining if required arguments are present")
if 'device' not in kwargs and 'panorama' not in kwargs:
common.exit_with_error(
"Missing required command argument: device or panorama", 3)
if 'panorama' in kwargs and 'serial' not in kwargs:
common.exit_with_error(
"Found 'panorama' arguments, but missing 'serial' argument", 3)
# Assign defaults to fields that aren't specified
action = kwargs['action'] if 'action' in kwargs else "login"
vsys = kwargs['vsys'] if 'vsys' in kwargs else "vsys1"
ip_field = kwargs['ip_field'] if 'ip_field' in kwargs else "src_ip"
user_field = kwargs['user_field'] if 'user_field' in kwargs else "user"
# Determine if device hostname or serial was provided as argument or should be pulled from entries
log(debug,
"Determining how firewalls should be contacted based on arguments")
use_panorama = False
hostname = None
serial = None
if "device" in kwargs:
hostname = kwargs['device']
elif "panorama" in kwargs:
use_panorama = True
hostname = kwargs['panorama']
serial = kwargs['serial']
else:
common.exit_with_error(
"Missing required command argument: device or panorama", 3)
log(debug, "Use Panorama: %s" % use_panorama)
log(debug, "VSys: %s" % vsys)
log(debug, "Hostname: %s" % hostname)
if use_panorama and serial is not None:
log(debug, "Device Serial: %s" % serial)
# Results contains the data from the search results and settings
# contains the sessionKey that we can use to talk to Splunk
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
log(debug, "Begin get API key")
# Get the API key from the Splunk store or from the device at hostname if no apikey is stored
apikey = common.apikey(sessionKey, hostname, debug)
# Create the connection to the firewall or Panorama
panorama = None
if use_panorama:
# For Panorama, create the Panorama object, and the firewall object
panorama = Panorama(hostname, api_key=apikey)
firewall = Firewall(panorama=panorama, serial=serial, vsys=vsys)
firewall.userid.batch_start()
else:
# No Panorama, so just create the firewall object
firewall = Firewall(hostname, api_key=apikey, vsys=vsys)
firewall.userid.batch_start()
# Collect all the ip addresses and users into firewall batch requests
for result in results:
## Find the user (if a user_field was specified)
try:
this_user = result[user_field]
except KeyError as e:
result[
'status'] = "ERROR: Unable to determine user from field: %s" % user_field
continue
## Find the IP
try:
this_ip = result[ip_field]
except KeyError as e:
result[
'status'] = "ERROR: Unable to determine ip from field: %s" % ip_field
## Create a request in the batch user-id update for the firewall
## No API call to the firewall happens until all batch requests are created.
if action == "login":
log(
debug, "Login event on firewall %s: %s - %s" %
(firewall, this_ip, this_user))
firewall.userid.login(this_user, this_ip)
else:
log(
debug, "Logout event on firewall %s: %s - %s" %
(firewall, this_ip, this_user))
firewall.userid.logout(this_user, this_ip)
result['status'] = "Submitted successfully"
## Make the API calls to the User-ID API of each firewall
try:
firewall.userid.batch_end()
except pan.xapi.PanXapiError as e:
common.exit_with_error(str(e))
except Exception as e:
common.exit_with_error(str(e))
# output results
splunk.Intersplunk.outputResults(results)
