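def _get_default_freezer(self, sessionKey, query_params):
    """Return the single freezer record flagged as ``default`` in the KV store.

    Args:
        sessionKey: Splunk session key used for the REST call.
        query_params: request query parameters; unused here, kept for the
            common handler signature.

    Returns:
        ``self.response(freezer, httplib.OK)`` when exactly one record has a
        truthy ``default`` field, otherwise ``self.response(msg,
        httplib.BAD_REQUEST)`` naming the offending count.
    """
    logger.debug("START _get_default_freezer()")
    splunk.setDefault('sessionKey', sessionKey)
    freezers_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers?output_mode=json'
    # Get item json
    serverResponse, serverContent = rest.simpleRequest(freezers_uri, sessionKey=sessionKey, method='GET')
    logger.debug("freezers: %s" % serverContent)
    freezers = json.loads(serverContent)

    # A record without a 'default' field counts as non-default instead of
    # failing the whole request with KeyError.
    defaults = [freezer for freezer in freezers if freezer.get('default')]
    if len(defaults) == 1:
        return self.response(defaults[0], httplib.OK)

    msg = 'Invalid default count: count="{}"'.format(len(defaults))
    # logger.error, not logger.exception: no exception is being handled
    # here, so .exception() would only append a meaningless traceback.
    logger.error(msg)
    return self.response(msg, httplib.BAD_REQUEST)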
def __init__(self):
    """Point the splunk.* SDK at splunkd with the configured scheme and host:port.

    Reads ``enableSplunkdSSL`` from server.conf [sslConfig] to choose
    http or https, stores the composed URL host on ``self._splunkd_urlhost``
    and registers protocol/host/port as process-wide splunk.* defaults.
    """
    raw_flag = self.conf(key='enableSplunkdSSL', name="server", stanza="sslConfig", default="true")
    # Strict normalizeBoolean raises on values it cannot interpret; such a
    # value is treated as "SSL off".
    # NOTE(review): that fallback downgrades to plain http on a malformed
    # setting — confirm this is the intended failure mode.
    try:
        use_ssl = splunk.util.normalizeBoolean(raw_flag, enableStrictMode=True)
    except ValueError:
        use_ssl = False
    scheme = 'https' if use_ssl else 'http'
    # old way: keep the composed URL host for callers that still read it
    self._splunkd_urlhost = '%s://%s' % (scheme, self.conf('mgmtHostPort'))
    # better way: this sets the global default for any object that uses
    # the splunk.* SDK
    splunk.setDefault('protocol', scheme)
    splunk.mergeHostPath(self.conf('mgmtHostPort'), True)
def _get_item_info(self, sessionKey, query_params):
    """Fetch one record from the items KV collection by ``_key`` or ``id``.

    At least one of ``_key``/``id`` must be in ``query_params``; the one used
    is popped from it (``_key`` wins when both are present). An ``id`` is
    translated to the KV ``_key`` by scanning the collection first.

    Returns:
        ``self.response(record, httplib.OK)``, or a BAD_REQUEST response when
        both lookup parameters are absent.
    """
    logger.debug("START _get_item_info()")
    logger.debug("query_params: %s" % query_params)
    lookup_names = ['_key', 'id']
    absent = [name for name in lookup_names if name not in query_params]
    # Only fail when *both* identifiers are missing.
    if len(absent) > 1:
        return self.response("Missing a required argument: %s" % absent, httplib.BAD_REQUEST)
    splunk.setDefault('sessionKey', sessionKey)
    chosen = '_key' if '_key' in query_params else 'id'
    item_id = query_params.pop(chosen)
    all_items = self._get_items(sessionKey, query_params)
    logger.debug("all_items: %s" % all_items)
    # Map an application id onto the KV store key; a value that is already
    # a _key matches nothing here and is used as-is.
    for record in all_items['payload']:
        if record['id'] == item_id:
            item_id = record['_key']
    logger.debug("item_id: %s" % item_id)
    # NOTE(review): item_id originates from the request and is placed into
    # the URL path without percent-encoding — confirm the REST layer rejects
    # path separators, or encode it here.
    items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items/%s' % item_id
    # Get item json
    serverResponse, serverContent = rest.simpleRequest(items_uri, sessionKey=sessionKey, method='GET')
    logger.debug("items: %s" % serverContent)
    return self.response(json.loads(serverContent), httplib.OK)
def getSessionKey(username, password, hostPath=None):
    """Authenticate against splunkd and return a session key.

    POSTs ``username``/``password`` to /services/auth/login (prefixed with
    ``hostPath`` when given), reads ``<sessionKey>`` from the XML reply and
    records username and session key as splunk.* defaults.

    Returns:
        The session key string, or None when splunkd answered with a
        non-200 status (an error is logged and the messages extracted).
    """
    login_uri = '/services/auth/login'
    if hostPath:
        login_uri = splunk.mergeHostPath(hostPath) + login_uri
    credentials = {'username': username, 'password': password}
    # NOTE(review): the password travels in the POST body, so the protocol
    # default chosen elsewhere (http vs https) decides whether it crosses
    # the wire in clear text — confirm https is enforced for a remote hostPath.
    response, body = rest.simpleRequest(login_uri, postargs=credentials)
    if response.status != 200:
        logger.error('getSessionKey - unable to login; check credentials')
        rest.extractMessages(et.fromstring(body))
        return None
    session_key = et.fromstring(body).findtext('sessionKey')
    splunk.setDefault('username', username)
    splunk.setDefault('sessionKey', session_key)
    return session_key
def _delete_freezer(self, sessionKey, query_params):
    """Delete one freezer record, addressed by ``_key`` or ``id``.

    One of the two identifiers must be in ``query_params``; it is popped and,
    for an ``id``, resolved to the KV ``_key`` via ``_get_freezers``.

    Returns:
        ``self.response({'_key': ..., 'action': 'removed'}, httplib.OK)``,
        or a BAD_REQUEST response when neither identifier was supplied.
    """
    logger.debug("START _delete_freezer()")
    identifiers = ['_key','id']
    absent = [name for name in identifiers if name not in query_params]
    if len(absent) > 1:
        return self.response("Missing a required argument: %s" % absent, httplib.BAD_REQUEST)
    splunk.setDefault('sessionKey', sessionKey)
    chosen = '_key' if '_key' in query_params else 'id'
    freezer_id = query_params.pop(chosen)
    all_freezers = self._get_freezers(sessionKey, query_params)
    logger.debug("all_freezers: %s" % all_freezers)
    for record in all_freezers['payload']:
        if record['id'] == freezer_id:
            freezer_id = record['_key']
    freezer_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers/%s' % freezer_id
    logger.debug("freezer_uri: %s" % freezer_uri)
    freezer_removed = {'_key': freezer_id, 'action': "removed"}
    # NOTE(review): the DELETE status is not inspected; "removed" is reported
    # even when the KV store rejected the request — confirm that is intended.
    serverResponse, serverContent = rest.simpleRequest(freezer_uri, sessionKey=sessionKey, method='DELETE')
    logger.debug("freezer_removed: %s" % json.dumps(freezer_removed))
    return self.response(freezer_removed, httplib.OK)
def getSessionKey(username, password, hostPath=None):
    """Log in to splunkd with a username/password and return the session key.

    When ``hostPath`` is given the login URI is prefixed with the merged host
    path. On success the username and session key are also stored as
    splunk.* defaults. On a non-200 reply an error is logged, the server
    messages are extracted and None is returned.
    """
    if hostPath:
        uri = splunk.mergeHostPath(hostPath) + '/services/auth/login'
    else:
        uri = '/services/auth/login'
    serverResponse, serverContent = rest.simpleRequest(
        uri, postargs={'username': username, 'password': password})
    login_ok = serverResponse.status == 200
    if login_ok:
        sessionKey = et.fromstring(serverContent).findtext('sessionKey')
        splunk.setDefault('username', username)
        splunk.setDefault('sessionKey', sessionKey)
        return sessionKey
    logger.error('getSessionKey - unable to login; check credentials')
    # Messages are extracted for their side effects only; the result is dropped.
    rest.extractMessages(et.fromstring(serverContent))
    return None
def save_risks(self, contents, **kwargs):
    """Apply edited risk scores to the risks KV collection and audit each change.

    ``contents`` is a JSON array of risk records. Every record with a
    non-None ``_key`` is compared against the stored record; when the integer
    ``risk_score`` differs the record is written back (with a ``risk_id``,
    minted here if the stored record has none) and an audit event is
    submitted to the configured index. Records without ``_key`` are skipped.

    Returns:
        The string 'Done'.
    """
    logger.info("Saving risks...")
    user = cherrypy.session['user']['name']
    sessionKey = cherrypy.session.get('sessionKey')
    splunk.setDefault('sessionKey', sessionKey)

    # Target index: 'risks' unless configs/risk_manager overrides it.
    config = {'index': 'risks'}
    restconfig = entity.getEntities('configs/risk_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0 and 'index' in restconfig['settings']:
        config['index'] = restconfig['settings']['index']
    logger.debug("Global settings: %s" % config)

    # Parse the JSON
    parsed_contents = json.loads(contents)
    logger.debug("Contents: %s" % contents)
    for entry in parsed_contents:
        if '_key' not in entry or entry['_key'] is None:
            continue
        uri = '/servicesNS/nobody/risk_manager/storage/collections/data/risks/' + entry['_key']
        # Get current risk
        serverResponse, risk = rest.simpleRequest(uri, sessionKey=sessionKey)
        logger.debug("Current risk: %s" % risk)
        risk = json.loads(risk)
        # Update risk only if the score has changed
        if int(risk['risk_score']) == int(entry['risk_score']):
            logger.info("Won't update risk_object_type=%s risk_object=%s, since score didn't change." % (entry['risk_object_type'], entry['risk_object']))
            continue
        logger.info("Updating risk_object_type=%s risk_object=%s to score=%s." % (entry['risk_object_type'], entry['risk_object'], entry['risk_score']))
        del entry['_key']
        # Reuse the stored risk_id; mint one only for records that lack it.
        if 'risk_id' not in risk:
            risk['risk_id'] = str(uuid.uuid4())
        entry['risk_id'] = risk['risk_id']
        entryStr = json.dumps(entry)
        serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=entryStr)
        logger.debug("Updated entry. serverResponse was ok")
        now = datetime.datetime.now().isoformat()
        # NOTE(review): the format string has six %s placeholders while the
        # tuple supplies seven values — confirm the user field's placeholder.
        # The risk_object values come from the request and are embedded in
        # quoted key=value pairs unescaped.
        event = 'time="%s" risk_id="%s" action="update_risk_score" alert="Risk Score Tuner" user="******" risk_object_type="%s" risk_object="%s" risk_score="%s" previous_risk_score="%s"' % (now, risk['risk_id'], user, entry['risk_object_type'], entry['risk_object'], entry['risk_score'], risk['risk_score'])
        logger.debug("Event will be: %s" % event)
        input.submit(event, hostname = socket.gethostname(), sourcetype = 'risk_scoring', source = 'helpers.py', index = config['index'])
    return 'Done'
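def _write_log_entry(self, sessionKey, user, post_data):
    """Index an incident_change audit event for a comment or a status change.

    Args:
        sessionKey: Splunk session key for the settings lookup and the submit.
        user: name of the acting user, recorded in the event.
        post_data: request form data; ``incident_id``, ``log_action`` and
            ``origin`` are required (the first two are popped). Optional:
            ``comment``, ``severity`` (default INFO), ``job_id``,
            ``result_id``, ``status``, ``previous_status``.

    Returns:
        ``self.response('Action logged', httplib.OK)`` on success; a
        BAD_REQUEST response for missing arguments or an unknown
        ``log_action``; INTERNAL_SERVER_ERROR when the submit raises.
    """
    logger.debug("START _write_log_entry()")
    required = ['incident_id', 'log_action', 'origin']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
    incident_id = post_data.pop('incident_id')
    log_action = post_data.pop('log_action')
    # Reject unknown actions up front instead of submitting an empty event.
    if log_action not in ("comment", "change"):
        return self.response("Unknown log_action: %s" % log_action, httplib.BAD_REQUEST)
    comment = post_data.get('comment', '')
    origin = post_data.get('origin', '')
    severity = post_data.get('severity', 'INFO')
    status = post_data.get('status', '')
    # Fix: previously read 'status' again, so previous_status always
    # mirrored status in the change event.
    previous_status = post_data.get('previous_status', '')
    job_id = post_data.get('job_id', '')
    result_id = post_data.get('result_id', '')
    now = datetime.datetime.now().isoformat()
    # Get Index
    config = {}
    config['index'] = 'main'
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            config['index'] = restconfig['settings']['index']
    # Newlines become <br /> so the comment stays on one event line.
    # NOTE(review): comment/status/origin are request-supplied and embedded
    # in quoted key=value pairs without escaping embedded quotes — consumers
    # must not treat these fields as trusted.
    comment = comment.replace('\n', '<br />').replace('\r', '')
    # md5 is used only to derive an opaque event id, not for security.
    event_id = hashlib.md5(incident_id + now).hexdigest()
    if log_action == "comment":
        event = 'time=%s severity="%s" origin="%s" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (now, severity, origin, event_id, user, incident_id, comment)
    else:
        # NOTE(review): the change branch still labels the event
        # action="comment" — confirm whether "change" was intended.
        event = 'time=%s severity="%s" origin="%s" event_id="%s" user="******" action="comment" incident_id="%s" job_id="%s" result_id="%s" status="%s" previous_status="%s"' % (now, severity, origin, event_id, user, incident_id, job_id, result_id, status, previous_status)
    logger.debug("Event will be: %s" % event)
    event = event.encode('utf8')
    try:
        splunk.setDefault('sessionKey', sessionKey)
        input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'helper.py', index = config['index'])
        return self.response('Action logged', httplib.OK)
    except Exception as e:
        # Handler boundary: log with traceback and turn it into a 500.
        msg = 'Unhandled Exception: {}'.format(str(e))
        logger.exception(msg)
        return self.response(msg, httplib.INTERNAL_SERVER_ERROR)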
def _get_freezers(self, sessionKey, query_params):
    """Return every record of the freezers KV collection as a JSON list.

    ``query_params`` is accepted for the common handler signature but not
    used; the whole collection is fetched with output_mode=json.

    Returns:
        ``self.response(freezers, httplib.OK)``.
    """
    logger.debug("START _get_freezers()")
    splunk.setDefault('sessionKey', sessionKey)
    collection_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers?output_mode=json'
    # Get item json
    response, body = rest.simpleRequest(collection_uri, sessionKey=sessionKey, method='GET')
    logger.debug("freezers: %s" % body)
    return self.response(json.loads(body), httplib.OK)
def _update_incident(self, sessionKey, user, post_data):
    """Dispatch an incident update to the single- or multi-incident updater.

    ``post_data['incident_data']`` (required, popped) is a JSON document.
    With more than one entry in its ``incident_ids`` the whole set goes to
    ``_do_update_incidents``; with exactly one, or with no ``incident_ids``
    at all (then ``incident_id`` is used), ``_do_update_incident`` runs.

    Returns:
        A success response with http.client.OK, or BAD_REQUEST when
        ``incident_data`` is absent.
    """
    logger.debug("START _update_incident()")
    required = ['incident_data']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response(
            "Missing required arguments: {}".format(missing),
            http.client.BAD_REQUEST)
    raw_incident_data = post_data.pop('incident_data')
    splunk.setDefault('sessionKey', sessionKey)
    eh = EventHandler(sessionKey=sessionKey)

    # Target index: 'main' unless configs/alert_manager overrides it.
    config = {'index': 'main'}
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0 and 'index' in restconfig['settings']:
        config['index'] = restconfig['settings']['index']
    logger.debug("Global settings: {}".format(config))

    # Parse the JSON
    incident_data = json.loads(raw_incident_data)
    # Several ids -> replace full documents; one id -> attribute update.
    has_id_list = 'incident_ids' in incident_data
    if has_id_list and len(incident_data['incident_ids']) > 1:
        logger.info("do_update_incidents")
        self._do_update_incidents(sessionKey, config, eh, incident_data, user)
    elif has_id_list and len(incident_data['incident_ids']) == 1:
        logger.info("do_update_incident")
        self._do_update_incident(sessionKey, config, eh, incident_data['incident_ids'][0], incident_data, user)
    else:
        # NOTE(review): an empty incident_ids list also lands here and then
        # requires incident_id — confirm callers never send an empty list.
        logger.info("do_update_incident")
        self._do_update_incident(sessionKey, config, eh, incident_data['incident_id'], incident_data, user)
    return self.response('Successfully updated incident(s).', http.client.OK)
def stream(self, records):
    """Enrich each record with the vendor of its MAC address and yield it.

    The MAC is read from ``self.field`` when configured, else from
    ``mac_address``. It is looked up at macvendorlookup.com and, on HTTP 200,
    ``<field>_vendor`` and ``<field>_vendor_country`` are added. Lookup
    failures are logged and the record is yielded unchanged.
    """
    sessionKey = self._input_header.get('sessionKey')
    splunk.setDefault('sessionKey', sessionKey)
    self.logger.debug("Started")
    for record in records:
        source_field = self.field if self.field else 'mac_address'
        if source_field not in record:
            self.logger.warn(
                "No mac_address field found in event, aborting.")
            yield record
            continue
        mac_address = record[source_field]
        if mac_address is None:
            self.logger.warn(
                "No mac_address field found in event, aborting.")
            yield record
            continue
        # NOTE(review): the MAC is sent to a third party over plain http and
        # is interpolated into the URL unencoded; the handle is never closed.
        url = 'http://www.macvendorlookup.com/api/v2/%s' % mac_address
        try:
            urlHandle = urllib.urlopen(url)
            if urlHandle.getcode() == 200:
                vendor_info = json.loads(urlHandle.read())
                record[source_field + '_vendor'] = vendor_info[0]['company']
                record[source_field + '_vendor_country'] = vendor_info[0]['country']
        except Exception as e:
            exc_type, exc_obj, exc_tb = sys.exc_info()
            self.logger.error(
                "Unable to open url %s. Reason: %s. Line: %s" % (url, exc_type, exc_tb.tb_lineno))
        yield record
def _add_freezer(self, sessionKey, user, post_data):
    """Create a freezer record from ``post_data['freezer_data']``.

    ``freezer_data`` (required, popped) is forwarded to the KV store as the
    JSON body of a POST exactly as received; the store's reply is parsed
    and returned.

    Returns:
        ``self.response(new_freezer, httplib.OK)``, or BAD_REQUEST when
        ``freezer_data`` is missing.
    """
    logger.debug("START _add_freezer()")
    logger.debug('post_data: %s', post_data)
    absent = [name for name in ['freezer_data'] if name not in post_data]
    if absent:
        return self.response("Missing required arguments: %s" % absent, httplib.BAD_REQUEST)
    freezer_data = post_data.pop('freezer_data')
    splunk.setDefault('sessionKey', sessionKey)
    # NOTE(review): the body is not parsed or validated before it is handed
    # to the KV store — the store's own validation is the only check.
    collection_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers'
    response, body = rest.simpleRequest(collection_uri, sessionKey=sessionKey, jsonargs=freezer_data, method='POST')
    logger.debug("new_freezer: %s" % body)
    return self.response(json.loads(body), httplib.OK)
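def _update_freezer(self, sessionKey, user, post_data):
    """Merge ``post_data['freezer_data']`` into the freezer with the same ``id``.

    ``freezer_data`` (required, popped) is a JSON object that must carry an
    ``id``. The freezers collection is fetched, the record whose ``id``
    matches (the last one, if several) is overlaid with the provided keys
    and POSTed back under its KV ``_key``.

    Returns:
        ``self.response(freezer_updated, httplib.OK)``; BAD_REQUEST when
        ``freezer_data`` or its ``id`` is missing; NOT_FOUND when no record
        has that ``id``.
    """
    logger.debug("START _update_freezer()")
    logger.debug('post_data: %s', post_data)
    required = ['freezer_data']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
    freezer_data = json.loads(post_data.pop('freezer_data'))
    logger.debug("freezer_data: %s" % freezer_data)
    if 'id' not in freezer_data:
        return self.response("Missing required arguments: %s" % ['id'], httplib.BAD_REQUEST)
    splunk.setDefault('sessionKey', sessionKey)
    freezers_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers?output_mode=json'
    # Get freezers json
    serverResponse, serverContent = rest.simpleRequest(freezers_uri, sessionKey=sessionKey, method='GET')
    logger.debug("freezers: %s" % serverContent)
    all_freezers = json.loads(serverContent)
    logger.debug("all_freezers: %s" % all_freezers)
    matches = [freezer for freezer in all_freezers if freezer.get('id') == freezer_data['id']]
    # Previously an unmatched id left update_freezer unbound and crashed
    # with UnboundLocalError; report it as a client error instead.
    if not matches:
        return self.response("No freezer with id %s" % freezer_data['id'], httplib.NOT_FOUND)
    update_freezer = matches[-1]
    update_freezer.update(freezer_data)
    freezer_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers/%s' % update_freezer['_key']
    logger.debug("freezer_uri: %s" % freezer_uri)
    update_freezer = json.dumps(update_freezer)
    serverResponse, serverContent = rest.simpleRequest(freezer_uri, sessionKey=sessionKey, jsonargs=update_freezer, method='POST')
    freezer_updated = json.loads(serverContent)
    logger.debug("freezer_updated: %s" % json.dumps(freezer_updated))
    return self.response(freezer_updated, httplib.OK)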
def getSessionKeyForTrustedUser(username, hostPath=None):
    """Obtain a session key for ``username`` via /services/auth/trustedlogin.

    No password is sent: this relies on splunkd trusting the caller. When
    ``hostPath`` is given the URI is prefixed with the merged host path. On
    success username and session key are stored as splunk.* defaults; on a
    non-200 reply an error is logged, messages are extracted and None is
    returned.
    """
    if hostPath:
        uri = splunk.mergeHostPath(hostPath) + '/services/auth/trustedlogin'
    else:
        uri = '/services/auth/trustedlogin'
    serverResponse, serverContent = rest.simpleRequest(uri, postargs={'username': username})
    if serverResponse.status == 200:
        sessionKey = et.fromstring(serverContent).findtext('sessionKey')
        splunk.setDefault('username', username)
        splunk.setDefault('sessionKey', sessionKey)
        return sessionKey
    logger.error('getSessionKey - unable to login; check credentials')
    rest.extractMessages(et.fromstring(serverContent))
    return None
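def _delete_item(self, sessionKey, query_params):
    """Delete one item record, addressed by ``_key`` or ``id``, and audit it.

    One of the identifiers must be in ``query_params``; it is popped and an
    ``id`` is resolved to the KV ``_key`` via ``_get_items``. When the
    DELETE returns 200 and indexing is enabled in freezer_inventory/settings,
    a ``freezer:item`` event describing the deletion is submitted.

    Returns:
        ``self.response({'_key': ..., 'action': ...}, httplib.OK)``, or
        BAD_REQUEST when neither identifier was supplied.
    """
    logger.debug("START _delete_item()")
    required = ['_key', 'id']
    missing = [r for r in required if r not in query_params]
    if len(missing) > 1:
        return self.response("Missing a required argument: %s" % missing, httplib.BAD_REQUEST)
    splunk.setDefault('sessionKey', sessionKey)
    if '_key' in query_params:
        item_id = query_params.pop('_key')
    else:
        item_id = query_params.pop('id')
    all_items = self._get_items(sessionKey, query_params)
    logger.debug("all_items: %s" % all_items)
    for item in all_items['payload']:
        if item['id'] == item_id:
            item_id = item['_key']
    items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items/%s' % item_id
    logger.debug("items_uri: %s" % items_uri)
    items = {'_key': item_id, 'action': "removed"}
    # Get item json
    serverResponse, serverContent = rest.simpleRequest(
        items_uri, sessionKey=sessionKey, method='DELETE')
    if int(serverResponse['status']) == 200:
        # Get Index
        config = {}
        config['index'] = 'main'
        config['enable'] = 'false'
        restconfig = entity.getEntities('freezer_inventory/settings', count=-1, sessionKey=sessionKey)
        if len(restconfig) > 0:
            if 'index' in restconfig['indexing']:
                config['index'] = restconfig['indexing']['index']
            # Fix: this used to test 'index' again and then read 'enable',
            # raising KeyError when only 'index' was configured.
            if 'enable' in restconfig['indexing']:
                config['enable'] = restconfig['indexing']['enable']
        if config['enable'].lower() in ("true", "1"):
            # NOTE(review): event aliases `items`, so the response body says
            # action="deleted" when indexing is on and "removed" otherwise —
            # confirm which value clients expect.
            event = items
            event['action'] = "deleted"
            event = json.dumps(event)
            logger.debug("Event will be: %s" % event)
            event = event.encode('utf8')
            input.submit(event, hostname=socket.gethostname(), sourcetype='freezer:item', source='items_rest_endpoint.py', index=config['index'])
            logger.debug("Event successfully added")
    logger.debug("items: %s" % json.dumps(items))
    return self.response(items, httplib.OK)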
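def _update_item(self, sessionKey, user, post_data):
    """Overlay ``post_data['item_data']`` on an existing item record and audit it.

    ``item_data`` (required, popped) is a JSON object addressed by ``_key``
    or, failing that, ``id``. The matching record is fetched from the items
    collection, the provided fields (except the lookup field) are merged in
    and the result is POSTed back under its ``_key``. On a 200 reply, and
    when indexing is enabled in freezer_inventory/settings, a
    ``freezer:item`` event with action="updated" is submitted.

    Returns:
        ``self.response(items, httplib.OK)`` with the store's reply;
        BAD_REQUEST when ``item_data`` or both identifiers are missing;
        NOT_FOUND when no record matches.
    """
    logger.debug("START _update_item()")
    logger.debug('post_data: %s', post_data)
    required = ['item_data']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
    item_data = json.loads(post_data.pop('item_data'))
    logger.debug("item_data: %s" % item_data)
    splunk.setDefault('sessionKey', sessionKey)
    required = ['_key', 'id']
    missing = [r for r in required if r not in item_data]
    if len(missing) > 1:
        return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
    # _key wins over id when both are supplied.
    lookup = '_key' if '_key' in item_data else 'id'
    items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items?output_mode=json'
    # Get item json
    serverResponse, serverContent = rest.simpleRequest(
        items_uri, sessionKey=sessionKey, method='GET')
    logger.debug("items: %s" % serverContent)
    all_items = json.loads(serverContent)
    # Previously the loop deleted the lookup key from item_data mid-scan,
    # so later iterations silently switched to matching by id, and an
    # unmatched lookup crashed with UnboundLocalError.
    updated_item = None
    for item in all_items:
        if item.get(lookup) == item_data[lookup]:
            updated_item = item
            break
    if updated_item is None:
        return self.response("No item with %s %s" % (lookup, item_data[lookup]), httplib.NOT_FOUND)
    provided_keys = dict(item_data)
    del provided_keys[lookup]
    logger.debug("updated_item: %s" % updated_item)
    updated_item.update(provided_keys)
    item_id = updated_item["_key"]
    updated_item = json.dumps(updated_item)
    logger.debug("updated_item: %s" % updated_item)
    items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items/%s' % item_id
    # Write the merged record back
    serverResponse, serverContent = rest.simpleRequest(
        items_uri, sessionKey=sessionKey, jsonargs=updated_item, method='POST')
    logger.debug("items: %s" % serverContent)
    if int(serverResponse['status']) == 200:
        # Get Index
        config = {}
        config['index'] = 'main'
        config['enable'] = 'false'
        restconfig = entity.getEntities('freezer_inventory/settings', count=-1, sessionKey=sessionKey)
        if len(restconfig) > 0:
            if 'index' in restconfig['indexing']:
                config['index'] = restconfig['indexing']['index']
            # Fix: this used to test 'index' again and then read 'enable'.
            if 'enable' in restconfig['indexing']:
                config['enable'] = restconfig['indexing']['enable']
        if config['enable'].lower() in ("true", "1"):
            event = json.loads(updated_item)
            event['action'] = "updated"
            event = json.dumps(event)
            logger.debug("Event will be: %s" % event)
            event = event.encode('utf8')
            input.submit(event, hostname=socket.gethostname(), sourcetype='freezer:item', source='items_rest_endpoint.py', index=config['index'])
            logger.debug("Event successfully added")
    items = json.loads(serverContent)
    return self.response(items, httplib.OK)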
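def _add_item(self, sessionKey, user, post_data):
    """Create an item record from ``post_data['item_data']`` and audit it.

    ``item_data`` (required, popped) must be a JSON document; it is posted
    to the items collection as-is. When the store answers 201 and indexing
    is enabled in freezer_inventory/settings, a ``freezer:item`` event
    (the document plus action="added" and the new ``_key``) is submitted.

    Returns:
        ``self.response(item, httplib.OK)`` with the store's reply, or
        BAD_REQUEST when ``item_data`` is missing or is not valid JSON.
    """
    logger.debug("START _add_item()")
    logger.debug('post_data: %s', post_data)
    required = ['item_data']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
    item_data = post_data.pop('item_data')
    splunk.setDefault('sessionKey', sessionKey)
    # Validate the JSON before it reaches the KV store; the same text is
    # parsed again below to build the audit event.
    try:
        json.loads(item_data)
    except ValueError:
        return self.response("item_data is not valid JSON", httplib.BAD_REQUEST)
    items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items'
    # Create the record
    serverResponse, serverContent = rest.simpleRequest(
        items_uri, sessionKey=sessionKey, jsonargs=item_data, method='POST')
    logger.debug("response: %s" % serverResponse)
    logger.debug("item: %s" % serverContent)
    item = json.loads(serverContent)
    if int(serverResponse['status']) == 201:
        # Get Index
        config = {}
        config['index'] = 'main'
        config['enable'] = 'false'
        restconfig = entity.getEntities('freezer_inventory/settings', count=-1, sessionKey=sessionKey)
        if len(restconfig) > 0:
            if 'index' in restconfig['indexing']:
                config['index'] = restconfig['indexing']['index']
            # Fix: this used to test 'index' again and then read 'enable',
            # raising KeyError when only 'index' was configured.
            if 'enable' in restconfig['indexing']:
                config['enable'] = restconfig['indexing']['enable']
        if config['enable'].lower() in ("true", "1"):
            event = json.loads(item_data)
            event['action'] = "added"
            event['_key'] = item['_key']
            event = json.dumps(event)
            logger.debug("Event will be: %s" % event)
            event = event.encode('utf8')
            input.submit(event, hostname=socket.gethostname(), sourcetype='freezer:item', source='items_rest_endpoint.py', index=config['index'])
            logger.debug("Event successfully added")
    return self.response(item, httplib.OK)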
su.unescape(requestXml.findtext('payload')), 'restmap': {} } for node in requestXml.findall('headers/header'): requestDict['headers'][node.get('key', '').lower()] = su.unescape( node.text) for node in requestXml.findall('query/arg'): requestDict['query'][node.get('key')] = su.unescape(node.text) for node in requestXml.findall('form/arg'): requestDict['form'][node.get('key')] = su.unescape(node.text) for node in requestXml.findall('restmap/key'): requestDict['restmap'][node.get('name')] = su.unescape(node.text) # set the host and port (host, port) = util.splithost(requestDict['headers']['host']) splunk.setDefault('host', host) if port: splunk.setDefault('port', port) # check if payload content can be auto-converted to primitives # parsedPayload = format.parseFeedDocument(requestDict['payload']) except Exception, e: logger.error( 'Python REST dispatcher received well-formed but unrecognized XML from HTTP server.' ) raise # locate module parts = handlerClassName.split('.') if not len(parts) or len(parts) > 2 or not handlerClassName:
def save(self, contents, **kwargs):
    """Persist edited incident settings and emit change/comment audit events.

    ``contents`` is a JSON object holding ``incident_id``, ``comment`` and
    any incident fields to change. The incident is looked up in the
    alert_manager incidents collection; every stored key whose value differs
    from ``contents`` is written to the configured index as an
    incident_change event and updated in place, the record is POSTed back,
    and an EventHandler notification is fired when anything changed. A
    non-empty comment is indexed as a separate event.

    Returns:
        The string 'Done'.
    """
    logger.info("Saving incident settings contents...")
    user = cherrypy.session['user']['name']
    sessionKey = cherrypy.session.get('sessionKey')
    splunk.setDefault('sessionKey', sessionKey)
    eh = EventHandler(sessionKey = sessionKey)
    # Target index: 'alerts' unless configs/alert_manager overrides it.
    config = {}
    config['index'] = 'alerts'
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            config['index'] = restconfig['settings']['index']
    logger.debug("Global settings: %s" % config)
    # Parse the JSON
    contents = json.loads(contents)
    logger.debug("Contents: %s" % json.dumps(contents))
    # Get key
    query = {}
    query['incident_id'] = contents['incident_id']
    logger.debug("Filter: %s" % json.dumps(query))
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
    serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
    logger.debug("Settings for incident: %s" % incident)
    # NOTE(review): an unknown incident_id yields an empty list and
    # incident[0] below raises IndexError — confirm callers cannot hit this.
    incident = json.loads(incident)
    # Update incident
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[0]['_key']
    logger.debug("URI for incident update: %s" % uri )
    # Prepared new entry
    now = datetime.datetime.now().isoformat()
    changed_keys = []
    # Only keys already present on the stored incident are considered.
    for key in incident[0].keys():
        if (key in contents) and (incident[0][key] != contents[key]):
            changed_keys.append(key)
            logger.info("%s for incident %s changed. Writing change event to index %s." % (key, incident[0]['incident_id'], config['index']))
            # md5 only derives an opaque event id; not a security use.
            event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
            # NOTE(review): contents[key] is request-supplied and embedded in
            # a quoted key=value pair unescaped; the placeholder count here
            # also looks one short of the tuple — confirm the user field.
            event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"' % (now, event_id, user, incident[0]['incident_id'], key, contents[key], key, incident[0][key])
            logger.debug("Change event will be: %s" % event)
            # Unlike the comment event below this one is not utf8-encoded.
            input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py', index = config['index'])
            incident[0][key] = contents[key]
        else:
            logger.info("%s for incident %s didn't change." % (key, incident[0]['incident_id']))
    # _key must not be part of the document body on update.
    del incident[0]['_key']
    contentsStr = json.dumps(incident[0])
    logger.debug("content for update: %s" % contentsStr)
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
    logger.debug("Response from update incident entry was %s " % serverResponse)
    logger.debug("Changed keys: %s" % changed_keys)
    if len(changed_keys) > 0:
        ic = IncidentContext(sessionKey, contents['incident_id'])
        # An owner change outranks a status change for the notification type.
        if "owner" in changed_keys:
            eh.handleEvent(alert=incident[0]["alert"], event="incident_assigned", incident=incident[0], context=ic.getContext())
        elif "status" in changed_keys and contents["status"] == "resolved":
            eh.handleEvent(alert=incident[0]["alert"], event="incident_resolved", incident=incident[0], context=ic.getContext())
        else:
            eh.handleEvent(alert=incident[0]["alert"], event="incident_changed", incident=incident[0], context=ic.getContext())
    # 'comment' is read unconditionally; a request without it raises KeyError.
    if contents['comment'] != "":
        event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
        event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (now, event_id, user, incident[0]['incident_id'], contents['comment'])
        logger.debug("Comment event will be: %s" % event)
        event = event.encode('utf8')
        input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py', index = config['index'])
    return 'Done'
'payload': su.unescape(requestXml.findtext('payload')), 'restmap': {} }) for node in requestXml.findall('headers/header'): requestDict['headers'][node.get('key','').lower()] = su.unescape(node.text or "") for node in requestXml.findall('query/arg'): requestDict['query'][node.get('key')] = su.unescape(node.text or "") for node in requestXml.findall('form/arg'): requestDict['form'][node.get('key')] = su.unescape(node.text or "") for node in requestXml.findall('restmap/key'): requestDict['restmap'][node.get('name')] = su.unescape(node.text or "") # set the host and port try: (host, port) = util.splithost(requestDict['headers']['host']) splunk.setDefault('host', host) if port: splunk.setDefault('port', port) except KeyError: # It must have been an HTTP/1.0 request with no Host: header localIP = su.unescape(requestXml.findtext('connectionData/nicIPaddr')) if localIP == "": localIP = "127.0.0.1" if requestDict['remoteAddr'].find(':') >= 0: # if connection was IPv6, use that localIP = "::1" splunk.setDefault('host', localIP) splunk.setDefault('port', su.unescape(requestXml.findtext('connectionData/listeningPort'))) # check if payload content can be auto-converted to primitives # parsedPayload = format.parseFeedDocument(requestDict['payload'])
file_handler = logging.handlers.RotatingFileHandler(make_splunkhome_path(['var', 'log', 'splunk', log_name]), maxBytes=2500000, backupCount=5) formatter = logging.Formatter(log_format) file_handler.setFormatter(formatter) logger.handlers = [] logger.addHandler(file_handler) logger.debug("init read structures service logger") return logger logger = setupLogger() splunk.setDefault() local_host_path = splunk.mergeHostPath() class SOLNSelectorError(cherrypy.HTTPError): """ This error class will be used to set the status and msg on the error responses. """ def get_error_page(self, *args, **kwargs): kwargs['noexname'] = 'true' return super(SOLNSelectorError, self).get_error_page(*args, **kwargs) class read_structures_service(controllers.BaseController): '''Read Structures Service Controller'''
def save(self, contents, **kwargs):
    """Persist edited incident settings and emit change/comment audit events.

    ``contents`` is a JSON object holding ``incident_id``, ``comment`` and
    any incident fields to change. The incident is looked up in the
    alert_manager incidents collection; every stored key whose value differs
    from ``contents`` is written to the configured index as an
    incident_change event and updated in place, the record is POSTed back,
    and an EventHandler notification is fired when anything changed. A
    non-empty comment is indexed as a separate event.

    Returns:
        The string "Done".
    """
    logger.info("Saving incident settings contents...")
    user = cherrypy.session["user"]["name"]
    sessionKey = cherrypy.session.get("sessionKey")
    splunk.setDefault("sessionKey", sessionKey)
    eh = EventHandler(sessionKey=sessionKey)
    # Target index: "alerts" unless configs/alert_manager overrides it.
    config = {}
    config["index"] = "alerts"
    restconfig = entity.getEntities("configs/alert_manager", count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if "index" in restconfig["settings"]:
            config["index"] = restconfig["settings"]["index"]
    logger.debug("Global settings: %s" % config)
    # Parse the JSON
    contents = json.loads(contents)
    logger.debug("Contents: %s" % json.dumps(contents))
    # Get key
    query = {}
    query["incident_id"] = contents["incident_id"]
    logger.debug("Filter: %s" % json.dumps(query))
    uri = "/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s" % urllib.quote(
        json.dumps(query)
    )
    serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
    logger.debug("Settings for incident: %s" % incident)
    # NOTE(review): an unknown incident_id yields an empty list and
    # incident[0] below raises IndexError — confirm callers cannot hit this.
    incident = json.loads(incident)
    # Update incident
    uri = "/servicesNS/nobody/alert_manager/storage/collections/data/incidents/" + incident[0]["_key"]
    logger.debug("URI for incident update: %s" % uri)
    # Prepared new entry
    now = datetime.datetime.now().isoformat()
    changed_keys = []
    # Only keys already present on the stored incident are considered.
    for key in incident[0].keys():
        if (key in contents) and (incident[0][key] != contents[key]):
            changed_keys.append(key)
            logger.info(
                "%s for incident %s changed. Writing change event to index %s."
                % (key, incident[0]["incident_id"], config["index"])
            )
            # md5 only derives an opaque event id; not a security use.
            event_id = hashlib.md5(incident[0]["incident_id"] + now).hexdigest()
            # NOTE(review): contents[key] is request-supplied and embedded in
            # a quoted key=value pair unescaped; the placeholder count here
            # also looks one short of the tuple — confirm the user field.
            event = (
                'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"'
                % (now, event_id, user, incident[0]["incident_id"], key, contents[key], key, incident[0][key])
            )
            logger.debug("Change event will be: %s" % event)
            # Unlike the comment event below this one is not utf8-encoded.
            input.submit(
                event,
                hostname=socket.gethostname(),
                sourcetype="incident_change",
                source="incident_settings.py",
                index=config["index"],
            )
            incident[0][key] = contents[key]
        else:
            logger.info("%s for incident %s didn't change." % (key, incident[0]["incident_id"]))
    # _key must not be part of the document body on update.
    del incident[0]["_key"]
    contentsStr = json.dumps(incident[0])
    logger.debug("content for update: %s" % contentsStr)
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
    logger.debug("Response from update incident entry was %s " % serverResponse)
    logger.debug("Changed keys: %s" % changed_keys)
    if len(changed_keys) > 0:
        ic = IncidentContext(sessionKey, contents["incident_id"])
        # An owner change outranks a status change for the notification type.
        if "owner" in changed_keys:
            eh.handleEvent(
                alert=incident[0]["alert"], event="incident_assigned", incident=incident[0], context=ic.getContext()
            )
        elif "status" in changed_keys and contents["status"] == "resolved":
            eh.handleEvent(
                alert=incident[0]["alert"], event="incident_resolved", incident=incident[0], context=ic.getContext()
            )
        else:
            eh.handleEvent(
                alert=incident[0]["alert"], event="incident_changed", incident=incident[0], context=ic.getContext()
            )
    # "comment" is read unconditionally; a request without it raises KeyError.
    if contents["comment"] != "":
        event_id = hashlib.md5(incident[0]["incident_id"] + now).hexdigest()
        event = (
            'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"'
            % (now, event_id, user, incident[0]["incident_id"], contents["comment"])
        )
        logger.debug("Comment event will be: %s" % event)
        event = event.encode("utf8")
        input.submit(
            event,
            hostname=socket.gethostname(),
            sourcetype="incident_change",
            source="incident_settings.py",
            index=config["index"],
        )
    return "Done"
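def stream(self, records):
    """Apply the command's status/owner/urgency/comment to each record's incident.

    For every record carrying an ``incident_id`` the matching entry of the
    ``incidents`` KV store collection is read, each attribute that differs is
    written back, and one ``incident_change`` audit event is indexed per changed
    attribute (plus one for the comment, when given).  Records are yielded
    unchanged whether or not anything was modified.

    Args:
        records: iterable of search result dicts; only ``incident_id`` is read.

    Yields:
        every input record, unchanged.
    """
    #self.logger.debug('ModifyIncidentsCommand: %s', self) # logs command line
    user = self._input_header.get('owner')
    sessionKey = self._input_header.get('sessionKey')
    # input.submit() cannot be handed a sessionKey, so set the SDK-wide default.
    splunk.setDefault('sessionKey', sessionKey)

    #
    # Get global settings
    #
    self.config['index'] = 'main'
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            self.config['index'] = restconfig['settings']['index']
    self.logger.debug("Global settings: %s" % self.config)

    # The attributes to apply are fixed for the whole invocation; build them once.
    attrs = {}
    if self.status:
        attrs['status'] = self.status
    if self.owner:
        attrs['owner'] = self.owner
    if self.urgency:
        attrs['urgency'] = self.urgency
    self.logger.debug("Attrs: %s" % attrs)
    if self.comment:
        # Comments are indexed as a single line.
        self.comment = self.comment.replace('\n', '<br />').replace('\r', '')
    submit_args = dict(hostname=socket.gethostname(), sourcetype='incident_change',
                       source='modifyincidents.py', index=self.config['index'])

    self.logger.debug("Started")
    for record in records:
        if 'incident_id' not in record:
            self.logger.warn("No incident_id field found in event, aborting.")
        elif not attrs and not self.comment:
            self.logger.warn("No attributes to modify found, aborting.")
        else:
            incident_id = record['incident_id']
            uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps({'incident_id': incident_id}))
            serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
            incidents = json.loads(serverContent)
            if not incidents:
                # An unknown incident_id used to raise IndexError and abort the whole command.
                self.logger.warn("Incident %s not found in collection, skipping." % incident_id)
            else:
                incident = incidents[0]
                self.logger.debug("Read incident from collection: %s" % json.dumps(incident))
                now = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime())
                # md5 only derives an event id shared by this record's audit events;
                # it is not a security control.
                event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
                changed_keys = [k for k in incident.keys() if k in attrs and incident[k] != attrs[k]]
                # NOTE(review): attribute values and the comment are interpolated into the
                # key="value" audit event unescaped; a double quote inside a value changes
                # how the event's fields are extracted downstream.
                # The 'user' value is supplied in the tuple but had no placeholder in the
                # literal, so the format raised at runtime; placeholder restored.
                for key in changed_keys:
                    event = ('time="%s" severity=INFO origin="ModifyIncidentsCommand" event_id="%s" '
                             'user="%s" action="change" incident_id="%s" %s="%s" previous_%s="%s"'
                             % (now, event_id, user, incident['incident_id'], key, attrs[key], key, incident[key]))
                    input.submit(event, **submit_args)
                    incident[key] = attrs[key]
                if changed_keys:
                    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident['_key']
                    del incident['_key']
                    rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=json.dumps(incident))
                if self.comment:
                    event = ('time="%s" severity=INFO origin="ModifyIncidentsCommand" event_id="%s" '
                             'user="%s" action="comment" incident_id="%s" comment="%s"'
                             % (now, event_id, user, incident['incident_id'], self.comment))
                    input.submit(event.encode('utf8'), **submit_args)
        yield record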
return None if serverResponse.status != 200: logger.error( "getRemoteSessionKey - unable to login; check credentials") rest.extractMessages(et.fromstring(serverContent)) return None root = et.fromstring(serverContent) sessionKey = root.findtext("sessionKey") return sessionKey logger = setupLogger() splunk.setDefault() local_host_path = splunk.mergeHostPath() def readRestConfigForCsv(): path = CSV_PATH conf = [] f = open(path, "r") try: info_file = csv.reader(f) for line in info_file: conf = line except: logger.error('file=clayrest.py, msg=Read clay_rest_info.csv Error') stack = traceback.format_exc() logger.error(stack)
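def _update_incident(self, sessionKey, user, post_data):
    """Update a stored incident from a posted ``incident_data`` JSON object.

    Every key of ``incident_data`` whose value differs from the stored incident
    is written back to the ``incidents`` collection and produces one
    ``incident_change`` audit event.  Afterwards the event handler is notified
    once (``incident_assigned`` when the owner changed, ``incident_resolved``
    when the status became ``resolved``, else ``incident_changed``) and, when a
    non-empty ``comment`` is present, a comment event and
    ``incident_commented`` notification follow.

    Args:
        sessionKey: Splunk session used for REST calls, submits and the event handler.
        user: name recorded in the audit events.
        post_data: form fields; ``incident_data`` (a JSON string) is required.

    Returns:
        ``self.response(...)`` with ``httplib.OK`` on success, ``BAD_REQUEST``
        when ``incident_data`` is missing, not JSON or lacks ``incident_id``,
        and ``NOT_FOUND`` when no incident matches.
    """
    logger.debug("START _update_incident()")
    required = ['incident_data']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)

    # Parse the JSON before touching the backend so malformed input is a 400, not a 500.
    try:
        incident_data = json.loads(post_data.pop('incident_data'))
    except ValueError:
        return self.response("incident_data is not valid JSON", httplib.BAD_REQUEST)
    if 'incident_id' not in incident_data:
        return self.response("incident_data lacks incident_id", httplib.BAD_REQUEST)
    incident_id = incident_data['incident_id']

    splunk.setDefault('sessionKey', sessionKey)
    eh = EventHandler(sessionKey=sessionKey)

    config = {'index': 'main'}
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            config['index'] = restconfig['settings']['index']
    logger.debug("Global settings: %s" % config)

    # Get key
    query = {'incident_id': incident_id}
    logger.debug("Filter: %s" % json.dumps(query))
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
    logger.debug("Settings for incident: %s" % serverContent)
    incidents = json.loads(serverContent)
    if not incidents:
        # Used to raise IndexError on incident[0].
        return self.response("Incident not found: %s" % incident_id, httplib.NOT_FOUND)
    incident = incidents[0]

    # Update incident
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident['_key']
    logger.debug("URI for incident update: %s" % uri)

    # Prepared new entry
    now = datetime.datetime.now().isoformat()
    # md5 only derives an event id; it is not a security control.
    event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
    submit_args = dict(hostname=socket.gethostname(), sourcetype='incident_change',
                       source='incident_settings.py', index=config['index'])
    # NOTE(review): values from incident_data are interpolated into the key="value"
    # audit events unescaped; a double quote inside a value changes how the event's
    # fields are extracted downstream.
    # The 'user' value is supplied in the tuple but had no placeholder in the
    # literal, so the format raised at runtime; placeholder restored.
    changed_keys = []
    for key in incident.keys():
        if key in incident_data and incident[key] != incident_data[key]:
            changed_keys.append(key)
            logger.info("%s for incident %s changed. Writing change event to index %s." % (key, incident['incident_id'], config['index']))
            event = ('time=%s severity=INFO origin="incident_posture" event_id="%s" user="%s" '
                     'action="change" incident_id="%s" %s="%s" previous_%s="%s"'
                     % (now, event_id, user, incident['incident_id'], key, incident_data[key], key, incident[key]))
            logger.debug("Change event will be: %s" % event)
            input.submit(event, **submit_args)
            incident[key] = incident_data[key]
        else:
            logger.info("%s for incident %s didn't change." % (key, incident['incident_id']))

    del incident['_key']
    contentsStr = json.dumps(incident)
    logger.debug("content for update: %s" % contentsStr)
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
    logger.debug("Response from update incident entry was %s " % serverResponse)

    logger.debug("Changed keys: %s" % changed_keys)
    if changed_keys:
        ic = IncidentContext(sessionKey, incident_id)
        if "owner" in changed_keys:
            event_name = "incident_assigned"
        elif "status" in changed_keys and incident_data["status"] == "resolved":
            event_name = "incident_resolved"
        else:
            event_name = "incident_changed"
        eh.handleEvent(alert=incident["alert"], event=event_name, incident=incident, context=ic.getContext())

    # A missing comment key used to raise KeyError; treat it as "no comment".
    comment = incident_data.get('comment', '')
    if comment != "":
        comment = comment.replace('\n', '<br />').replace('\r', '')
        event = ('time=%s severity=INFO origin="incident_posture" event_id="%s" user="%s" '
                 'action="comment" incident_id="%s" comment="%s"'
                 % (now, event_id, user, incident['incident_id'], comment))
        logger.debug("Comment event will be: %s" % event)
        input.submit(event.encode('utf8'), **submit_args)
        ic = IncidentContext(sessionKey, incident_id)
        eh.handleEvent(alert=incident["alert"], event="incident_commented", incident=incident, context=ic.getContext())

    return self.response('Successfully updated incident.', httplib.OK)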
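def _update_incident(self, sessionKey, user, post_data):
    """Update a stored incident from a posted ``incident_data`` JSON object.

    Every key of ``incident_data`` whose value differs from the stored incident
    is written back to the ``incidents`` collection and produces one
    ``incident_change`` audit event.  Afterwards the event handler is notified
    once (``incident_assigned`` when the owner changed, ``incident_resolved``
    when the status became ``resolved``, else ``incident_changed``) and, when a
    non-empty ``comment`` is present, a comment event and
    ``incident_commented`` notification follow.

    Args:
        sessionKey: Splunk session used for REST calls, submits and the event handler.
        user: name recorded in the audit events.
        post_data: form fields; ``incident_data`` (a JSON string) is required.

    Returns:
        ``self.response(...)`` with ``httplib.OK`` on success, ``BAD_REQUEST``
        when ``incident_data`` is missing, not JSON or lacks ``incident_id``,
        and ``NOT_FOUND`` when no incident matches.
    """
    logger.debug("START _update_incident()")
    required = ['incident_data']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)

    # Parse the JSON before touching the backend so malformed input is a 400, not a 500.
    try:
        incident_data = json.loads(post_data.pop('incident_data'))
    except ValueError:
        return self.response("incident_data is not valid JSON", httplib.BAD_REQUEST)
    if 'incident_id' not in incident_data:
        return self.response("incident_data lacks incident_id", httplib.BAD_REQUEST)
    incident_id = incident_data['incident_id']

    splunk.setDefault('sessionKey', sessionKey)
    eh = EventHandler(sessionKey=sessionKey)

    config = {'index': 'main'}
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            config['index'] = restconfig['settings']['index']
    logger.debug("Global settings: %s" % config)

    # Get key
    query = {'incident_id': incident_id}
    logger.debug("Filter: %s" % json.dumps(query))
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
    logger.debug("Settings for incident: %s" % serverContent)
    incidents = json.loads(serverContent)
    if not incidents:
        # Used to raise IndexError on incident[0].
        return self.response("Incident not found: %s" % incident_id, httplib.NOT_FOUND)
    incident = incidents[0]

    # Update incident
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident['_key']
    logger.debug("URI for incident update: %s" % uri)

    # Prepared new entry
    now = datetime.datetime.now().isoformat()
    # md5 only derives an event id; it is not a security control.
    event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
    submit_args = dict(hostname=socket.gethostname(), sourcetype='incident_change',
                       source='incident_settings.py', index=config['index'])
    # NOTE(review): values from incident_data are interpolated into the key="value"
    # audit events unescaped; a double quote inside a value changes how the event's
    # fields are extracted downstream.
    # The 'user' value is supplied in the tuple but had no placeholder in the
    # literal, so the format raised at runtime; placeholder restored.
    changed_keys = []
    for key in incident.keys():
        if key in incident_data and incident[key] != incident_data[key]:
            changed_keys.append(key)
            logger.info("%s for incident %s changed. Writing change event to index %s." % (key, incident['incident_id'], config['index']))
            event = ('time=%s severity=INFO origin="incident_posture" event_id="%s" user="%s" '
                     'action="change" incident_id="%s" %s="%s" previous_%s="%s"'
                     % (now, event_id, user, incident['incident_id'], key, incident_data[key], key, incident[key]))
            logger.debug("Change event will be: %s" % event)
            input.submit(event, **submit_args)
            incident[key] = incident_data[key]
        else:
            logger.info("%s for incident %s didn't change." % (key, incident['incident_id']))

    del incident['_key']
    contentsStr = json.dumps(incident)
    logger.debug("content for update: %s" % contentsStr)
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
    logger.debug("Response from update incident entry was %s " % serverResponse)

    logger.debug("Changed keys: %s" % changed_keys)
    if changed_keys:
        ic = IncidentContext(sessionKey, incident_id)
        if "owner" in changed_keys:
            event_name = "incident_assigned"
        elif "status" in changed_keys and incident_data["status"] == "resolved":
            event_name = "incident_resolved"
        else:
            event_name = "incident_changed"
        eh.handleEvent(alert=incident["alert"], event=event_name, incident=incident, context=ic.getContext())

    # A missing comment key used to raise KeyError; treat it as "no comment".
    comment = incident_data.get('comment', '')
    if comment != "":
        comment = comment.replace('\n', '<br />').replace('\r', '')
        event = ('time=%s severity=INFO origin="incident_posture" event_id="%s" user="%s" '
                 'action="comment" incident_id="%s" comment="%s"'
                 % (now, event_id, user, incident['incident_id'], comment))
        logger.debug("Comment event will be: %s" % event)
        input.submit(event.encode('utf8'), **submit_args)
        ic = IncidentContext(sessionKey, incident_id)
        eh.handleEvent(alert=incident["alert"], event="incident_commented", incident=incident, context=ic.getContext())

    return self.response('Successfully updated incident.', httplib.OK)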
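def _set_default_freezer(self, sessionKey, user, post_data):
    """Mark one freezer as the default and clear the flag on every other freezer.

    ``post_data['freezer_data']`` is a JSON object naming the freezer by ``_key``
    (preferred) or ``id``.  Every freezer of the collection is rewritten through
    ``batch_save`` with ``default`` set to whether it matches.

    Args:
        sessionKey: Splunk session used for the collection reads and writes.
        user: unused; kept for the handler signature.
        post_data: form fields; ``freezer_data`` is required.

    Returns:
        ``self.response(...)`` with the ``batch_save`` result and ``httplib.OK``,
        or ``httplib.BAD_REQUEST`` when ``freezer_data`` is missing, is not
        valid JSON, or carries neither ``_key`` nor ``id``.
    """
    logger.debug("START _set_default_freezer()")
    logger.debug('post_data: %s', post_data)
    required = ['freezer_data']
    missing = [r for r in required if r not in post_data]
    if missing:
        msg = "Missing required arguments: %s" % missing
        # logger.error rather than logger.exception: there is no exception being handled here.
        logger.error(msg)
        return self.response(msg, httplib.BAD_REQUEST)

    try:
        freezer_data = json.loads(post_data.pop('freezer_data'))
    except ValueError:
        return self.response("freezer_data is not valid JSON", httplib.BAD_REQUEST)
    logger.debug("input_freezer_data: %s" % freezer_data)

    # Select the freezer by a single attribute.  When both are given '_key' wins,
    # which is also what the former two-pass loop ended up with (the '_key' pass
    # overwrote the 'id' pass, but every freezer was then posted twice).
    if '_key' in freezer_data:
        selector = '_key'
    elif 'id' in freezer_data:
        selector = 'id'
    else:
        return self.response("freezer_data needs '_key' or 'id'", httplib.BAD_REQUEST)
    wanted = freezer_data[selector]

    splunk.setDefault('sessionKey', sessionKey)
    freezers_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers?output_mode=json'

    # Get item json
    serverResponse, serverContent = rest.simpleRequest(freezers_uri, sessionKey=sessionKey, method='GET')
    logger.debug("freezers: %s" % serverContent)
    freezers = json.loads(serverContent)

    update_data = []
    for freezer in freezers:
        freezer["default"] = (freezer.get(selector) == wanted)
        update_data.append(freezer)
    if not any(freezer["default"] for freezer in update_data):
        # Same outcome as before (no default at all); just make it visible.
        logger.warn("No freezer matched %s=%s; no default set." % (selector, wanted))

    update_data = json.dumps(update_data)
    logger.debug("update_data: %s" % update_data)
    update_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers/batch_save'
    serverResponse, serverContent = rest.simpleRequest(update_uri, sessionKey=sessionKey, jsonargs=update_data, method='POST')
    logger.debug("batch_update: %s" % serverContent)
    freezers_updated = json.loads(serverContent)

    return self.response(freezers_updated, httplib.OK)

#def _get_freezer_items(self, sessionKey, query_params):
#    logger.debug("START _get_item_info()")
#    required = ['_key','id']
#    missing = [r for r in required if r not in query_params]
#    if len(missing) > 1:
#        return self.response("Missing a required argument: %s" % missing, httplib.BAD_REQUEST)
#
#    splunk.setDefault('sessionKey', sessionKey)
#
#    if '_key' in query_params:
#        item_id = query_params.pop('_key')
#    else:
#        item_id = query_params.pop('id')
#        all_items = self._get_items(sessionKey, query_params)
#        logger.debug("all_items: %s" % all_items)
#        for item in all_items['payload']:
#            if item['id'] == item_id:
#                item_id = item['_key']
#
#    items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/freezers/%s' % item_id
#
#    # Get item json
#    serverResponse, serverContent = rest.simpleRequest(items_uri, sessionKey=sessionKey, method='GET')
#    logger.debug("item_info: %s" % serverContent)
#    item_info = json.loads(serverContent)
#
#    return self.response(item_info, httplib.OK)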
'form': {}, 'payload': su.unescape(requestXml.findtext('payload')), 'restmap': {} } for node in requestXml.findall('headers/header'): requestDict['headers'][node.get('key','').lower()] = su.unescape(node.text) for node in requestXml.findall('query/arg'): requestDict['query'][node.get('key')] = su.unescape(node.text) for node in requestXml.findall('form/arg'): requestDict['form'][node.get('key')] = su.unescape(node.text) for node in requestXml.findall('restmap/key'): requestDict['restmap'][node.get('name')] = su.unescape(node.text) # set the host and port (host, port) = util.splithost(requestDict['headers']['host']) splunk.setDefault('host', host) if port: splunk.setDefault('port', port) # check if payload content can be auto-converted to primitives # parsedPayload = format.parseFeedDocument(requestDict['payload']) except Exception, e: logger.error('Python REST dispatcher received well-formed but unrecognized XML from HTTP server.') raise # locate module parts = handlerClassName.split('.') if not len(parts) or len(parts) > 2 or not handlerClassName: raise SyntaxError, 'The "handler=%s" key is incorrect. Handler names must be in the form "<module_name>.<class_name>".' \ % handlerClassName
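def stream(self, records):
    """Apply the command's status/owner/urgency/comment to each record's incident.

    For every record carrying an ``incident_id`` the matching entry of the
    ``incidents`` KV store collection is read, each attribute that differs is
    written back, and one ``incident_change`` audit event is indexed per changed
    attribute (plus one for the comment, when given).  Events go to the
    hard-coded ``alerts`` index.  Records are yielded unchanged whether or not
    anything was modified.

    Args:
        records: iterable of search result dicts; only ``incident_id`` is read.

    Yields:
        every input record, unchanged.
    """
    #self.logger.debug('ModifyIncidentsCommand: %s', self) # logs command line
    user = self._input_header.get('owner')
    sessionKey = self._input_header.get('sessionKey')
    # input.submit() cannot be handed a sessionKey, so set the SDK-wide default.
    splunk.setDefault('sessionKey', sessionKey)

    # The attributes to apply are fixed for the whole invocation; build them once.
    attrs = {}
    if self.status:
        attrs['status'] = self.status
    if self.owner:
        attrs['owner'] = self.owner
    if self.urgency:
        attrs['urgency'] = self.urgency
    self.logger.debug("Attrs: %s" % attrs)
    submit_args = dict(hostname=socket.gethostname(), sourcetype='incident_change',
                       source='modifyincidents.py', index='alerts')

    self.logger.debug("Started")
    for record in records:
        if 'incident_id' not in record:
            self.logger.warn("No incident_id field found in event, aborting.")
        elif not attrs and not self.comment:
            self.logger.warn("No attributes to modify found, aborting.")
        else:
            incident_id = record['incident_id']
            uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps({'incident_id': incident_id}))
            serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
            incidents = json.loads(serverContent)
            if not incidents:
                # An unknown incident_id used to raise IndexError and abort the whole command.
                self.logger.warn("Incident %s not found in collection, skipping." % incident_id)
            else:
                incident = incidents[0]
                self.logger.debug("Read incident from collection: %s" % json.dumps(incident))
                now = datetime.datetime.now().isoformat()
                # md5 only derives an event id shared by this record's audit events;
                # it is not a security control.
                event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
                changed_keys = [k for k in incident.keys() if k in attrs and incident[k] != attrs[k]]
                # NOTE(review): attribute values and the comment are interpolated into the
                # key="value" audit event unescaped; a double quote inside a value changes
                # how the event's fields are extracted downstream.
                # The 'user' value is supplied in the tuple but had no placeholder in the
                # literal, so the format raised at runtime; placeholder restored.
                for key in changed_keys:
                    event = ('time=%s severity=INFO origin="ModifyIncidentsCommand" event_id="%s" '
                             'user="%s" action="change" incident_id="%s" %s="%s" previous_%s="%s"'
                             % (now, event_id, user, incident['incident_id'], key, attrs[key], key, incident[key]))
                    input.submit(event, **submit_args)
                    incident[key] = attrs[key]
                if changed_keys:
                    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident['_key']
                    del incident['_key']
                    rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=json.dumps(incident))
                else:
                    self.logger.warn("No changed attributes found, aborting.")
                if self.comment:
                    # This event reports origin="incident_posture" while the change event
                    # above says "ModifyIncidentsCommand"; kept as originally emitted.
                    event = ('time=%s severity=INFO origin="incident_posture" event_id="%s" '
                             'user="%s" action="comment" incident_id="%s" comment="%s"'
                             % (now, event_id, user, incident['incident_id'], self.comment))
                    input.submit(event.encode('utf8'), **submit_args)
        yield record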
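def stream(self, records):
    """Apply the command's status/owner/urgency/comment to each record's incident.

    For every record carrying an ``incident_id`` the matching entry of the
    ``incidents`` KV store collection is read, each attribute that differs is
    written back, and one ``incident_change`` audit event is indexed per changed
    attribute (plus one for the comment, when given).  Records are yielded
    unchanged whether or not anything was modified.

    Args:
        records: iterable of search result dicts; only ``incident_id`` is read.

    Yields:
        every input record, unchanged.
    """
    #self.logger.debug('ModifyIncidentsCommand: {}'.format(self)) # logs command line
    user = self._input_header.get('owner')
    sessionKey = self._input_header.get('sessionKey')
    # input.submit() cannot be handed a sessionKey, so set the SDK-wide default.
    splunk.setDefault('sessionKey', sessionKey)

    #
    # Get global settings
    #
    self.config['index'] = 'main'
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            self.config['index'] = restconfig['settings']['index']
    self.logger.debug("Global settings: {}".format(self.config))

    # The attributes to apply are fixed for the whole invocation; build them once.
    attrs = {}
    if self.status:
        attrs['status'] = self.status
    if self.owner:
        attrs['owner'] = self.owner
    if self.urgency:
        attrs['urgency'] = self.urgency
    self.logger.debug("Attrs: {}".format(attrs))
    if self.comment:
        # Comments are indexed as a single line.
        self.comment = self.comment.replace('\n', '<br />').replace('\r', '')
    submit_args = dict(hostname=socket.gethostname(), sourcetype='incident_change',
                       source='modifyincidents.py', index=self.config['index'])

    self.logger.debug("Started")
    for record in records:
        if 'incident_id' not in record:
            self.logger.warn("No incident_id field found in event, aborting.")
        elif not attrs and not self.comment:
            self.logger.warn("No attributes to modify found, aborting.")
        else:
            incident_id = record['incident_id']
            uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query={}'.format(urllib.parse.quote(json.dumps({'incident_id': incident_id})))
            serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
            incidents = json.loads(serverContent.decode('utf-8'))
            if not incidents:
                # An unknown incident_id used to raise IndexError and abort the whole command.
                self.logger.warn("Incident {} not found in collection, skipping.".format(incident_id))
            else:
                incident = incidents[0]
                self.logger.debug("Read incident from collection: {}".format(json.dumps(incident)))
                now = time.strftime("%Y-%m-%dT%H:%M:%S+0000", time.gmtime())
                # md5 only derives an event id shared by this record's audit events;
                # it is not a security control.
                event_id = hashlib.md5(incident['incident_id'].encode('utf-8') + now.encode('utf-8')).hexdigest()
                changed_keys = [k for k in incident.keys() if k in attrs and incident[k] != attrs[k]]
                # NOTE(review): attribute values and the comment are interpolated into the
                # key="value" audit event unescaped; a double quote inside a value changes
                # how the event's fields are extracted downstream.
                # The 'user' value is supplied to format() but had no placeholder in the
                # literal, which silently shifted every later field by one; placeholder restored.
                for key in changed_keys:
                    event = ('time="{}" severity=INFO origin="ModifyIncidentsCommand" event_id="{}" '
                             'user="{}" action="change" incident_id="{}" {}="{}" previous_{}="{}"'
                             .format(now, event_id, user, incident['incident_id'], key, attrs[key], key, incident[key]))
                    input.submit(event, **submit_args)
                    incident[key] = attrs[key]
                if changed_keys:
                    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident['_key']
                    del incident['_key']
                    rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=json.dumps(incident))
                if self.comment:
                    event = ('time="{}" severity=INFO origin="ModifyIncidentsCommand" event_id="{}" '
                             'user="{}" action="comment" incident_id="{}" comment="{}"'
                             .format(now, event_id, user, incident['incident_id'], self.comment))
                    input.submit(event.encode('utf8'), **submit_args)
        yield record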
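#
# BEGIN Setup
#
# The alert action payload arrives as one JSON document on stdin.
payload = json.loads(sys.stdin.read())
# log.debug("Payload: %s" % json.dumps(payload))

sessionKey = payload.get("session_key")
job_id = payload.get("sid")
# Support for manually running the alert action using the 'sendalert' search command:
# sendalert passes an empty search_name; a payload without the key is treated the same
# (it used to leave search_name as None).
search_name = payload.get("search_name") or "adhoc"

# Need to set the sessionKey (input.submit() doesn't allow passing the sessionKey)
splunk.setDefault("sessionKey", sessionKey)

# Get app settings
settings = getAppSettings(sessionKey)
log.debug("Parsed index from app settings: %s" % settings.get("index"))

# Get incident config
config = getIncidentSettings(payload, settings, search_name)

# Get job details
job = getJob(job_id, sessionKey)
result_count = job["content"]["resultCount"]
log.info(
    "Found job for alert '%s' with title '%s'. Context is '%s' with %s results."
    % (search_name, config["title"], payload.get("app"), result_count)
)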
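def _create_new_incident(self, sessionKey, user, post_data):
    """Create an incident by hand (no triggering alert) from REST form data.

    In order: read the app settings, validate the required fields, parse the
    optional ``fields`` text (one ``key=value`` per line), index an
    ``alert_metadata`` event, insert the incident into the ``incidents``
    collection, optionally store and/or index the parsed fields as incident
    results, and finally index the ``incident_change`` "create" audit event.

    Args:
        sessionKey: Splunk session used for every REST call and submit.
        user: name recorded in the audit event.
        post_data: form fields; ``title``, ``urgency``, ``impact`` and ``owner``
            are required, the rest optional.

    Returns:
        ``self.response('Action logged', OK)`` on success, ``BAD_REQUEST`` for
        missing or malformed input, ``INTERNAL_SERVER_ERROR`` when a submit or
        collection write raises.
    """
    logger.debug("START _create_new_incident()")
    logger.debug("post_data: {}".format(post_data))

    def _server_error(exc):
        # Log the traceback and turn the exception into a 500 response.
        msg = 'Unhandled Exception: {}'.format(str(exc))
        logger.exception(msg)
        return self.response(msg, http.client.INTERNAL_SERVER_ERROR)

    config = {'index': 'main', 'collect_data_results': False, 'index_data_results': False}
    # Get config data
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        settings = restconfig['settings']
        if 'index' in settings:
            config['index'] = settings['index']
        # Boolean settings arrive as strings; only '1'/'true' (any case) enable them.
        for flag in ('collect_data_results', 'index_data_results'):
            if flag in settings:
                config[flag] = settings[flag].lower() in ('1', 'true')
    logger.info("Global settings: {}".format(config))

    # Create timestamp for event
    epoch_now = time.time()
    gmtime = time.gmtime(epoch_now)
    now = time.strftime("%Y-%m-%dT%H:%M:%S.000+0000", gmtime)
    # time.strftime("%s") is platform-specific and interprets its argument as
    # local time, so applied to a gmtime() tuple it was off by the UTC offset.
    now_epoch = str(int(epoch_now))

    required = ['title', 'urgency', 'impact', 'owner']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response("Missing required arguments: {}".format(missing), http.client.BAD_REQUEST)

    title = post_data.get('title')
    urgency = post_data.get('urgency')
    impact = post_data.get('impact')
    owner = post_data.get('owner')
    origin = post_data.get('origin')
    group_id = post_data.get('group_id')
    fields = post_data.get('fields')
    # Optional fields fall back to placeholders when absent or empty.
    category = post_data.get('category') or 'unknown'
    subcategory = post_data.get('subcategory') or 'unknown'
    tags = post_data.get('tags') or '[Untagged]'
    event_search = post_data.get('event_search') or '|noop'
    earliest_time = post_data.get('earliest_time') or int(now_epoch) - 1
    latest_time = post_data.get('latest_time') or now

    # Field validation and formatting: one key=value per line, double quotes removed.
    if fields:
        parsed = {}
        for line in fields.rstrip().splitlines():
            if not line.strip():
                continue
            if '=' not in line:
                # Client input, so a 400 rather than the former "Unhandled Exception" 500.
                msg = 'Malformed field line, expected key=value: {}'.format(line)
                logger.error(msg)
                return self.response(msg, http.client.BAD_REQUEST)
            key, value = line.split('=', 1)  # values may themselves contain '='
            parsed[key] = value.replace('"', '')
        fields = parsed

    # Create unique id
    incident_id = str(uuid.uuid4())
    # md5 only derives an event id; it is not a security control.
    event_id = hashlib.md5(incident_id.encode('utf-8') + now.encode('utf-8')).hexdigest()

    # Defaults for a manually created incident
    ttl = 3600
    alert_time = now
    search_name = 'Manual Alert'
    result_id = 0
    job_id = event_id
    alert = title
    display_fields = ''
    external_reference_id = ''
    priority = ''
    status = 'new'
    app = 'alert_manager'
    logger.debug("title: {}".format(title))

    # Create metadata event
    # NOTE(review): this literal is hand-built, so user-supplied values (title,
    # tags, owner, ...) are not JSON-escaped and the "entry" member is not
    # well-formed JSON; left as-is because consumers of the alert_metadata
    # sourcetype may depend on the exact text — confirm before changing.
    metadata = '{{"alert":"{}", "alert_time": "{}", "origin": "{}", "app": "{}", "category": "{}", "display_fields": "{}", "entry":[{{"content": "earliestTime": "{}", "eventSearch": "{}","latestTime": "{}"}}], "external_reference_id": "{}", "impact": "{}", "incident_id": "{}", "job_id": "{}", "owner": "{}", "priority": "{}", "result_id": "{}", "subcategory": "{}", "tags": "{}", "title": "{}", "ttl": "{}", "urgency": "{}"}}'.format(
        alert, now, origin, app, category, display_fields, earliest_time, event_search, latest_time,
        external_reference_id, impact, incident_id, job_id, owner, priority, result_id, subcategory,
        tags, title, ttl, urgency)
    logger.debug("Metadata {}".format(metadata))
    submit_host = socket.gethostname()

    try:
        splunk.setDefault('sessionKey', sessionKey)
        input.submit(metadata, hostname=submit_host, sourcetype='alert_metadata', source='helper.py', index=config['index'])
    except Exception as e:
        return _server_error(e)

    # Create incident
    entry = {
        'title': title,
        'category': category,
        'subcategory': subcategory,
        'tags': tags,
        'display_fields': display_fields,
        'incident_id': incident_id,
        'alert_time': now_epoch,
        'job_id': job_id,
        'result_id': result_id,
        'alert': alert,
        'app': app,
        'status': status,
        'ttl': ttl,
        'impact': impact,
        'urgency': urgency,
        'priority': priority,
        'owner': owner,
        'search': event_search,
        'external_reference_id': external_reference_id,
        'group_id': group_id,
    }
    entry = json.dumps(entry, sort_keys=True)
    logger.debug("createIncident(): Entry: {}".format(entry))
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents'
    rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=entry)

    # Create incident results
    if fields:
        logger.debug("fields: {}".format(fields))
        results = {
            'incident_id': incident_id,
            'fields': [fields],
            'field_list': list(fields.keys()),
        }
        logger.debug("Entry: {}".format(results))

        # Write results to incident_results collection
        if config['collect_data_results']:
            try:
                # Add job_id and result_id to collection
                results['job_id'] = job_id
                results['result_id'] = result_id
                uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incident_results'
                rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=json.dumps(results, sort_keys=True))
                logger.info("Results for incident_id={} written to collection.".format(incident_id))
            except Exception as e:  # was a bare except whose handler read an unbound 'e'
                return _server_error(e)

        # Write results to index
        if config['index_data_results']:
            try:
                # Serialize the dict here: when the collection write ran first, 'results'
                # was already a JSON string and got dumped a second time (double-encoded).
                input.submit(json.dumps(results, sort_keys=True), hostname=submit_host,
                             sourcetype='alert_data_results', source='helper.py', index=config['index'])
                logger.info("Results for incident_id={} written to index.".format(incident_id))
            except Exception as e:  # was a bare except whose handler read an unbound 'e'
                return _server_error(e)

    # Create incident_change events
    # NOTE(review): search_name/owner/urgency are interpolated into the key="value"
    # event unescaped; a double quote inside a value changes how fields are extracted.
    # The 'user' value is supplied to format() but had no placeholder in the literal,
    # which silently shifted every later field by one; placeholder restored.
    event = ('time={} event_id={} severity=INFO origin="alert_handler" user="{}" action="create" '
             'alert="{}" incident_id="{}" job_id="{}" result_id="{}" owner="{}" status="new" '
             'urgency="{}" ttl="{}" alert_time="{}"'
             .format(now, event_id, user, search_name, incident_id, job_id, result_id, owner, urgency, ttl, alert_time))
    logger.debug("Event will be: {}".format(event))
    try:
        splunk.setDefault('sessionKey', sessionKey)
        input.submit(event.encode('utf8'), hostname=submit_host, sourcetype='incident_change',
                     source='helper.py', index=config['index'])
    except Exception as e:
        return _server_error(e)
    return self.response('Action logged', http.client.OK)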
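def save(self, contents, **kwargs):
    """Save edited incident settings posted from the incident posture view.

    ``contents`` is a JSON object holding at least ``job_id``; every other key
    whose value differs from the stored incident is written back to the
    ``incidents`` collection and produces one ``incident_change`` audit event
    that also carries the optional ``comment``.

    Args:
        contents: JSON string of the edited incident fields.
        **kwargs: extra form parameters passed by cherrypy; unused.

    Returns:
        the literal 'Data has been saved'.

    Raises:
        cherrypy.HTTPError: 400 when ``contents`` is not valid JSON or lacks
            ``job_id``; 404 when no incident matches ``job_id``.
    """
    logger.info("Saving incident settings contents...")
    user = cherrypy.session['user']['name']
    sessionKey = cherrypy.session.get('sessionKey')
    # input.submit() cannot be handed a sessionKey, so set the SDK-wide default.
    splunk.setDefault('sessionKey', sessionKey)

    #
    # Get global settings
    #
    config = {'index': 'alerts'}
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            config['index'] = restconfig['settings']['index']
    logger.debug("Global settings: %s" % config)

    # Parse the JSON; malformed input is the client's fault, not a 500.
    try:
        contents = json.loads(contents)
    except ValueError:
        raise cherrypy.HTTPError(400, "contents is not valid JSON")
    logger.debug("Contents: %s" % json.dumps(contents))
    if 'job_id' not in contents:
        raise cherrypy.HTTPError(400, "contents lacks job_id")
    # A missing comment used to raise KeyError while building the first event.
    comment = contents.get('comment', '')

    # Get key
    query = {'job_id': contents['job_id']}
    logger.debug("Filter: %s" % json.dumps(query))
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
    logger.debug("Settings for incident: %s" % serverContent)
    incidents = json.loads(serverContent)
    if not incidents:
        # Used to raise IndexError on incident[0].
        raise cherrypy.HTTPError(404, "No incident found for job_id %s" % contents['job_id'])
    incident = incidents[0]

    # Update incident
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident['_key']
    logger.debug("URI for incident update: %s" % uri)

    # Prepared new entry
    now = datetime.datetime.now().isoformat()
    # md5 only derives an event id; it is not a security control.
    event_id = hashlib.md5(incident['job_id'] + now).hexdigest()
    submit_args = dict(hostname=socket.gethostname(), sourcetype='incident_change',
                       source='incident_settings.py', index=config['index'])
    # NOTE(review): values from contents (including the comment) are interpolated
    # into the key="value" audit event unescaped; a double quote inside a value
    # changes how the event's fields are extracted downstream.
    # The 'user' value is supplied in the tuple but had no placeholder in the
    # literal, so the format raised at runtime; placeholder restored.
    for key in incident.keys():
        if key in contents and incident[key] != contents[key]:
            logger.info("%s for incident %s changed. Writing change event to index %s." % (key, incident['job_id'], config['index']))
            event = ('time=%s severity=INFO origin="incident_posture" event_id="%s" user="%s" '
                     'action="change" job_id="%s" %s="%s" previous_%s="%s" comment="%s"'
                     % (now, event_id, user, incident['job_id'], key, contents[key], key, incident[key], comment))
            logger.debug("Event will be: %s" % event)
            input.submit(event, **submit_args)
            incident[key] = contents[key]
        else:
            logger.info("%s for incident %s didn't change." % (key, incident['job_id']))

    del incident['_key']
    contentsStr = json.dumps(incident)
    logger.debug("content for update: %s" % contentsStr)
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
    logger.debug("Response from update incident entry was %s " % serverResponse)

    return 'Data has been saved'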
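#
# BEGIN Setup
#
# The alert action payload arrives as one JSON document on stdin.
payload = json.loads(sys.stdin.read())
#log.debug("Payload: %s" % json.dumps(payload))

sessionKey = payload.get('session_key')
job_id = payload.get('sid')
# A payload without search_name used to fail on .encode() of None; treat it like
# the empty name that 'sendalert' passes.
search_name = (payload.get('search_name') or '').encode('utf-8')

# Support for manually running the alert action using the 'sendalert' search command
if search_name == '':
    search_name = 'adhoc'

# Need to set the sessionKey (input.submit() doesn't allow passing the sessionKey)
splunk.setDefault('sessionKey', sessionKey)

# Get app settings
settings = getAppSettings(sessionKey)
log.debug("Parsed index from app settings: %s" % settings.get('index'))

# Get incident config
config = getIncidentSettings(payload, settings, search_name)

# Get job details
job = getJob(job_id, sessionKey)
result_count = job['content']['resultCount']
log.info("Found job for alert '%s' with title '%s'. Context is '%s' with %s results." % (search_name, config['title'], payload.get('app'), result_count))

# Get saved search config
savedSearch = getSavedSearch(payload.get('app'), search_name, sessionKey)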
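def _write_log_entry(self, sessionKey, user, post_data):
    """Record an audit event for an incident in the alert_manager index.

    Args:
        sessionKey: Splunk session key, used for the settings lookup and
            for the event submission.
        user: name of the acting user; written to the event's ``user`` field.
        post_data: client-supplied fields. ``incident_id``, ``log_action``
            and ``origin`` are required and ``log_action`` must be
            ``"comment"`` or ``"change"``; ``incident_id`` and ``log_action``
            are popped from the mapping, the rest is read with defaults.

    Returns:
        ``self.response(...)``: BAD_REQUEST for missing or invalid input,
        OK after the event was submitted, INTERNAL_SERVER_ERROR when the
        submission raised.
    """
    logger.debug("START _write_log_entry()")

    required = ['incident_id', 'log_action', 'origin']
    missing = [r for r in required if r not in post_data]
    if missing:
        return self.response(
            "Missing required arguments: {}".format(missing),
            http.client.BAD_REQUEST)

    incident_id = post_data.pop('incident_id')
    log_action = post_data.pop('log_action')
    # Reject unknown actions up front: previously they fell through, an
    # empty event was submitted and the client was still told it was logged.
    if log_action not in ("comment", "change"):
        return self.response(
            "Invalid log_action: {}".format(log_action),
            http.client.BAD_REQUEST)

    def _kv(value, newline=' '):
        """Make a client-controlled value safe inside a key="value" field."""
        # Every value is interpolated into a quoted field of the event; an
        # unescaped quote, backslash or line break would let it close its
        # own field (or the event) and append fields of its choosing.
        return (str(value)
                .replace('\\', '\\\\')
                .replace('"', '\\"')
                .replace('\r', '')
                .replace('\n', newline))

    # Line breaks in the comment are kept as <br /> (existing behaviour).
    # NOTE(review): the stored comment therefore contains literal HTML;
    # whatever renders it must escape the remaining text.
    comment = _kv(post_data.get('comment', ''), newline='<br />')
    origin = _kv(post_data.get('origin', ''))
    severity = _kv(post_data.get('severity', 'INFO'))
    status = _kv(post_data.get('status', ''))
    previous_status = _kv(post_data.get('previous_status', ''))
    job_id = _kv(post_data.get('job_id', ''))
    result_id = _kv(post_data.get('result_id', ''))
    now = datetime.datetime.now().isoformat()

    # Target index comes from alert_manager's settings; 'main' otherwise.
    config = {'index': 'main'}
    restconfig = entity.getEntities(
        'configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            config['index'] = restconfig['settings']['index']

    # Event id is only an identifier (incident id + timestamp), not a secret.
    event_id = hashlib.md5(
        incident_id.encode('utf-8') + now.encode('utf-8')).hexdigest()

    # `user` now has its own placeholder: the format strings had one fewer
    # placeholder than arguments, so str.format shifted `user` into the
    # incident_id field and silently dropped the last argument.
    if log_action == "comment":
        event = ('time={} severity="{}" origin="{}" event_id="{}" user="{}" '
                 'action="comment" incident_id="{}" comment="{}"').format(
            now, severity, origin, event_id, _kv(user), _kv(incident_id),
            comment)
    else:
        event = ('time={} severity="{}" origin="{}" event_id="{}" user="{}" '
                 'action="change" incident_id="{}" job_id="{}" result_id="{}" '
                 'status="{}" previous_status="{}"').format(
            now, severity, origin, event_id, _kv(user), _kv(incident_id),
            job_id, result_id, status, previous_status)

    logger.debug("Event will be: {}".format(event))
    event = event.encode('utf8')
    try:
        splunk.setDefault('sessionKey', sessionKey)
        input.submit(event, hostname=socket.gethostname(),
                     sourcetype='incident_change', source='helper.py',
                     index=config['index'])
        return self.response('Action logged', http.client.OK)
    except Exception:
        # The traceback goes to the log; the client gets a generic message so
        # internal details (paths, hostnames, library errors) are not exposed.
        logger.exception("Failed to submit incident_change event")
        return self.response('Failed to log action',
                             http.client.INTERNAL_SERVER_ERROR)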
log.debug("KVStore is available. Response status: %s" % serverResponse['status']) return True except Exception as e: log.debug("KVStore unavailable. Exception: %s" % str(e)) return False if __name__ == "__main__": start = time.time() # Setup logger log = setupLogger('migration') sessionKey = sys.stdin.readline().strip() splunk.setDefault('sessionKey', sessionKey) # Setup ApiManager am = ApiManager(sessionKey=sessionKey) #eh = EventHandler(sessionKey=sessionKey) #sh = SuppressionHelper(sessionKey=sessionKey) #sessionKey = urllib.unquote(sessionKey[11:]).decode('utf8') log.debug("Alert Manager migration started. sessionKey=%s" % sessionKey) # # Get global settings # config = {} config['index'] = 'alerts'
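def save(self, contents, **kwargs):
    """Persist edited incident settings and audit every field that changed.

    Args:
        contents: JSON-encoded object from the client. ``incident_id`` is
            required; every other key that also exists on the stored incident
            overwrites that field. An optional ``comment`` is copied into
            each change event.
        **kwargs: unused; absorbs extra form fields CherryPy passes along.

    Returns:
        ``'Data has been saved'`` once the KV store entry was updated.

    Raises:
        cherrypy.HTTPError: 400 when ``contents`` is not a JSON object with an
            ``incident_id``, 404 when no stored incident matches it.
    """
    logger.info("Saving incident settings contents...")
    user = cherrypy.session['user']['name']
    sessionKey = cherrypy.session.get('sessionKey')
    splunk.setDefault('sessionKey', sessionKey)

    # Global settings: the index that receives incident_change events.
    config = {'index': 'alerts'}
    restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
    if len(restconfig) > 0:
        if 'index' in restconfig['settings']:
            config['index'] = restconfig['settings']['index']
    logger.debug("Global settings: %s" % config)

    # Malformed or incomplete client input is a 400, not an unhandled 500.
    try:
        contents = json.loads(contents)
        incident_id = contents['incident_id']
    except (ValueError, KeyError, TypeError):
        raise cherrypy.HTTPError(400, 'contents must be a JSON object with an incident_id')
    logger.debug("Contents: %s" % json.dumps(contents))

    def _kv(value, newline=' '):
        """Make a client-controlled value safe inside a key="value" field."""
        # Field values are interpolated into a quoted key="value" event; an
        # unescaped quote, backslash or line break would let a value close
        # its own field (or the event) and append fields of its choosing.
        text = '%s' % (value,)
        return (text.replace('\\', '\\\\')
                    .replace('"', '\\"')
                    .replace('\r', '')
                    .replace('\n', newline))

    # Look the incident up by id (the id is JSON-encoded, then URL-quoted).
    query = {'incident_id': incident_id}
    logger.debug("Filter: %s" % json.dumps(query))
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
    logger.debug("Settings for incident: %s" % serverContent)
    matches = json.loads(serverContent)
    if not matches:
        raise cherrypy.HTTPError(404, 'Incident not found')
    incident = matches[0]

    # The entry is updated by key; _key is pulled out so it is neither sent
    # back in the document nor treated as a client-editable field.
    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident.pop('_key')
    logger.debug("URI for incident update: %s" % uri)

    now = datetime.datetime.now().isoformat()
    # Line breaks in the comment become <br /> (the app's REST handler stores
    # comments the same way). NOTE(review): the index then holds literal
    # HTML; the renderer must escape the rest of the text.
    comment = _kv(contents.get('comment', ''), newline='<br />')

    # NOTE(review): every stored field named in `contents` is overwritten;
    # there is no allow-list, so the client can change any attribute of the
    # incident. Confirm that is intended for this endpoint.
    for key in list(incident.keys()):
        if key in contents and incident[key] != contents[key]:
            logger.info("%s for incident %s changed. Writing change event to index %s."
                        % (key, incident['incident_id'], config['index']))
            # Event id is only an identifier (incident id + timestamp).
            event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
            # `user` has its own placeholder: the previous format string had
            # eight placeholders for nine arguments, which %-formatting
            # rejects with TypeError, so no change event could be written.
            event = ('time=%s severity=INFO origin="incident_posture" event_id="%s" user="%s" '
                     'action="change" incident_id="%s" %s="%s" previous_%s="%s" comment="%s"'
                     % (now, event_id, _kv(user), _kv(incident['incident_id']), key,
                        _kv(contents[key]), key, _kv(incident[key]), comment))
            logger.debug("Event will be: %s" % event)
            input.submit(event, hostname=socket.gethostname(),
                         sourcetype='incident_change', source='incident_settings.py',
                         index=config['index'])
            incident[key] = contents[key]
        else:
            logger.info("%s for incident %s didn't change." % (key, incident['incident_id']))

    contentsStr = json.dumps(incident)
    logger.debug("content for update: %s" % contentsStr)
    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
    logger.debug("Response from update incident entry was %s " % serverResponse)
    return 'Data has been saved'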