def load_conf(app):

    '''
        Loads our cefly.conf and gets the stanza for our app/search we are currently working with

        app: name of the cefly.conf stanza to read (the app/search name).

        NOTE(review): this excerpt ends after the first try/except; the
        remainder of the function (inherited-stanza merge, disabled check
        and the final return of the stanza) is shown in a later excerpt.
    '''

    try:
        # CEFLY_OUTPUTS is the module-level conf name; a lookup failure is
        # treated as fatal for the run rather than raised to the caller.
        stanza = splunk.clilib.cli_common.getConfStanza(CEFLY_OUTPUTS, app)
    except Exception, e:
        # 'e' is bound but not logged, so the reason for the failure is lost.
        logger.error('message="Unable to open stanza in cefly.conf for app/search", app="%s"' % app)
        sys.exit()
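def make_cef(data):

    '''
        Returns a formatted CEF message based on data given, or False when
        nothing could be built (no mapped event fields, or the final join
        failed -- both cases are logged).

        data is a dict and every key below is read here:

            prefix_map  - dict of optional header overrides: d_vendor,
                          d_product, d_version, sig_id, name, severity.
                          The literal two-character value '""' for sig_id
                          selects an empty signature id.
            field_map   - list of dicts with 'as_cef_field' and 'data'; the
                          splunk_field => arcsight_field mapping for this event
            labels      - dict, cef_field => custom string label
            splunk_meta - dict; 'sourcetype' is the d_product default

        The module-level cef_static_map (splunk_field:CEF_field pairs, e.g.
        outcome:/Success, _time:end, host:src) is emitted as well.

        What a CEF message should look like (header fields are '|'-separated,
        the extension is space-separated key=value pairs):

        CEF:0|<device_vendor>|<device_product>|<device_version>|<signature_id>|<name>|<severity>|key=value foo=bar baz=bing

        Example:

        CEF:0|CISCO|ASA|7||Firewall Accept|1|src=192.168.1.20 dst=10.18.40.50 dport=53 proto=DNS categoryDeviceGroup=/Network categoryOutcome=/Success
    '''
    prefix_maps = data['prefix_map']
    custom_maps = data['field_map']
    custom_labels = data['labels']
    splunk_meta = data['splunk_meta']

    def _escape_header(value):
        # Header fields are '|'-delimited, so an unescaped '|' (or a bare
        # '\') inside a value shifts every later column and lets one value
        # masquerade as another header field.  CEF escapes these as '\|'
        # and '\\'.  escape_cef_chars() is the extension-side escaper and is
        # deliberately not reused: header and extension rules differ.
        return str(value).replace('\\', '\\\\').replace('|', '\\|')

    header = ["CEF:0"]

    header.append(_escape_header(prefix_maps.get('d_vendor', "Splunk CEFly")))

    # The product defaults to the event's sourcetype -- event-derived text,
    # which is why header values are escaped.  The sourcetype is only read
    # when no override exists, as before.
    if 'd_product' in prefix_maps:
        header.append(_escape_header(prefix_maps['d_product']))
    else:
        header.append(_escape_header(splunk_meta['sourcetype']))

    header.append(_escape_header(prefix_maps.get('d_version', "1.0")))

    if 'sig_id' not in prefix_maps:
        header.append("1")
    elif prefix_maps['sig_id'] == '""':
        # Config quirk kept from the original: a literal '""' means "empty".
        header.append("")
    else:
        header.append(_escape_header(prefix_maps['sig_id']))

    header.append(_escape_header(prefix_maps.get('name', "generic event -- address me ASAP")))

    # Severity is appended bare; the closing '|' of the header is added once
    # below, so the default and the configured path now produce the same
    # shape (the original only emitted the terminator when severity was set).
    header.append(_escape_header(prefix_maps.get('severity', '5')))

    # Custom string labels -- format: <cef_field>:<string>
    # example: cslabel1:some_custom_string, cslabel2:some other string
    my_cs_maps = ["%s=%s" % (k, v) for k, v in custom_labels.items()]

    # Static maps from the module-level cef_static_map
    # format: <splunk_field>:CEF_field, example: outcome:/Success, host:src
    my_s_maps = ["%s=%s" % (k, v) for k, v in cef_static_map.items()]

    # Per-event fields, splunk_field => arcsight_field; empty values are
    # dropped and the rest go through the extension escaper.
    my_maps = ["%s=%s" % (item['as_cef_field'], escape_cef_chars(item['data']))
               for item in custom_maps if item['data']]

    # NOTE(review): label and static-map values are operator config and are
    # emitted unescaped, as in the original -- confirm escape_cef_chars() is
    # appropriate for them before widening its use.

    if not my_maps:
        # Nothing from the event mapped, so there is no usable message; log
        # the inputs for debugging and bail out.
        logger.error('message="not everything is here", custom_maps="%s", my_s_maps="%s", my_cs_maps="%s"' % (custom_maps, my_s_maps, my_cs_maps))
        return False

    try:
        # Header joined by '|', then the header terminator, then the
        # extension as single-space-separated key=value pairs in the order
        # labels, static maps, event fields.
        cef_msg = "|".join(header) + "|" + " ".join(my_cs_maps + my_s_maps + my_maps)
    except Exception as e:
        # The original referenced an undefined name (my_data) here, which
        # raised NameError inside the handler and hid the real failure.
        logger.error('message="Unable to create CEF message", cef_prefix="%s", cs_maps="%s", s_maps="%s", my_data="%s", error="%s"' % (header, my_cs_maps, my_s_maps, my_maps, e))
        return False

    return cef_msg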
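    try:
        # CEFLY_OUTPUTS is the module-level conf name; a missing/unreadable
        # stanza is treated as fatal for this run.  The exception text is
        # logged so the operator can see why the lookup failed.
        stanza = splunk.clilib.cli_common.getConfStanza(CEFLY_OUTPUTS, app)
    except Exception as e:
        logger.error('message="Unable to open stanza in cefly.conf for app/search", app="%s", error="%s"' % (app, e))
        sys.exit()

    # If we are inheriting from another stanza, load it and combine the two
    # stanzas together; _dmerge(inherited, stanza) lets this stanza's keys
    # win over the parent's.
    if 'inherits' in stanza:
        parent = stanza['inherits']

        if parent == app:
            # A stanza naming itself as its parent would recurse forever.
            logger.error('message="stanza inherits from itself, ignoring inherits", app="%s"' % app)
        else:
            try:
                # Recursive: the parent may itself inherit.  A disabled
                # parent calls sys.exit() inside load_conf, which is not an
                # Exception and so is not caught here.
                inherited = load_conf(parent)
                stanza = _dmerge(inherited, stanza)

            except Exception as e:
                # The original used '%e' (a float conversion), which raised
                # TypeError inside this handler; '%s' renders the message.
                logger.error("Unable to load inherited stanza: %s" % (e))
                logger.exception(e)

    # We have a disabled config, no need to go any further
    if 'disabled' in stanza:
        if str(stanza['disabled']).lower() in ('1', 'true'):
            logger.info('message="loading a configuration for a disabled app/stanza, will now exit", app="%s"' % (app))
            sys.exit()

    return stanza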

def _dmerge(d1, d2):

    '''