def createMetadataEvent(metadata, index, sessionKey):
input.submit(json.dumps(metadata, sort_keys=True),
hostname=socket.gethostname(),
sourcetype='alert_metadata',
source='alert_handler.py',
index=index)
log.info("Alert metadata written to index={}".format(index))
def autoPreviousResolve(alert, job_id):
# Auto Previous resolve
log.info("auto_previous_resolve is active for alert %s, searching for incidents to resolve..." % alert)
query = '{ "alert": "'+ alert +'", "$or": [ { "status": "auto_assigned" } , { "status": "new" } ], "job_id": { "$ne": "'+ job_id +'"} }'
log.debug("Filter for auto_previous_resolve: %s" % query)
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(query)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
incidents = json.loads(serverContent)
if len(incidents):
log.info("Got %s incidents to auto-resolve" % len(incidents))
for incident in incidents:
log.info("Auto-resolving incident with key=%s" % incident['_key'])
previous_status = incident["status"]
previous_job_id = incident["job_id"]
previous_incident_id = incident["incident_id"]
incident['status'] = 'auto_previous_resolved'
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/%s' % incident['_key']
incident = json.dumps(incident)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=incident)
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
log.debug("event_id=%s now=%s incident=%s" % (event_id, now, incident))
event = 'time=%s severity=INFO origin="alert_handler" event_id="%s" user="******" action="auto_previous_resolve" previous_status="%s" status="auto_previous_resolved" incident_id="%s" job_id="%s"' % (now, event_id, previous_status, previous_incident_id, previous_job_id)
log.debug("Resolve event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_handler.py', index = config['index'])
else:
log.info("No incidents with matching criteria for auto_previous_resolve found.")
def logCreateEvent(alert, incident_id, job_id, result_id, owner, urgency, ttl, alert_time):
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
user = '******'
event = 'time=%s severity=INFO origin="alert_handler" event_id="%s" user="******" action="create" alert="%s" incident_id="%s" job_id="%s" result_id="%s" owner="%s" status="new" urgency="%s" ttl="%s" alert_time="%s"' % (now, event_id, user, alert, incident_id, job_id, result_id, owner, urgency, ttl, alert_time)
log.debug("Create event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_handler.py', index = config['index'])
def logCreateEvent(alert, incident_id, job_id, result_id, owner, urgency, ttl, alert_time):
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
user = '******'
event = 'time=%s severity=INFO origin="alert_handler" event_id="%s" user="******" action="create" alert="%s" incident_id="%s" job_id="%s" result_id="%s" owner="%s" status="new" urgency="%s" ttl="%s" alert_time="%s"' % (now, event_id, user, alert, incident_id, job_id, result_id, owner, urgency, ttl, alert_time)
log.debug("Create event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_handler.py', index = config['index'])
def autoPreviousResolve(alert, job_id, title):
# Auto Previous resolve
log.info(
"auto_previous_resolve is active for alert %s, searching for incidents to resolve..."
% alert)
if title == "":
query = '{ "alert": "' + alert + '", "$or": [ { "status": "auto_assigned" } , { "status": "new" } ], "job_id": { "$ne": "' + job_id + '"} }'
else:
log.debug(
"Using title (%s) to search for incidents to auto previous resolve."
% title)
query = '{ "title": "' + title + '", "$or": [ { "status": "auto_assigned" } , { "status": "new" } ], "job_id": { "$ne": "' + job_id + '"} }'
log.debug("Filter for auto_previous_resolve: %s" % query)
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(
query)
serverResponse, serverContent = rest.simpleRequest(uri,
sessionKey=sessionKey)
incidents = json.loads(serverContent)
if len(incidents) > 0:
log.info("Got %s incidents to auto-resolve" % len(incidents))
for incident in incidents:
log.info("Auto-resolving incident with key=%s" % incident['_key'])
previous_status = incident["status"]
previous_job_id = incident["job_id"]
previous_incident_id = incident["incident_id"]
previous_owner = incident["owner"]
incident['status'] = 'auto_previous_resolved'
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/%s' % incident[
'_key']
incident = json.dumps(incident)
serverResponse, serverContent = rest.simpleRequest(
uri, sessionKey=sessionKey, jsonargs=incident)
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
log.debug("event_id=%s now=%s incident=%s" %
(event_id, now, incident))
event = 'time=%s severity=INFO origin="alert_handler" event_id="%s" user="******" action="auto_previous_resolve" previous_status="%s" status="auto_previous_resolved" incident_id="%s" job_id="%s"' % (
now, event_id, previous_status, previous_incident_id,
previous_job_id)
log.debug("Resolve event will be: %s" % event)
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='alert_handler.py',
index=config['index'])
ic = IncidentContext(sessionKey, previous_incident_id)
eh.handleEvent(alert=alert,
event="incident_auto_previous_resolved",
incident={"owner": previous_owner},
context=ic.getContext())
else:
log.info(
"No incidents with matching criteria for auto_previous_resolve found."
)
def createIncidentChangeEvent(event, job_id, index):
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
event_prefix = 'time=%s event_id="%s" ' % (now, event_id)
event = event_prefix + event
input.submit(
event, hostname=socket.gethostname(), sourcetype="incident_change", source="alert_handler.py", index=index
)
def writeAlertMetadataToIndex(job, incident_id, result_id):
log.info("Attempting Alert metadata write to index=%s" % config['index'])
fjob = {}
fjob['incident_id'] = incident_id
fjob['result_id'] = result_id
fjob.update(job)
input.submit(json.dumps(fjob), hostname = socket.gethostname(), sourcetype = 'alert_metadata', source = 'alert_handler.py', index = config['index'])
log.info("Alert metadata written to index=%s" % config['index'])
def logSuppressEvent(alert, incident_id, job_id, result_id, rule_names):
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
user = '******'
rules = ' '.join(['suppression_rule="'+ rule_name +'"' for rule_name in rule_names])
event = 'time=%s severity=INFO origin="alert_handler" event_id="%s" user="******" action="suppress" alert="%s" incident_id="%s" job_id="%s" result_id="%s" %s' % (now, event_id, user, alert, incident_id, job_id, result_id, rules)
log.debug("Suppress event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_handler.py', index = config['index'])
def createMetadataEvent(metadata, index, sessionKey):
input.submit(
json.dumps(metadata),
hostname=socket.gethostname(),
sourcetype="alert_metadata",
source="alert_handler.py",
index=index,
)
log.info("Alert metadata written to index=%s" % index)
def createIncidentEvent(results, index, sessionKey, incident_id, alerttime, alert_title):
alert_results = {}
alert_results['incident_id'] = incident_id
# Switching back to iso formatted timestamp to avoid misinterpreation
# alert_results['alert_time'] = int(float(sutil.dt2epoch(sutil.parseISO(alerttime, True))))
# alert_results['timestamp'] = str(time.strftime('%Y-%m-%d %T %Z', time.gmtime(alert_results['alert_time'])))
alert_results['alert_time'] = alerttime
alert_results['title'] = alert_title
alert_results.update(results)
input.submit(json.dumps(alert_results, sort_keys=True), hostname = socket.gethostname(), sourcetype = 'alert_data_results', source = 'alert_manager.py', index = index)
def createIncidentEvent(results, index, sessionKey, incident_id, alerttime, alert_title):
alert_results = {}
alert_results['incident_id'] = incident_id
# Switching back to iso formatted timestamp to avoid misinterpreation
# alert_results['alert_time'] = int(float(sutil.dt2epoch(sutil.parseISO(alerttime, True))))
# alert_results['timestamp'] = str(time.strftime('%Y-%m-%d %T %Z', time.gmtime(alert_results['alert_time'])))
alert_results['alert_time'] = alerttime
alert_results['title'] = alert_title
alert_results.update(results)
input.submit(json.dumps(alert_results, sort_keys=True), hostname = socket.gethostname(), sourcetype = 'alert_data_results', source = 'alert_manager.py', index = index)
def createIncidentChangeEvent(event, job_id, index):
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
event_prefix = 'time=%s event_id="%s" ' % (now, event_id)
event = event_prefix + event
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='alert_handler.py',
index=index)
def save_risks(self, contents, **kwargs):
logger.info("Saving risks...")
user = cherrypy.session['user']['name']
sessionKey = cherrypy.session.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
config = {}
config['index'] = 'risks'
restconfig = entity.getEntities('configs/risk_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
logger.debug("Global settings: %s" % config)
# Parse the JSON
parsed_contents = json.loads(contents)
logger.debug("Contents: %s" % contents)
for entry in parsed_contents:
if '_key' in entry and entry['_key'] != None:
uri = '/servicesNS/nobody/risk_manager/storage/collections/data/risks/' + entry['_key']
# Get current risk
serverResponse, risk = rest.simpleRequest(uri, sessionKey=sessionKey)
logger.debug("Current risk: %s" % risk)
risk = json.loads(risk)
# Update risk if score has changed
if int(risk['risk_score']) != int(entry['risk_score']):
logger.info("Updating risk_object_type=%s risk_object=%s to score=%s." % (entry['risk_object_type'], entry['risk_object'], entry['risk_score']))
del entry['_key']
if 'risk_id' in risk:
entry['risk_id'] = risk['risk_id']
else:
entry['risk_id'] = str(uuid.uuid4())
risk['risk_id'] = entry['risk_id']
entryStr = json.dumps(entry)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=entryStr)
logger.debug("Updated entry. serverResponse was ok")
now = datetime.datetime.now().isoformat()
event = 'time="%s" risk_id="%s" action="update_risk_score" alert="Risk Score Tuner" user="******" risk_object_type="%s" risk_object="%s" risk_score="%s" previous_risk_score="%s"' % (now, risk['risk_id'], user, entry['risk_object_type'], entry['risk_object'], entry['risk_score'], risk['risk_score'])
logger.debug("Event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'risk_scoring', source = 'helpers.py', index = config['index'])
else:
logger.info("Won't update risk_object_type=%s risk_object=%s, since score didn't change." % (entry['risk_object_type'], entry['risk_object']))
return 'Done'
def _write_log_entry(self, sessionKey, user, post_data):
logger.debug("START _write_log_entry()")
required = ['incident_id', 'log_action', 'origin']
missing = [r for r in required if r not in post_data]
if missing:
return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
incident_id = post_data.pop('incident_id')
log_action = post_data.pop('log_action')
comment = post_data.get('comment', '')
origin = post_data.get('origin', '')
severity = post_data.get('severity', 'INFO')
owner = post_data.get('owner', '')
previous_owner = post_data.get('previous_owner', '')
status = post_data.get('status', '')
previous_status = post_data.get('status', '')
job_id = post_data.get('job_id', '')
result_id = post_data.get('result_id', '')
now = datetime.datetime.now().isoformat()
# Get Index
config = {}
config['index'] = 'main'
restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
comment = comment.replace('\n', '<br />').replace('\r', '')
event_id = hashlib.md5(incident_id + now).hexdigest()
event = ''
if (log_action == "comment"):
event = 'time=%s severity="%s" origin="%s" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (now, severity, origin, event_id, user, incident_id, comment)
elif (log_action == "change"):
event = 'time=%s severity="%s" origin="%s" event_id="%s" user="******" action="comment" incident_id="%s" job_id="%s" result_id="%s" status="%s" previous_status="%s"' % (now, severity, origin, event_id, user, incident_id, job_id, result_id, status, previous_status)
logger.debug("Event will be: %s" % event)
event = event.encode('utf8')
try:
splunk.setDefault('sessionKey', sessionKey)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'helper.py', index = config['index'])
return self.response('Action logged', httplib.OK)
except Exception as e:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg, httplib.INTERNAL_SERVER_ERROR)
def logAutoAssignEvent(incident_id, job_id, result_id, owner):
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(job_id + now).hexdigest()
event = 'time=%s severity=INFO origin="alert_handler" event_id="%s" user="******" action="change" incident_id="%s" job_id="%s" result_id="%s" owner="%s" previous_owner="unassigned"' % (now, event_id, incident_id, job_id, result_id, owner)
log.debug("Auto assign (owner change) event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_handler.py', index = config['index'])
event = 'time=%s severity=INFO origin="alert_handler" event_id="%s" user="******" action="change" incident_id="%s" job_id="%s" result_id="%s" status="auto_assigned" previous_status="new"' % (now, event_id, incident_id, job_id, result_id)
log.debug("Auto assign (status change) event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_handler.py', index = config['index'])
def createIncidentChangeEvent(event, job_id, index):
now = time.strftime("%Y-%m-%dT%H:%M:%S+0000", time.gmtime())
event_id = hashlib.md5(job_id.encode('utf-8') +
now.encode('utf-8')).hexdigest()
event_prefix = 'time={} event_id="{}" '.format(now, event_id)
event = event_prefix + event
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='alert_handler.py',
index=index)
def writeRiskScoringEventToIndex(risk_id, alert, job_id, risk_object_type, risk_object, risk_score , current_risk_score):
log.info("Attempting Risk Scoring Event write to index=%s" % config['index'])
now = datetime.datetime.now().isoformat()
risk_score = risk_score + current_risk_score
if (risk_score < 0):
risk_score = 0
risk_scoring_event=('time="%s" risk_id="%s" alert="%s" job_id="%s" action="update_risk_score" risk_object_type="%s" risk_object="%s" risk_score="%s" previous_risk_score="%s"' % (now, risk_id, alert, job_id, risk_object_type, risk_object, risk_score , current_risk_score))
input.submit(risk_scoring_event, hostname = socket.gethostname(), sourcetype = 'risk_scoring', source = 'risk_handler.py', index = config['index'])
log.info("Risk Scoring Event written to index=%s" % config['index'])
def stream(self, records):
#self.logger.debug('ModifyIncidentsCommand: {}'.format(self)) # logs command line
user = self._input_header.get('owner')
sessionKey = self._input_header.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
#
# Get global settings
#
sessionKey = self._input_header.get('sessionKey')
self.config['index'] = 'main'
restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
self.config['index'] = restconfig['settings']['index']
self.logger.debug("Global settings: {}".format(self.config))
self.logger.debug("Started")
for record in records:
if 'incident_id' in record:
attrs = {}
if self.status:
attrs.update({"status": self.status})
if self.owner:
attrs.update({"owner": self.owner})
if self.urgency:
attrs.update({"urgency": self.urgency})
self.logger.debug("Attrs: {}".format(attrs))
if len(attrs) > 0 or self.comment:
# Get incident
query = {}
query['incident_id'] = record['incident_id']
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query={}'.format(urllib.parse.quote(json.dumps(query)))
serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
incident = json.loads(incident.decode('utf-8'))
self.logger.debug("Read incident from collection: {}".format(json.dumps(incident[0])))
now = time.strftime("%Y-%m-%dT%H:%M:%S+0000", time.gmtime())
changed_keys = []
for key in incident[0].keys():
if (key in attrs) and (incident[0][key] != attrs[key]):
changed_keys.append(key)
event_id = hashlib.md5(incident[0]['incident_id'].encode('utf-8') + now.encode('utf-8')).hexdigest()
event = 'time="{}" severity=INFO origin="ModifyIncidentsCommand" event_id="{}" user="******" action="change" incident_id="{}" {}="{}" previous_{}="{}"'.format(now, event_id, user, incident[0]['incident_id'], key, attrs[key], key, incident[0][key])
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'modifyincidents.py', index = self.config['index'])
incident[0][key] = attrs[key]
if len(changed_keys) > 0:
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[0]['_key']
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
if self.comment:
self.comment = self.comment.replace('\n', '<br />').replace('\r', '')
event_id = hashlib.md5(incident[0]['incident_id'].encode('utf-8') + now.encode('utf-8')).hexdigest()
event = 'time="{}" severity=INFO origin="ModifyIncidentsCommand" event_id="{}" user="******" action="comment" incident_id="{}" comment="{}"'.format(now, event_id, user, incident[0]['incident_id'], self.comment)
event = event.encode('utf8')
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'modifyincidents.py', index = self.config['index'])
else:
self.logger.warn("No attributes to modify found, aborting.")
else:
self.logger.warn("No incident_id field found in event, aborting.")
yield record
if len(incidents) > 0:
log.info("Found %s incidents of alert %s to check for reached ttl..." % (len(incidents), alert['alert']))
for incident in incidents:
log.info("Checking incident: %s" % incident['incident_id'])
if (incident['alert_time'] + incident['ttl']) <= time.time():
log.info("Incident %s (%s) should be resolved. alert_time=%s ttl=%s now=%s" % (incident['incident_id'], incident['_key'], incident['alert_time'], incident['ttl'], time.time()))
old_status = incident['status']
incident['status'] = 'auto_ttl_resolved'
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/%s' % incident['_key']
incidentStr = json.dumps(incident)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=incidentStr)
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
log.debug("event_id=%s now=%s" % (event_id, now))
event = 'time=%s severity=INFO origin="alert_manager_scheduler" event_id="%s" user="******" action="auto_ttl_resolve" previous_status="%s" status="auto_ttl_resolved" incident_id="%s"' % (now, event_id, old_status, incident['incident_id'])
log.debug("Event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_manager_scheduler.py', index = config['index'])
else:
log.info("Incident %s has not ttl reached yet." % incident['incident_id'])
else:
log.info("No incidents of alert %s to check for reached ttl." % alert['alert'])
# TODO: Addtl. scheduler scenarios
end = time.time()
duration = round((end-start), 3)
log.info("Alert manager scheduler finished. duration=%ss" % duration)
def _update_item(self, sessionKey, user, post_data):
logger.debug("START _update_item()")
logger.debug('post_data: %s', post_data)
required = ['item_data']
missing = [r for r in required if r not in post_data]
if missing:
return self.response("Missing required arguments: %s" % missing,
httplib.BAD_REQUEST)
item_data = post_data.pop('item_data')
item_data = json.loads(item_data)
logger.debug("item_data: %s" % item_data)
splunk.setDefault('sessionKey', sessionKey)
required = ['_key', 'id']
missing = [r for r in required if r not in item_data]
if len(missing) > 1:
return self.response("Missing required arguments: %s" % missing,
httplib.BAD_REQUEST)
items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items?output_mode=json'
# Get item json
serverResponse, serverContent = rest.simpleRequest(
items_uri, sessionKey=sessionKey, method='GET')
logger.debug("items: %s" % serverContent)
all_items = json.loads(serverContent)
provided_keys = item_data
for item in all_items:
if '_key' in item_data:
if item["_key"] == item_data["_key"]:
updated_item = item
del provided_keys["_key"]
elif 'id' in item_data:
if item["id"] == item_data["id"]:
updated_item = item
del provided_keys["id"]
logger.debug("updated_item: %s" % updated_item)
for key in provided_keys:
updated_item[key] = provided_keys[key]
item_id = updated_item["_key"]
updated_item = json.dumps(updated_item)
logger.debug("updated_item: %s" % updated_item)
items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items/%s' % item_id
# Get incident json
serverResponse, serverContent = rest.simpleRequest(
items_uri,
sessionKey=sessionKey,
jsonargs=updated_item,
method='POST')
logger.debug("items: %s" % serverContent)
if int(serverResponse['status']) == 200:
# Get Index
config = {}
config['index'] = 'main'
config['enable'] = 'false'
restconfig = entity.getEntities('freezer_inventory/settings',
count=-1,
sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['indexing']:
config['index'] = restconfig['indexing']['index']
if 'index' in restconfig['indexing']:
config['enable'] = restconfig['indexing']['enable']
if config['enable'].lower() in ("true", "1"):
event = json.loads(updated_item)
event['action'] = "updated"
event = json.dumps(event)
logger.debug("Event will be: %s" % event)
event = event.encode('utf8')
input.submit(event,
hostname=socket.gethostname(),
sourcetype='freezer:item',
source='items_rest_endpoint.py',
index=config['index'])
logger.debug("Event successfully added")
items = json.loads(serverContent)
return self.response(items, httplib.OK)
def _delete_item(self, sessionKey, query_params):
logger.debug("START _delete_item()")
required = ['_key', 'id']
missing = [r for r in required if r not in query_params]
if len(missing) > 1:
return self.response("Missing a required argument: %s" % missing,
httplib.BAD_REQUEST)
splunk.setDefault('sessionKey', sessionKey)
if '_key' in query_params:
item_id = query_params.pop('_key')
else:
item_id = query_params.pop('id')
all_items = self._get_items(sessionKey, query_params)
logger.debug("all_items: %s" % all_items)
for item in all_items['payload']:
if item['id'] == item_id:
item_id = item['_key']
items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items/%s' % item_id
logger.debug("items_uri: %s" % items_uri)
items = {'_key': item_id, 'action': "removed"}
# Get item json
serverResponse, serverContent = rest.simpleRequest(
items_uri, sessionKey=sessionKey, method='DELETE')
if int(serverResponse['status']) == 200:
# Get Index
config = {}
config['index'] = 'main'
config['enable'] = 'false'
restconfig = entity.getEntities('freezer_inventory/settings',
count=-1,
sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['indexing']:
config['index'] = restconfig['indexing']['index']
if 'index' in restconfig['indexing']:
config['enable'] = restconfig['indexing']['enable']
if config['enable'].lower() in ("true", "1"):
event = items
event['action'] = "deleted"
event = json.dumps(event)
logger.debug("Event will be: %s" % event)
event = event.encode('utf8')
input.submit(event,
hostname=socket.gethostname(),
sourcetype='freezer:item',
source='items_rest_endpoint.py',
index=config['index'])
logger.debug("Event successfully added")
logger.debug("items: %s" % json.dumps(items))
return self.response(items, httplib.OK)
def stream(self, records):
#self.logger.debug('ModifyIncidentsCommand: %s', self) # logs command line
user = self._input_header.get('owner')
sessionKey = self._input_header.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
self.logger.debug("Started")
for record in records:
if 'incident_id' in record:
attrs = {}
if self.status:
attrs.update({"status": self.status})
if self.owner:
attrs.update({"owner": self.owner})
if self.urgency:
attrs.update({"urgency": self.urgency})
self.logger.debug("Attrs: %s" % attrs)
if len(attrs) > 0 or self.comment:
# Get incident
query = {}
query['incident_id'] = record['incident_id']
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(
json.dumps(query))
serverResponse, incident = rest.simpleRequest(
uri, sessionKey=sessionKey)
incident = json.loads(incident)
self.logger.debug("Read incident from collection: %s" %
json.dumps(incident[0]))
now = datetime.datetime.now().isoformat()
changed_keys = []
for key in incident[0].keys():
if (key in attrs) and (incident[0][key] != attrs[key]):
changed_keys.append(key)
event_id = hashlib.md5(incident[0]['incident_id'] +
now).hexdigest()
event = 'time=%s severity=INFO origin="ModifyIncidentsCommand" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"' % (
now, event_id, user,
incident[0]['incident_id'], key, attrs[key],
key, incident[0][key])
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='modifyincidents.py',
index='alerts')
incident[0][key] = attrs[key]
if len(changed_keys) > 0:
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[
0]['_key']
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
serverResponse, serverContent = rest.simpleRequest(
uri, sessionKey=sessionKey, jsonargs=contentsStr)
else:
self.logger.warn(
"No changed attributes found, aborting.")
if self.comment:
event_id = hashlib.md5(incident[0]['incident_id'] +
now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (
now, event_id, user, incident[0]['incident_id'],
self.comment)
event = event.encode('utf8')
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='modifyincidents.py',
index='alerts')
else:
self.logger.warn(
"No attributes to modify found, aborting.")
else:
self.logger.warn(
"No incident_id field found in event, aborting.")
yield record
def save(self, contents, **kwargs):
"""
Save the contents of a lookup file
"""
logger.info("Saving incident settings contents...")
user = cherrypy.session['user']['name']
sessionKey = cherrypy.session.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
#
# Get global settings
#
config = {}
config['index'] = 'alerts'
restconfig = entity.getEntities('configs/alert_manager',
count=-1,
sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
logger.debug("Global settings: %s" % config)
# Parse the JSON
contents = json.loads(contents)
logger.debug("Contents: %s" % json.dumps(contents))
# Get key
query = {}
query['job_id'] = contents['job_id']
logger.debug("Filter: %s" % json.dumps(query))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(
json.dumps(query))
serverResponse, incident = rest.simpleRequest(uri,
sessionKey=sessionKey)
logger.debug("Settings for incident: %s" % incident)
incident = json.loads(incident)
# Update incident
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[
0]['_key']
logger.debug("URI for incident update: %s" % uri)
# Prepared new entry
now = datetime.datetime.now().isoformat()
for key in incident[0].keys():
if (key in contents) and (incident[0][key] != contents[key]):
logger.info(
"%s for incident %s changed. Writing change event to index %s."
% (key, incident[0]['job_id'], config['index']))
event_id = hashlib.md5(incident[0]['job_id'] + now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" job_id="%s" %s="%s" previous_%s="%s" comment="%s"' % (
now, event_id, user, incident[0]['job_id'], key,
contents[key], key, incident[0][key], contents['comment'])
logger.debug("Event will be: %s" % event)
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='incident_settings.py',
index=config['index'])
incident[0][key] = contents[key]
else:
logger.info("%s for incident %s didn't change." %
(key, incident[0]['job_id']))
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
logger.debug("content for update: %s" % contentsStr)
serverResponse, serverContent = rest.simpleRequest(
uri, sessionKey=sessionKey, jsonargs=contentsStr)
logger.debug("Response from update incident entry was %s " %
serverResponse)
return 'Data has been saved'
def _do_update_incidents(self, sessionKey, config, eh, incident_data,
user):
# Get key
query = {}
logger.debug("Filter: {}".format(json.dumps(query)))
logger.info("_do_update_incidents")
logger.debug("incident_data: {}".format(incident_data))
incident_ids = incident_data.pop('incident_ids')
# Prepared new entry
now = datetime.datetime.now().isoformat()
# Setting a filter batch size of max. 100 incidents
filter_batchsize = 100
incidents = []
for i in range(0, len(incident_ids), filter_batchsize):
filter_batch = incident_ids[i:i + filter_batchsize]
filter = ''
for incident_id in filter_batch:
filter += ' {{"incident_id": "{}"}},'.format(incident_id)
# Remove last commma for valid json
filter = filter[:-1]
logger.debug("filter: {}".format(filter))
query = '{"$or": [' + filter + ']}'
logger.info("Incident filter query starting:")
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query={}'.format(
urllib.parse.quote(query))
serverResponse, incident_batch = rest.simpleRequest(
uri, sessionKey=sessionKey)
if serverResponse['status'] == "200":
logger.info("Incident filter query finished successfully:")
else:
logger.info(
"Incident filter query failed: {}".format(serverResponse))
incidents += (json.loads(incident_batch))
logger.info("Number of all incidents: {}".format(len(incidents)))
events = ''
# List of notification
notification = {}
notifications = []
# Loop through all incidents and replace changed keys
for attribute_key, attribute_value in incident_data.items():
logger.debug("Update attribute key: {}".format(attribute_key))
if attribute_key != "comment":
for incident in incidents:
event_id = hashlib.md5(
incident['incident_id'].encode('utf-8') +
now.encode('utf-8')).hexdigest()
event = ''
if (attribute_value != incident.get(attribute_key)):
event = 'time={} severity=INFO origin="incident_posture" event_id="{}" user="******" action="change" incident_id="{}" {}="{}" previous_{}="{}"'.format(
now, event_id, user, incident['incident_id'],
attribute_key, attribute_value, attribute_key,
incident.get(attribute_key))
# Event handling cases for owner and status changes
if attribute_key == "owner":
notification['incident'] = incident['incident_id']
notification['alert'] = incident["alert"]
notification['event'] = "incident_assigned"
notifications.append(notification.copy())
elif attribute_key == "status" and attribute_value == "resolved":
notification['incident'] = incident['incident_id']
notification['alert'] = incident["alert"]
notification['event'] = "incident_resolved"
notifications.append(notification.copy())
else:
notification['incident'] = incident['incident_id']
notification['alert'] = incident["alert"]
notification['event'] = "incident_changed"
notifications.append(notification.copy())
# Replace old value
incident[attribute_key] = attribute_value
# Send log event to index
if (event != ''):
events += event + "\n"
# Reset event
else:
event = ''
notification = {}
# Logging and event handling cases for comments
elif attribute_key == "comment" and attribute_value != "":
for incident in incidents:
event_id = hashlib.md5(
incident['incident_id'].encode('utf-8') +
now.encode('utf-8')).hexdigest()
event = ''
event = 'time={} severity=INFO origin="incident_posture" event_id="{}" user="******" action="comment" incident_id="{}" comment="{}"'.format(
now, event_id, user, incident['incident_id'],
attribute_value)
notification['incident'] = incident['incident_id']
notification['alert'] = incident["alert"]
notification['event'] = "incident_commented"
notifications.append(notification.copy())
logger.debug("Comment event will be: {}".format(event))
# Send log event to index
if (event != ''):
if type(event) == 'byte':
event = event.decode("utf-8")
events += event + "\n"
notification = {}
logger.debug("Events: {}".format(events))
if events != '':
input.submit(events,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='incident_settings.py',
index=config['index'])
logger.debug("Notifications: {}".format(notifications))
self._send_notifications(sessionKey, eh, notifications)
# Setting a batch size of max. 1000 incidents
batchsize = 1000
incident_batch_counter = 0
for i in range(0, len(incidents), batchsize):
incident_batch = incidents[i:i + batchsize]
# Finally batch save updated incidents
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/batch_save'
logger.info("Batchsave starting")
serverResponse, serverContent = rest.simpleRequest(
uri,
sessionKey=sessionKey,
method='POST',
jsonargs=json.dumps(incident_batch))
logger.debug("Batchsave serverResponse: {}".format(serverResponse))
logger.debug("Batchsave serverResponse Status: {}".format(
serverResponse['status']))
logger.debug("Batchsave serverContent: {}".format(
serverContent.decode('utf-8')))
logger.info("Batchsave serverContent incident count: {}".format(
len(json.loads(serverContent.decode('utf-8')))))
if serverResponse['status'] == "200":
logger.info("Batchsave finished successfully")
else:
logger.info(
"Batchsave finished failed: {}".format(serverResponse))
incident_batch_counter += len(incident_batch)
logger.info("Bulk update total of {} incidents finished".format(
incident_batch_counter))
logger.debug("Updated incidents: {}".format(incidents))
logger.info("Bulk update finished")
def _do_update_incident(self, sessionKey, config, eh, incident_id,
incident_data, user):
# Get key
query = {}
query['incident_id'] = incident_id
logger.debug("Filter: {}".format(json.dumps(query)))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query={}'.format(
urllib.parse.quote(json.dumps(query)))
serverResponse, incident = rest.simpleRequest(uri,
sessionKey=sessionKey)
logger.debug("Settings for incident: {}".format(
incident.decode('utf-8')))
incident = json.loads(incident)
# Update incident
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[
0]['_key']
logger.debug("URI for incident update: {}".format(uri))
# Prepared new entry
now = datetime.datetime.now().isoformat()
changed_keys = []
# Add synthetic group_id if attribute is still null in incident[0] dict
if 'group_id' not in incident[0] and 'group_id' in incident_data:
incident[0]['group_id'] = ''
for key in list(incident[0].keys()):
if (key in incident_data) and (incident[0][key] !=
incident_data[key]):
changed_keys.append(key)
logger.info(
"{} for incident {} changed. Writing change event to index {}."
.format(key, incident[0]['incident_id'], config['index']))
event_id = hashlib.md5(
incident[0]['incident_id'].encode('utf-8') +
now.encode('utf-8')).hexdigest()
event = 'time={} severity=INFO origin="incident_posture" event_id="{}" user="******" action="change" incident_id="{}" {}="{}" previous_{}="{}"'.format(
now, event_id, user, incident[0]['incident_id'], key,
incident_data[key], key, incident[0][key])
logger.debug("Change event will be: {}".format(event))
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='incident_settings.py',
index=config['index'])
incident[0][key] = incident_data[key]
# Set flag to prevent manual owner/urgency override to be overwritten by subsequent alerts
if key == "owner":
incident[0]['preserve_owner'] = True
logger.info('preserve_owner')
elif key == "urgency":
incident[0]['preserve_urgency'] = True
logger.info('preserve_urgency')
else:
logger.info("{} for incident {} didn't change.".format(
key, incident[0]['incident_id']))
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
logger.debug("content for update: {}".format(contentsStr))
serverResponse, serverContent = rest.simpleRequest(
uri, sessionKey=sessionKey, jsonargs=contentsStr)
logger.debug("Response from update incident entry was {} ".format(
serverResponse))
logger.debug("Changed keys: {}".format(changed_keys))
if len(changed_keys) > 0:
ic = IncidentContext(sessionKey, incident_id)
if "owner" in changed_keys:
eh.handleEvent(alert=incident[0]["alert"],
event="incident_assigned",
incident=incident[0],
context=ic.getContext())
elif "status" in changed_keys and incident_data[
"status"] == "resolved":
eh.handleEvent(alert=incident[0]["alert"],
event="incident_resolved",
incident=incident[0],
context=ic.getContext())
else:
eh.handleEvent(alert=incident[0]["alert"],
event="incident_changed",
incident=incident[0],
context=ic.getContext())
if incident_data['comment'] != "":
incident_data['comment'] = incident_data['comment'].replace(
'\n', '<br />').replace('\r', '')
event_id = hashlib.md5(incident[0]['incident_id'].encode('utf-8') +
now.encode('utf-8')).hexdigest()
event = 'time={} severity=INFO origin="incident_posture" event_id="{}" user="******" action="comment" incident_id="{}" comment="{}"'.format(
now, event_id, user, incident[0]['incident_id'],
incident_data['comment'])
logger.debug("Comment event will be: {}".format(event))
event = event.encode('utf8')
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='incident_settings.py',
index=config['index'])
ic = IncidentContext(sessionKey, incident_id)
eh.handleEvent(alert=incident[0]["alert"],
event="incident_commented",
incident=incident[0],
context=ic.getContext())
query = '{"job_id":"%s"}' % job_id
log.debug("Filter: %s" % query)
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(
query)
log.debug("Incident query: %s" % uri)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
incident_list = json.loads(serverContent)
if len(incident_list) == 0:
# Write alert metadata to index
log.info("Attempting Alert metadata write to index=%s" % config['index'])
input.submit(json.dumps(job),
hostname=socket.gethostname(),
sourcetype='alert_metadata',
source='alert_handler.py',
index=config['index'])
log.info("Alert metadata written to index=%s" % config['index'])
#if config['save_results'] == 0:
# # Get alert results
# job = search.getJob(job_id, sessionKey=sessionKey, message_level='warn')
# feed = job.getFeed(mode='results', outputMode='json')
# feed = json.loads(feed)
# feed['job_id'] = job_id
# feed['published'] = alert_time
#
# # Write results to index
# input.submit(json.dumps(feed), hostname = socket.gethostname(), sourcetype = 'alert_results', source = 'alert_handler.py', index = config['index'])
# log.info("Alert results written to index=%s" % config['index'])
def _create_new_incident(self, sessionKey, user, post_data):
logger.debug("START _create_new_incident()")
logger.debug("post_data: {}".format(post_data))
config = {}
config['index'] = 'main'
config['collect_data_results'] = False
config['index_data_results'] = False
# Get config data
restconfig = entity.getEntities('configs/alert_manager',
count=-1,
sessionKey=sessionKey)
if len(restconfig) > 0:
# Get index
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
# Check if results have be written to collection
if 'collect_data_results' in restconfig['settings']:
if restconfig['settings']['collect_data_results'].lower() in (
'1', 'true'):
config['collect_data_results'] = True
else:
config['collect_data_results'] = False
# Check if results have be indexed
if 'index_data_results' in restconfig['settings']:
if restconfig['settings']['index_data_results'].lower() in (
'1', 'true'):
config['index_data_results'] = True
else:
config['index_data_results'] = False
logger.info("Global settings: {}".format(config))
# Create timestamp for event
gmtime = time.gmtime()
now = time.strftime("%Y-%m-%dT%H:%M:%S.000+0000", gmtime)
now_epoch = time.strftime("%s", gmtime)
required = ['title', 'urgency', 'impact', 'owner']
missing = [r for r in required if r not in post_data]
if missing:
return self.response(
"Missing required arguments: {}".format(missing),
http.client.BAD_REQUEST)
title = post_data.get('title')
category = post_data.get('category')
subcategory = post_data.get('subcategory')
tags = post_data.get('tags')
urgency = post_data.get('urgency')
impact = post_data.get('impact')
owner = post_data.get('owner')
origin = post_data.get('origin')
group_id = post_data.get('group_id')
fields = post_data.get('fields')
earliest_time = post_data.get('earliest_time')
latest_time = post_data.get('latest_time')
event_search = post_data.get('event_search')
if not category:
category = 'unknown'
if not subcategory:
subcategory = 'unknown'
if not tags:
tags = '[Untagged]'
if not event_search:
event_search = '|noop'
if not earliest_time:
earliest_time = int(now_epoch) - 1
if not latest_time:
latest_time = now
# Field validation and formatting
if fields:
fields = fields.rstrip()
try:
fields = (dict(item.split("=") for item in fields.split("\n")))
# Remove double-quotes
for key, value in fields.items():
fields[key] = value.replace('"', '')
except Exception as e:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg, http.client.INTERNAL_SERVER_ERROR)
# Create unique id
incident_id = str(uuid.uuid4())
# Create event_id
event_id = hashlib.md5(
incident_id.encode('utf-8') + now.encode('utf-8')).hexdigest()
# Defaults
ttl = 3600
alert_time = now
search_name = 'Manual Alert'
result_id = 0
job_id = event_id
alert = title
display_fields = ''
external_reference_id = ''
priority = ''
status = 'new'
app = 'alert_manager'
logger.debug("title: {}".format(title))
# Create metadata event
metadata = '{{"alert":"{}", "alert_time": "{}", "origin": "{}", "app": "{}", "category": "{}", "display_fields": "{}", "entry":[{{"content": "earliestTime": "{}", "eventSearch": "{}","latestTime": "{}"}}], "external_reference_id": "{}", "impact": "{}", "incident_id": "{}", "job_id": "{}", "owner": "{}", "priority": "{}", "result_id": "{}", "subcategory": "{}", "tags": "{}", "title": "{}", "ttl": "{}", "urgency": "{}"}}'.format(
alert, now, origin, app, category, display_fields, earliest_time,
event_search, latest_time, external_reference_id, impact,
incident_id, job_id, owner, priority, result_id, subcategory, tags,
title, ttl, urgency)
logger.debug("Metadata {}".format(metadata))
try:
splunk.setDefault('sessionKey', sessionKey)
input.submit(metadata,
hostname=socket.gethostname(),
sourcetype='alert_metadata',
source='helper.py',
index=config['index'])
except Exception as e:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg, http.client.INTERNAL_SERVER_ERROR)
# Create incident
entry = {}
entry['title'] = title
entry['category'] = category
entry['subcategory'] = subcategory
entry['tags'] = tags
entry['display_fields'] = display_fields
entry['incident_id'] = incident_id
entry['alert_time'] = now_epoch
entry['job_id'] = job_id
entry['result_id'] = result_id
entry['alert'] = alert
entry['app'] = app
entry['status'] = status
entry['ttl'] = ttl
entry['impact'] = impact
entry['urgency'] = urgency
entry['priority'] = priority
entry['owner'] = owner
entry['search'] = event_search
entry['external_reference_id'] = external_reference_id
entry['group_id'] = group_id
entry = json.dumps(entry, sort_keys=True)
logger.debug("createIncident(): Entry: {}".format(entry))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents'
rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=entry)
# Create incident results
if fields:
field_array = []
field_array.append(fields)
field_list = []
for key in fields:
field_list.append(key)
logger.debug("fields: {}".format(fields))
results = {}
results['incident_id'] = incident_id
results['fields'] = field_array
results['field_list'] = field_list
logger.debug("Entry: {}".format(results))
# Write results to incident_results collection
if config['collect_data_results'] == True:
try:
# Add job_id and result_id to collection
results['job_id'] = job_id
results['result_id'] = result_id
results = json.dumps(results, sort_keys=True)
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incident_results'
rest.simpleRequest(uri,
sessionKey=sessionKey,
jsonargs=results)
logger.info(
"Results for incident_id={} written to collection.".
format(incident_id))
except:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg,
http.client.INTERNAL_SERVER_ERROR)
# Write results to index
if config['index_data_results'] == True:
try:
results = json.dumps(results, sort_keys=True)
input.submit(results,
hostname=socket.gethostname(),
sourcetype='alert_data_results',
source='helper.py',
index=config['index'])
logger.info(
"Results for incident_id={} written to index.".format(
incident_id))
except:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg,
http.client.INTERNAL_SERVER_ERROR)
# Create incident_change events
event = 'time={} event_id={} severity=INFO origin="alert_handler" user="******" action="create" alert="{}" incident_id="{}" job_id="{}" result_id="{}" owner="{}" status="new" urgency="{}" ttl="{}" alert_time="{}"'.format(
now, event_id, user, search_name, incident_id, job_id, result_id,
owner, urgency, ttl, alert_time)
logger.debug("Event will be: {}".format(event))
event = event.encode('utf8')
try:
splunk.setDefault('sessionKey', sessionKey)
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='helper.py',
index=config['index'])
return self.response('Action logged', http.client.OK)
except Exception as e:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg, http.client.INTERNAL_SERVER_ERROR)
return self.response('Action logged', http.client.OK)
def save(self, contents, **kwargs):
"""
Save the contents of a lookup file
"""
logger.info("Saving incident settings contents...")
user = cherrypy.session['user']['name']
sessionKey = cherrypy.session.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
#
# Get global settings
#
config = {}
config['index'] = 'alerts'
restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
logger.debug("Global settings: %s" % config)
# Parse the JSON
contents = json.loads(contents)
logger.debug("Contents: %s" % json.dumps(contents))
# Get key
query = {}
query['incident_id'] = contents['incident_id']
logger.debug("Filter: %s" % json.dumps(query))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
logger.debug("Settings for incident: %s" % incident)
incident = json.loads(incident)
# Update incident
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[0]['_key']
logger.debug("URI for incident update: %s" % uri )
# Prepared new entry
now = datetime.datetime.now().isoformat()
for key in incident[0].keys():
if (key in contents) and (incident[0][key] != contents[key]):
logger.info("%s for incident %s changed. Writing change event to index %s." % (key, incident[0]['incident_id'], config['index']))
event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s" comment="%s"' % (now, event_id, user, incident[0]['incident_id'], key, contents[key], key, incident[0][key], contents['comment'])
logger.debug("Event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py', index = config['index'])
incident[0][key] = contents[key]
else:
logger.info("%s for incident %s didn't change." % (key, incident[0]['incident_id']))
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
logger.debug("content for update: %s" % contentsStr)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
logger.debug("Response from update incident entry was %s " % serverResponse)
return 'Data has been saved'
log.info("Checking incident: %s" % incident['incident_id'])
if (incident['alert_time'] + incident['ttl']) <= time.time():
log.info("Incident %s (%s) should be resolved. alert_time=%s ttl=%s now=%s" % (incident['incident_id'], incident['_key'], incident['alert_time'], incident['ttl'], time.time()))
old_status = incident['status']
incident['status'] = 'auto_ttl_resolved'
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/%s' % incident['_key']
incidentStr = json.dumps(incident)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=incidentStr)
now = datetime.datetime.now().isoformat()
event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
log.debug("event_id=%s now=%s" % (event_id, now))
event = 'time=%s severity=INFO origin="alert_manager_scheduler" event_id="%s" user="******" action="auto_ttl_resolve" previous_status="%s" status="auto_ttl_resolved" incident_id="%s"' % (now, event_id, old_status, incident['incident_id'])
log.debug("Event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_manager_scheduler.py', index = config['index'])
ic = IncidentContext(sessionKey, incident["incident_id"])
eh.handleEvent(alert=alert["name"], event="incident_auto_ttl_resolved", incident={"owner": incident["owner"]}, context=ic.getContext())
else:
log.info("Incident %s has not ttl reached yet." % incident['incident_id'])
else:
log.info("No incidents of alert %s to check for reached ttl." % alert['name'])
log.debug('Alert "%s" is not configured for auto_ttl_resolve, skipping...' % alert['name'])
#
# Look for auto_suppress_resolve incidents
#
query = {}
query['auto_suppress_resolve'] = True
log.debug("Filter: %s" % json.dumps(query))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incident_settings?query=%s' % urllib.quote(json.dumps(query))
def _update_incident(self, sessionKey, user, post_data):
logger.debug("START _update_incident()")
required = ['incident_data']
missing = [r for r in required if r not in post_data]
if missing:
return self.response("Missing required arguments: %s" % missing,
httplib.BAD_REQUEST)
incident_data = post_data.pop('incident_data')
splunk.setDefault('sessionKey', sessionKey)
eh = EventHandler(sessionKey=sessionKey)
config = {}
config['index'] = 'main'
restconfig = entity.getEntities('configs/alert_manager',
count=-1,
sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
logger.debug("Global settings: %s" % config)
# Parse the JSON
incident_data = json.loads(incident_data)
# Get key
query = {}
query['incident_id'] = incident_data['incident_id']
logger.debug("Filter: %s" % json.dumps(query))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(
json.dumps(query))
serverResponse, incident = rest.simpleRequest(uri,
sessionKey=sessionKey)
logger.debug("Settings for incident: %s" % incident)
incident = json.loads(incident)
# Update incident
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[
0]['_key']
logger.debug("URI for incident update: %s" % uri)
# Prepared new entry
now = datetime.datetime.now().isoformat()
changed_keys = []
for key in incident[0].keys():
if (key in incident_data) and (incident[0][key] !=
incident_data[key]):
changed_keys.append(key)
logger.info(
"%s for incident %s changed. Writing change event to index %s."
% (key, incident[0]['incident_id'], config['index']))
event_id = hashlib.md5(incident[0]['incident_id'] +
now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"' % (
now, event_id, user, incident[0]['incident_id'], key,
incident_data[key], key, incident[0][key])
logger.debug("Change event will be: %s" % event)
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='incident_settings.py',
index=config['index'])
incident[0][key] = incident_data[key]
else:
logger.info("%s for incident %s didn't change." %
(key, incident[0]['incident_id']))
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
logger.debug("content for update: %s" % contentsStr)
serverResponse, serverContent = rest.simpleRequest(
uri, sessionKey=sessionKey, jsonargs=contentsStr)
logger.debug("Response from update incident entry was %s " %
serverResponse)
logger.debug("Changed keys: %s" % changed_keys)
if len(changed_keys) > 0:
ic = IncidentContext(sessionKey, incident_data['incident_id'])
if "owner" in changed_keys:
eh.handleEvent(alert=incident[0]["alert"],
event="incident_assigned",
incident=incident[0],
context=ic.getContext())
elif "status" in changed_keys and incident_data[
"status"] == "resolved":
eh.handleEvent(alert=incident[0]["alert"],
event="incident_resolved",
incident=incident[0],
context=ic.getContext())
else:
eh.handleEvent(alert=incident[0]["alert"],
event="incident_changed",
incident=incident[0],
context=ic.getContext())
if incident_data['comment'] != "":
incident_data['comment'] = incident_data['comment'].replace(
'\n', '<br />').replace('\r', '')
event_id = hashlib.md5(incident[0]['incident_id'] +
now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (
now, event_id, user, incident[0]['incident_id'],
incident_data['comment'])
logger.debug("Comment event will be: %s" % event)
event = event.encode('utf8')
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='incident_settings.py',
index=config['index'])
ic = IncidentContext(sessionKey, incident_data['incident_id'])
eh.handleEvent(alert=incident[0]["alert"],
event="incident_commented",
incident=incident[0],
context=ic.getContext())
return self.response('Successfully updated incident.', httplib.OK)
def save(self, contents, **kwargs):
logger.info("Saving incident settings contents...")
user = cherrypy.session["user"]["name"]
sessionKey = cherrypy.session.get("sessionKey")
splunk.setDefault("sessionKey", sessionKey)
eh = EventHandler(sessionKey=sessionKey)
config = {}
config["index"] = "alerts"
restconfig = entity.getEntities("configs/alert_manager", count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if "index" in restconfig["settings"]:
config["index"] = restconfig["settings"]["index"]
logger.debug("Global settings: %s" % config)
# Parse the JSON
contents = json.loads(contents)
logger.debug("Contents: %s" % json.dumps(contents))
# Get key
query = {}
query["incident_id"] = contents["incident_id"]
logger.debug("Filter: %s" % json.dumps(query))
uri = "/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s" % urllib.quote(
json.dumps(query)
)
serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
logger.debug("Settings for incident: %s" % incident)
incident = json.loads(incident)
# Update incident
uri = "/servicesNS/nobody/alert_manager/storage/collections/data/incidents/" + incident[0]["_key"]
logger.debug("URI for incident update: %s" % uri)
# Prepared new entry
now = datetime.datetime.now().isoformat()
changed_keys = []
for key in incident[0].keys():
if (key in contents) and (incident[0][key] != contents[key]):
changed_keys.append(key)
logger.info(
"%s for incident %s changed. Writing change event to index %s."
% (key, incident[0]["incident_id"], config["index"])
)
event_id = hashlib.md5(incident[0]["incident_id"] + now).hexdigest()
event = (
'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"'
% (now, event_id, user, incident[0]["incident_id"], key, contents[key], key, incident[0][key])
)
logger.debug("Change event will be: %s" % event)
input.submit(
event,
hostname=socket.gethostname(),
sourcetype="incident_change",
source="incident_settings.py",
index=config["index"],
)
incident[0][key] = contents[key]
else:
logger.info("%s for incident %s didn't change." % (key, incident[0]["incident_id"]))
del incident[0]["_key"]
contentsStr = json.dumps(incident[0])
logger.debug("content for update: %s" % contentsStr)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
logger.debug("Response from update incident entry was %s " % serverResponse)
logger.debug("Changed keys: %s" % changed_keys)
if len(changed_keys) > 0:
ic = IncidentContext(sessionKey, contents["incident_id"])
if "owner" in changed_keys:
eh.handleEvent(
alert=incident[0]["alert"], event="incident_assigned", incident=incident[0], context=ic.getContext()
)
elif "status" in changed_keys and contents["status"] == "resolved":
eh.handleEvent(
alert=incident[0]["alert"], event="incident_resolved", incident=incident[0], context=ic.getContext()
)
else:
eh.handleEvent(
alert=incident[0]["alert"], event="incident_changed", incident=incident[0], context=ic.getContext()
)
if contents["comment"] != "":
event_id = hashlib.md5(incident[0]["incident_id"] + now).hexdigest()
event = (
'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"'
% (now, event_id, user, incident[0]["incident_id"], contents["comment"])
)
logger.debug("Comment event will be: %s" % event)
event = event.encode("utf8")
input.submit(
event,
hostname=socket.gethostname(),
sourcetype="incident_change",
source="incident_settings.py",
index=config["index"],
)
return "Done"
def save(self, contents, **kwargs):
logger.info("Saving incident settings contents...")
user = cherrypy.session['user']['name']
sessionKey = cherrypy.session.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
eh = EventHandler(sessionKey = sessionKey)
config = {}
config['index'] = 'alerts'
restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
logger.debug("Global settings: %s" % config)
# Parse the JSON
contents = json.loads(contents)
logger.debug("Contents: %s" % json.dumps(contents))
# Get key
query = {}
query['incident_id'] = contents['incident_id']
logger.debug("Filter: %s" % json.dumps(query))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
logger.debug("Settings for incident: %s" % incident)
incident = json.loads(incident)
# Update incident
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[0]['_key']
logger.debug("URI for incident update: %s" % uri )
# Prepared new entry
now = datetime.datetime.now().isoformat()
changed_keys = []
for key in incident[0].keys():
if (key in contents) and (incident[0][key] != contents[key]):
changed_keys.append(key)
logger.info("%s for incident %s changed. Writing change event to index %s." % (key, incident[0]['incident_id'], config['index']))
event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"' % (now, event_id, user, incident[0]['incident_id'], key, contents[key], key, incident[0][key])
logger.debug("Change event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py', index = config['index'])
incident[0][key] = contents[key]
else:
logger.info("%s for incident %s didn't change." % (key, incident[0]['incident_id']))
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
logger.debug("content for update: %s" % contentsStr)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
logger.debug("Response from update incident entry was %s " % serverResponse)
logger.debug("Changed keys: %s" % changed_keys)
if len(changed_keys) > 0:
ic = IncidentContext(sessionKey, contents['incident_id'])
if "owner" in changed_keys:
eh.handleEvent(alert=incident[0]["alert"], event="incident_assigned", incident=incident[0], context=ic.getContext())
elif "status" in changed_keys and contents["status"] == "resolved":
eh.handleEvent(alert=incident[0]["alert"], event="incident_resolved", incident=incident[0], context=ic.getContext())
else:
eh.handleEvent(alert=incident[0]["alert"], event="incident_changed", incident=incident[0], context=ic.getContext())
if contents['comment'] != "":
event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (now, event_id, user, incident[0]['incident_id'], contents['comment'])
logger.debug("Comment event will be: %s" % event)
event = event.encode('utf8')
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py', index = config['index'])
return 'Done'
def _write_log_entry(self, sessionKey, user, post_data):
logger.debug("START _write_log_entry()")
required = ['incident_id', 'log_action', 'origin']
missing = [r for r in required if r not in post_data]
if missing:
return self.response(
"Missing required arguments: {}".format(missing),
http.client.BAD_REQUEST)
incident_id = post_data.pop('incident_id')
log_action = post_data.pop('log_action')
comment = post_data.get('comment', '')
origin = post_data.get('origin', '')
severity = post_data.get('severity', 'INFO')
owner = post_data.get('owner', '')
previous_owner = post_data.get('previous_owner', '')
status = post_data.get('status', '')
previous_status = post_data.get('previous_status', '')
job_id = post_data.get('job_id', '')
result_id = post_data.get('result_id', '')
now = datetime.datetime.now().isoformat()
# Get Index
config = {}
config['index'] = 'main'
restconfig = entity.getEntities('configs/alert_manager',
count=-1,
sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
comment = comment.replace('\n', '<br />').replace('\r', '')
event_id = hashlib.md5(
incident_id.encode('utf-8') + now.encode('utf-8')).hexdigest()
event = ''
if (log_action == "comment"):
event = 'time={} severity="{}" origin="{}" event_id="{}" user="******" action="comment" incident_id="{}" comment="{}"'.format(
now, severity, origin, event_id, user, incident_id, comment)
elif (log_action == "change"):
event = 'time={} severity="{}" origin="{}" event_id="{}" user="******" action="change" incident_id="{}" job_id="{}" result_id="{}" status="{}" previous_status="{}"'.format(
now, severity, origin, event_id, user, incident_id, job_id,
result_id, status, previous_status)
logger.debug("Event will be: {}".format(event))
event = event.encode('utf8')
try:
splunk.setDefault('sessionKey', sessionKey)
input.submit(event,
hostname=socket.gethostname(),
sourcetype='incident_change',
source='helper.py',
index=config['index'])
return self.response('Action logged', http.client.OK)
except Exception as e:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg, http.client.INTERNAL_SERVER_ERROR)
def _add_item(self, sessionKey, user, post_data):
logger.debug("START _add_item()")
logger.debug('post_data: %s', post_data)
required = ['item_data']
missing = [r for r in required if r not in post_data]
if missing:
return self.response("Missing required arguments: %s" % missing,
httplib.BAD_REQUEST)
item_data = post_data.pop('item_data')
splunk.setDefault('sessionKey', sessionKey)
# Parse the JSON
#item_data = json.loads(item_data)
#logger.debug('item_data: %s', item_data)
items_uri = '/servicesNS/nobody/FreezerInventoryAppForSplunk/storage/collections/data/items'
# Get incident json
serverResponse, serverContent = rest.simpleRequest(
items_uri,
sessionKey=sessionKey,
jsonargs=item_data,
method='POST')
logger.debug("response: %s" % serverResponse)
logger.debug("item: %s" % serverContent)
item = json.loads(serverContent)
if int(serverResponse['status']) == 201:
# Get Index
config = {}
config['index'] = 'main'
config['enable'] = 'false'
restconfig = entity.getEntities('freezer_inventory/settings',
count=-1,
sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['indexing']:
config['index'] = restconfig['indexing']['index']
if 'index' in restconfig['indexing']:
config['enable'] = restconfig['indexing']['enable']
if config['enable'].lower() in ("true", "1"):
event = json.loads(item_data)
event['action'] = "added"
event['_key'] = item['_key']
event = json.dumps(event)
logger.debug("Event will be: %s" % event)
event = event.encode('utf8')
input.submit(event,
hostname=socket.gethostname(),
sourcetype='freezer:item',
source='items_rest_endpoint.py',
index=config['index'])
logger.debug("Event successfully added")
return self.response(item, httplib.OK)
def stream(self, records):
#self.logger.debug('ModifyIncidentsCommand: %s', self) # logs command line
user = self._input_header.get('owner')
sessionKey = self._input_header.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
#
# Get global settings
#
sessionKey = self._input_header.get('sessionKey')
self.config['index'] = 'main'
restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
self.config['index'] = restconfig['settings']['index']
self.logger.debug("Global settings: %s" % self.config)
self.logger.debug("Started")
for record in records:
if 'incident_id' in record:
attrs = {}
if self.status:
attrs.update({"status": self.status})
if self.owner:
attrs.update({"owner": self.owner})
if self.urgency:
attrs.update({"urgency": self.urgency})
self.logger.debug("Attrs: %s" % attrs)
if len(attrs) > 0 or self.comment:
# Get incident
query = {}
query['incident_id'] = record['incident_id']
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
incident = json.loads(incident)
self.logger.debug("Read incident from collection: %s" % json.dumps(incident[0]))
now = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime())
changed_keys = []
for key in incident[0].keys():
if (key in attrs) and (incident[0][key] != attrs[key]):
changed_keys.append(key)
event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
event = 'time="%s" severity=INFO origin="ModifyIncidentsCommand" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"' % (now, event_id, user, incident[0]['incident_id'], key, attrs[key], key, incident[0][key])
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'modifyincidents.py', index = self.config['index'])
incident[0][key] = attrs[key]
if len(changed_keys) > 0:
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[0]['_key']
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
if self.comment:
self.comment = self.comment.replace('\n', '<br />').replace('\r', '')
event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
event = 'time="%s" severity=INFO origin="ModifyIncidentsCommand" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (now, event_id, user, incident[0]['incident_id'], self.comment)
event = event.encode('utf8')
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'modifyincidents.py', index = self.config['index'])
else:
self.logger.warn("No attributes to modify found, aborting.")
else:
self.logger.warn("No incident_id field found in event, aborting.")
yield record
def _update_incident(self, sessionKey, user, post_data):
logger.debug("START _update_incident()")
required = ['incident_data']
missing = [r for r in required if r not in post_data]
if missing:
return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
incident_data = post_data.pop('incident_data')
splunk.setDefault('sessionKey', sessionKey)
eh = EventHandler(sessionKey = sessionKey)
config = {}
config['index'] = 'main'
restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
logger.debug("Global settings: %s" % config)
# Parse the JSON
incident_data = json.loads(incident_data)
# Get key
query = {}
query['incident_id'] = incident_data['incident_id']
logger.debug("Filter: %s" % json.dumps(query))
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(json.dumps(query))
serverResponse, incident = rest.simpleRequest(uri, sessionKey=sessionKey)
logger.debug("Settings for incident: %s" % incident)
incident = json.loads(incident)
# Update incident
uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/' + incident[0]['_key']
logger.debug("URI for incident update: %s" % uri )
# Prepared new entry
now = datetime.datetime.now().isoformat()
changed_keys = []
for key in incident[0].keys():
if (key in incident_data) and (incident[0][key] != incident_data[key]):
changed_keys.append(key)
logger.info("%s for incident %s changed. Writing change event to index %s." % (key, incident[0]['incident_id'], config['index']))
event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="change" incident_id="%s" %s="%s" previous_%s="%s"' % (now, event_id, user, incident[0]['incident_id'], key, incident_data[key], key, incident[0][key])
logger.debug("Change event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py', index = config['index'])
incident[0][key] = incident_data[key]
else:
logger.info("%s for incident %s didn't change." % (key, incident[0]['incident_id']))
del incident[0]['_key']
contentsStr = json.dumps(incident[0])
logger.debug("content for update: %s" % contentsStr)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=contentsStr)
logger.debug("Response from update incident entry was %s " % serverResponse)
logger.debug("Changed keys: %s" % changed_keys)
if len(changed_keys) > 0:
ic = IncidentContext(sessionKey, incident_data['incident_id'])
if "owner" in changed_keys:
eh.handleEvent(alert=incident[0]["alert"], event="incident_assigned", incident=incident[0], context=ic.getContext())
elif "status" in changed_keys and incident_data["status"] == "resolved":
eh.handleEvent(alert=incident[0]["alert"], event="incident_resolved", incident=incident[0], context=ic.getContext())
else:
eh.handleEvent(alert=incident[0]["alert"], event="incident_changed", incident=incident[0], context=ic.getContext())
if incident_data['comment'] != "":
incident_data['comment'] = incident_data['comment'].replace('\n', '<br />').replace('\r', '')
event_id = hashlib.md5(incident[0]['incident_id'] + now).hexdigest()
event = 'time=%s severity=INFO origin="incident_posture" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (now, event_id, user, incident[0]['incident_id'], incident_data['comment'])
logger.debug("Comment event will be: %s" % event)
event = event.encode('utf8')
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'incident_settings.py', index = config['index'])
ic = IncidentContext(sessionKey, incident_data['incident_id'])
eh.handleEvent(alert=incident[0]["alert"], event="incident_commented", incident=incident[0], context=ic.getContext())
return self.response('Successfully updated incident.', httplib.OK)
