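    def get_headlines_detail(self, headlines, app, user, count, earliest, severity=None, srtd=None):
        """
        Collect alert details for every headline whose saved search has a wanted severity.

        Args:
            headlines: iterable of objects exposing ``alert_name`` and ``message``.
            app, user: namespace passed to ``SavedSearch.build_id``.
            count, srtd: accepted for interface compatibility; not used by the
                code shown here.
            earliest: when not None it is passed through ``self.get_time`` and
                used as a ``trigger_time >`` lower bound on the alert search.
            severity: container of severities to include. None means no
                severity filter; previously ``x in None`` raised TypeError,
                which the broad except turned into a warning for every headline.

        Each matching alert becomes a dict with keys 'message', 'job_id',
        'severity', 'count', 'time' and 'timesince'. A failure while handling
        one headline is logged and that headline is skipped.

        NOTE(review): as shown the accumulated list is never returned; the
        listing appears to be cut off before the sort/return step.
        """
        search_string = ""
        sorted_list = []
        if earliest is not None:
            # earliest is interpolated into a search expression; get_time
            # presumably normalizes it to a timestamp -- confirm callers never
            # pass raw request input straight through.
            search_string = search_string + ' trigger_time > ' + str(self.get_time(earliest))

        for headline in headlines:
            try:
                s = SavedSearch.get(SavedSearch.build_id(headline.alert_name, app, user))
                if severity is not None and s.alert.severity not in severity:
                    continue
                alerts = s.get_alerts()
                if alerts is None:
                    continue
                if search_string:
                    alerts.search(search_string)
                for alert in alerts:
                    sorted_list.append({
                        'message': self.replace_tokens(headline.message, alert.sid),
                        'job_id': alert.sid,
                        'severity': s.alert.severity,
                        'count': alert.triggered_alerts,
                        # '%s' (epoch seconds) is a platform-specific strftime extension.
                        'time': alert.trigger_time.strftime('%s'),
                        'timesince': timesince(alert.trigger_time),
                    })
            except Exception as ex:  # 'as' form is valid on Python 2.6+ and 3
                logger.warning('problem retreiving alerts for saved search %s' % headline.alert_name)
                logger.debug(ex)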
    def isSearchEnabled(searchName, sessionKey):
        """
        Tell whether the saved search named ``searchName`` is enabled.

        Returns True when the search exists and is not disabled, False when
        it exists but is disabled, and None when no such saved search exists
        (``splunk.ResourceNotFound``). Callers must therefore test for None
        explicitly rather than relying on truthiness.
        """
        try:
            found = SavedSearch.get(
                SavedSearch.build_id(searchName, None, None), sessionKey)
        except splunk.ResourceNotFound:
            # Tri-state result: None signals "not found", distinct from False.
            return None
        else:
            return not found.is_disabled
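    def get_headlines_detail(self,
                             headlines,
                             app,
                             user,
                             count,
                             earliest,
                             severity=None,
                             srtd=None):
        """
        Collect alert details for every headline whose saved search has a wanted severity.

        Args:
            headlines: iterable of objects exposing ``alert_name`` and ``message``.
            app, user: namespace passed to ``SavedSearch.build_id``.
            count, srtd: accepted for interface compatibility; not used by the
                code shown here.
            earliest: when not None it is passed through ``self.get_time`` and
                used as a ``trigger_time >`` lower bound on the alert search.
            severity: container of severities to include. None means no
                severity filter; previously ``x in None`` raised TypeError,
                which the broad except turned into a warning for every headline.

        Each matching alert becomes a dict with keys 'message', 'job_id',
        'severity', 'count', 'time' and 'timesince'. A failure while handling
        one headline is logged and that headline is skipped.

        NOTE(review): as shown the accumulated list is never returned; the
        listing appears to be cut off before the sort/return step.
        """
        search_string = ""
        sorted_list = []
        if earliest is not None:
            # earliest is interpolated into a search expression; get_time
            # presumably normalizes it to a timestamp -- confirm callers never
            # pass raw request input straight through.
            search_string = search_string + ' trigger_time > ' + str(
                self.get_time(earliest))

        for headline in headlines:
            try:
                s = SavedSearch.get(
                    SavedSearch.build_id(headline.alert_name, app, user))
                if severity is not None and s.alert.severity not in severity:
                    continue
                alerts = s.get_alerts()
                if alerts is None:
                    continue
                if search_string:
                    alerts.search(search_string)
                for alert in alerts:
                    sorted_list.append({
                        'message': self.replace_tokens(headline.message, alert.sid),
                        'job_id': alert.sid,
                        'severity': s.alert.severity,
                        'count': alert.triggered_alerts,
                        # '%s' (epoch seconds) is a platform-specific strftime extension.
                        'time': alert.trigger_time.strftime('%s'),
                        'timesince': timesince(alert.trigger_time),
                    })
            except Exception as ex:  # 'as' form is valid on Python 2.6+ and 3
                logger.warning('problem retreiving alerts for saved search %s' %
                               headline.alert_name)
                logger.debug(ex)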
def run(*args, **kwargs):
    """
    Report related searches that are missing or disabled while their
    correlation search is enabled.

    Only ``sessionKey`` is read from ``kwargs``; ``args`` is accepted for
    interface compatibility and ignored.

    Returns:
        A list of ``(logging.ERROR, message)`` tuples, one per problem found.
        Empty when every enabled correlation search has all of its related
        searches present and enabled.
    """
    sessionKey = kwargs.get('sessionKey')
    correlation_searches = CorrelationSearch.all(sessionKey=sessionKey)

    # Attribute suffixes under which a correlation search names its related searches.
    related_suffixes = ('', '_0', '_1', '_2', '_3', '_4')

    def isSearchEnabled(searchName, sessionKey):
        """True/False for an existing saved search; None when it does not exist."""
        try:
            found = SavedSearch.get(
                SavedSearch.build_id(searchName, None, None), sessionKey)
        except splunk.ResourceNotFound:
            return None  # Search was not found!
        return not found.is_disabled

    def checkRelatedSearch(main_search, related_search, sessionKey, messages):
        """Append one ERROR message when related_search is missing or disabled."""
        if main_search is None:
            return
        enabled = isSearchEnabled(related_search, sessionKey)
        if enabled is None:
            template = MSG_RELATED_SEARCH_NOT_FOUND
        elif not enabled:
            template = MSG_RELATED_SEARCH_DISABLED
        else:
            return
        messages.append((logging.ERROR,
                         template.format(main_search, related_search)))

    messages = []

    for correlation_search in correlation_searches:
        saved_search = None
        try:
            ## SOLNESS-9934: using owner='nobody' to mitigate false positives as a result of owner differences
            saved_search = SavedSearch.get(
                SavedSearch.build_id(correlation_search.name,
                                     correlation_search.namespace, 'nobody'),
                sessionKey)
        except splunk.ResourceNotFound:
            ## SOLNESS-7123: the manual notable event rule has no saved search by design
            if correlation_search.name != "Manual Notable Event - Rule":
                # Possibly an orphaned correlationsearches.conf stanza.
                messages.append(
                    (logging.ERROR,
                     MSG_CORRELATION_SEARCH_ERR.format(
                         correlation_search.name, correlation_search.namespace,
                         SEARCHLINK_CORRELATION_SEARCH_ERR)))

        # A disabled (or missing) correlation search does not need its related searches.
        if not (saved_search and not saved_search.is_disabled):
            continue

        for suffix in related_suffixes:
            related_name = getattr(correlation_search, 'related_search_name' + suffix)
            if related_name is None:
                continue
            checkRelatedSearch(correlation_search.name, related_name,
                               sessionKey, messages)

    return messages