def execute(event):
    """Pull the daily log slice for ``event`` and, for non-ad-hoc runs, derive a username.

    Flow as visible here:
      1. For non-ad-hoc events, build the egrep include pattern from the event's IP.
      2. Pull the daily logs through ``ISOLogSource.pullDaily`` (to file; results are
         only collected and returned when the run is not ad hoc).
      3. Non-ad-hoc only: push the written file to Splunk, bisect the results around
         the event time, pick a username from the surrounding lines and print up to
         20 webfilter lines (10 before, 10 after) to stdout.

    Args:
        event: project event object; reads ``adHoc``, ``ip_address``, ``_include``,
            ``_startDate``, ``_endDate``, ``_DT``, ``_baseFilePath``, ``_splunk`` and
            calls ``detectInputCases`` / ``setAttribute`` on it.

    Returns:
        None; results are communicated through ``event.setAttribute`` and stdout.

    NOTE(review): block nesting was reconstructed from a whitespace-collapsed source;
    confirm it against the original file before relying on this layout.
    """
    if not event.adHoc:
        if hasattr(event, "ip_address"):
            # trailingChar="\\b" presumably appends a regex word boundary — confirm in detectInputCases
            event._include = event.detectInputCases(event.ip_address, yes=True, trailingChar="\\b")
        else:
            # NOTE(review): bare ``ip_address`` is not defined in this function; unless it is a
            # module-level name, this branch raises NameError. Decide what a missing
            # event.ip_address should mean (skip the pull? raise a clear error?) and fix.
            event._include = event.detectInputCases(ip_address, yes=True, trailingChar="\\b")
    ils = ISOLogSource(event)
    if event.adHoc:
        # Ad-hoc run: write the output file only, nothing is collected or returned.
        # event._include must already be set by the caller in this path — it is only
        # assigned above for non-ad-hoc events.
        # NOTE(review): egrepInclude ends up in a grep command built by pullDaily; assumes
        # detectInputCases yields a pattern free of shell metacharacters — verify there.
        ils.pullDaily(
            egrepInclude=event._include,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=False,
            collect=False,
            formatter=None,
            retResults=False,
        )
    else:
        # Scheduled run: same pull, but collect the lines so they can be analysed below.
        results = ils.pullDaily(
            egrepInclude=event._include,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=False,
            collect=True,
            formatter=None,
            retResults=True,
        )
        # Ship the file pullDaily just wrote; the name mirrors pullDaily's output naming.
        event._splunk.push(
            sourcetype=confVars.splunkSourcetype,
            filename="%s.%s" % (event._baseFilePath, confVars.outputExtension),
        )
    if not event.adHoc:
        # Split the collected lines into those before and after the event time
        # (getTimeBisect / yearlessTimeExtract are project helpers defined elsewhere).
        before, after = getTimeBisect(event._DT, results, yearlessTimeExtract)
        # "******" is the placeholder used when no user field is present.
        befuser = "******"
        afuser = "******"
        # Walk backwards through ``before`` and forwards through ``after`` in lockstep.
        # NOTE(review): on Python 3 ``map`` stops at the shorter sequence; the ``if bef`` /
        # ``if af`` guards below look written for Python 2's None-padding ``map`` — confirm
        # which interpreter runs this, as the shorter side is silently truncated on 3.
        for bef, af in map(lambda *s: tuple(s), reversed(before), after):
            if bef:
                # key=value tokens of a log line -> dict (tokens without '=' are dropped)
                befDict = dict([y for y in [token.split("=", 1) for token in shlex.split(bef)] if len(y) == 2])
                if "user" in befDict:
                    befuser = befDict["user"]
            if af:
                afDict = dict([y for y in [token.split("=", 1) for token in shlex.split(af)] if len(y) == 2])
                if "user" in afDict:
                    afuser = afDict["user"]
            # NOTE(review): the placeholder "******" is not equal to "guest", so when the first
            # pair carries no user field this records "******" as the username and stops
            # on the first iteration. If the intent is "first real, non-guest user", the
            # placeholder must be excluded from these comparisons as well.
            if befuser != "guest":
                event.setAttribute("username", befuser.lower())
                break
            elif afuser != "guest":
                event.setAttribute("username", afuser.lower())
                break
        print("")
        # Up to 10 unique webfilter lines before and 10 after the event time.
        stdOutLines = uniq([x for x in before if "type=utm" in x if "subtype=webfilter" in x])[-10:]
        stdOutLines.extend(uniq([x for x in after if "type=utm" in x if "subtype=webfilter" in x])[:10])
        for line in stdOutLines:
            l = dict([y for y in [token.split("=", 1) for token in shlex.split(line)] if len(y) == 2])
            # Fill the optional fields the format string below relies on.
            if "user" not in l:
                l["user"] = "******"
            if "hostname" not in l:
                if "dstip" in l:
                    l["hostname"] = l["dstip"]
                else:
                    l["hostname"] = "-"
            # NOTE(review): date, time, srcip, status and url are not defaulted; a line
            # missing any of them raises KeyError here and aborts the remaining output.
            print("%(date)sT%(time)s %(srcip)s %(user)s %(status)s %(hostname)s%(url)s" % l)
def execute(event):
    """Pull DHCP server log lines for ``event`` and derive hostname / MAC address.

    Flow as visible here:
      1. For non-ad-hoc events, build the egrep include pattern from the event's IP.
      2. Store a custom grep pipeline on the event (``_customDHCPCmd``) that keeps only
         DHCP request/ack/nack/release/offer lines matching that pattern.
      3. Pull the daily logs through ``ISOLogSource.pullDaily`` with ``dhcpFormatter``
         as the output formatter (stdout only for ad-hoc runs).
      4. Non-ad-hoc only: push the written file to Splunk, bisect the results around
         the event time, set ``hostname`` from the nearest preceding line that carries
         one, and set ``mac_address`` from the nearest DHCPACK for the event's IP.

    Args:
        event: project event object; reads ``adHoc``, ``ip_address``, ``_include``,
            ``_startDate``, ``_endDate``, ``_DT``, ``_baseFilePath``, ``_splunk`` and
            calls ``detectInputCases`` / ``setAttribute`` on it.

    Returns:
        None; results are communicated through ``event.setAttribute``.

    NOTE(review): block nesting was reconstructed from a whitespace-collapsed source;
    confirm it against the original file before relying on this layout.
    """
    if not event.adHoc:
        if hasattr(event, "ip_address"):
            # trailingChar="\\b" presumably appends a regex word boundary — confirm in detectInputCases
            event._include = event.detectInputCases(event.ip_address, yes=True, trailingChar="\\b")
        else:
            # NOTE(review): bare ``ip_address`` is not defined in this function; unless it is a
            # module-level name, this branch raises NameError. Decide what a missing
            # event.ip_address should mean and fix.
            event._include = event.detectInputCases(ip_address, yes=True, trailingChar="\\b")

    def dhcpFormatter(inputText):
        """Render raw DHCP syslog lines as a 'Date/Time  Type  Message' table.

        Each line is split at "]:" (syslog prefix vs. message); the first 15
        characters of the prefix are parsed as "%b %d %H:%M:%S", filler words are
        stripped from the message, anything from "via" onward is dropped, and the
        DHCP verb (text after "DHCP" in the first word) becomes the Type column.
        Duplicate input and output lines are removed with ``uniq``.

        Args:
            inputText: multi-line string of raw log lines.

        Returns:
            The formatted table as a single newline-joined string.

        NOTE(review): a line without "]:" raises IndexError on sline[1], and a first
        word without "DHCP" raises IndexError on the split below — there is no guard.
        """
        remove = ["to ", "for ", "on ", "from "]
        formatted = ["%-20s %-8s %s" % ("Date/Time", "Type", "Message")]
        formatted.append("-" * 80)
        for line in uniq(inputText.splitlines()):
            sline = line.split("]:")
            # Syslog timestamp has no year; the parsed datetime defaults to year 1900.
            time = datetime.datetime.strptime(sline[0][:15], "%b %d %H:%M:%S")
            msg = sline[1].strip()
            for r in remove:
                msg = msg.replace(r, "")
            msg = msg.split("via")[0].split()
            formatted.append(
                "%s %-8s %s" % (time.strftime("%b %d %H:%M:%S"), msg[0].split("DHCP")[1], " ".join(msg[1:]))
            )
        formatted.append("")
        return "\n".join(uniq(formatted))

    def getHostName(inputText):
        """Return the lower-cased hostname from a "(hostname) via" fragment, or None.

        Args:
            inputText: a single raw log line.

        Returns:
            The hostname inside the parentheses, lower-cased, or None when the
            pattern is absent.
        """
        hostname = re.search(r"\([a-zA-Z0-9_\-]+\) via", inputText)
        if hostname:
            return hostname.group().split()[0].strip("()").lower()
        else:
            return None

    # Grep pipeline executed by pullDaily (customCmd below). event._include is interpolated
    # into a double-quoted shell string.
    # NOTE(review): any shell metacharacter (quote, $, backtick) surviving in event._include
    # would change the command, and in the ad-hoc path _include is whatever the caller set.
    # Assumes detectInputCases yields a metacharacter-free regex — verify; otherwise quote
    # the pattern with shlex.quote and drop the surrounding double quotes.
    event.setAttribute(
        "_customDHCPCmd",
        value='egrep "DHCPREQUEST|DHCPACK|DHCPNACK|DHCPRELEASE|DHCPOFFER" | egrep "%s"' % event._include,
    )
    ils = ISOLogSource(event)
    if event.adHoc:
        # Ad-hoc run: formatted output also goes to stdout.
        results = ils.pullDaily(
            egrepInclude=None,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=True,
            collect=True,
            formatter=dhcpFormatter,
            customCmd=event._customDHCPCmd,
            retResults=True,
        )
    else:
        # Scheduled run: identical pull, stdout suppressed.
        results = ils.pullDaily(
            egrepInclude=None,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=False,
            collect=True,
            formatter=dhcpFormatter,
            customCmd=event._customDHCPCmd,
            retResults=True,
        )
    if not event.adHoc:
        # Ship the file pullDaily just wrote; the name mirrors pullDaily's output naming.
        event._splunk.push(
            sourcetype=confVars.splunkSourcetype,
            filename="%s.%s" % (event._baseFilePath, confVars.outputExtension),
        )
        # Split the collected lines into those before and after the event time
        # (getTimeBisect / yearlessTimeExtract are project helpers defined elsewhere).
        before, after = getTimeBisect(event._DT, results, yearlessTimeExtract)
        # Nearest preceding line that names a host wins.
        for line in reversed(before):
            hostname = getHostName(line)
            if hostname:
                event.setAttribute("hostname", hostname)
                break
        # Nearest DHCPACK for this IP, searching backwards first, then forwards.
        # getIPAddress / getMACAddress are project helpers defined elsewhere; the
        # message part after "]:" is passed so the server's own address in the
        # syslog prefix is presumably not matched — confirm.
        # NOTE(review): event.ip_address is read here unconditionally although the
        # hasattr check above allows for its absence.
        for line in reversed(before):
            if "DHCPACK" in line:
                if getIPAddress(line.split("]:")[-1]) == event.ip_address:
                    event.setAttribute("mac_address", getMACAddress(line))
                    return
        for line in after:
            if "DHCPACK" in line:
                if getIPAddress(line.split("]:")[-1]) == event.ip_address:
                    event.setAttribute("mac_address", getMACAddress(line))
                    return