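    def __init__(self, config_file):
        """Load the configuration and rules files and set up the enabled senders.

        Args:
            config_file: Path handed to ``get_conf`` to populate ``self.conf``.

        ``self.syslog`` and ``self.bot`` are created only when the matching
        ``*_enable`` flag in the config is truthy, so code that touches them
        must check the flag first. ``self.senders`` always lists every send
        method regardless of which integrations are enabled. Progress is
        printed to stdout.
        """
        print('[*] Getting config...')
        self.conf = dict()
        self.get_conf(config_file)
        print('[+] Done!\n')

        # Check if CEF_Syslog is enabled
        if self.conf['cef_syslog_enable']:
            print('[+] Syslog Enabled')
            self.syslog = syslog.Syslog(self.conf['cef_syslog_server'])

        # Check if Telegram is enabled
        if self.conf['telegram_enable']:
            print('[+] Telegram Enabled')
            # 'api' is presumably the bot token; the config file therefore
            # holds a credential and should be permissioned and kept out of
            # logs accordingly.
            self.bot = telepot.Bot(self.conf['api'])

        # Check if Zabbix is enabled
        if self.conf['zabbix_enable']:
            print('[+] Zabbix Enabled')
        print('')

        print('[*] Getting rules...')
        self.get_file_rules()
        print('[+] Done!\n')

        # The context manager closes the handle even when the JSON is
        # malformed; the original open(...).read() never closed it.
        with open(self.conf['rules']) as rules_fh:
            self.rules = json.load(rules_fh)

        # List of all senders, enabled or not
        self.senders = [
            self.send_zabbix, self.send_cef_syslog, self.send_telegram
        ]

        print('[*] A.R.T.L.A.S Started!\n')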
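    def __init__(self, config_file):
        """Load configuration, rules and whitelist, then register the senders.

        Args:
            config_file: Path handed to ``get_conf`` to populate ``self.conf``.

        ``self.syslog`` and ``self.bot`` exist only when the matching
        ``*_enable`` flag is truthy; ``self.senders`` always lists all four
        send methods regardless of which integrations are enabled.
        Progress is printed to stdout.
        """
        print('[*] Getting config...')
        self.conf = dict()
        self.get_conf(config_file)
        print('[+] Done!\n')

        # Check if CEF_Syslog is enabled
        if self.conf['cef_syslog_enable']:
            print('[+] Syslog Enabled')
            self.syslog = syslog.Syslog(self.conf['cef_syslog_server'])

        # Check if Telegram is enabled
        if self.conf['telegram_enable']:
            print('[+] Telegram Enabled')
            # 'api' is presumably the bot token; treat the config file as
            # a secret (file permissions, never echo it to logs).
            self.bot = telepot.Bot(self.conf['api'])

        # Check if Slack is enabled
        if self.conf['slack_enable']:
            print('[+] Slack Enabled')

        # Check if Zabbix is enabled
        if self.conf['zabbix_enable']:
            print('[+] Zabbix Enabled')
            print('Notifications ', self.conf['notifications'])
            print('Advanced ', self.conf['zabbix_advantage_keys'])
        print()

        print('[*] Getting rules...')
        self.get_file_rules()
        print('[+] Done!\n')

        # Context managers close both files even if parsing fails; the
        # original open(...).read() calls never closed either handle.
        with open(self.conf['rules']) as rules_fh:
            self.rules = json.load(rules_fh)

        # The whitelist is one comma-separated line. An empty file yields
        # [''] rather than [] (unchanged from the original); if a consumer
        # matches entries with substring ``in``, the empty entry would match
        # every line — confirm how white_rules is consumed.
        with open(self.conf['whitelist']) as white_fh:
            self.white_rules = white_fh.read().strip().split(',')

        # List of all senders, enabled or not
        self.senders = [
            self.send_zabbix, self.send_cef_syslog, self.send_telegram,
            self.send_slack
        ]

        print('[*] A.R.T.L.A.S Started!\n')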
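def sendlog_message(message, clientip, fullrequest, typ):
    """Record one event to syslog (optional), the console and the log file.

    Args:
        message: Human-readable description of the event.
        clientip: Address of the client the event concerns; coerced with str().
        fullrequest: Raw request text; forwarded to syslog only, not to the
            console or the log file.
        typ: Tag string. 'info' selects green console output, 'warn' red;
            a tag containing both substrings prints two console lines.

    Syslog is used only when settings.SYSLOG_ACTIVATE contains "on".
    The request-derived fields are folded onto one line before they are
    written, so a client cannot forge extra log records by embedding CR/LF
    in a request.
    """
    stamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    client = _single_line(str(clientip))
    text = _single_line(message)
    console_line = stamp + " " + client + " " + text

    if "on" in settings.SYSLOG_ACTIVATE:
        # send to syslog
        log = syslog_client.Syslog(settings.SYSLOG_IP)
        log.send(
            console_line + " " + _single_line(fullrequest) + "\r\n",
            syslog_client.Level.WARNING)

    if 'info' in typ:
        print(bcolors.OKGREEN + console_line + bcolors.ENDC)

    if 'warn' in typ:
        print(bcolors.FAIL + console_line + bcolors.ENDC)

    # The context manager closes the file even if write() raises; the
    # original open()/close() pair leaked the handle on error.
    with open(settings.LOGFILE, 'a') as f:
        f.write(console_line + "\r\n")


def _single_line(text):
    """Return *text* with CR and LF replaced by spaces (log-injection guard)."""
    return text.replace("\r", " ").replace("\n", " ")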
    def render(self, grid: interfaces.renderers.TreeGrid) -> None:
        """Renders each row to syslog server.

        Every cell of every node is passed through the renderer registered
        for its column type (falling back to the 'default' renderer) and
        collected into one flat list. The whole list is then written to the
        syslog client as a single comma-separated line, and a newline is
        written to stdout.

        Args:
            grid: The TreeGrid object to render
        """
        log = syslog_client.Syslog(self.host, self.port)
        cells = []

        def visitor(node, accumulator):
            # Collect the rendered cells; the accumulator (the syslog client)
            # is handed back untouched.
            for index, column in enumerate(grid.columns):
                render_cell = self._type_renderers.get(
                    column.type, self._type_renderers['default'])
                cells.append(render_cell(node.values[index]))
            return accumulator

        if grid.populated:
            grid.visit(node=None, function=visitor, initial_accumulator=log)
        else:
            grid.populate(visitor, log)

        log.write(",".join(cells))
        sys.stdout.write("\n")
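def process_event(helper, *args, **kwargs):
    """Forward the events that fired a Splunk alert to an ATA syslog listener.

    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    ata_server_ip = helper.get_param("ata_server_ip")
    helper.log_info("ata_server_ip={}".format(ata_server_ip))

    ata_server_port = helper.get_param("ata_server_port")
    helper.log_info("ata_server_port={}".format(ata_server_port))

    hostname = helper.get_param("hostname")
    helper.log_info("hostname={}".format(hostname))


    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))
    [sample_code_macro:end]
    """

    helper.log_info(
        "Alert action microsoft_ata_syslog_alert_for_splunk started.")
    # The following example gets and sets the log level
    helper.set_log_level(helper.log_level)

    # Alert action parameters: target host/port and an optional hostname
    # override for the message header.
    ata_server_ip = helper.get_param("ata_server_ip")
    ata_server_port = helper.get_param("ata_server_port")
    hostname = helper.get_param("hostname")

    syslogClient = syslog_client.Syslog(host=str(ata_server_ip),
                                        port=int(ata_server_port))

    # get Search results
    for entry in helper.get_events():
        if hostname:
            header_host = str(hostname)
        else:
            # "-" placeholder keeps the header well-formed when the event
            # carries no host (the original raised TypeError on None).
            header_host = _one_line(entry.get('host', "-"))

        # NOTE(review): "-000" is not a real UTC offset and fromtimestamp()
        # yields local time, so the receiver may mis-parse the timestamp.
        # Kept as-is because the wire format is dictated by the ATA side —
        # confirm against the listener's expectations.
        time_zone = "-000"
        base_time = datetime.datetime.fromtimestamp(float(
            entry.get('_time'))).strftime('%Y%m%d%H%M%S.%f')
        event_time = base_time + time_zone

        # Fresh, ordered field map per event; key order is the wire order.
        syslogFields = OrderedDict()
        syslogFields['Logfile'] = entry.get('LogName', "-")
        syslogFields['SourceName'] = entry.get('SourceName', "-")
        syslogFields['EventCode'] = entry.get('EventCode', "-")
        syslogFields['TimeGenerated'] = event_time
        syslogFields['Type'] = entry.get('Type', "-")
        syslogFields['ComputerName'] = entry.get('ComputerName', "-")
        syslogFields['TaskCategory'] = entry.get('TaskCategory', "-")
        syslogFields['OpCode'] = entry.get('OpCode', "-")
        syslogFields['RecordNumber'] = entry.get('RecordNumber', "-")
        syslogFields['Keywords'] = entry.get('Keywords', "-")
        syslogFields['Message'] = entry.get('Message', "-")

        # CRLF is the record delimiter of this key=value format, so every
        # value is coerced to str (non-string fields such as a numeric
        # EventCode used to raise TypeError on concatenation) and folded onto
        # one line so a value cannot masquerade as an extra key=value record.
        lines = [header_host + " " + event_time + "\r\n"]
        for k, v in syslogFields.items():
            lines.append(k + "=" + _one_line(v) + "\r\n")
        toSend = "".join(lines)

        logs = syslogClient.send(str(toSend), syslog_client.Level.WARNING)
        helper.log_info(logs)
    return 0


def _one_line(value):
    """Return *value* as a str with CR and LF replaced by spaces."""
    return str(value).replace("\r", " ").replace("\n", " ")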
import syslog_client

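log = syslog_client.Syslog(host="<your-test-host>", port=514)

# some old simulation data from Wildfire: three simulated Traps prevention
# events that differ only in the detected file name and the agent address.
# Built from a raw-string template because the sample contains the Windows
# account "W10\Demo", and "\D" inside a normal literal is an invalid escape
# (a SyntaxWarning on recent Pythons) — the resulting text is unchanged.
_WILDFIRE_TEMPLATE = (
    r"<134>1 2018-03-11T08:02:22.00Z-04:00 10.0.1.20 - - - Mar 11 2018 08:02:22,"
    r"Traps Agent,4.1.3.33176,Threat,Prevention Event,w10,W10\Demo,"
    r"New prevention event. Prevention Key: cc9cc24e-06a9-4e72-905f-1e76df05e859,"
    r"9,WildFire,{filename},"
    r"0a752ca47654a3e8ccd2babedecc6e7c7dbd52acbb0f0177e2efe8bf3678414c,"
    r"36-2416,{agent_ip},,Mar 11 2018 08:02:22,"
)
msg1 = _WILDFIRE_TEMPLATE.format(filename="wildfire-test-pe-file.exe", agent_ip="10.0.1.51")
msg2 = _WILDFIRE_TEMPLATE.format(filename="wildfire-test-pe-file1.exe", agent_ip="10.0.1.54")
msg3 = _WILDFIRE_TEMPLATE.format(filename="wildfire-test-pe-file2.exe", agent_ip="10.0.1.58")
msgs = [msg1, msg2, msg3]
for _msg in msgs:
    log.send(_msg, syslog_client.Level.WARNING)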
    :return:
    """
    if not request.json:
        log.error('received non-json data')
        abort(400)

    log.debug(request.json)
    handle_alert(request.json)
    return 'OK'


@app.route("/health", methods=['GET'])
def health():
    """Liveness probe for an external monitor.

    Always answers the plain-text body 'OK'; it performs no checks of its
    own, so a 200 here only proves the process is serving requests.
    """
    status = 'OK'
    return status


if __name__ == "__main__":
    # Module-level ``log`` is bound only in this branch; the route handlers
    # above call ``log.error``/``log.debug``, so importing this module under
    # a WSGI server without running it as a script leaves ``log`` undefined.
    log = init_logger()
    # NOTE(review): sclient is created but not used in the visible code —
    # presumably the alert handlers reach it as a module global; confirm.
    sclient = syslog_client.Syslog(host=SYSLOG_HOST)

    # read user's config to get desired alert targets
    setup_alert_targets()

    log.info('Starting server')
    # HTTPServer/WSGIContainer/IOLoop look like Tornado's; its listen()
    # binds every interface when no address is given — confirm that exposure
    # is intended for this alert-receiving endpoint.
    http_server = HTTPServer(WSGIContainer(app))
    http_server.listen(BIND_PORT)
    IOLoop.instance().start()
def output_graylog(msg):
    """Serialise *msg* as JSON and send it at INFO level to the syslog
    input listening on 127.0.0.1 (the library's default port).

    Args:
        msg: Any json.dumps()-serialisable object.
    """
    client = syslog_client.Syslog("127.0.0.1")
    payload = json.dumps(msg)
    client.send(payload, syslog_client.Level.INFO)
import syslog_client
from random import randint

# NOTE(review): the target is a hard-coded remote address; make sure it is
# a host you operate before running this harness.
log = syslog_client.Syslog("202.55.91.162")

log.facility = syslog_client.Facility.SYSLOG
log.port = 10514

# Filler payload (1000 characters, per its name) for over-sized messages.
longstr1000 = "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"

# Two short messages at level 1 to confirm basic delivery.
for _ in range(2):
    log.send("this is short syslog", 1)

# Twenty numbered messages, each with a random severity in 0..8.
for x in range(20):
    log.send("Uji coba kirim syslog " + str(x), randint(0, 8))
    print(x)

# Then progressively larger payloads: 1000, 2000 and 3000 filler characters,
# each announced by a short level-1 message first.
print('long syslog now')
oversized = [
    ("this is now long syslog 1000", "AAA " + longstr1000),
    ("this is now long syslog 2000", "FFF " + longstr1000 * 2),
    ("this is now long syslog 3000", "ZZZZ " + longstr1000 * 3),
]
for announce, payload in oversized:
    log.send(announce, 1)
    log.send(payload, randint(0, 8))
import syslog_client

if __name__ == "__main__":
    # Smoke test: one WARNING-level message through a client built with no
    # host/port, so the library's own defaults apply — check syslog_client
    # for what destination that is before relying on this.
    print("Start testing syslog")
    log = syslog_client.Syslog()
    log.send("Ciao mondo", syslog_client.Level.WARNING)
    print("Stopping test syslog")
import syslog_client

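# Interactive sender: prompts for a message and a severity, then emits it
# once to the hard-coded test host.
log_level_text = ["WARNING", "NOTICE", "ERROR"]
log_message = input("Enter the message you want to send to the server: ")
log_level_choice = int(
    input(
        "Enter the log level you want to test, 0 - warning, 1 - notification, or 2 - error: "
    ))
# Reject out-of-range choices up front (including negatives, which would
# silently index from the end) instead of failing later with IndexError.
if not 0 <= log_level_choice < len(log_level_text):
    raise SystemExit("log level choice must be 0, 1 or 2")
log_level = log_level_text[log_level_choice]
print(log_level)
log = syslog_client.Syslog('10.2.1.4')
# Resolve the chosen name on the Level enum. The original wrote
# ``syslog_client.Level.log_level``, which looks up an attribute literally
# named "log_level" and raised AttributeError on every run.
log.send(log_message, getattr(syslog_client.Level, log_level))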