#!/usr/bin/env python3
###############################################################################
# @author : Jeffrey Stone
# @date : 03/08/2019
# @script : toHecWitIt.py
# @description : Simple Python script to send events to Splunk when invoked. AKA Tiny Splunker.
###############################################################################
import os
import time
import sys
import argparse
import json
import requests
from splunk_http_event_collector import http_event_collector
from dotenv import load_dotenv
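load_dotenv()  # merge a .env file (if present) into the process environment

# All settings come from the environment / .env.  ``splunk_hec_key`` is the
# HEC token: it is a credential, only ever placed in the Authorization header
# below — keep it out of logs and error output.
app_mode = os.getenv("app_mode")
http_event_collector_key = os.getenv("splunk_hec_key")
http_event_collector_host = os.getenv("splunk_server")
http_event_collector_ssl = os.getenv("splunk_hec_ssl")
try:
    http_event_collector_port = int(os.getenv("splunk_hec_port"))
except (TypeError, ValueError):
    # Previously an unset port surfaced as a bare ``int(None)`` TypeError
    # traceback; fail with a message that names the missing setting instead.
    sys.exit("splunk_hec_port must be set to an integer port number")
splunk_host = os.getenv("splunk_host")
splunk_version = os.getenv("splunk_version")
# index / source / sourcetype may be overridden from the command line below.
splunk_source = os.getenv("splunk_source")
splunk_sourcetype = os.getenv("splunk_sourcetype")
splunk_index = os.getenv("splunk_index")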
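parser = argparse.ArgumentParser(
    prog='tohecwitit',
    # fixed typo in the epilog ("tohecwittt")
    epilog='tohecwitit is part of Tiny Splunker',
    description='Python based Splunk HEC logger',
)
# Optional overrides for the .env settings.  The event itself is required and
# must be a JSON document: ``type=json.loads`` parses it during argument
# parsing, and argparse turns the resulting ValueError (JSONDecodeError) into
# a usage error, so malformed input is rejected before anything is sent.
parser.add_argument('-i', '--idx', help='Splunk Index', required=False)
parser.add_argument('-s', '--src', help='Source of Event', required=False)
parser.add_argument('-st', '--srctype', help='Event Sourcetype', required=False)
parser.add_argument('-e', '--event', help='Event to be logged in json', type=json.loads, required=True)
args = parser.parse_args()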
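# Only the literal string "False" turns TLS off toward the collector; any other
# value — including an unset variable or a misspelling — keeps it on, so a
# mistake in .env fails on the safe side.
http_event_collector_ssl = http_event_collector_ssl != "False"

# Get Args: a command-line value overrides the .env setting loaded above.
# The original re-read the environment in each ``else`` branch, which only
# reproduced the value already assigned; an empty string still counts as
# "not given", exactly as before.
if args.idx:
    splunk_index = args.idx
if args.src:
    splunk_source = args.src
if args.srctype:
    splunk_sourcetype = args.srctype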
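def splunkIt():
    """Build the HEC payload from the module-level settings and send it.

    ``splunk_version`` selects the path: ``'enterprise'`` goes through the
    ``http_event_collector`` helper, ``'cloud'`` posts the payload straight to
    ``splunk_server`` with ``requests``.  Any other value sends nothing.

    Exits the process: status 0 after a successful cloud send (the enterprise
    path simply returns), status 1 when a send fails or the collector answers
    with a non-200 status.  Never returns a value.
    """
    payload = {
        "index": splunk_index,
        "sourcetype": splunk_sourcetype,
        "source": splunk_source,
        "host": splunk_host,
        "event": args.event,
    }

    if splunk_version == 'enterprise':
        logevent = http_event_collector(
            http_event_collector_key,
            http_event_collector_host,
            http_event_port=http_event_collector_port,
            http_event_server_ssl=http_event_collector_ssl,
        )
        # Helper option; presumably drops None-valued fields (an unset index,
        # source, ...) from the payload — see the library's documentation.
        logevent.popNullFields = True
        try:
            logevent.sendEvent(payload)
        except Exception as e:
            # Report and fail; exit 1 so a wrapping script can tell a failed
            # send apart from a successful one (the original exited 0 here).
            print(e)
            sys.exit(1)
        logevent.flushBatch()

    if splunk_version == 'cloud':
        # Post directly; requests verifies the server certificate by default,
        # which is the behaviour we want for a request carrying the token.
        headers = {'Authorization': 'Splunk {}'.format(http_event_collector_key)}
        try:
            # timeout is an arbitrary bound (constructed value) so an
            # unresponsive collector cannot block the caller indefinitely.
            response = requests.post(
                http_event_collector_host, headers=headers, json=payload, timeout=30
            )
        except requests.RequestException as e:
            print(e)
            sys.exit(1)
        # Bug fix: the original compared the Response object itself with 200,
        # which is never true, so every cloud send was reported as a failure.
        if response.status_code == 200:
            sys.exit()
        print("Attempt returned {}".format(response.status_code))
        sys.exit(1)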
def main():
    """Entry point: hand off to splunkIt(), which sends the event and may exit."""
    return splunkIt()
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()