Update Splunk support

This commit is contained in:
Sean Whalen
2018-09-25 13:06:27 -04:00
parent a1a4cbbf28
commit 861ee7d247
4 changed files with 41 additions and 8 deletions


@@ -83,7 +83,7 @@ CLI help
collector (HEC)
--hec-index HEC_INDEX
The index to use when sending events to the Splunk
HTTP Events (Default: dmarc)
HTTP Events
--save-aggregate Save aggregate reports to search indexes
--save-forensic Save forensic reports to search indexes
-O OUTGOING_HOST, --outgoing-host OUTGOING_HOST


@@ -90,7 +90,7 @@ CLI help
collector (HEC)
--hec-index HEC_INDEX
The index to use when sending events to the Splunk
HTTP Events (Default: dmarc)
HTTP Events
--save-aggregate Save aggregate reports to search indexes
--save-forensic Save forensic reports to search indexes
-O OUTGOING_HOST, --outgoing-host OUTGOING_HOST


@@ -101,8 +101,7 @@ def _main():
"(HEC)")
arg_parser.add_argument("--hec-index", help="The index to use when "
"sending events to the "
"Splunk HTTP Events "
"(Default: dmarc)")
"Splunk HTTP Events")
arg_parser.add_argument("--save-aggregate", action="store_true",
default=False,
help="Save aggregate reports to search indexes")
@@ -160,6 +159,10 @@ def _main():
elastic.set_hosts(args.elasticsearch_host)
elastic.create_indexes()
if args.hec:
if args.hec_token is None or args.hec_index is None:
logger.error("HEC token and HEC index are required when "
"using HEC URL")
exit(1)
hec_client = splunk.HECClient(args.hec, args.hec_token,
index=args.hec_index)
except ElasticsearchException as error:
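Review bot: The new guard in the `if args.hec:` branch terminates with the bare builtin `exit(1)`, which is injected by the `site` module and is not available when the interpreter runs with `-S` or is embedded; `sys.exit(1)` is the portable form with the same exit status (import `sys` if the module does not already). Because the guard sits inside the surrounding `try`, the `SystemExit` it raises passes through the `except ElasticsearchException as error:` handler untouched, so the early exit does behave as intended. The check rejects only `None`, so `--hec-token ""` or `--hec-index ""` still reaches `splunk.HECClient`; `if not args.hec_token or not args.hec_index:` would cover the empty-string case too. `_main()` starts and continues outside the hunk.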


@@ -17,7 +17,7 @@ class HECClient(object):
# http://docs.splunk.com/Documentation/Splunk/latest/Data/AboutHEC
# http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector
def __init__(self, url, access_token,index="dmarc",
def __init__(self, url, access_token, index,
source="parsedmarc", verify=True):
"""
Initializes the HECClient
@@ -50,18 +50,48 @@ class HECClient(object):
Saves aggregate DMARC reports to Splunk
Args:
aggregate_reports (list): A list of aggregate report dictionaries
aggregate_reports: A list of aggregate report dictionaries
to save in Splunk
"""
if type(aggregate_reports) == dict:
aggregate_reports = [aggregate_reports]
data = self._common_data.copy()
json_str = ""
for report in aggregate_reports:
data = self._common_data.copy()
for record in report["records"]:
new_report = dict()
for metadata in report["report_metadata"]:
new_report[metadata] = report["report_metadata"][metadata]
new_report["policy_published"] = report["policy_published"]
new_report["source_ip_address"] = record["source"][
"ip_address"]
new_report["source_country"] = record["source"]["country"]
new_report["source_reverse_dns"] = record["source"][
"reverse_dns"]
new_report["source_base_domain"] = record["source"][
"base_domain"]
new_report["message_count"] = record["count"]
new_report["disposition"] = record["policy_evaluated"][
"disposition"
]
new_report["spf_aligned"] = record["alignment"]["spf"]
new_report["dkim_aligned"] = record["alignment"]["dkim"]
new_report["passed_dmarc"] = record["alignment"]["dmarc"]
new_report["header_from"] = record["identifiers"][
"header_from"]
new_report["envelope_from"] = record["identifiers"][
"envelope_from"]
if "dkim" in record["auth_results"]:
new_report["dkim_results"] = record["auth_results"][
"dkim"]
if "spf" in record["spf_results"]:
new_report["spf_results"] = record["auth_results"][
"spf"]
data["sourcetype"] = "dmarc:aggregate"
data["event"] = report.copy()
data["event"] = new_report.copy()
json_str += "{0}\n".format(json.dumps(data))
try: