Splunk HEC token not HEC key

This commit is contained in:
Sean Whalen
2018-09-25 14:21:03 -04:00
parent ba3c9de9b7
commit c964241cba
3 changed files with 31 additions and 15 deletions
+15 -1
@@ -51,6 +51,19 @@ CLI help
[-s] [--debug] [-v]
[file_path [file_path ...]]
usage: cli.py [-h] [-o OUTPUT] [-n NAMESERVERS [NAMESERVERS ...]] [-t TIMEOUT]
[-H HOST] [-u USER] [-p PASSWORD] [-r REPORTS_FOLDER]
[-a ARCHIVE_FOLDER] [-d]
[-E [ELASTICSEARCH_HOST [ELASTICSEARCH_HOST ...]]] [--hec HEC]
[--hec-token HEC_TOKEN] [--hec-index HEC_INDEX]
[--save-aggregate] [--save-forensic] [-O OUTGOING_HOST]
[-U OUTGOING_USER] [-P OUTGOING_PASSWORD]
[--outgoing-port OUTGOING_PORT] [--outgoing-SSL OUTGOING_SSL]
[-F OUTGOING_FROM] [-T OUTGOING_TO [OUTGOING_TO ...]]
[-S OUTGOING_SUBJECT] [-A OUTGOING_ATTACHMENT]
[-M OUTGOING_MESSAGE] [-w] [--test] [-s] [--debug] [-v]
[file_path [file_path ...]]
Parses DMARC reports
positional arguments:
@@ -80,7 +93,8 @@ CLI help
A list of one or more Elasticsearch hostnames or URLs
to use (e.g. localhost:9200)
--hec HEC URL to a Splunk HTTP Event Collector (HEC)
--hec-key HEC_KEY The authorization key for a Splunk HTTP event
--hec-token HEC_TOKEN
The authorization token for a Splunk HTTP event
collector (HEC)
--hec-index HEC_INDEX
The index to use when sending events to the Splunk
+11 -9
@@ -45,17 +45,17 @@ CLI help
::
usage: cli.py [-h] [-o OUTPUT] [-n NAMESERVERS [NAMESERVERS ...]] [-t TIMEOUT]
usage: cli.py [-h] [-o OUTPUT] [-n NAMESERVERS [NAMESERVERS ...]] [-t TIMEOUT]
[-H HOST] [-u USER] [-p PASSWORD] [-r REPORTS_FOLDER]
[-a ARCHIVE_FOLDER] [-d]
[-E [ELASTICSEARCH_HOST [ELASTICSEARCH_HOST ...]]] [--hec HEC]
[--hec-key HEC_KEY] [--hec-index HEC_INDEX] [--save-aggregate]
[--save-forensic] [-O OUTGOING_HOST] [-U OUTGOING_USER]
[-P OUTGOING_PASSWORD] [--outgoing-port OUTGOING_PORT]
[--outgoing-SSL OUTGOING_SSL] [-F OUTGOING_FROM]
[-T OUTGOING_TO [OUTGOING_TO ...]] [-S OUTGOING_SUBJECT]
[-A OUTGOING_ATTACHMENT] [-M OUTGOING_MESSAGE] [-w] [--test]
[-s] [--debug] [-v]
[--hec-token HEC_TOKEN] [--hec-index HEC_INDEX]
[--save-aggregate] [--save-forensic] [-O OUTGOING_HOST]
[-U OUTGOING_USER] [-P OUTGOING_PASSWORD]
[--outgoing-port OUTGOING_PORT] [--outgoing-SSL OUTGOING_SSL]
[-F OUTGOING_FROM] [-T OUTGOING_TO [OUTGOING_TO ...]]
[-S OUTGOING_SUBJECT] [-A OUTGOING_ATTACHMENT]
[-M OUTGOING_MESSAGE] [-w] [--test] [-s] [--debug] [-v]
[file_path [file_path ...]]
Parses DMARC reports
@@ -87,7 +87,8 @@ CLI help
A list of one or more Elasticsearch hostnames or URLs
to use (e.g. localhost:9200)
--hec HEC URL to a Splunk HTTP Event Collector (HEC)
--hec-key HEC_KEY The authorization key for a Splunk HTTP event
--hec-token HEC_TOKEN
The authorization token for a Splunk HTTP event
collector (HEC)
--hec-index HEC_INDEX
The index to use when sending events to the Splunk
@@ -123,6 +124,7 @@ CLI help
-v, --version show program's version number and exit
SPF and DMARC record validation
===============================
+5 -5
@@ -96,9 +96,9 @@ def _main():
"localhost:9200)")
arg_parser.add_argument("--hec", help="URL to a Splunk HTTP Event "
"Collector (HEC)")
arg_parser.add_argument("--hec-key", help="The authorization key for a "
"Splunk HTTP event collector "
"(HEC)")
arg_parser.add_argument("--hec-token", help="The authorization token for "
"a Splunk "
"HTTP event collector (HEC)")
arg_parser.add_argument("--hec-index", help="The index to use when "
"sending events to the "
"Splunk HTTP Events")
@@ -165,8 +165,8 @@ def _main():
elastic.set_hosts(args.elasticsearch_host)
elastic.create_indexes()
if args.hec:
if args.hec_key is None or args.hec_index is None:
logger.error("HEC key and HEC index are required when "
if args.hec_token is None or args.hec_index is None:
logger.error("HEC token and HEC index are required when "
"using HEC URL")
exit(1)
hec_client = splunk.HECClient(args.hec, args.hec_token,
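Review bot: The renamed guard `if args.hec_token is None or args.hec_index is None:` only rejects an omitted option, so an empty value such as `--hec-token ""` passes the check and is handed to `splunk.HECClient` on the last line of the hunk; `if not args.hec_token or not args.hec_index:` would cover both cases with the same error message. Separately, the token is accepted only as a command-line argument, which leaves it in shell history and visible in process listings to other local users; offering an environment-variable fallback on the `--hec-token` definition in the first hunk, e.g. `default=os.environ.get("<HEC_TOKEN_ENV_VAR>")` (with `os` imported if it is not already), lets operators keep it out of argv. The `exit(1)` on the line before the client construction is pre-existing context, but `sys.exit(1)` is the portable form since the bare `exit` builtin is only guaranteed by the site module. `_main` continues past the end of this hunk.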