
SplunkHECStore plugin #57

Merged
merged 1 commit into from Mar 30, 2019

Conversation

rosehgal
Member

This plugin is capable of indexing records to Splunk using an HTTP Event Collector (HEC) token.

@susam
Member

susam commented Mar 25, 2019

Rebased this pull request on master. Now the pull request shows only one commit.

One thing I noticed is that the earlier commit message (from commit 544e6a5) lines were wrapped to 51 characters. While rebasing, I have updated this commit message too to wrap at 72 characters.

@susam susam added the enhancement New feature or request label Mar 25, 2019
token (str): Splunk HEC token.
index_name (str): Splunk HEC token accessible index.
ca_cert (str): Location of cetificate file to verify the identity
of host in URI, or Flase to disable verification
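Review bot: the `ca_cert` argument is documented as `str`, but the next line says it also accepts `False`; document the type as `str or bool` and state in the same sentence that `False` turns off verification of the host's certificate, so both accepted forms are visible in the docstring.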

Flase -> False


Arguments:
record_type (str): Record type (source name in Splunk).
records (list): List of records of type dict to index.

Please remove the arguments list from the docstring. This method does not take any arguments anymore.

This commit introduces a SplunkHECStore plugin that can index records to
Splunk using HTTP Event Collector token.
@susam susam left a comment


Tested this pull request with the following steps:

Setup

  • Enter the following command:

    docker run -p 8000:8000 -p 8088:8088 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=admin123" -e "SPLUNK_HEC_TOKEN=token123" splunk/splunk
    
  • Send a test event to Splunk:

    curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk token123" -d '{"event": "hello, world"}'
    
  • Visit http://localhost:8000/ with a web browser.

  • Log in with the username as admin and password as the password specified in the docker command.

  • Click on Search & Reporting.

  • In the search box, enter * (asterisk) and click the search button. There should be 1 result.

Test

  • Create the following config.yaml in the top-level directory of this project:

    stores:
      splunkstore:
        plugin: cloudmarker.stores.splunkhecstore.SplunkHECStore
        params:
          uri: https://localhost:8088/services/collector
          token: token123
          index_name: main
          ca_cert: false
    
    audits:
      mockaudit:
        stores:
          - filestore
          - splunkstore
    
  • Run the project:

    . ./venv
    python3 -m cloudmarker -f
    
  • Visit http://localhost:8000/ with a web browser.

  • Log in with the username as admin and password as the password specified in the docker command.

  • Click on Search & Reporting.

  • In the search box, enter * (asterisk) and click the search button. There should be 10 or more results.

References:

@susam susam merged commit 867f746 into master Mar 30, 2019
@susam susam deleted the splunkstore branch March 30, 2019 10:20
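The test steps above configure the store with a `uri`, `token`, `index_name` and `ca_cert`. The following is an added example, written for this page and not the project's SplunkHECStore, that shows what those four params map to on the wire: the `Authorization: Splunk <token>` header the curl step uses, the per-record HEC event envelope, and the TLS context that `ca_cert: false` versus a CA bundle path produces. Function names, the envelope layout, and the extra `ca_cert=None` (system trust store) case are this example's assumptions; the URI, token and index values are copied from the config.yaml in the test steps.

```python
# Added example (not cloudmarker's SplunkHECStore): a standard-library HEC
# client mirroring the plugin's params. Names and the None case are assumed.
import json
import ssl
import urllib.request

# Constructed values, taken from the config.yaml in the test steps above.
HEC_URI = "https://localhost:8088/services/collector"
HEC_TOKEN = "token123"
INDEX_NAME = "main"


def build_headers(token):
    """HEC authenticates each request with the token in the Authorization header."""
    return {
        "Authorization": "Splunk " + token,
        "Content-Type": "application/json",
    }


def build_events(record_type, records, index_name):
    """Wrap each record dict in a HEC event envelope.

    HEC accepts several JSON objects in one request body, one after another,
    so a batch is newline-joined objects rather than a JSON array.
    """
    lines = []
    for record in records:
        envelope = {
            "source": record_type,   # the docstring calls this "source name in Splunk"
            "index": index_name,
            "event": record,
        }
        lines.append(json.dumps(envelope, sort_keys=True))
    return "\n".join(lines)


def build_ssl_context(ca_cert):
    """Translate the ca_cert param into a TLS context.

    False -> no certificate or hostname check (server identity not verified)
    None  -> system trust store (assumed extension, not a plugin option)
    str   -> path to a CA bundle that must have signed the server certificate
    """
    if ca_cert is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=ca_cert)


def verifies_peer(ca_cert):
    """True when the context built for ca_cert checks the server's identity."""
    ctx = build_ssl_context(ca_cert)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def hec_accepted(response_body):
    """HEC answers {"text": "Success", "code": 0} when a batch was indexed."""
    return json.loads(response_body).get("code") == 0


def index_records(record_type, records, uri=HEC_URI, token=HEC_TOKEN,
                  index_name=INDEX_NAME, ca_cert=False, timeout=10):
    """POST one batch of records to HEC; return True if Splunk accepted it."""
    body = build_events(record_type, records, index_name).encode("utf-8")
    request = urllib.request.Request(
        uri, data=body, headers=build_headers(token), method="POST")
    with urllib.request.urlopen(
            request, timeout=timeout, context=build_ssl_context(ca_cert)) as resp:
        return hec_accepted(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Same effect as the curl step above; needs the splunk/splunk container running.
    sample = [{"message": "hello, world"}, {"message": "second record"}]
    print(index_records("mockaudit", sample))
```

With the test-step container, which presents a self-signed certificate, only `ca_cert=False` connects (which is why the curl step needs `-k`); against a Splunk host whose certificate chains to a known CA, pass the bundle path instead and `verifies_peer` reports that both the chain and the hostname are checked.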