SplunkHECStore plugin #57
Rebased this pull request on One thing I noticed is that the earlier commit message (from commit 544e6a5) lines were wrapped to 51 characters. While rebasing, I have updated this commit message too to wrap at 72 characters.
cloudmarker/stores/splunkhecstore.py
        token (str): Splunk HEC token.
        index_name (str): Splunk HEC token accessible index.
        ca_cert (str): Location of cetificate file to verify the identity
            of host in URI, or Flase to disable verification
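Review bot: the ca_cert docstring should spell out what accepting False costs: with verification disabled the HEC token in the Authorization header is sent to whichever host answers at the configured URI, so that setting belongs to local test setups like the docker one in this thread, not to production configs. A sentence such as "Set to False only for local testing; this disables TLS certificate verification." would make that explicit. The type also reads "(str)" although a boolean is accepted, so "(str or bool)" matches the behaviour described.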
Flase -> False
cloudmarker/stores/splunkhecstore.py
        Arguments:
            record_type (str): Record type (source name in Splunk).
            records (list): List of records of type dict to index.
Please remove the arguments list from the docstring. This method does not take any arguments anymore.
This commit introduces a SplunkHECStore plugin that can index records to Splunk using an HTTP Event Collector token.
Tested this pull request with the following steps:

Setup

- Enter the following command:

  docker run -p 8000:8000 -p 8088:8088 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=admin123" -e "SPLUNK_HEC_TOKEN=token123" splunk/splunk

- Send a test event to Splunk:

  curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk token123" -d '{"event": "hello, world"}'

- Visit http://localhost:8000/ with a web browser.
- Log in with the username as admin and password as the password specified in the docker command.
- Click on Search & Reporting.
- In the search box, enter * (asterisk) and click the search button. There should be 1 result.

Test

- Create the following config.yaml in the top-level directory of this project:

  stores:
    splunkstore:
      plugin: cloudmarker.stores.splunkhecstore.SplunkHECStore
      params:
        uri: https://localhost:8088/services/collector
        token: token123
        index_name: main
        ca_cert: false

  audits:
    mockaudit:
      stores:
        - filestore
        - splunkstore

- Run the project:

  . ./venv
  python3 -m cloudmarker -f

- Visit http://localhost:8000/ with a web browser.
- Log in with the username as admin and password as the password specified in the docker command.
- Click on Search & Reporting.
- In the search box, enter * (asterisk) and click the search button. There should be 10 or more results.
References:
This plugin is capable of indexing records to Splunk using an HTTP Event Collector (HEC) token.
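As an added example, not code from the cloudmarker project or this pull request, the following Python sketch shows the pieces the plugin configuration in the test notes describes: the Authorization header from the curl step, a batch of records serialized as HEC event objects with record_type as the Splunk source and index_name as the index, and how the ca_cert setting maps onto TLS verification. The function names, the /event suffix appended to the configured uri, and the sample values are assumptions of the example.

```python
import json
import ssl
from urllib import request as urlrequest

# Constructed sample settings mirroring the config.yaml keys from the test
# notes (token123 and localhost are the placeholder values used there).
SAMPLE_PARAMS = {
    "uri": "https://localhost:8088/services/collector",
    "token": "token123",
    "index_name": "main",
    "ca_cert": False,
}


def hec_headers(token):
    """Authorization header in the form used by the curl test step."""
    return {"Authorization": "Splunk " + token,
            "Content-Type": "application/json"}


def hec_payload(record_type, records, index_name):
    """Serialize a batch as concatenated HEC event objects (one POST per batch).

    record_type is sent as the Splunk source, as the plugin docstring says.
    """
    events = [{"event": rec, "source": record_type, "index": index_name}
              for rec in records]
    return "\n".join(json.dumps(e, sort_keys=True) for e in events).encode()


def tls_context(ca_cert):
    """TLS context for the ca_cert setting: a path loads that CA bundle, True
    uses the system trust store, False turns verification off entirely, so the
    token is then sent to an unauthenticated peer (local testing only)."""
    if ca_cert is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if isinstance(ca_cert, str):
        return ssl.create_default_context(cafile=ca_cert)
    return ssl.create_default_context()


def send_records(params, record_type, records):
    """POST one batch to the HEC event endpoint and return the HTTP status."""
    body = hec_payload(record_type, records, params["index_name"])
    req = urlrequest.Request(params["uri"] + "/event", data=body,
                             headers=hec_headers(params["token"]), method="POST")
    with urlrequest.urlopen(req, context=tls_context(params["ca_cert"])) as resp:
        return resp.status
```

With the docker setup from the test notes running, send_records(SAMPLE_PARAMS, "mockaudit", [{"event": "hello, world"}]) returns 200 and the record appears under source mockaudit in the main index.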