A plugin that lets you import CloudPassage Halo events into Splunk, Sumo Logic, and other SIEM/log processors
Python
Name / Latest commit message / Commit time
CloudPassage_Halo_CEF_Config Guide_2013.pdf / Adding documentation for the ArcSight integration. / Oct 1, 2013
Halo-Event-Connector_Splunk.pdf
Halo-Event-Connector_SumoLogic.pdf / Add documentation for the SumoLogic Event Connector / Apr 19, 2013
LICENSE.txt
README.md
cpapi.py / Added support for LEEF format, multithreaded streaming, and bug fixes / Nov 10, 2014
cpsyslog.py / Added support for LEEF format, multithreaded streaming, and bug fixes / Nov 10, 2014
cputils.py / Added support for LEEF format, multithreaded streaming, and bug fixes / Nov 10, 2014
haloEvents.py / Adding Apurv Singh's changes / Dec 9, 2014
remote_syslog.py

Halo Event Connector Script - Python

This repo includes PDF documentation for using these scripts to pull Halo event alerts into either Sumo Logic or Splunk. You can just as easily integrate Halo events into other popular SIEM tools, such as ArcSight, or into your syslog infrastructure.

In addition, there are several ways to run this script to stream event data to your desired target.

For example, suppose you want to set up this script to run from cron, emit Halo events as key-value pairs, and append them to a file on the local filesystem. You want to pull only those events logged from Nov 10, 2012 onwards. And instead of using the script defaults, where the files are expected to be in the program directory, you want to use a different working directory, for example /opt/cloudpassage.

For that, you would do something like this:

Run crontab -e and add a line with the desired schedule, such as the following, which runs the script every 5 minutes:

*/5 * * * * /opt/cloudpassage/bin/haloEvents.py --starting=2012-11-10 --auth=/opt/cloudpassage/config/myHaloKeys.auth --configdir=/opt/cloudpassage/config --kvfile=/opt/cloudpassage/logs/eventsInKVFormat >/dev/null 2>&1

Save your changes before you exit.

If you are extracting events from more than one Halo account (up to five are supported), list them in your myHaloKeys.auth file, one key ID and secret per line, like this:

key_id_1|secret_1
key_id_2|secret_2
…
…
key_id_5|secret_5
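As an added illustration of the auth file format above (example code, not part of the Halo Event Connector scripts), the following parser reads one key_id|secret pair per line, enforces the five-account limit, and refuses an auth file that is readable by other users. Skipping blank lines and lines starting with # is an assumption of this example, not something the README states.

```python
# Added example (not part of the Halo Event Connector): parse the "key_id|secret" auth file.
import os
import stat
from typing import Iterable, List, Optional, Tuple

MAX_ACCOUNTS = 5  # limit stated in the README


class AuthFileError(ValueError):
    """Malformed auth file, too many accounts, or unsafe file permissions."""


def parse_auth_lines(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """One 'key_id|secret' pair per line; blank and '#' lines are skipped (assumption)."""
    creds = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count("|") != 1:
            raise AuthFileError("line %d: expected exactly one '|'" % lineno)
        key_id, secret = (p.strip() for p in line.split("|"))
        if not key_id or not secret:
            raise AuthFileError("line %d: empty key_id or secret" % lineno)
        creds.append((key_id, secret))
    if len(creds) > MAX_ACCOUNTS:
        raise AuthFileError("%d accounts listed, maximum is %d" % (len(creds), MAX_ACCOUNTS))
    return creds


def validate_auth_lines(lines: Iterable[str]) -> Optional[str]:
    # Returns None when the lines parse cleanly, otherwise the error message.
    try:
        parse_auth_lines(lines)
    except AuthFileError as exc:
        return str(exc)
    return None


def parse_auth_file(path: str) -> List[Tuple[str, str]]:
    """Read the auth file, refusing one that is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise AuthFileError("%s is readable by others (mode %o); chmod 600 it" % (path, mode))
    with open(path, "r") as fh:
        return parse_auth_lines(fh)


# Constructed sample content (not real credentials), in the README's format.
SAMPLE_AUTH = "key_id_1|secret_1\nkey_id_2|secret_2\n\n# comment\nkey_id_3|secret_3\n"
```

Because the cron entry above discards the script's output, a failure to parse the auth file would otherwise go unnoticed; calling validate_auth_lines before scheduling the job surfaces such problems.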