Fixes #60 Splunk logger by:

- Adding index, source and source type to data. - Properly formatting the JSON to parse using the _json source type in Splunk. - Use token authentication instead of username/password - Follow the Splunk Common Information Model with properly formed key names.
foospidy · Aug 26, 2019 · d3be428 · d3be428
1 parent 1c84642
commit d3be428
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 28 deletions.
diff --git a/etc/honeypy.cfg b/etc/honeypy.cfg
@@ -84,10 +84,15 @@ custom_source_category =
 
 [splunk]
 enabled = No
-# /services/receivers/simple api endpoint
-url = https://localhost:8089/services/receivers/simple
-username =
-password =
+# In Splunk; Under "Settings" > "Data inputs" create a new HTTP Event Collector
+# When finished, add the token, correct source type and index here.
+# Your URL changes depending on if you use a self-serviced or managed Splunk.
+# See here for details; https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector
+url = https://<URL>/services/collector
+token =
+index = main
+source = HoneyPy
+sourcetype = _json
 
 [rabbitmq]
 enabled = No

diff --git a/loggers/splunk/honeypy_splunk.py b/loggers/splunk/honeypy_splunk.py
@@ -1,10 +1,11 @@
-# HoneyPy Copyright (C) 2013-2017 foospidy
+# HoneyPy Copyright (C) 2013-2019 foospidy
 # https://github.com/foospidy/HoneyPy
 # See LICENSE for details
 
 import sys
 import hashlib
 from datetime import datetime
+import time
 from twisted.python import log
 import requests
 
@@ -44,50 +45,66 @@ def process(config, section, parts, time_parts):
         if len(parts) == 11:
             parts.append('')  # no data for CONNECT events
 
-        post(config, parts[0], time_parts[0], parts[0] + ' ' + time_parts[0], time_parts[1], parts[3], parts[4], parts[5], parts[6], parts[7], parts[8], parts[9], parts[10], parts[11])
+        post(config, parts[0] + ' ' + time_parts[0], time_parts[1], parts[3], parts[4], parts[5], parts[6], parts[7], parts[8], parts[9], parts[10], parts[11])
     else:
         # UDP splits differently (see comment section above)
         if len(parts) == 12:
             parts.append('')  # no data sent
 
-        post(config, parts[0], time_parts[0], parts[0] + ' ' + time_parts[0], time_parts[1], parts[4], parts[5], parts[6], parts[7], parts[8], parts[9], parts[10], parts[11], parts[12])
+        post(config, parts[0] + ' ' + time_parts[0], time_parts[1], parts[4], parts[5], parts[6], parts[7], parts[8], parts[9], parts[10], parts[11], parts[12])
 
-
-def post(config, date, time, date_time, millisecond, session, protocol, event, local_host, local_port, service, remote_host, remote_port, data):
+def post(config, date_time, millisecond, session, protocol, event, local_host, local_port, service, remote_host, remote_port, data):
     useragent = config.get('honeypy', 'useragent')
+    host = config.get('honeypy', 'nodename') or 'honeypy'
     url = config.get('splunk', 'url')
-    username = config.get('splunk', 'username')
-    password = config.get('splunk', 'password')
+    token = config.get('splunk', 'token')
+
+    index = config.get('splunk', 'index')
+    source = config.get('splunk', 'source')
+    sourcetype = config.get('splunk', 'sourcetype')
 
     h = hashlib.md5()
     h.update(data)
 
-    date_time = datetime.strptime(date_time, "%Y-%m-%d %H:%M:%S").isoformat()
+    date_time_w_millisecond = date_time + '.' + str(millisecond)
+    complete_date_time = datetime.strptime(date_time_w_millisecond, "%Y-%m-%d %H:%M:%S.%f").isoformat() + 'Z'
 
-    headers = {'User-Agent': useragent, "Content-Type": "application/json"}
-    # applying [:-3] to time to truncate millisecond
-    data = {
-        'date': date,
-        'time': time,
-        'date_time': date_time,
-        'millisecond': str(millisecond)[:-3],
-        'session': session,
+    epoch = str(int(time.mktime(time.strptime(date_time_w_millisecond, "%Y-%m-%d %H:%M:%S.%f")))) + '.' + str(millisecond)
+
+    headers = {
+        'User-Agent': useragent,
+        "Content-Type": "application/json",
+        "Authorization": "Splunk " + token
+    }
+
+    eventdata = {
+        'date_time': complete_date_time,
+        'session_id': session,
         'protocol': protocol,
         'event': event,
-        'local_host': local_host,
-        'local_port': local_port,
+        'dest_ip': local_host,
+        'dest_port': local_port,
         'service': service,
-        'remote_host': remote_host,
-        'remote_port': remote_port,
+        'src_ip': remote_host,
+        'src_port': remote_port,
         'data': data,
         'bytes': str(len(data)),
         'data_hash': h.hexdigest()
     }
 
+    parentdata = {
+        'time': epoch,
+        'index': index,
+        'source': source,
+        'sourcetype': sourcetype,
+        'host': host,
+        'event': eventdata
+    }
+
     try:
-        r = requests.post(url, headers=headers, data=data, auth=(username, password), verify=False, timeout=3)
-        page = r.text
+        r = requests.post(url, headers=headers, json=parentdata, verify=False, timeout=3)
+        resp = r.text
 
-        log.msg('Post event to splunk, response: %s' % (str(page).strip()))
+        log.msg('Post event to Splunk, response: %s' % (str(resp).strip()))
     except Exception as e:
-        log.msg('Error posting to splunk: %s' % (str(e.message).strip()))
+        log.msg('Error posting to Splunk: %s' % (str(e.message).strip()))