#!/usr/bin/env python
import sys
import os
import glob
# Bro header field names that are rewritten before being emitted in the
# Splunk FIELDS list (presumably to avoid colliding with Splunk's own
# built-in host/source fields -- verify against the Splunk setup).
field_renames = dict(
    host='src',
    source='src',
)
def rename_field(f):
    """Return the Splunk field name to use for Bro field *f*.

    Names present in the module-level ``field_renames`` table are mapped to
    their replacement; every other name is returned unchanged.
    """
    if f in field_renames:
        return field_renames[f]
    return f
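def read_log_file(log_file):
    """Return the column names from a Bro log's ``#fields`` header line.

    Only the first 10 lines are inspected (the ``#`` header block sits at the
    top of a Bro log), so a header longer than that would not be found.

    Args:
        log_file: path to a tab-separated Bro log file.

    Returns:
        list of field names in column order, or None when no ``#fields``
        line appears in the first 10 lines (no header, or a truncated file).

    Raises:
        IOError/OSError: if the file cannot be opened.
    """
    # 'with' guarantees the handle is closed; the original leaked it.
    with open(log_file) as fh:
        head = [fh.readline().strip() for _ in range(10)]
    for line in head:
        if line.startswith("#fields"):
            # Drop the '#fields' token itself; the rest are tab-separated
            # column names.
            return line.split("\t")[1:]
    # A '#' header without a #fields line used to raise IndexError here;
    # returning None lets read_log_files skip the file instead.
    return None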
def read_log_files(log_files):
    """Map each log path to its ``#fields`` header, skipping logs without one.

    Args:
        log_files: iterable of log paths, each handed to read_log_file.

    Returns:
        dict of path -> list of field names; paths for which read_log_file
        returned nothing (no usable header) are omitted.
    """
    by_path = {}
    for path in log_files:
        fields = read_log_file(path)
        if not fields:
            continue
        by_path[path] = fields
    return by_path
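def _sourcetype_for(log_path):
    """Return the Splunk sourcetype for a log path: 'bro_' + basename minus '.log'."""
    base = os.path.basename(log_path)
    if base.endswith(".log"):
        base = base[:-len(".log")]
    return "bro_" + base


def _write_input_stanza(inputs, log_path, sourcetype):
    """Append the [monitor://...] stanza for one log to inputs.conf."""
    # NOTE(review): the path written is exactly what glob returned, so it is
    # relative whenever log_dir is relative -- confirm Splunk resolves it as
    # intended or pass an absolute log_dir.
    inputs.write('[monitor://%s]\n' % log_path)
    inputs.write('disabled = false\n')
    inputs.write('sourcetype = %s\n' % sourcetype)
    inputs.write('index=security\n\n')


def _write_props_stanza(props, sourcetype):
    """Append the per-sourcetype stanza to props.conf."""
    props.write('[%s]\n' % sourcetype)
    props.write('KV_MODE = none\n')
    props.write('SHOULD_LINEMERGE = false\n')
    props.write('given_type = csv\n')
    props.write('pulldown_type = true\n')
    props.write('TRANSFORMS-commentsToNull = bro-ignore-comments\n')
    props.write('REPORT-AutoHeader = AutoHeader-%s\n\n' % sourcetype)


def _write_header_transform(transforms, sourcetype, fields):
    """Append the AutoHeader-<sourcetype> field-extraction stanza to transforms.conf."""
    # Field names come straight from the log header: they are quoted but not
    # escaped, so a name containing '"' would corrupt the FIELDS line. Bro's
    # own headers do not contain quotes; keep that in mind for hand-edited logs.
    fields_str = ', '.join(['"%s"' % rename_field(f) for f in fields])
    transforms.write('[AutoHeader-%s]\n' % sourcetype)
    transforms.write('DELIMS = "\t"\n')
    transforms.write('FIELDS = %s\n\n' % fields_str)


def generate(log_dir, out_dir):
    """Write inputs.conf, props.conf and transforms.conf for every *.log in log_dir.

    Each log with a ``#fields`` header gets a [monitor://...] input, a
    ``bro_<name>`` sourcetype whose props stanza points at an AutoHeader
    field extraction, plus one shared transform that sends ``#`` comment
    lines to the null queue. Processed log paths are printed to stdout.

    Args:
        log_dir: directory whose *.log files are scanned.
        out_dir: existing directory in which the three .conf files are
            created (existing files are overwritten).

    Raises:
        IOError/OSError: if a log cannot be read or out_dir is not writable.
    """
    log_files = glob.glob(os.path.join(log_dir, "*.log"))
    data = read_log_files(log_files)
    inputs_path = os.path.join(out_dir, "inputs.conf")
    props_path = os.path.join(out_dir, "props.conf")
    transforms_path = os.path.join(out_dir, "transforms.conf")
    # A single 'with' flushes and closes all three handles even when a write
    # fails part way; the original relied on interpreter exit to do this.
    with open(inputs_path, 'w') as inputs, \
            open(props_path, 'w') as props, \
            open(transforms_path, 'w') as transforms:
        for fn, fields in sorted(data.items()):
            print(fn)
            sourcetype = _sourcetype_for(fn)
            _write_input_stanza(inputs, fn, sourcetype)
            _write_props_stanza(props, sourcetype)
            _write_header_transform(transforms, sourcetype, fields)
        # Written once; every props stanza above references it via
        # TRANSFORMS-commentsToNull.
        transforms.write('[bro-ignore-comments]\n')
        transforms.write('REGEX = "^#.*"\n')
        transforms.write('DEST_KEY = queue\n')
        transforms.write('FORMAT = nullQueue\n')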
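if __name__ == "__main__":
    # Usage: generate_splunk_configs.py <log_dir> <out_dir>
    # Fail with a usage line instead of an IndexError when arguments are missing.
    if len(sys.argv) < 3:
        sys.exit("usage: %s <log_dir> <out_dir>" % os.path.basename(sys.argv[0]))
    log_dir = sys.argv[1]
    out_dir = sys.argv[2]
    generate(log_dir, out_dir)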