3.2 - Splunk app v2.0.0 #16

Merged
merged 35 commits into from
Apr 2, 2018

Changes from 4 commits

Commits (35 commits)
0385fc0 Trying to avoid TA-wazuh-api-connector (manuasir, Mar 21, 2018)
9d94f27 Returning data from own backend more efficiently (manuasir, Mar 22, 2018)
0660b46 Fetching ruleset data from API on demand and avoiding indexation clos… (manuasir, Mar 22, 2018)
3e6244b Deleting TA api connector plugin (manuasir, Mar 22, 2018)
c88d48a Changing source of ruleset search tab (manuasir, Mar 22, 2018)
3ca1074 Merge pull request #10 from wazuh/3.2-dev-indexing-agents (manuasir, Mar 22, 2018)
7489e26 Merge pull request #11 from wazuh/3.2-dev-ruleset-search (manuasir, Mar 22, 2018)
7525fa6 Splunk indexes are not needed anymore for any Ruleset or Decoders fun… (manuasir, Mar 22, 2018)
24e39be Merge pull request #12 from wazuh/3.2-dev-decoders (manuasir, Mar 22, 2018)
016fc9f Setting new Agents Summary endpoint in backend (manuasir, Mar 22, 2018)
33ba3c2 New agents summary controller (manuasir, Mar 22, 2018)
c2a9a8a Opening up new Agents endpoint (manuasir, Mar 22, 2018)
81e1a63 Deleting unnecessary backup file (manuasir, Mar 22, 2018)
0604c58 Setting new Agents Summary endpoint in backend (manuasir, Mar 22, 2018)
27e9209 Adapting Agent summary tabs to use data from API (manuasir, Mar 22, 2018)
afd2006 Agent status backend endpoint (manuasir, Mar 22, 2018)
dda2f75 Modifying the Splunk Query in order to adapt it to own backend instea… (manuasir, Mar 22, 2018)
aeb10fc Cleaning and writing some comments over the backend code (manuasir, Mar 22, 2018)
eab6d3f Merge pull request #13 from wazuh/3.2-dev-indexing-agents (manuasir, Mar 22, 2018)
0863927 Implementing new endpoints in backend for fetch manager status and ba… (manuasir, Mar 23, 2018)
11a9201 Adding controllers for fetching data from new endpoints (manuasir, Mar 23, 2018)
383d793 Deleting TA, committed by error before (manuasir, Mar 23, 2018)
628db9f Merge pull request #14 from wazuh/3.2-dev-basic-info (manuasir, Mar 23, 2018)
754accf Backend endpoints for Agent list data (manuasir, Mar 23, 2018)
76ef41a Agent list backend (manuasir, Mar 23, 2018)
7e666a6 Agent list backend (manuasir, Mar 23, 2018)
57a6172 Agent list backend (manuasir, Mar 23, 2018)
6d48ba2 Modifying Agents queries for getting data from API (manuasir, Mar 23, 2018)
9d28727 Correcting some queries (manuasir, Mar 23, 2018)
8293ccc Merge pull request #15 from wazuh/3.2-agents-api (manuasir, Mar 23, 2018)
bc59a7f Quick hotfix, an index stayed without being removed (manuasir, Mar 23, 2018)
80dff05 Preparing the app for being deployed on demo machine (manuasir, Apr 2, 2018)
e6be344 Adding LF, not CRLF in readme.md (manuasir, Apr 2, 2018)
fff0406 Adding CHANGELOG.md to the project (manuasir, Apr 2, 2018)
ed8a12c Updating app version in changelog (manuasir, Apr 2, 2018)
38 changes: 36 additions & 2 deletions SplunkAppForWazuh/appserver/controllers/manager.py
Expand Up @@ -23,6 +23,40 @@ def setup_logger(level):
return logger
logger = setup_logger(logging.DEBUG)
class manager(controllers.BaseController):
# /custom/wazuh/manager/status
@expose_page(must_login=False, methods=['GET'])
def status(self, **kwargs):
opt_username = 'foo'
opt_password = 'bar'
opt_base_url = 'http://192.168.0.157:55000'
auth = requests.auth.HTTPBasicAuth(opt_username, opt_password)
verify = False
request = requests.get(opt_base_url + '/manager/status', auth=auth, verify=verify)
manager_status = json.loads(request.text)['data']
data = {}
for key in manager_status:
data['manager-status_' + key.lower()] = manager_status[key]
data = [data]
result = json.dumps(data)
return result

# /custom/wazuh/manager/info
@expose_page(must_login=False, methods=['GET'])
def info(self, **kwargs):
opt_username = 'foo'
opt_password = 'bar'
opt_base_url = 'http://192.168.0.157:55000'
auth = requests.auth.HTTPBasicAuth(opt_username, opt_password)
verify = False
request = requests.get(opt_base_url + '/manager/info', auth=auth, verify=verify)
manager_info = json.loads(request.text)['data']
data = {}
for key in manager_info:
data['manager-info_' + key.lower()] = manager_info[key]
data = [data]
result = json.dumps(data)
return result

# /custom/wazuh/manager/logs
@expose_page(must_login=False, methods=['GET'])
def logs(self, **kwargs):
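Review bot: The credentials and API address in the new `status()` and `info()` handlers are hard-coded in source (`opt_username = 'foo'`, `opt_password = 'bar'`, `opt_base_url = 'http://192.168.0.157:55000'`), and `verify = False` switches off TLS certificate validation for the request to the Wazuh API. Move the username, password and base URL into the app's configuration (the secret via Splunk's storage/passwords rather than a plain conf file) and only disable verification behind an explicit opt-in. Two further points on the same lines: `@expose_page(must_login=False, ...)` makes both endpoints reachable without a Splunk session, so anyone who can reach Splunk Web can read manager status and info through them; and `json.loads(request.text)['data']` runs without checking `request.status_code`, so an API error response or a body without a `data` key surfaces as an unhandled exception instead of an error result. Since `status()` and `info()` differ only in the path and the key prefix, a single helper taking the endpoint name and prefix would also stop the credentials being maintained in three places (`logs()` below repeats the same auth and `verify` lines).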
Expand All @@ -32,8 +66,8 @@ def logs(self, **kwargs):
auth = requests.auth.HTTPBasicAuth(opt_username, opt_password)
verify = False
request = requests.get(opt_base_url + '/manager/logs', auth=auth, verify=verify)
manager_info = json.loads(request.text)['data']['items']
result = json.dumps(manager_info)
manager_logs = json.loads(request.text)['data']['items']
result = json.dumps(manager_logs)
return result

# /custom/wazuh/manager/rules
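Review bot: The rename from `manager_info` to `manager_logs` is correct, but `json.loads(request.text)['data']['items']` on the line above still assumes a successful response; with `verify = False` and the same hard-coded credentials as `status()` and `info()`, a failed login or an unreachable API produces a `KeyError` or `ValueError` here rather than a clear error. Check `request.status_code` (or call `request.raise_for_status()`) and test for the `data` key before indexing, and return a JSON error body that the calling search command can surface.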
24 changes: 24 additions & 0 deletions SplunkAppForWazuh/bin/get_manager_info.py
@@ -0,0 +1,24 @@
#!/opt/splunk/bin/python
############################################################
#
# GET /manager/logs
#
############################################################
import sys
import splunk.Intersplunk as si
import requests
import json

try:
#pass
results = []
request = requests.get("http://192.168.0.159:8000/en-US/custom/SplunkAppForWazuh/manager/info")
# print request.text
data = json.loads(request.text)
except Exception as err:
import traceback
print err
stack = traceback.format_exc()
data = si.generateErrorResults("Error : Traceback: " + str(stack))

si.outputResults(data)
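Review bot: The header comment says `GET /manager/logs` but this script calls the `manager/info` endpoint; fix the comment. More importantly, the script fetches `http://192.168.0.159:8000/en-US/custom/SplunkAppForWazuh/manager/info` from a hard-coded host over plain HTTP with no session, which only works because the controller is exposed with `must_login=False`; read the Splunk Web base URL from configuration and pass the search's session key (available to the script when `passauth = true` is set in commands.conf), or call the API client logic directly from the command instead of round-tripping through Splunk Web. Also, `print err` in the `except` branch writes to stdout before `si.outputResults(data)`, which can corrupt the result stream the search process reads; write to stderr or drop the print, since the traceback is already returned through `generateErrorResults`. `results = []` and `import sys` are unused.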
24 changes: 24 additions & 0 deletions SplunkAppForWazuh/bin/get_manager_status.py
@@ -0,0 +1,24 @@
#!/opt/splunk/bin/python
############################################################
#
# GET /manager/logs
#
############################################################
import sys
import splunk.Intersplunk as si
import requests
import json

try:
#pass
results = []
request = requests.get("http://192.168.0.159:8000/en-US/custom/SplunkAppForWazuh/manager/status")
# print request.text
data = json.loads(request.text)
except Exception as err:
import traceback
print err
stack = traceback.format_exc()
data = si.generateErrorResults("Error : Traceback: " + str(stack))

si.outputResults(data)
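Review bot: This script duplicates `get_manager_info.py` line for line with only the URL changed, including the wrong `GET /manager/logs` header comment; factor the fetch-and-output logic into one shared module under `bin/` that takes the endpoint name, so the hard-coded host, the missing status-code check and the stdout `print err` get fixed in one place. Note also that `data = json.loads(request.text)` is handed straight to `si.outputResults`, which expects a list of result dicts; the controller returns a one-element list, so this works, but an error JSON object from the controller would be emitted as a result row rather than reported as an error.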
9 changes: 8 additions & 1 deletion SplunkAppForWazuh/default/commands.conf
@@ -1,11 +1,18 @@
[getmanagerlogs]
filename = get_manager_logs.py

[getmanagerinfo]
filename = get_manager_info.py

[getmanagerstatus]
filename = get_manager_status.py

[getruleset]
filename = get_ruleset.py

[getdecoders]
filename = get_decoders.py

[getagentsummary]
filename = get_agents_summary.py
filename = get_agents_summary.py
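Review bot: The dashboards in this PR invoke `getmanagerstatus` and `getagentsummary` as the first command of a search (`| getmanagerstatus | rename ...`), but the new stanzas set only `filename`; confirm that `generating = true` (and `passauth = true`, if the scripts are to receive the session key) is set here or in `local/commands.conf`, otherwise Splunk rejects the command at the head of a pipeline. The repeated `filename = get_agents_summary.py` at the end accounts for the 1 deletion and 1 addition in the file summary (the line gaining a trailing newline), so nothing to change there.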

28 changes: 14 additions & 14 deletions SplunkAppForWazuh/default/data/ui/views/manager_status.xml
@@ -1,63 +1,63 @@
<dashboard stylesheet="wazuh_decorations.css">
<label>Manager Status</label>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-analysisd as analysisd | eval value=if(analysisd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-analysisd as analysisd | eval value=if(analysisd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value1">$result.value$</set>
<set token="range1">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-execd as execd| eval value=if(execd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-execd as execd| eval value=if(execd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value2">$result.value$</set>
<set token="range2">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-logcollector as logcollector| eval value=if(logcollector="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-logcollector as logcollector| eval value=if(logcollector="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value3">$result.value$</set>
<set token="range3">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-monitord as monitord | eval value=if(monitord="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-monitord as monitord | eval value=if(monitord="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value4">$result.value$</set>
<set token="range4">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-remoted as remoted | eval value=if(remoted="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-remoted as remoted | eval value=if(remoted="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value5">$result.value$</set>
<set token="range5">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-maild as maild | eval value=if(maild="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-maild as maild | eval value=if(maild="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value6">$result.value$</set>
<set token="range6">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-authd as authd | eval value=if(authd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-authd as authd | eval value=if(authd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value7">$result.value$</set>
<set token="range7">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_wazuh-modulesd as modulesd | eval value=if(modulesd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_wazuh-modulesd as modulesd | eval value=if(modulesd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value8">$result.value$</set>
<set token="range8">$result.range$</set>
</progress>
</search>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename manager-status_ossec-syscheckd as syscheckd | eval value=if(syscheckd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<query>| getmanagerstatus | rename manager-status_ossec-syscheckd as syscheckd | eval value=if(syscheckd="running","1","0") | top value showcount=f showperc=f | rangemap field=value up=1-1 down=0-0 none=2-2 default=none</query>
<progress>
<set token="value9">$result.value$</set>
<set token="range9">$result.range$</set>
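Review bot: Replacing `index="wazuh_api" sourcetype="wazuh:api:info:basic"` with `| getmanagerstatus` turns each of these nine status searches into a separate run of the command, i.e. nine calls through the Splunk Web controller to the Wazuh API `/manager/status` endpoint on every dashboard load and refresh. Run `| getmanagerstatus` once as a base search (`<search id="...">`) and derive the nine daemon tokens with post-process searches (`<search base="...">`) so the API is hit once. Also, each `eval value=if(analysisd="running","1","0")` maps a missing field to "0" (down): if the command returns an error row or the field is absent, the panel shows the daemon as down rather than unknown, so the `none` range in `rangemap` is never reached; test for the field with `isnull()` first.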
Expand Down Expand Up @@ -135,7 +135,7 @@
<single>
<title>Total Agents</title>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | stats latest(agent_summary_total) as "Total Agents"</query>
<query>| getagentsummary | stats first(agent_summary_total) as "Total Agents"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
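Review bot: Switching `stats latest(agent_summary_total)` to `stats first(...)` is the right choice for a single-row command result that is not a time-ordered event, but the `<earliest>-15m</earliest>` and `<latest>now</latest>` kept on this panel no longer select anything for a generating command and should be dropped so the dashboard does not suggest the count is limited to the last 15 minutes. The same applies to the Active, Disconnected and Never connected panels below, which make the identical change.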
Expand All @@ -147,7 +147,7 @@
<single>
<title>Active</title>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | stats latest(agent_summary_active) as "Active Agents"</query>
<query>| getagentsummary | stats first(agent_summary_active) as "Active Agents"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
Expand All @@ -159,7 +159,7 @@
<single>
<title>Disconnected</title>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | stats latest(agent_summary_disconnected) as "Disconnected"</query>
<query>| getagentsummary | stats first(agent_summary_disconnected) as "Disconnected"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
Expand All @@ -171,7 +171,7 @@
<single>
<title>Never connected</title>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | stats latest(agent_summary_neverconnected) as "Never"</query>
<query>| getagentsummary | stats first(agent_summary_neverconnected) as "Never"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
Expand All @@ -183,7 +183,7 @@
<single>
<title>Agent Coverage</title>
<search>
<query>index="wazuh_api" sourcetype="wazuh:api:info:basic" | rename agent_summary_active as Active, agent_summary_total as Total | eval Coverage=round((Active*100)/Total,2) | eval Coverage=Coverage + " %" | top Coverage showcount=f showperc=f</query>
<query>| getagentsummary | rename agent_summary_active as Active, agent_summary_total as Total | eval Coverage=round((Active*100)/Total,2) | eval Coverage=Coverage + " %" | top Coverage showcount=f showperc=f</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
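Review bot: `eval Coverage=round((Active*100)/Total,2)` divides by `Total`; when the summary reports zero agents, Splunk's division yields null, `Coverage` becomes null and the panel renders empty rather than "0 %". Guard it, e.g. `eval Coverage=if(Total=0, 0, round((Active*100)/Total,2))`, and as with the other panels the `-15m` time window no longer applies once the data comes from `| getagentsummary`.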