SH-Deployer/apps/SA-ITOA/bin/itsi_notable_event_hec_init.py


# Copyright (C) 2005-2025 Splunk Inc. All Rights Reserved.
"""
Modular Input that runs on startup. It does the following:
1. Initializes HEC on this Search Head.
2. Creates the HEC tokens consumed by ITSI Episode Review and sets their owner/ACL values.
"""
import sys
from splunk.clilib.bundle_paths import make_splunkhome_path
sys.path.append(make_splunkhome_path(['etc', 'apps', 'SA-ITOA', 'lib']))
sys.path.append(make_splunkhome_path(['etc', 'apps', 'SA-ITOA', 'lib', 'SA_ITOA_app_common']))
from common_util_hec_initializer import initialize_hec
import itsi_path
from ITOA.setup_logging import getLogger4ModInput
from ITOA.mod_input_utils import skip_run_during_migration
from itsi.itsi_utils import ItsiMacroReader
from SA_ITOA_app_common.solnlib.modular_input import ModularInput
class ITSINotableEventHECInit(ModularInput):
    """
    Startup modular input that prepares HEC for ITSI Episode Review.

    On each run it resolves the ITSI notable-event indexes from their macros,
    builds the list of HEC token specifications ITSI needs and hands that list,
    together with the input's session key, to ``initialize_hec``. See
    ``do_run`` for the sequence.
    """
    title = 'IT Service Intelligence HEC Initializer'
    description = 'Initializes Splunk HEC, creates and sets the right ACL values for HEC tokens consumed by ITSI Episode Review.'
    handlers = None
    app = 'SA-ITOA'
    name = 'itsi_notable_event_hec_init'
    # One process per input stanza; no KV store checkpoint and no HEC writer
    # of its own -- this input only provisions HEC for other components.
    use_single_instance = False
    use_kvstore_checkpointer = False
    use_hec_event_writer = False

    def extra_arguments(self):
        """
        Declare the extra input arguments this modular input accepts.

        @return: list holding the single ``log_level`` argument definition
        """
        log_level_help = (
            "This is the level at which the modular input will log data; "
            "DEBUG, INFO, WARN, ERROR. Defaults to WARN."
        )
        log_level_arg = {
            'name': "log_level",
            'title': "Logging Level",
            'description': log_level_help,
        }
        return [log_level_arg]

    @skip_run_during_migration
    def do_run(self, input_config):
        """
        Entry point invoked by splunkd when the input is enabled.

        Reads the four ITSI index macros, assembles the HEC token
        specifications and passes them to ``initialize_hec`` along with the
        session key. The decorator skips the whole run while a migration is
        in progress.

        @param input_config: config passed down by splunkd
        """
        logger = getLogger4ModInput(input_config)

        # Every member of a search head cluster has to provision its own HEC,
        # so there is deliberately no captain/member check in this input.

        def macro_reader(macro_name):
            return ItsiMacroReader(self.session_key, macro_name)

        # Resolve all macros up front, before any index value is read.
        tracked_alerts = macro_reader('itsi_event_management_index_with_close_events')
        grouped_alerts = macro_reader('itsi_event_management_group_index')
        notable_audit = macro_reader('itsi_notable_audit_index')
        notable_archive = macro_reader('itsi_notable_archive_index')

        def token_spec(token, index, sourcetype, source=None, is_use_ack=False):
            # Record shape consumed by initialize_hec. 'host' is never pinned
            # and every token is owned by the 'itsi' app.
            return {
                'token': token,
                'index': index,
                'host': None,
                'source': source,
                'sourcetype': sourcetype,
                'app': 'itsi',
                'is_use_ack': is_use_ack,
            }

        tokens_info = [
            token_spec('Auto Generated ITSI Event Management Token',
                       tracked_alerts.index, 'itsi_notable:event'),
            token_spec('Auto Generated ITSI Notable Event Retention Policy Token',
                       notable_archive.index, 'itsi_notable:archive'),
            token_spec('Auto Generated ITSI Notable Index Audit Token',
                       notable_audit.index, 'itsi_notable:audit',
                       source='Notable Event Audit'),
            token_spec('itsi_group_alerts_token',
                       grouped_alerts.index, 'itsi_notable:group',
                       source='itsi_group_alerts'),
            # The only token that requests indexer acknowledgement.
            token_spec('itsi_group_alerts_sync_token',
                       grouped_alerts.index, 'itsi_notable:group',
                       source='itsi_group_alerts', is_use_ack=True),
            token_spec('itsi_group_comments_token',
                       grouped_alerts.index, 'itsi_notable:comment',
                       source='Notable Event Comment'),
        ]

        # NOTE(review): the token secrets are not visible in this file;
        # initialize_hec is presumably what generates and ACLs them. Nothing
        # here logs token values or the session key -- keep it that way.
        initialize_hec(self.session_key, logger, tokens_info)
if __name__ == "__main__":
    # splunkd runs this script directly; execute() drives the ModularInput
    # lifecycle that eventually calls do_run.
    mod_input = ITSINotableEventHECInit()
    mod_input.execute()