Add basic Splunk via SDK (not working yet)

2026-01-06 15:54:25 +01:00 · 2015-08-09 04:39:30 -07:00
parent 9ade34c6a5
commit 16512be621
2 changed files with 53 additions and 0 deletions
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
@@ -237,6 +237,19 @@ logfile = log/cowrie.json
 # [output_localsyslog]
 # facility = USER

+
+# Splunk SDK output module
+#
+# This sends logs directly to Splunk using the SDK
+#
+# [output_splunk]
+# host = localhost
+# port = 8889
+# username = admin
+# password = password
+# index = cowrie
+
+
 #[database_hpfeeds]
 #server = hpfeeds.mysite.org
 #port = 10000
--- a/cowrie/output/splunk.py
+++ b/cowrie/output/splunk.py
@@ -0,0 +1,40 @@
+import os
+import json
+
+import splunklib.client as client
+
+import cowrie.core.output
+
+class Output(cowrie.core.output.Output):
+
+    def __init__(self, cfg):
+        """ Initializing the class."""
+        cowrie.core.output.Output.__init__(self, cfg)
+        self.index = self.cfg.get('output_splunk', 'index')
+        self.username = self.cfg.get('output_splunk', 'username')
+        self.password = self.cfg.get('output_splunk', 'password')
+        self.host = self.cfg.get('output_splunk', 'host')
+        self.port = self.cfg.get('output_splunk', 'port')
+
+    def start(self):
+        self.service = client.connect(
+            host=self.host,
+            port=self.port,
+            username=self.username,
+            password=self.password)
+        self.index = self.service.indexes['cowrie']
+        pass
+
+    def stop(self):
+        pass
+
+    def write(self, logentry):
+        for i in logentry.keys():
+            # remove twisted 15 legacy keys
+            if i.startswith('log_'):
+                del logentry[i]
+
+        mysocket = self.index.attach()
+        mysocket.send(json.dumps(logentry))
+        mysocket.close()
+