From 4bf1d2a78597c1205f4ae8a84be4dbc2ab82777d Mon Sep 17 00:00:00 2001 From: Mike Schiessl <77062930+MikeSchiessl@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:44:57 +0200 Subject: [PATCH] v1.7.4 (#62) --- Dockerfile | 10 ++++-- README.md | 2 ++ bin/modules/UlsInputCli.py | 32 +++++++++++++++++++ bin/modules/UlsTools.py | 17 ++++++---- bin/uls_config/global_config.py | 14 ++++---- docs/ARGUMENTS_ENV_VARS.md | 24 +++++++------- docs/CHANGELOG.md | 18 +++++++++++ docs/LOG_OVERVIEW.md | 15 +++++++++ docs/SIEM/HYDROLIX/README.md | 26 +++++++++++++++ docs/SIEM/SIEM_OVERVIEW.md | 1 + .../kubernetes/helm/akamai-uls/Chart.yaml | 2 +- scripts/get-uls.sh | 18 ++++++++--- scripts/update-uls.sh | 10 ++++++ test/positive_test.bats | 12 +++++++ 14 files changed, 168 insertions(+), 33 deletions(-) create mode 100644 docs/SIEM/HYDROLIX/README.md diff --git a/Dockerfile b/Dockerfile index f37924a..ad2213d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12.2-slim-bookworm +FROM python:3.12.4-slim-bookworm LABEL MAINTAINER="Mike Schiessl - mike.schiessl@akamai.com" LABEL APP_LONG="Akamai Universal Log Streamer" LABEL APP_SHORT="ULS" @@ -11,10 +11,11 @@ ARG ULS_DIR="$HOMEDIR/uls" ARG EXT_DIR="$ULS_DIR/ext" ARG ETP_CLI_VERSION="0.4.7" -ARG EAA_CLI_VERSION="0.6.3" +ARG EAA_CLI_VERSION="0.6.9" ARG MFA_CLI_VERSION="0.1.1" ARG GC_CLI_VERSION="v0.0.4(beta)" ARG LINODE_CLI_VERSION="dev" +ARG ACC_CLI_VERSION="v0.0.1-alpha" # ENV VARS ENV ULS_DIR=$ULS_DIR @@ -77,6 +78,11 @@ ENV LINODE_CLI_VERSION=$LINODE_CLI_VERSION RUN git clone --depth 1 -b "${LINODE_CLI_VERSION}" --single-branch https://github.com/MikeSchiessl/ln-logs.git ${EXT_DIR}/cli-linode && \ pip3 install --no-cache-dir -r ${EXT_DIR}/cli-linode/bin/requirements.txt +## ACC CLI +ENV ACC_CLI_VERSION=$ACC_CLI_VERSION +RUN git clone --depth 1 -b "${ACC_CLI_VERSION}" --single-branch https://github.com/MikeSchiessl/acc-logs.git ${EXT_DIR}/acc-logs && \ + pip3 install --no-cache-dir -r ${EXT_DIR}/acc-logs/bin/requirements.txt + # ENTRYPOINTS / CMD VOLUME ["${ULS_DIR}/var"] ENTRYPOINT ["/usr/local/bin/python3","-u","bin/uls.py"] diff --git a/README.md b/README.md index 4254867..b663906 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,8 @@ It can be run directly as Python code, as a provided Docker container, through - AUDIT - [Linode](https://www.linode.com/) (experimental) - [AUDIT](docs/LOG_OVERVIEW.md#audit-logs) + - Akamai Control Center (experimental) + - [EVENTS](docs/LOG_OVERVIEW.md#events) - Supported data outputs diff --git a/bin/modules/UlsInputCli.py b/bin/modules/UlsInputCli.py index 5faf067..a18c72a 100644 --- a/bin/modules/UlsInputCli.py +++ b/bin/modules/UlsInputCli.py @@ -333,6 +333,38 @@ def proc_create(self): cli_command = [self.bin_python, product_path] +\ self._uls_useragent(self.product, "rawcmd") +\ shlex.split(self.rawcmd) + + # Akamai Control Center config + elif self.product == "ACC": + product_path = self.root_path + "/" + uls_config.bin_acc_logs + product_feeds = uls_config.acc_logs_feeds + if not self.cliformat == "JSON": + aka_log.log.warning(f"{self.name} - Selected LOG Format ({self.cliformat}) " + f"not available for {product_path}, continuing with JSON.") + if not self.rawcmd: + self.edgerc_hostname = UlsTools.uls_check_edgerc(self.credentials_file, + self.credentials_file_section, + uls_config.edgerc_openapi) + my_feed = self._feed_selector(self.feed, product_feeds) + if my_feed == "EVENTS": + my_feed = "getevents" + cli_command = [self.bin_python, '-u', product_path, 'events', my_feed.lower(), '-f'] + cli_command[3:3] = self._uls_useragent(self.product, my_feed) + cli_command[3:3] = edgegrid_auth + cli_command[3:3] = self._prep_proxy(self.inproxy) + + # Append End and Starttime + if self.endtime: + # We need to remove "-f" from the end of the cli cmd if we work with endtime + cli_command = cli_command[:-1] + cli_command.extend(self._prep_start_endtime('--end', self.endtime)) + if self.starttime: + cli_command.extend(self._prep_start_endtime('--start', self.starttime)) + else: + cli_command = [self.bin_python, product_path] +\ + self._uls_useragent(self.product, "rawcmd") +\ + shlex.split(self.rawcmd) + # Mocked output elif self.product == "MOCK": print ("Not yet there") diff --git a/bin/modules/UlsTools.py b/bin/modules/UlsTools.py index 92d190d..53afa6c 100644 --- a/bin/modules/UlsTools.py +++ b/bin/modules/UlsTools.py @@ -56,6 +56,8 @@ def _check_cli_installed(cli_bin): _check_cli_installed(root_path + "/" + uls_config.bin_gc_cli) elif uls_input == "LINODE": _check_cli_installed(root_path + "/" + uls_config.bin_linode_cli) + elif uls_input == "ACC": + _check_cli_installed(root_path + "/" + uls_config.bin_acc_logs) else: aka_log.log.critical(f"No input specified: {uls_input} - exiting") sys.exit(1) @@ -100,7 +102,8 @@ def _get_cli_version(cli_bin, edgerc_mock_file): f"SIA/ETP Version\t\t{_get_cli_version(root_path + '/' + uls_config.bin_etp_cli, my_edgerc_mock_file)}\n" f"MFA Version\t\t{_get_cli_version(root_path + '/' + uls_config.bin_mfa_cli, my_edgerc_mock_file)}\n" f"GC Version\t\t{_get_cli_version(root_path + '/' + uls_config.bin_gc_cli, my_edgerc_mock_file)}\n" - f"LINODE Version\t\t{_get_cli_version(root_path + '/' + uls_config.bin_linode_cli, my_edgerc_mock_file)}\n\n" + f"LINODE Version\t\t{_get_cli_version(root_path + '/' + uls_config.bin_linode_cli, my_edgerc_mock_file)}\n" + f"ACC-LOGS Version\t{_get_cli_version(root_path + '/' + uls_config.bin_linode_cli, my_edgerc_mock_file)}\n\n" f"OS Plattform\t\t{platform.platform()}\n" f"OS Version\t\t{platform.release()}\n" f"Python Version\t\t{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}\n" @@ -224,11 +227,11 @@ def check_autoresume(input, feed, checkpoint_dir=uls_config.autoresume_checkpoin aka_log.log.debug(f"Autoresume Checkpoint successfully loaded. Checkpoint Time: {data['checkpoint']}, Creation_time: {data['creation_time']}") creation_time = data['creation_time'] # Convert the Checkpoint to "epoch Timestamp", depending on the input - if data['input'] == "ETP": + if data['input'] == "ETP" or data['input'] == "SIA": mytime = data['checkpoint'].split("Z")[0] elif data['input'] == "EAA": mytime = data['checkpoint'].split("+")[0] - elif data['input'] == "GC": + elif data['input'] == "GC" or data['input'] == "ACC": mytime = data['checkpoint'].split(".")[0] else: aka_log.log.critical( @@ -270,13 +273,13 @@ def write_autoresume_ckpt(input, feed, autoresume_file, logline, current_count): # Adopt the field to the stream / feed checkpoint_line = logline.decode() - if input == "ETP" and (feed == "THREAT" or feed =="PROXY" or feed == "AUP"): + if (input == "ETP" or input == "SIA") and (feed == "THREAT" or feed =="PROXY" or feed == "AUP"): checkpoint_timestamp = json.loads(checkpoint_line)['event']['detectionTime'] - elif input == "ETP" and feed == "DNS": + elif (input == "ETP" or input == "SIA") and feed == "DNS": checkpoint_timestamp = json.loads(checkpoint_line)['query']['time'] elif input == "EAA" and feed == "ACCESS": checkpoint_timestamp = json.loads(checkpoint_line)['datetime'] - elif input == "ETP" and feed == "NETCON": + elif (input == "ETP" or input == "SIA") and feed == "NETCON": checkpoint_timestamp = json.loads(checkpoint_line)['connStartTime'] elif input == "GC" and feed == "AUDIT": checkpoint_timestamp = json.loads(checkpoint_line)['time'] @@ -284,6 +287,8 @@ def write_autoresume_ckpt(input, feed, autoresume_file, logline, current_count): checkpoint_timestamp = json.loads(checkpoint_line)['closed_time'] elif input == "GC" and feed == "NETLOG": checkpoint_timestamp = json.loads(checkpoint_line)['db_insert_time'] + elif input == "ACC" and feed == "EVENTS": + checkpoint_timestamp = json.loads(checkpoint_line)['eventTime'] else: aka_log.log.critical( f"AUTORESUME - Unhandled Input / Feed detected: '{input} / {feed}' (this should never happen !!)- Exiting") diff --git a/bin/uls_config/global_config.py b/bin/uls_config/global_config.py index e1f0360..8557531 100644 --- a/bin/uls_config/global_config.py +++ b/bin/uls_config/global_config.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # Common global variables / constants -__version__ = "1.7.3" +__version__ = "1.7.4" __tool_name_long__ = "Akamai Unified Log Streamer" __tool_name_short__ = "ULS" @@ -16,15 +16,11 @@ # EAA - # Path to the EAA CLI Executable bin_eaa_cli = "ext/cli-eaa/bin/akamai-eaa" - # Available EAA CLI feeds eaa_cli_feeds = ['ACCESS', 'ADMIN', 'CONHEALTH', 'DEVINV', 'DIRHEALTH'] # ETP - # Path to the ETP CLI Executable bin_etp_cli = "ext/cli-etp/bin/akamai-etp" - # Available ETP CLI feeds etp_cli_feeds = ['THREAT', 'AUP', 'DNS', 'PROXY', 'NETCON'] # MFA @@ -39,8 +35,12 @@ bin_linode_cli = "ext/cli-linode/bin/akamai-linode" # Path to the LINODE CLI Executable linode_cli_feeds = ['AUDIT'] # Available LINODE CLI feeds + # ACC-LOGS +bin_acc_logs = "ext/acc-logs/bin/akamai-acc" +acc_logs_feeds = ['EVENTS'] + # INPUT Choices -input_choices = ['EAA', 'ETP', 'SIA', 'MFA', 'GC', 'LINODE'] # Available input types +input_choices = ['EAA', 'ETP', 'SIA', 'MFA', 'GC', 'LINODE', 'ACC'] # Available input types input_format_choices = ['JSON', 'TEXT'] # Available input format choices (need to be supported by cli) # OUTPUT Choices @@ -107,6 +107,6 @@ # Autoresume Configuration autoresume_checkpoint_path = "var/" # (Default) Path, where the checkpointfiles should be stored to -autoresume_supported_inputs = ['ETP', 'EAA', 'GC'] # Internal Var only, to adjust supported inputs +autoresume_supported_inputs = ['ETP', 'EAA', 'GC', 'SIA', 'ACC'] # Internal Var only, to adjust supported inputs autoresume_write_after = 1000 # Write checkpoint only every ${autoresume_write_every} loglines diff --git a/docs/ARGUMENTS_ENV_VARS.md b/docs/ARGUMENTS_ENV_VARS.md index c55b5ce..f793646 100644 --- a/docs/ARGUMENTS_ENV_VARS.md +++ b/docs/ARGUMENTS_ENV_VARS.md @@ -21,18 +21,18 @@ The following tables list all available command line parameters and their corres ## INPUT -| Parameter | Env - Var | Options | Default | Description | -|---------------------------|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -i
--input | ULS_INPUT | 'EAA', 'ETP', 'MFA', 'GC', 'LINODE' | None | Specify the desired INPUT source | -| --feed | ULS_FEED | EAA: 'ACCESS', 'ADMIN', 'CONHEALTH', 'DEVINV'

ETP: 'THREAT', 'AUP', 'DNS', 'PROXY'

MFA: 'EVENT'

GC: 'NETLOG', 'INCIDENT', 'AGENT', 'SYSTEM', 'AUDIT'

LINODE: 'AUDIT' | None | Specify the desired INPUT feed | -| --format | ULS_FORMAT | 'JSON', 'TEXT' | JSON | Specify the desired INPUT (=OUTPUT) format | -| --inproxy
--inputproxy | ULS_INPUT_PROXY | HOST:PORT | None | Adjust proxy usage for INPUT data collection (cli)
If this parameter does not work as expected, [please read more about it here](./FAQ.md#--inputproxy-proxy-does-not-work-as-expected) | -| --rawcmd | ULS_RAWCMD | \ | None | USE with caution /!\
This is meant only to be used when told by AKAMAI [Click here for more information](ADDITIONAL_FEATURES.md#rawcmd---rawcmd-feature) | -| --edgerc | ULS_EDGERC | /path/to/your/.edgerc | '~/.edgerc' | Specify the location of the .edgerc EDGE GRID AUTH file | -| --section | ULS_SECTION | edgerc_config_section | 'default' | Specify the desired section within the .edgerc file | -| --starttime | ULS_STARTTIME | EPOCH timestamp (in seconds) | `cli_default` | Specify an EPOCH timestamp from where to start the log collection. | -| --endtime | ULS_ENDTIME | EPOCH timestamp (in seconds) | None | Specify an EPOCH timestamp up until where to fetch logs. ULS will exit after reaching this point.
ULS will not continue reading logs on CLI errors !!! | -| --inputqueuesize | ULS_INPUT_QUEUESIZE | INPUT_QUEUE_SIZE(int) | 15000 | Maximum threshold of the input queue. When threshold is reached, ULS will stop operations and exit "Capacity exceeded, too many incoming data vs. slow output" | +| Parameter | Env - Var | Options | Default | Description | +|---------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -i
--input | ULS_INPUT | 'EAA', 'ETP', 'MFA', 'GC', 'LINODE', 'ACC' | None | Specify the desired INPUT source | +| --feed | ULS_FEED | EAA: 'ACCESS', 'ADMIN', 'CONHEALTH', 'DEVINV'

ETP: 'THREAT', 'AUP', 'DNS', 'PROXY'

MFA: 'EVENT'

GC: 'NETLOG', 'INCIDENT', 'AGENT', 'SYSTEM', 'AUDIT'

LINODE: 'AUDIT'

ACC: 'EVENTS' | None | Specify the desired INPUT feed | +| --format | ULS_FORMAT | 'JSON', 'TEXT' | JSON | Specify the desired INPUT (=OUTPUT) format | +| --inproxy
--inputproxy | ULS_INPUT_PROXY | HOST:PORT | None | Adjust proxy usage for INPUT data collection (cli)
If this parameter does not work as expected, [please read more about it here](./FAQ.md#--inputproxy-proxy-does-not-work-as-expected) | +| --rawcmd | ULS_RAWCMD | \ | None | USE with caution /!\
This is meant only to be used when told by AKAMAI [Click here for more information](ADDITIONAL_FEATURES.md#rawcmd---rawcmd-feature) | +| --edgerc | ULS_EDGERC | /path/to/your/.edgerc | '~/.edgerc' | Specify the location of the .edgerc EDGE GRID AUTH file | +| --section | ULS_SECTION | edgerc_config_section | 'default' | Specify the desired section within the .edgerc file | +| --starttime | ULS_STARTTIME | EPOCH timestamp (in seconds) | `cli_default` | Specify an EPOCH timestamp from where to start the log collection. | +| --endtime | ULS_ENDTIME | EPOCH timestamp (in seconds) | None | Specify an EPOCH timestamp up until where to fetch logs. ULS will exit after reaching this point.
ULS will not continue reading logs on CLI errors !!! | +| --inputqueuesize | ULS_INPUT_QUEUESIZE | INPUT_QUEUE_SIZE(int) | 15000 | Maximum threshold of the input queue. When threshold is reached, ULS will stop operations and exit "Capacity exceeded, too many incoming data vs. slow output" | ## OUTPUT diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 9489c04..c6a4c3a 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -1,4 +1,22 @@ # Version History +## v1.7.4 +||| +|---|---| +|Date|2024-06-17 +|Kind| MINOR release +|Author|mschiess@akamai.com, androcho@akamai.com +- **Features** + - New Input & Feed available - Akamai Control Center Events + +- **Minor improvements** + - [docker] Bumped Python version to 3.12.4 + - [docker] bumped CLI-EAA to "0.6.9" + - [HYDROLIX documentation](SIEM/HYDROLIX/README.md) added to the SIEM integrations + +- **BUGFIX** + - Fixed a bug in the autoresume function where SIA does not equal it's alias ETP properly + + ## v1.7.3 ||| |---|---| diff --git a/docs/LOG_OVERVIEW.md b/docs/LOG_OVERVIEW.md index 456eecf..7191c27 100644 --- a/docs/LOG_OVERVIEW.md +++ b/docs/LOG_OVERVIEW.md @@ -28,6 +28,8 @@ Here are some examples (per product) and links to additional information. - [INCIDENT](#incident) - [Linode](#linode) - [AUDIT Logs](#audit-logs) + - [AKAMAI ACC](#akamai-acc) + - [Events](#events) --- ## Enterprise Application Access (EAA) @@ -2694,3 +2696,16 @@ Additional information regarding the log fields can be found on [here](https://w } ``` + + +--- +## Akamai ACC +### EVENTS +Additional information regarding the log fields can be found on [here](https://techdocs.akamai.com/event-viewer/reference/get-events) +
+EVENT logs example (json) + +```json +{"eventId": "1234567890-abcd-efab-badc-1234567890abcdef", "eventTime": "2024-06-17T09:23:17.976Z", "eventData": [{"key": "userIdAttributeName", "value": "uid"}, {"key": "method", "value": "sp_init"}, {"key": "authenticationMethod", "value": "https://sso.akamai.com/saml2/idp"}, {"key": "requestId", "value": "_12345667890-abcd-efab-cdef-1234567890abcd"}, {"key": "domain", "value": "control.akamai.com"}, {"key": "notOnOrAfter", "value": "2024-06-17T09:28:17.669Z"}, {"key": "entityId", "value": "https://sso.akamai.com/saml2/idp"}, {"key": "details", "value": "User testuser has been successfully logged in using https://sso.akamai.com/saml2/idp IDP"}, {"key": "notBefore", "value": "2024-06-17T09:18:17.669Z"}, {"key": "pulsar_host", "value": "10.10.10.10"}, {"key": "arrivalDate", "value": "2024-06-17T09:23:17.901497Z"}], "eventType": {"eventTypeId": "16", "eventTypeName": "All Logins", "eventDefinition": {"eventDefinitionId": "1234567", "eventName": "Successful SSO Login", "eventDescription": "A user successfully authenticated using Single Sign-on (SSO)"}}, "impersonator": true, "username": "testuser"} +``` +
\ No newline at end of file diff --git a/docs/SIEM/HYDROLIX/README.md b/docs/SIEM/HYDROLIX/README.md new file mode 100644 index 0000000..bb85a36 --- /dev/null +++ b/docs/SIEM/HYDROLIX/README.md @@ -0,0 +1,26 @@ +# Hydrolix integration + +ULS is able to send any [supported feeds](../../LOG_OVERVIEW.md) to Hydrolix with HTTP Output. +Make sure you turn off the HTTP Liveness check since Hydrolix Ingestion endpoints do not accept HTTP HEAD requests. + +## Example ULS pushing to Hydrolix + +Docker example with Guardicore netlog feed: + +```bash +docker run -d --name uls_gc_netlog -ti \ + --mount type=bind,source="/path/to/your/.edgerc",target="/opt/akamai-uls/.edgerc",readonly \ + --env ULS_INPUT=GC \ + --env ULS_FEED=NETLOG \ + --env ULS_OUTPUT=HTTP \ + --env GC_SKIP_TLS_VALIDATION=True \ + --env ULS_HTTP_URL='https://iad.trafficpeak.live/ingest/event?table=xxxxx' \ + --env ULS_HTTP_AUTH_HEADER='{"Authorization": "Basic xxxx=="}' \ + --env ULS_HTTP_LIVNESS_CHECK=false \ + --env ULS_HTTP_FORMAT="%s" \ + akamai/uls +``` + +## More information + +See Hydrolix website [https://www.hydrolix.io](https://hydrolix.io/) \ No newline at end of file diff --git a/docs/SIEM/SIEM_OVERVIEW.md b/docs/SIEM/SIEM_OVERVIEW.md index b70e3bb..a46f8ee 100644 --- a/docs/SIEM/SIEM_OVERVIEW.md +++ b/docs/SIEM/SIEM_OVERVIEW.md @@ -6,6 +6,7 @@ All contributions in terms of documentation a welcome. ## SIEM Integration guides (alphabetical) - [GRAYLOG](./GRAYLOG/README.md) +- [HYDROLIX](HYDROLIX/README.md) - [MICROSOFT SENTINEL](./SENTINEL/Readme.md) - [QRADAR](./QRADAR/README.md) - [SPLUNK](./SPLUNK/README.md) diff --git a/docs/examples/kubernetes/helm/akamai-uls/Chart.yaml b/docs/examples/kubernetes/helm/akamai-uls/Chart.yaml index 577d52e..23a775f 100644 --- a/docs/examples/kubernetes/helm/akamai-uls/Chart.yaml +++ b/docs/examples/kubernetes/helm/akamai-uls/Chart.yaml @@ -4,4 +4,4 @@ description: Akamai Universal Log Streamer Helm installation type: application version: 2.0.0 -appVersion: "1.7.3" +appVersion: "1.7.4" diff --git a/scripts/get-uls.sh b/scripts/get-uls.sh index 93da53c..6f6c6c5 100755 --- a/scripts/get-uls.sh +++ b/scripts/get-uls.sh @@ -2,7 +2,7 @@ # This file will install the latest ULS including all of its modules (latest version) into the current directory/uls # curl -O https://raw.githubusercontent.com/akamai/uls/main/scripts/get-uls.sh && bash get-uls.sh -default_modules="eaa,etp,mfa,gc,ln" +default_modules="eaa,etp,mfa,gc,ln,acc" default_install_dir="$(pwd)/uls" function min_version() { @@ -201,15 +201,23 @@ echo "Installing GC-CLI" pip3 install -q -r ${install_dir}/ext/cli-gc/bin/requirements.txt fi - ## GRAB LINODE-CLI -if [[ "$install_modules" == *"ln"* ]] ; then -echo "Installing LINODE-CLI" - git clone -q --depth 1 -b dev --single-branch https://github.com/MikeSchiessl/ln-logs.git ${install_dir}/ext/cli-linode +if [[ "$install_modules" == *"acc"* ]] ; then +echo "Installing ACC-CLI" + git clone -q --depth 1 -b dev --single-branch https://github.com/MikeSchiessl/acc-logs.git ${install_dir}/ext/cli-linode py_reqs ${install_dir}/ext/cli-linode/bin/requirements.txt pip3 install -q -r ${install_dir}/ext/cli-linode/bin/requirements.txt fi +## GRAB GC-CLI +if [[ "$install_modules" == *"gc"* ]] ; then +echo "Installing ACC-CLI" + git clone -q --depth 1 -b dev --single-branch https://github.com/MikeSchiessl/gc-logs.git ${install_dir}/ext/acc-logs + py_reqs ${install_dir}/ext/acc-logs/bin/requirements.txt + pip3 install -q -r ${install_dir}/ext/acc-logs/bin/requirements.txt +fi + + # Finishing off echo -e "\n\n\n" echo "ULS has been successfully installed" diff --git a/scripts/update-uls.sh b/scripts/update-uls.sh index c12415c..7d359e4 100755 --- a/scripts/update-uls.sh +++ b/scripts/update-uls.sh @@ -105,6 +105,16 @@ else fi +## ACC +if [[ -d "${uls_dir}/ext/acc-logs" ]] ; then + echo "ACC-CLI detected, updating" + git -C ${uls_dir}/ext/acc-logs pull -q + pip3 install -q -r ${uls_dir}/ext/acc-logs/bin/requirements.txt +else + echo "NO ACC-CLI detected - skipping" +fi + + echo -e "\n\n\nUpdate is complete." echo "Updated versions (post update)" ${uls_dir}/bin/uls.py --version diff --git a/test/positive_test.bats b/test/positive_test.bats index 7e0b45c..89912d4 100644 --- a/test/positive_test.bats +++ b/test/positive_test.bats @@ -205,6 +205,18 @@ load 'bats/bats-assert/load.bash' [ "$status" -eq 100 ] || [ "$status" -eq 130 ] || [ "$status" -eq 137 ] #return value from uls when interrupted --> with --preserve status on timeout } +## ACC-LOGS +@test "ACC - EVENTS" { + run timeout ${uls_timeout_params} ${uls_bin} --input acc --feed events --output raw --edgerc $uls_edgerc --loglevel info + #assert_output --partial $gc_assert + assert_line --partial "UlsInputCli - started PID" + refute_line --partial "was found stale -" + #assert_output --partial "The specified directory tmp does not exist or privileges are missing - exiting" + #[ "$status" -eq 124 ] #return value from timeout without --preserve status + [ "$status" -eq 100 ] || [ "$status" -eq 130 ] || [ "$status" -eq 137 ] #return value from uls when interrupted --> with --preserve status on timeout +} + + ## FILE OUTPUT @test "FILE: ETP - THREAT" { run timeout ${uls_timeout_params} ${uls_bin} --input etp --feed threat --output file --filename "/tmp/uls_tmplogfile1.log" --edgerc $uls_edgerc --section $uls_section --loglevel info