Simple python script to create a log source configured to work with Skytap audit logs (courtesy Ken Reycraft)
import base64
import datetime
import hashlib
import hmac
import json
import os

import requests
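# Update the customer ID to your Log Analytics workspace ID.
# The literal below is only a placeholder fallback; the real value can be
# supplied through the LOG_ANALYTICS_WORKSPACE_ID environment variable so it
# does not have to be edited into (and committed with) this file.
customer_id = os.environ.get('LOG_ANALYTICS_WORKSPACE_ID', 'XXXXXXXXXXXXXXXXXX')
# For the shared key, use either the primary or the secondary Connected Sources
# client authentication key. Prefer the LOG_ANALYTICS_SHARED_KEY environment
# variable over editing the literal: the key signs every request (see
# build_signature) and should not live in source control.
shared_key = os.environ.get('LOG_ANALYTICS_SHARED_KEY', "XXXXXXXXXXXXXXXXXX")
# The log type is the name of the event that is being submitted; it is sent
# as the Log-Type header by post_data.
log_type = 'SkytapAuditLog'
# An example JSON web monitor object: one audit record carrying a single
# "Shutdown Environment" event. All values are sample data.
json_data = [{
    "version": 1,
    "message_id": "456",
    "category": "auditing",
    "timestamp": "2000-01-01T00:00:00Z",
    "Payload": [{
        "id": 98765432,
        "type": "Shutdown Environment",
        "type_code": "ShutdownConfigurationHistory",
        "date": "2019-01-27T12:34:56Z",
        "region": "us-east",
        "payload": {},
        "user": {"id": "null", "name": "auto_power_options"},
        "department": {"id": "null", "name": "null"},
        "project": {"id": "null", "name": "null"},
        "operation_id": "trn.a1b2c3456d78987654ef3edc210b1234.56789.876/trn.5a5432b10c1d234567ef8e9d8cb7654a.3210.123.4",
        "customer": {"id": "666", "name": "Administrators"},
        "operated_on": [
            {"resource_type": "environment", "name": "Jason VM", "id": 9876543, "guid": "configuration-1234567"},
            {"resource_type": "vm", "name": "Ubuntu 10.04 desktop", "id": 2832140, "guid": "vm-1234567-8987654"}
        ]
    }]
}
]
# Serialised request body. json.dumps defaults to ensure_ascii=True, so the
# text is pure ASCII and its character count equals its byte length.
body = json.dumps(json_data)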
#####################
######Functions######
#####################
# Build the API signature
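def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource):
    """Build the ``Authorization`` header value for the Data Collector API.

    The signature is an HMAC-SHA256 over the canonical request string
    ``METHOD\\nCONTENT_LENGTH\\nCONTENT_TYPE\\nx-ms-date:DATE\\nRESOURCE``,
    keyed with the base64-decoded workspace shared key.

    Args:
        customer_id: Log Analytics workspace ID; becomes the key name in the header.
        shared_key: base64-encoded workspace shared key.
        date: RFC 1123 date string; the caller sends the same string as the
            ``x-ms-date`` header, so both must be built from one value.
        content_length: length of the request body in bytes.
        method: HTTP method, e.g. ``'POST'``.
        content_type: value of the ``content-type`` header.
        resource: request path, e.g. ``'/api/logs'``.

    Returns:
        ``'SharedKey <customer_id>:<base64 signature>'``.

    Raises:
        binascii.Error (Python 3) or TypeError (Python 2): if ``shared_key``
            is not correctly padded base64.
    """
    x_headers = 'x-ms-date:' + date
    string_to_hash = "\n".join([method, str(content_length), content_type, x_headers, resource])
    # str.encode works on both Python 2 and 3. The earlier
    # bytes(string_to_hash).encode('utf-8') raised TypeError on Python 3,
    # where bytes(str) needs an encoding and bytes has no encode().
    bytes_to_hash = string_to_hash.encode('utf-8')
    decoded_key = base64.b64decode(shared_key)
    digest = hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()
    # Decode so the header carries the base64 text itself rather than the
    # "b'...'" repr that str.format produces for bytes on Python 3.
    encoded_hash = base64.b64encode(digest).decode('utf-8')
    return "SharedKey {}:{}".format(customer_id, encoded_hash)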
# Build and send a request to the POST API
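def post_data(customer_id, shared_key, body, log_type):
    """Build and send one signed request to the Data Collector POST API.

    Args:
        customer_id: Log Analytics workspace ID; also forms the request host.
        shared_key: base64-encoded workspace shared key used to sign the request.
        body: JSON document to submit, as text (or already-encoded bytes).
        log_type: custom log name, sent as the ``Log-Type`` header.

    Returns:
        The HTTP status code of the response, so callers can act on failures
        instead of relying on the printed message.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    method = 'POST'
    content_type = 'application/json'
    resource = '/api/logs'
    # utcnow() is kept for Python 2 compatibility (datetime.timezone is 3.2+);
    # the header format requires the GMT suffix.
    rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
    # Sign and send the encoded bytes so the content length in the signature
    # is the byte length on the wire, not the character count of the text.
    encoded_body = body if isinstance(body, bytes) else body.encode('utf-8')
    content_length = len(encoded_body)
    # The date string in the signature and the x-ms-date header must be the same value.
    signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
    uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
    headers = {
        'content-type': content_type,
        'Authorization': signature,
        'Log-Type': log_type,
        'x-ms-date': rfc1123date,
    }
    # A timeout stops the script hanging indefinitely on a stalled connection.
    response = requests.post(uri, data=encoded_body, headers=headers, timeout=30)
    # print(...) with a single argument is valid on both Python 2 and 3.
    if 200 <= response.status_code <= 299:
        print('Accepted')
    else:
        print("Response code: {}".format(response.status_code))
    return response.status_code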
# Submit the sample record with the module-level credentials. This runs at
# import time as well, since there is no __main__ guard.
post_data(customer_id, shared_key, body, log_type)