WAZUH active-response script: reads alerts.json to extract alert data
#!/usr/bin/env python3
#
#
import os
import sys
from os.path import dirname, abspath
import re
import time
import requests
import urllib3
import json
# Silences every urllib3 warning, including the InsecureRequestWarning that the
# verify=False posts in main() would otherwise emit. That warning is the only
# visible sign that TLS certificate checking is off for the API call.
urllib3.disable_warnings()
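# Positional arguments read by this script:
#   argv[1] action ("add" / "delete"), argv[2] user, argv[3] ip,
#   argv[4] alert id, argv[5] rule id.
# argv[5] is read inside the try block, so six argv entries (script name plus
# five params) are required; the previous `< 5` test let a five-entry argv fall
# through to an IndexError that was only reported as "Args exception!".
if len(sys.argv) < 6:
    print("Require at least 5 params")
    sys.exit(1)
try:
    SELF = sys.argv[0]
    ACTION = sys.argv[1]
    USER = sys.argv[2]
    # Always bind these names, even when the argument is an empty string:
    # main() reads ALERTID unconditionally and would otherwise hit a NameError.
    IP = sys.argv[3]
    ALERTID = sys.argv[4]
    RULEID = sys.argv[5]
except Exception:
    print("Args exception!")
    sys.exit(1)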
# Fetch data from alerts log
ALERTS_LOG = '/var/ossec/logs/alerts/alerts.json'

# Form fields sent to the API. "key" and "hostname" stay empty here: main()
# only fills in the fields named as values of post_args.
post_data = dict(key="", hostname="")

# alert["data"] field name -> API form field name
post_args = dict(
    srcip="srcip",
    dstip="dstip",
    dstport="port",
    user="user",
    app="service",
    msg="reason",
    level="level",
)
# ===============================================================
#
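def fetch_alert(alertid, path=None):
    """Return the alerts.json record whose "id" equals *alertid*, or False.

    The log is newline-delimited JSON; it is scanned from the top and the
    first matching record wins, so a lookup costs a full read of the file
    up to the match.

    Args:
        alertid: Alert id exactly as passed on the command line (a string).
        path: Log file to scan; defaults to ALERTS_LOG when None.

    Returns:
        The decoded alert dict, or False if no line carries that id.

    Raises:
        OSError: if the log file cannot be opened.
    """
    if path is None:
        path = ALERTS_LOG
    with open(path, encoding="utf-8") as fp:
        for raw in fp:
            line = raw.strip()
            if not line:
                continue
            try:
                record = json.loads(line)
            except json.JSONDecodeError:
                # A half-written trailing line (the manager may still be
                # appending) must not abort the whole lookup.
                continue
            # .get() instead of ["id"]: a record without an id is skipped
            # rather than raising KeyError.
            if isinstance(record, dict) and record.get("id") == alertid:
                return record
    return False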
# ===============================================================
# MAIN()
#
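def main():
    """Look up the alert named on the command line and forward it to the API.

    Reads the module-level ACTION and ALERTID, copies the alert's "data"
    fields listed in post_args into post_data, prints the result and POSTs
    it once. The '[API]' URL is a placeholder in this gist and must be
    replaced before the script is usable.
    """
    alert = fetch_alert(ALERTID)
    if not alert:
        print("No alert found for id", ALERTID)
        return
    # Prepare post data: alert["data"] field -> API form field. str() first,
    # because .strip() raises AttributeError if a field is not a string.
    for key, field in post_args.items():
        if key in alert["data"]:
            post_data[field] = str(alert["data"][key]).strip().replace(" ", "")
    print(post_data)
    # verify=False disables TLS certificate validation, so the posted alert
    # data (including the "key" form field) can be read or altered by anyone
    # on the path to the API; prefer verify=<path to the API's CA bundle>.
    if ACTION == "add":
        res = requests.post('[API]', data=post_data, verify=False)
    elif ACTION == "delete":
        res = requests.post('[API]', data=post_data, verify=False)
    else:
        # Previously an unknown action reached print(res) with res unbound.
        print("Unknown action:", ACTION)
        return
    print(res)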
# Entry point when run by Wazuh as an active-response command (or by hand).
if __name__ == "__main__":
    main()