| skipped 12 lines |
| 13 | 13 | | import argparse |
| 14 | 14 | | import datetime |
| 15 | 15 | | import subprocess |
| | 16 | + | from ssl import create_default_context |
| 16 | 17 | | |
| 17 | 18 | | try: |
| 18 | 19 | | from lxml import etree |
| skipped 76 lines |
| 95 | 96 | | ES_INDEX = "winlogbeat-*" |
| 96 | 97 | | # Elastic prefix |
| 97 | 98 | | ES_PREFIX = "winlog" |
| | 99 | + | # Elastic auth user |
| | 100 | + | ES_USER = "elastic" |
| 98 | 101 | | |
| 99 | 102 | | # Check Event Id |
| 100 | 103 | | EVENT_ID = [4624, 4625, 4662, 4768, 4769, 4776, 4672, 4720, 4726, 4728, 4729, 4732, 4733, 4756, 4757, 4719, 5137, 5141] |
| skipped 102 lines |
| 203 | 206 | | help="Elastic Search index to search. (default: winlogbeat-*)") |
| 204 | 207 | | parser.add_argument("--es-prefix", dest="esprefix", action="store", type=str, metavar="ESPREFIX", |
| 205 | 208 | | help="Elastic Search event object prefix. (default: winlog)") |
| | 209 | + | parser.add_argument("--es-user", dest="esuser", action="store", type=str, metavar="ESUSER", |
| | 210 | + | help="Elastic Search ssl authentication user. (default: elastic)") |
| | 211 | + | parser.add_argument("--es-pass", dest="espassword", action="store", type=str, metavar="ESPASSWORD", |
| | 212 | + | help="Elastic Search ssl authentication password.") |
| | 213 | + | parser.add_argument("--es-cafile", dest="escafile", action="store", type=str, metavar="ESCAFILE", |
| | 214 | + | help="Elastic Search ssl cert file.") |
| 206 | 215 | | parser.add_argument("--es", action="store_true", default=False, |
| 207 | 216 | | help="Import data from Elastic Search. (default: False)") |
| 208 | 217 | | parser.add_argument("--postes", action="store_true", default=False, |
| skipped 111 lines |
| 320 | 329 | | if args.esprefix: |
| 321 | 330 | | ES_PREFIX = args.esprefix |
| 322 | 331 | | |
| | 332 | + | if args.esuser: |
| | 333 | + | ES_USER = args.esuser |
| | 334 | + | |
| | 335 | + | if args.espassword: |
| | 336 | + | ES_PASSWORD = args.espassword |
| | 337 | + | |
| | 338 | + | if args.escafile: |
| | 339 | + | ES_CAFILE = args.escafile |
| 323 | 340 | | |
| 324 | 341 | | # Web application index.html |
| 325 | 342 | | @app.route('/') |
| skipped 827 lines |
| 1153 | 1170 | | print("[+] Start sending the ES.") |
| 1154 | 1171 | | |
| 1155 | 1172 | | # Create a new ES client |
| 1156 | | - | client = Elasticsearch(ES_SERVER) |
| | 1173 | + | if args.espassword and args.escafile: |
| | 1174 | + | context = create_default_context(cafile=FPATH + ES_CAFILE) |
| | 1175 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https", ssl_context=context) |
| | 1176 | + | elif args.espassword: |
| | 1177 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https") |
| | 1178 | + | else: |
| | 1179 | + | client = Elasticsearch(ES_SERVER) |
| 1157 | 1180 | | |
| 1158 | 1181 | | if client.indices.exists(index="logontracer-user-index") and client.indices.exists(index="logontracer-host-index") : |
| 1159 | 1182 | | print("[+] Already created index mappings to ES.") |
| skipped 157 lines |
| 1317 | 1340 | | print("[+] Start searching the ES.") |
| 1318 | 1341 | | |
| 1319 | 1342 | | # Create a new ES client |
| 1320 | | - | client = Elasticsearch(ES_SERVER) |
| | 1343 | + | if args.espassword and args.escafile: |
| | 1344 | + | context = create_default_context(cafile=FPATH + ES_CAFILE) |
| | 1345 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https", ssl_context=context) |
| | 1346 | + | elif args.espassword: |
| | 1347 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https") |
| | 1348 | + | else: |
| | 1349 | + | client = Elasticsearch(ES_SERVER) |
| 1321 | 1350 | | |
| 1322 | 1351 | | # Create the search |
| 1323 | 1352 | | s = Search(using=client, index=ES_INDEX) |
| skipped 512 lines |
shusei tomonaga
committed
4 years ago
1 parent 78be2431