| skipped 12 lines |
13 | 13 | | import argparse |
14 | 14 | | import datetime |
15 | 15 | | import subprocess |
| 16 | + | from ssl import create_default_context |
16 | 17 | | |
17 | 18 | | try: |
18 | 19 | | from lxml import etree |
| skipped 76 lines |
95 | 96 | | ES_INDEX = "winlogbeat-*" |
96 | 97 | | # Elastic prefix |
97 | 98 | | ES_PREFIX = "winlog" |
| 99 | + | # Elastic auth user |
| 100 | + | ES_USER = "elastic" |
98 | 101 | | |
99 | 102 | | # Check Event Id |
100 | 103 | | EVENT_ID = [4624, 4625, 4662, 4768, 4769, 4776, 4672, 4720, 4726, 4728, 4729, 4732, 4733, 4756, 4757, 4719, 5137, 5141] |
| skipped 102 lines |
203 | 206 | | help="Elastic Search index to search. (default: winlogbeat-*)") |
204 | 207 | | parser.add_argument("--es-prefix", dest="esprefix", action="store", type=str, metavar="ESPREFIX", |
205 | 208 | | help="Elastic Search event object prefix. (default: winlog)") |
| 209 | + | parser.add_argument("--es-user", dest="esuser", action="store", type=str, metavar="ESUSER", |
| 210 | + | help="Elastic Search ssl authentication user. (default: elastic)") |
| 211 | + | parser.add_argument("--es-pass", dest="espassword", action="store", type=str, metavar="ESPASSWORD", |
| 212 | + | help="Elastic Search ssl authentication password.") |
| 213 | + | parser.add_argument("--es-cafile", dest="escafile", action="store", type=str, metavar="ESCAFILE", |
| 214 | + | help="Elastic Search ssl cert file.") |
206 | 215 | | parser.add_argument("--es", action="store_true", default=False, |
207 | 216 | | help="Import data from Elastic Search. (default: False)") |
208 | 217 | | parser.add_argument("--postes", action="store_true", default=False, |
| skipped 111 lines |
320 | 329 | | if args.esprefix: |
321 | 330 | | ES_PREFIX = args.esprefix |
322 | 331 | | |
| 332 | + | if args.esuser: |
| 333 | + | ES_USER = args.esuser |
| 334 | + | |
| 335 | + | if args.espassword: |
| 336 | + | ES_PASSWORD = args.espassword |
| 337 | + | |
| 338 | + | if args.escafile: |
| 339 | + | ES_CAFILE = args.escafile |
323 | 340 | | |
324 | 341 | | # Web application index.html |
325 | 342 | | @app.route('/') |
| skipped 827 lines |
1153 | 1170 | | print("[+] Start sending the ES.") |
1154 | 1171 | | |
1155 | 1172 | | # Create a new ES client |
1156 | | - | client = Elasticsearch(ES_SERVER) |
| 1173 | + | if args.espassword and args.escafile: |
| 1174 | + | context = create_default_context(cafile=FPATH + ES_CAFILE) |
| 1175 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https", ssl_context=context) |
| 1176 | + | elif args.espassword: |
| 1177 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https") |
| 1178 | + | else: |
| 1179 | + | client = Elasticsearch(ES_SERVER) |
1157 | 1180 | | |
1158 | 1181 | | if client.indices.exists(index="logontracer-user-index") and client.indices.exists(index="logontracer-host-index") : |
1159 | 1182 | | print("[+] Already created index mappings to ES.") |
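Review bot: The client-construction branch added here is duplicated verbatim in the search-path hunk (old line 1320), so any change to credential or TLS handling has to be made twice; factor it into one helper that both call sites use. When only `--es-pass` is given, the second branch sends credentials with `scheme="https"` but no `ssl_context` or explicit `verify_certs`, so certificate verification depends on the client library's defaults — either require `--es-cafile` together with `--es-pass` or pass `verify_certs=True` explicitly. `FPATH + ES_CAFILE` also assumes FPATH ends with a path separator; if `os` is imported above this view, `os.path.join(FPATH, ES_CAFILE)` avoids that assumption. Passing the password on the command line leaves it visible in the process list, so falling back to an environment variable or a `getpass` prompt when the flag is absent would be a cheap improvement. The enclosing function starts outside the hunk.
```python
def create_es_client():
    """Build the Elasticsearch client from the ES_* globals; shared by the post and search paths."""
    if not args.espassword:
        return Elasticsearch(ES_SERVER)
    auth = (ES_USER, ES_PASSWORD)
    if args.escafile:
        context = create_default_context(cafile=FPATH + ES_CAFILE)
        return Elasticsearch(ES_SERVER, http_auth=auth, scheme="https", ssl_context=context)
    # No CA file given: still insist on certificate verification rather than relying on library defaults.
    return Elasticsearch(ES_SERVER, http_auth=auth, scheme="https", verify_certs=True)

# … unchanged: print("[+] Start sending the ES.") …
client = create_es_client()
```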
| skipped 157 lines |
1317 | 1340 | | print("[+] Start searching the ES.") |
1318 | 1341 | | |
1319 | 1342 | | # Create a new ES client |
1320 | | - | client = Elasticsearch(ES_SERVER) |
| 1343 | + | if args.espassword and args.escafile: |
| 1344 | + | context = create_default_context(cafile=FPATH + ES_CAFILE) |
| 1345 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https", ssl_context=context) |
| 1346 | + | elif args.espassword: |
| 1347 | + | client = Elasticsearch(ES_SERVER, http_auth=(ES_USER, ES_PASSWORD), scheme="https") |
| 1348 | + | else: |
| 1349 | + | client = Elasticsearch(ES_SERVER) |
1321 | 1350 | | |
1322 | 1351 | | # Create the search |
1323 | 1352 | | s = Search(using=client, index=ES_INDEX) |
| skipped 512 lines |