Merge pull request #120 from Achiefs/119-splunk-integration

Splunk integration
Achiefs · Jul 27, 2023 · e76dc13 · e76dc13
2 parents c022122 + 54f6a88
commit e76dc13
Show file tree

Hide file tree

Showing 19 changed files with 373 additions and 99 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fim"
-version = "0.4.7"
+version = "0.4.8"
 authors = ["José Fernández <´[email protected]´>"]
 edition = "2021"
 

diff --git a/pkg/deb/debian/changelog b/pkg/deb/debian/changelog
@@ -1,3 +1,9 @@
+fim (0.4.8-1) xenial; urgency=medium
+
+  * More info: https://github.com/Achiefs/fim/releases/tag/v0.4.8
+
+ -- Jose Fernandez <[email protected]>  Fri, 21 Jul 2023 10:00:00 +0000
+
 fim (0.4.7-1) xenial; urgency=medium
 
   * More info: https://github.com/Achiefs/fim/releases/tag/v0.4.7

diff --git a/pkg/fim.1 b/pkg/fim.1
@@ -19,7 +19,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH fim 1 "01 Jun 2022" "FIM 0.4.7" "FIM Manual"
+.TH fim 1 "01 Jun 2022" "FIM 0.4.8" "FIM Manual"
 
 .SH NAME
 .B FIM

diff --git a/pkg/msi/fim.wxs b/pkg/msi/fim.wxs
@@ -2,7 +2,7 @@
 <Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
     <Product Name='File Integrity Monitor' Manufacturer='Achiefs LLC.' Id='*'
         UpgradeCode='5b9136b1-f19d-4af0-9efe-356fabdf1467'
-        Language='1033' Codepage='1252' Version='0.4.7'>
+        Language='1033' Codepage='1252' Version='0.4.8'>
         <Package Id='*' Keywords='Installer'
             Description="FIM is a Host-based file monitoring tool that performs file system analysis and real time alerting."
             Comments='FIM is an open source application, coded in Rust.'

diff --git a/pkg/rpm/fim.spec b/pkg/rpm/fim.spec
@@ -99,6 +99,9 @@ rm -fr %{buildroot}
 # -----------------------------------------------------------------------------
 
 %changelog
+* Fri Jul 21 2023 support <[email protected]> - 0.4.8
+- More info: https://github.com/Achiefs/fim/releases/tag/v0.4.8
+
 * Fri May 26 2023 support <[email protected]> - 0.4.7
 - More info: https://github.com/Achiefs/fim/releases/tag/v0.4.7
 

diff --git a/src/auditevent.rs b/src/auditevent.rs
@@ -353,23 +353,52 @@ impl Event {
     // ------------------------------------------------------------------------
 
     // Function to send events through network
-    pub async fn send(&self, index: String, address: String, user: String, pass: String, insecure: bool) {
-        let data = self.get_json();
-
-        let request_url = format!("{}/{}/_doc/{}", address, index, self.id);
-        let client = Client::builder()
-            .danger_accept_invalid_certs(insecure)
-            .timeout(Duration::from_secs(30))
-            .build().unwrap();
-        match client
-            .post(request_url)
-            .basic_auth(user, Some(pass))
-            .json(&data)
-            .send()
-            .await{
-            Ok(response) => debug!("Response received: {:?}", response),
-            Err(e) => debug!("Error on request: {:?}", e)
-        };
+    pub async fn send(&self, index: String) {
+        let event = self.get_json();
+        let config = unsafe { super::GCONFIG.clone().unwrap() };
+
+        // Splunk endpoint integration
+        if config.endpoint_type == "Splunk" {
+            let data = json!({
+                "source": self.node.clone(),
+                "sourcetype": "_json",
+                "event": event,
+                "index": "fim_events"
+            });
+            debug!("Sending received event to Splunk integration, event: {}", data);
+            let request_url = format!("{}/services/collector/event", config.endpoint_address);
+            let client = Client::builder()
+                .danger_accept_invalid_certs(config.insecure)
+                .timeout(Duration::from_secs(30))
+                .build().unwrap();
+            match client
+                .post(request_url)
+                .header("Authorization", format!("Splunk {}", config.endpoint_token))
+                .json(&data)
+                .send()
+                .await {
+                    Ok(response) => debug!("Response received: {:?}",
+                        response.text().await.unwrap()),
+                    Err(e) => debug!("Error on request: {:?}", e)
+            }
+        // Elastic endpoint integration
+        } else {
+            let request_url = format!("{}/{}/_doc/{}", config.endpoint_address, index, self.id);
+            let client = Client::builder()
+                .danger_accept_invalid_certs(config.insecure)
+                .timeout(Duration::from_secs(30))
+                .build().unwrap();
+            match client
+                .post(request_url)
+                .basic_auth(config.endpoint_user, Some(config.endpoint_pass))
+                .json(&event)
+                .send()
+                .await {
+                    Ok(response) => debug!("Response received: {:?}",
+                        response.text().await.unwrap()),
+                    Err(e) => debug!("Error on request: {:?}", e)
+            }
+        }
     }
 
     // ------------------------------------------------------------------------
@@ -379,10 +408,10 @@ impl Event {
         match destination {
             config::BOTH_MODE => {
                 self.log(&config.events_file);
-                self.send( index_name, config.endpoint_address, config.endpoint_user, config.endpoint_pass, config.insecure).await;
+                self.send(index_name).await;
             },
             config::NETWORK_MODE => {
-                self.send( index_name, config.endpoint_address, config.endpoint_user, config.endpoint_pass, config.insecure).await;
+                self.send(index_name).await;
             },
             _ => self.log(&config.events_file)
         }
@@ -492,6 +521,12 @@ mod tests {
         fs::remove_file(filename).unwrap()
     }
 
+    fn initialize() {
+        unsafe{
+            super::super::GCONFIG = Some(config::Config::new(&utils::get_os(), None)); 
+        }
+    }
+
     fn create_empty_event() -> Event {
         Event {
             id: String::from(""), timestamp: String::from(""),
@@ -911,16 +946,28 @@ mod tests {
 
     #[test]
     fn test_send() {
+        initialize();
         let event = create_test_event();
-        block_on( event.send(
-            String::from("test"), String::from("https://127.0.0.1:9200"),
-            String::from("admin"), String::from("admin"), true) );
+        block_on( event.send(String::from("test")) );
+    }
+
+    // ------------------------------------------------------------------------
+
+    #[test]
+    fn test_send_splunk() {
+        initialize();
+        let evt = create_test_event();
+        unsafe {
+            super::super::GCONFIG = Some(config::Config::new(&utils::get_os(), Some("test/unit/config/common/test_send_splunk.yml")));
+        }
+        block_on( evt.send(String::from("test")) );
     }
 
     // ------------------------------------------------------------------------
 
     #[test]
     fn test_process() {
+        initialize();
         let config = Config::new(&utils::get_os(), None);
         let event = create_test_event();