forked from pwnlandia/hpfeeds-logger
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hpfeeds_logger-arcsight.sh
65 lines (54 loc) · 1.56 KB
/
hpfeeds_logger-arcsight.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/bin/bash
set -e
apt-get update
apt-get install -y git python-pip python-dev
pip install virtualenv
SCRIPTS=`dirname $0`
cd /opt/
git clone https://github.com/keepwatch/hpfeeds-arcsight.git
cd hpfeeds-arcsight
virtualenv env
. env/bin/activate
pip install -r requirements.txt
chmod 755 -R .
IDENT=hpfeeds-arcsight
SECRET=`python -c 'import uuid;print str(uuid.uuid4()).replace("-","")'`
CHANNELS='amun.events,dionaea.connections,dionaea.capture,glastopf.events,beeswarm.hive,kippo.sessions,conpot.events,snort.alerts,wordpot.events,shockpot.events,p0f.events'
cat > /opt/hpfeeds-arcsight/arcsight.json <<EOF
{
"host": "localhost",
"port": 10000,
"ident": "${IDENT}",
"secret": "${SECRET}",
"channels": [
"amun.events",
"dionaea.connections",
"dionaea.capture",
"glastopf.events",
"beeswarm.hive",
"kippo.sessions",
"conpot.events",
"snort.alerts",
"wordpot.events",
"shockpot.events",
"p0f.events"
],
"log_file": "/var/log/mhn-arcsight.log",
"formatter_name": "arcsight"
}
EOF
deactivate
. /opt/hpfeeds/env/bin/activate
python /opt/hpfeeds/broker/add_user.py "$IDENT" "$SECRET" "" "$CHANNELS"
apt-get install -y supervisor
cat >> /etc/supervisor/conf.d/hpfeeds-arcsight.conf <<EOF
[program:hpfeeds-arcsight]
command=/opt/hpfeeds-arcsight/env/bin/python logger.py arcsight.json
directory=/opt/hpfeeds-arcsight
stdout_logfile=/var/log/hpfeeds-arcsight.log
stderr_logfile=/var/log/hpfeeds-arcsight.err
autostart=true
autorestart=true
startsecs=1
EOF
supervisorctl update