方式:
通过python-logstash库,将读取的日志传给logstash的udp input地址。
logstash config:
input {
udp {
port => 5959
codec => json
}
}
filter {
json {
source => "message"
target => "parsed_data"
}
mutate {
rename => {
"[parsed_data][clientIp]" => "clientIp"
"[parsed_data][operationType]" => "operationType"
"[parsed_data][resourceType]" => "resourceType"
"[parsed_data][requestId]" => "requestId"
"[parsed_data][geoip]" => "geoip"
"[parsed_data][timestamp]" => "timestamp"
"[parsed_data][originValue]" => "originValue"
"[parsed_data][targetValue]" => "targetValue"
"[parsed_data][operationParam]" => "operationParam"
"[parsed_data][userAgent]" => "userAgent"
}
remove_field => ["path", "@version", "logger_name", "@timestamp", "message", "parsed_data", "level", "host"]
}
}
output {
stdout {
codec => rubydebug
}
}
python读authing审计日志:
import requests
import sys
import logging
import re
import json
import time
from datetime import datetime,timedelta
import logstash
accessKeyId = 'f3'
accessKeySecret = 'c6'
host = "https://console.authing.cn/"
userpool_id = '638'
logstashHost = "127.0.0.1"
logstashPort = 5959
def GetToken(ak=accessKeyId, sk=accessKeySecret, host=host):
host = host
header = {"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json",
"authorization": "ssss"
}
data = {
"accessKeyId": ak,
"accessKeySecret": sk
}
target = "{u}api/v3/get-management-token".format(u=host)
try:
r1 = requests.post(url=target, headers=header, data=json.dumps(data), verify=True, timeout=15)
if r1.status_code == 200:
data = json.loads(r1.text)
access_token = data['data']['access_token']
return (access_token)
else:
print("失败:" + str(r1.status_code) + r1.text + '\n')
except Exception as e:
print(e)
def GetTime():
currentTime = datetime.now()
#查询前5分钟的日志
startTime = currentTime - timedelta(seconds=5555510)
endTime = currentTime - timedelta(seconds=10)
startTimeStr = startTime.strftime("%Y-%m-%d %H:%M:%S.%f")
endTimeStr = endTime.strftime("%Y-%m-%d %H:%M:%S.%f")
# 先转换为时间数组
startTimeArray = datetime.strptime(startTimeStr, "%Y-%m-%d %H:%M:%S.%f")
endTimeArray = datetime.strptime(endTimeStr, "%Y-%m-%d %H:%M:%S.%f")
# 转换为时间戳
startTimeStamp = int(time.mktime(startTimeArray.timetuple()) * 1000.0 + startTimeArray.microsecond / 1000.0)
endTimeStamp = int(time.mktime(endTimeArray.timetuple()) * 1000.0 + endTimeArray.microsecond / 1000.0)
print("startTime:",startTimeStamp)
print("endTime:",endTimeStamp)
return(startTimeStamp,endTimeStamp)
def GetAdminPages(access_token, start, end, ak=accessKeyId, sk=accessKeySecret, host=host, pool_id=userpool_id):
host = host
header = {
"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json",
"x-authing-userpool-id": pool_id,
"authorization": access_token
}
data = {
"start": start,
"end": end
}
target = "{u}api/v3/get-admin-audit-logs".format(u=host)
try:
r2 = requests.post(url=target, headers=header, data=json.dumps(data), verify=True, timeout=15)
if r2.status_code == 200:
data = json.loads(r2.text)
totalCount = data['data']['totalCount']
pages = totalCount / 10 + 1
return (int(pages))
else:
print("失败1" + str(r1.status_code) + r1.text + '\n')
except Exception as e:
print(e)
def GetAdminLog(access_token, pages, ak=accessKeyId, sk=accessKeySecret, host=host, pool_id=userpool_id):
#通过python logstash向logstash发送收到的日志
logstashLogger = logging.getLogger('python-logstash-logger')
logstashLogger.addHandler(logstash.LogstashHandler(logstashHost, logstashPort, version=1))
logstashLogger.setLevel(logging.INFO)
host = host
header = {
"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json",
"x-authing-userpool-id": pool_id,
"authorization": access_token
}
target = "{u}api/v3/get-admin-audit-logs".format(u=host)
page = 1
print("total_page:", str(pages))
if pages == 1:
try:
r2 = requests.post(url=target, headers=header, verify=True, timeout=15)
print("current_page:", str(page))
if r2.status_code == 200:
data = json.loads(r2.text)
#print("page1 data:",data['data']['list'])
if len(data['data']['list']) == 0:
return 0
else:
for item in data['data']['list']:
result = json.dumps(item, ensure_ascii=False)
adminLog = result.encode('utf-8')
logstashLogger.info(adminLog.decode('utf-8'))
print(adminLog.decode('utf-8'))
else:
print("失败1" + str(r1.status_code) + r1.text + '\n')
except Exception as e:
print(e)
else:
for page in range(1,pages):
data = {
"pagination": {
"page": page,
"limit": 10
}
}
try:
r2 = requests.post(url=target, headers=header, data=json.dumps(data), verify=True, timeout=15)
print("current_page:", str(page))
if r2.status_code == 200:
data = json.loads(r2.text)
for item in data['data']['list']:
result = json.dumps(item, ensure_ascii=False)
adminLog = result.encode('utf-8')
logstashLogger.info(adminLog.decode('utf-8'))
print(adminLog.decode('utf-8'))
else:
print("失败1" + str(r1.status_code) + r1.text + '\n')
except Exception as e:
print(e)
if __name__ == '__main__':
token = GetToken()
start,end = GetTime()
pages = GetAdminPages(token,start,end)
GetAdminLog(token, pages)
标签:IAM,authing,python,text,host,json,print,data,parsed From: https://www.cnblogs.com/bonjov1/p/17581014.html