config outputs are now obj rather than dict
Thomas Bray committed Aug 17, 2020
1 parent 50d547f commit e79e7cd
Showing 3 changed files with 19 additions and 10 deletions.
8 changes: 4 additions & 4 deletions config.json
Expand Up @@ -13,8 +13,8 @@
"mapping_file" : "welm/welm_map.json"
}
},
"outputs" : [
{
"outputs" : {
"elasticsearch" : {
"name" : "elastic_nom",
"enabled" : true,
"es_host" : "localhost",
Expand All @@ -29,9 +29,9 @@
"ecs_map_file" : "es_stuff/ecs_map.json",
"ecs_mode" : true
},
{
"standard_out" : {
"name" : "stdout_nom",
"enabled" : false
}
]
}
}
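Review bot: With `"outputs"` now keyed by plugin name, the `"name"` values (`elastic_nom`, `stdout_nom`) duplicate the object keys (`elasticsearch`, `standard_out`) and the two can drift apart silently. If the object key is what the loader iterates, consider dropping `"name"` or adding a comment in the accompanying docs stating which of the two identifies the plugin. The surrounding `"inputs"`/top-level structure is only partly visible in this section, so this is inferred from the two hunks shown.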
3 changes: 2 additions & 1 deletion evtx_nom_cli.py
Expand Up @@ -28,7 +28,8 @@
print("found {} source files".format(len(target_list)))
print("=" * 24)
# Open Plugins
for output in config['outputs']:
for output_plugin in config['outputs']:
output = config['outputs'][output_plugin]
if output['enabled']:
#es output
try:
Expand Down
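Review bot: The new loop `for output_plugin in config['outputs']:` followed by `output = config['outputs'][output_plugin]` re-indexes the dict on every iteration where `.items()` gives both at once; `for output_plugin, output in config['outputs'].items():` replaces the two lines. The loop body continues past the hunk, so whether `output_plugin` is used later is not visible here. `output['enabled']` also raises KeyError for an entry that omits the key; if a missing key should mean disabled, `if output.get('enabled', False):` makes that explicit.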
18 changes: 13 additions & 5 deletions lib/nom.py
Expand Up @@ -135,10 +135,10 @@ def process_ecs(self,source):
return source
# Take the source document, check if we have an ECS map for it and then if so do the things
key = make_key(
source['winlog']['channel'],
source['winlog']['provider']['name'],
source['winlog']['eventid']
)
source['winlog']['channel'],
source['winlog']['provider']['name'],
source['winlog']['eventid']
)
# check if we have a map
if key in self.ecs_map:
# for each ecs field key in the map add it to the source
Expand Down Expand Up @@ -194,7 +194,9 @@ def get_value(item):
if isinstance(item,dict):
output = {}
# XML Peeps
if '#attributes' in item:
if '#text' in item:
output = str(item['#text'])
elif '#attributes' in item:
for attr in item['#attributes']:
output[attr.lower()] = item['#attributes'][attr]
# Regular Object
Expand Down Expand Up @@ -232,6 +234,12 @@ def nom_file(filename,welm_map):
event.update(get_section(data['Event']['System']))
if data['Event'].get('EventData'):
event['event_data'] = get_section(data['Event']['EventData'])
if isinstance(event['eventid'], dict):
print(event['eventid'])
print("#"*20)
print(json.dumps(event,indent=3))
print("#"*20)
print(json.dumps(data,indent=3))
key = make_key(
event['channel'],
event['provider']['name'],
Expand Down
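Review bot: The five `print(...)` calls added after `event['event_data'] = get_section(...)` in nom_file read as leftover debugging: they dump the whole `event` and the raw `data` record to stdout whenever `eventid` is a dict, and then fall through to `make_key(...)` with the dict still in place, so the key is built from an unnormalized value. Either handle the case (normalize `event['eventid']` before the key is built) or reduce the block to a single diagnostic via the `logging` module, e.g. `logging.getLogger(__name__).debug("eventid is a dict: %r", event['eventid'])`, so the record contents do not mix with the tool's regular console output. nom_file's body continues past the hunk, and whether `json` is imported in this module is not visible here.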