This script will get Cognitive Intelligence incidents from a Stealthwatch Enterprise SMC and send them as syslog to a specified destination. It is designed to be run as a cronjob, so that new alerts and updates are constantly pushed to the destination. On the initial run, it fetches the last 1000 events and records the time the script was run. After that, it only pulls events that are new or modified since the previous run's timestamp.
This script is available for use by the Cisco DevNet community through Code Exchange. For more information on the Stealthwatch Enterprise REST API, please see the following link: https://developer.cisco.com/docs/stealthwatch/enterprise/
## Requirements

- Python 3
- A user account on the SMC with the 'Master Admin' role (created under Global Settings -> User Management)

## Installation

Install the required packages with `pip install -r requirements.txt`, making sure that `pip` is the executable for your instance of Python 3. Alternatively, advanced users can also use git to checkout / clone this project.
## Configuration

The file `env.conf` will be generated upon your first run of the script, and will contain the following fields:

```ini
[STEALTHWATCH]
SMC = (The IP address of the SMC)
USER = (The username on the SMC to use, with 'Master Admin' role)
PASSWORD = (Encrypted password string [encryption handled on initial config])

[SYSLOG]
DESTINATION = (The IP address to send the UDP syslog to)
PORT = (The port to send the UDP syslog to)
```
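The following is an added example, not code from this project, of the two pieces of logic described above: choosing which incidents to export on the first run versus later runs, and turning each incident into a UDP syslog datagram for the configured destination. The incident field names, the sample records and the `cta-incident` tag are assumptions, since the API response format is not shown here.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample of what the exporter might receive from the SMC; the field
# names are assumptions, not the documented format of the Cognitive Intelligence API.
SAMPLE_INCIDENTS = [
    {"id": 101, "risk": 7, "modified": "2024-01-10T08:00:00Z", "title": "Suspicious DNS"},
    {"id": 102, "risk": 9, "modified": "2024-01-10T09:30:00Z", "title": "Possible C2"},
]


def parse_ts(ts):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-10T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_incidents(incidents, last_run=None, limit=1000):
    """First run (last_run is None): the newest `limit` incidents.
    Later runs: only incidents modified after the recorded last_run timestamp."""
    ordered = sorted(incidents, key=lambda i: parse_ts(i["modified"]), reverse=True)
    if last_run is None:
        return ordered[:limit]
    return [i for i in ordered if parse_ts(i["modified"]) > last_run]


def format_syslog(incident, hostname="smc-exporter", facility=1, severity=5):
    """Build an RFC 3164-style line: <PRI>TIMESTAMP HOSTNAME TAG: JSON payload.
    facility 1 (user) and severity 5 (notice) give PRI 13."""
    pri = facility * 8 + severity
    ts = parse_ts(incident["modified"]).strftime("%b %d %H:%M:%S")
    payload = json.dumps(incident, sort_keys=True)
    return f"<{pri}>{ts} {hostname} cta-incident: {payload}"


def send_syslog(lines, destination, port):
    """Send each formatted line as one UDP datagram; returns the number sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (destination, port))
            sent += 1
    return sent
```

Because the transport is plain UDP, a receiver cannot distinguish dropped datagrams from an idle exporter, so the run log mentioned below is the place to confirm how many incidents were actually sent.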
## Enabling the Cognitive Intelligence Incidents API

The Cognitive Intelligence Incidents REST API is disabled by default. To enable the API, use whichever of the following applies to your SMC:

SMC with the `app.properties` file:

1. Open the `/lancope/tomcat/webapps/cta-events-collector/WEB-INF/classes/app.properties` file on your SMC system.
2. In the `#CTA_ENABLED` section, set the `cta.api.enabled` option to `true`.
3. Run `systemctl restart lc-tomcat`.

SMC with Docker Compose manifests:

1. Run `cd /lancope/manifests`.
2. In the `docker-compose.prod.yml` file, search for the `cta.api.enabled` option and change it to `true`.
3. Run `docker-compose down` and then `docker-compose up -d`.
## Usage

Run the script with `python` or `python3`:

```
$ <PYTHON-PATH> cognitive-intelligence-syslog-exporter.py
```

For example:

```
$ /usr/bin/python ./cognitive-intelligence-syslog-exporter.py
```

To schedule the script, run `crontab -e` and add a new line containing: `0 0/10 * * * <path-to-python-script>` (note that the minute field of this expression is `0`, so in standard cron it runs at most once an hour; adjust the schedule to the polling interval you want).
## Logging

A log file will be generated and updated with each run. It will be stored in a `logs` directory in the same directory as the python executable. Please reference this log file for troubleshooting.

## Known issues

No known issues.
## Getting help

Use this project at your own risk (support not provided). If you need technical support with Cisco Stealthwatch APIs, do one of the following:

- Check out our forum to pose a question or to see if any questions have already been answered by our community. We monitor these forums on a best effort basis and will periodically post answers.
## Contributing

Contributions to this code are welcome and appreciated. See CONTRIBUTING for details.

## Code of Conduct

Please adhere to our Code of Conduct at all times.

## License

This code is licensed under the BSD 3-Clause License. See LICENSE for details.