POL1TC@L HOOK

Splunk/Python Web Application

12/11/2022


 
Link to my GitHub

I created a small web application in Python that retrieves search results from Splunk and displays them neatly on a web page.

I envision it being used by engineers to check whether devices and universal forwarders are logging to Splunk. The code is available on my GitHub.

Let's begin

[Screenshot]

I wrote the web app in Python using the Flask web framework. My reasoning was that Flask is lightweight and fast with few complications. This is in contrast to what I have heard about other frameworks such as Django, which is not ideal for a small application as it can be quite cumbersome.
 
Intro

The application comprises the following:

1) SplunkLoggingChecker.py – the core of the program
2) *.html files, which are rendered when needed:
2.1) device_not_found.html – self explanatory
2.2) about.html – About page
2.3) search.html – Home page
2.4) results.html – Results page

Let's go through each file to gain an understanding of how it works.
SplunkLoggingChecker.py

The core mechanics are simple: SplunkLoggingChecker connects to Splunk, runs searches and then retrieves the output. This is done by connecting to the splunkd management (REST API) port, 8089 by default (in my case http://localhost:8089), using an account created on the Splunk search head. It is best practice to limit the capabilities of this account (a role restricted to the indexes the checker needs and no admin capabilities); failing to do so could lead to a data leak. Even that is unlikely, though, because of the way the searches are constructed (more on this later).

Credentials for the Splunk account can be hardcoded, as shown below:

[Screenshot]

The password has been obfuscated and is contained within its own module:

[Screenshot]

It is not complicated to reverse engineer, but the choice is yours. Obfuscation is not encryption: anyone who can read the source can recover the password, so for anything beyond a lab, load it from an environment variable or a secrets store and keep it out of the repository.
 
Next come the searches that will be sent to Splunk. Notice how the hosts and hostuf inputs are concatenated into the search string. This means wildcards can be used, but it also means the user controls part of the query, so there is additional protection in the form of input validation to prevent malicious behaviour (anything that could close the host term or append a pipe and further SPL commands):

[Screenshot]
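To make the search-construction point concrete, here is an added example (my own code, not the blog's or the repository's) of the vulnerable concatenation beside a validated version. The field names hosts and hostuf come from the post; the two SPL templates, the allow-list regex and the function names are assumptions, since the original only shows its searches in a screenshot.

```python
import re

# Allow-list for a host pattern: hostname characters plus the '*' wildcard.
# Assumption: the post does not show its own validation rule, so this regex
# is the rule the added example enforces.
_HOST_RE = re.compile(r"[A-Za-z0-9*][A-Za-z0-9.\-_*]{0,252}")

# The index and time range are fixed by the application and never taken from
# the request; only the host value comes from the form. Both templates are
# assumptions about what the app runs.
SEARCHES = {
    "hosts": (
        'search index=* earliest=-24h host="{value}" '
        "| stats count, latest(_time) as last_seen by host, sourcetype"
    ),
    "hostuf": (
        'search index=_internal earliest=-24h sourcetype=splunkd host="{value}" '
        "| stats count, latest(_time) as last_seen by host"
    ),
}


def is_valid_host(value):
    """True if value contains only hostname characters and '*' wildcards."""
    return isinstance(value, str) and _HOST_RE.fullmatch(value) is not None


def validate_host(value):
    """Return the host pattern unchanged if it is safe to embed in SPL, else raise."""
    if not is_valid_host(value):
        raise ValueError("invalid host pattern: %r" % (value,))
    return value


def build_search(field, value):
    """Build the SPL for one form field: a fixed template plus a validated host.

    The template can never be chosen by the user (unknown field -> KeyError),
    and the host value cannot contain quotes, pipes or whitespace, so the
    only thing the user controls is which hosts are matched."""
    template = SEARCHES[field]
    return template.format(value=validate_host(value))


def safe_search(field, value):
    """Return the SPL, or None if the value was rejected (the handler shows an error)."""
    try:
        return build_search(field, value)
    except (KeyError, ValueError):
        return None


def unsafe_search(value):
    """The pattern to avoid: raw concatenation lets the user append SPL commands."""
    return "search index=* host=" + value + " | stats count by host"


if __name__ == "__main__":
    print(build_search("hosts", "web-*"))
    # Constructed payload: the injected pipeline pivots the search into the
    # audit index, which the app never intended to expose.
    payload = "* | search index=_audit"
    print(unsafe_search(payload))
    print("validated:", safe_search("hosts", payload))
```

In the Flask view the validated string is what gets posted to Splunk; a None from safe_search should render an error page rather than fall back to the raw input.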
The application then attempts to connect to the Splunk instance using the username and password:

[Screenshot]

It then parses the results, saves them to an array and iterates through them before sending them to results.html to be displayed:

[Screenshot]
[Screenshot]

If no results are found, the following is shown:

[Screenshot]
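The connect-and-parse step, as an added example that is not the post's own code. It assumes the splunkd REST endpoint /services/search/jobs/export with output_mode=json (which streams one JSON object per line) and a results shape I constructed for the demo; fetch_export needs a live Splunk and credentials from the environment and is not called by the offline demo, while parse_export and choose_template run on the constructed sample, including the no-results case.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request


def fetch_export(base_url, username, password, spl, cafile=None):
    """Run spl through the splunkd REST API and return the raw export body.

    GET /services/search/jobs/export with output_mode=json streams one JSON
    object per line. base_url is e.g. https://localhost:8089 (assumption:
    the post uses the management port). Needs network access."""
    url = base_url.rstrip("/") + "/services/search/jobs/export?" + \
        urllib.parse.urlencode({"search": spl, "output_mode": "json"})
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    # splunkd serves TLS with a self-signed cert by default: trust that CA via
    # cafile instead of switching verification off.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode("utf-8")


def parse_export(body):
    """Turn the export stream into the list of result dicts the app iterates.

    Preview rows are interim results and are skipped; a truncated last line
    (stream cut off by a timeout) is skipped rather than crashing the request."""
    rows = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if obj.get("preview") or not isinstance(obj.get("result"), dict):
            continue
        rows.append(obj["result"])
    return rows


def choose_template(rows):
    """Pick the page to render: results.html, or device_not_found.html when empty."""
    return "results.html" if rows else "device_not_found.html"


# Constructed sample export body (not real data): a preview row, two final
# rows and a truncated trailing fragment. Splunk returns field values as strings.
SAMPLE_EXPORT = "\n".join([
    '{"preview":true,"offset":0,"result":{"host":"web01","count":"1"}}',
    '{"preview":false,"offset":0,"result":{"host":"web01","sourcetype":"access_combined","count":"3","last_seen":"1668244500"}}',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"host":"web02","sourcetype":"syslog","count":"12","last_seen":"1668244722"}}',
    '{"preview":false,"offset":2,"result":{"host":"web0',
])


def demo(body=SAMPLE_EXPORT):
    """Parse a body and return (template name, rows) as the view would."""
    rows = parse_export(body)
    return choose_template(rows), rows


if __name__ == "__main__":
    template, rows = demo()
    print(template)
    for row in rows:
        print(row["host"], row["sourcetype"], row["count"], row["last_seen"])
    print(demo("")[0])
```

The rows list is what the view passes to render_template; last_seen is an epoch string from latest(_time), which the template (or a strftime before rendering) turns into something readable.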

The application also has other pages and error-handling capabilities. On a 404 error it returns a page-not-found response, and it has an about page with more detail on its usage.
 
SplunkLoggingChecker.py – Logging capability

The application uses the Python logging module to write logs to a .log file, as shown below:

[Screenshot]

Wherever a problem could occur, or there is information worth recording, the following is placed to capture it:

app.logger.error("[Error message of your choice]")

The log file is shown below:

[Screenshot]
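An added example of the logging setup (my own code, not the post's) that writes key=value lines Splunk can parse and escapes user-supplied values before they reach the log, so a newline in a form field cannot forge a second event. The logger name, line format and file path are assumptions; app.logger in Flask is an ordinary logging.Logger, so configure_logging applies to it unchanged.

```python
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler

# key=value lines: Splunk extracts these fields automatically at search time.
LOG_FORMAT = "%(asctime)s level=%(levelname)s logger=%(name)s %(message)s"
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


def configure_logging(logger, path):
    """Attach a size-capped file handler to logger (app.logger in Flask is a
    plain logging.Logger, so the same call works there). Existing handlers are
    replaced so repeated calls do not duplicate lines."""
    for old in list(logger.handlers):
        logger.removeHandler(old)
        old.close()
    handler = RotatingFileHandler(path, maxBytes=5_000_000, backupCount=3,
                                  encoding="utf-8")
    handler.setFormatter(logging.Formatter(LOG_FORMAT, DATE_FORMAT))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def quote(value):
    """Quote a user-supplied value for a log line, escaping quotes and newlines
    so an attacker cannot forge a second event (Splunk would otherwise split
    the line on the line break and index the forged part as its own event)."""
    text = str(value)
    for raw, esc in (("\\", "\\\\"), ('"', '\\"'), ("\r", "\\r"), ("\n", "\\n")):
        text = text.replace(raw, esc)
    return '"' + text + '"'


def log_search(logger, field, value, client):
    """Record what was searched and by whom. The Splunk password is never logged."""
    logger.info("event=search field=%s value=%s client=%s", field, quote(value), client)


def demo(path=None):
    """Write one search record and one error to a log file and return its lines."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "SplunkLoggingChecker.log")
    logger = configure_logging(logging.getLogger("SplunkLoggingChecker"), path)
    # Constructed input that tries to inject a fake ERROR event via a newline.
    log_search(logger, "hosts", "web-*\nlevel=ERROR forged=1", "10.0.0.5")
    logger.error("splunk connection failed: status=%s", 401)
    for handler in logger.handlers:
        handler.flush()
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In the Flask view, field comes from a fixed set of form names and client from request.remote_addr; only value is user-controlled, which is why it is the one that goes through quote.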

You can then ingest the log file back into Splunk for bonus points:

[Screenshot]
results.html

Not as complicated as SplunkLoggingChecker.py, but still deserving of its own section. This receives the results from SplunkLoggingChecker.py and prints out each element of the array using a for loop, as shown below. Because the template has a .html extension, Flask renders it with Jinja autoescaping enabled, so values that came back from Splunk are HTML-escaped on output; keep it that way and avoid the |safe filter on anything derived from user input or log data.

[Screenshot]

Overview

Quick diagram for an overview:

[Screenshot]

Conclusion

So there's my Python Flask web application to retrieve search results from Splunk. Try not to critique the coding practices too hard :D. Nevertheless, I hope it was informative or at least entertaining.