in Solutions/VMware SD-WAN and SASE/Data Connectors/Function App Connector/vmw_sdwan_sase_funcapp/sdwan_auditlogs/__init__.py [0:0]
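def EventCompiler(j_rawevent, event_type, metadata=None, *, request_timeout=30):
    """Filter raw audit-log events and hand the selected ones to Log Analytics ingestion.

    Args:
        j_rawevent: Parsed JSON response of the audit-log API. When ``event_type``
            is ``"eventlog"`` it must carry ``data`` (a list of event dicts) and
            ``metaData`` with the ``more`` / ``nextPageLink`` pagination fields.
        event_type: Selects the processing path; only ``"eventlog"`` is handled,
            any other value returns an empty list without touching the input.
        metadata: Mapping of category name -> iterable of interesting event names.
            ``None`` (the default) means no event name is selected.
        request_timeout: Seconds to wait for each follow-up page request, so a
            stalled API call cannot hang the function app indefinitely.

    Returns:
        ``[]`` for a single-page response (the page is still sent for ingestion,
        its result is not reported back) or an unhandled ``event_type``. For a
        multi-page response, a list with one ``callLogAnalyticsAPI`` result per
        page (``[]`` for pages that produced no matching events).

    Relies on module-level ``j_config_list``, ``craftAPIurl``,
    ``callLogAnalyticsAPI``, ``requests`` and ``logging``.
    """
    # A mutable default would be shared between calls; build a fresh mapping.
    if metadata is None:
        metadata = {}
    # Always bound, so an unhandled event_type can no longer raise on return.
    j_processed_events = []
    if event_type != "eventlog":
        return j_processed_events

    # Flatten the category -> event-name mapping once; membership is tested per
    # event below. A list (not a set) keeps the original ``==`` matching semantics.
    wanted_events = []
    for event_category in metadata:
        logging.info("Searching for events category: %s", event_category)
        for wanted_event in metadata[event_category]:
            logging.info("Searching for event type: %s", wanted_event)
            wanted_events.append(wanted_event)

    # Per-page ingestion results; only reported back for multi-page responses.
    j_multipage_processed = []
    multi_page_result = False
    while True:
        # Reset per page so a page with zero matches never re-reports the
        # previous page's result (and never dereferences an unbound name).
        j_processed_events = []
        j_array_processing = []
        for log_item in j_rawevent["data"]:
            j_log_event = {
                "eventTime": log_item["eventTime"],
                "event": log_item["event"],
                "category": log_item["category"],
                "severity": log_item["severity"],
                "message": log_item["message"],
                "detail": log_item["detail"],
            }
            # NOTE(review): ``"username" in j_log_event`` tests the *keys* of the
            # dict built just above, which never include "username"; the original
            # comment suggests the "detail" field was meant. Confirm against the
            # API schema before changing it.
            # Each event is appended at most once, even when its name is listed
            # under several categories, so the same record is not ingested twice.
            if "username" in j_log_event or j_log_event["event"] in wanted_events:
                j_array_processing.append(j_log_event)
        events = len(j_array_processing)
        if events > 0:
            logging.info("FUNCTION-EVENTCOMPILER: Extracted %s events, sending it over for processing", events)
            j_processed_events = callLogAnalyticsAPI(
                j_array_processing,
                j_config_list["logingestion_api"]["dce"],
                j_config_list["logingestion_api"]["sdwan"]["audit"]["imi"],
                j_config_list["logingestion_api"]["sdwan"]["audit"]["stream"],
            )
        else:
            logging.info("FUNCTION-EVENTCOMPILER: Extracted %s events, skip processing...", events)

        # Truthiness (rather than ``!= False``) so a missing/None "more" flag is
        # treated as the last page instead of failing on a missing nextPageLink.
        if not j_rawevent["metaData"].get("more"):
            if not multi_page_result:
                logging.info("FUNCTION-EVENTCOMPILER: Single-page response, processing complete.")
                j_processed_events = []
            else:
                logging.info("FUNCTION-EVENTCOMPILER: Last page reached, stopping the recursive processing.")
                j_multipage_processed.append(j_processed_events)
                j_processed_events = j_multipage_processed
            break

        # Multi-page response: fetch the next page and loop again on it.
        logging.info("FUNCTION-EVENTCOMPILER: API Metadata provided with nextpage token, processing")
        nextpage_params = "/logs?nextPageLink=" + j_rawevent["metaData"]["nextPageLink"]
        header = {"Authorization": j_config_list["token"]}
        query = craftAPIurl(j_config_list["host"], "/api/cws/v1/enterprises/", j_config_list["token"], True, nextpage_params)
        # NOTE(review): craftAPIurl receives the token; confirm it is not embedded
        # in the returned URL, otherwise the next line writes the credential to the log.
        logging.info("FUNCTION-EVENTCOMPILER: API call to: %s", query)
        try:
            nextpage_response = requests.get(url=query, headers=header, timeout=request_timeout)
        except requests.RequestException as err:
            # Transport-level failure (timeout, DNS, TLS): stop paging like a non-200.
            logging.error("FUNCTION-EVENTCOMPILER: Unexpected error when sending API call: %s", err)
            break
        if nextpage_response.status_code != 200:
            # If the API call fails, skip next steps
            logging.error("FUNCTION-EVENTCOMPILER: Unexpected error when sending API call")
            break
        # Record this page's ingestion result, then restart processing on the new page.
        j_multipage_processed.append(j_processed_events)
        logging.info("FUNCTION-EVENTCOMPILER: Next page of the results loaded, starting processing...")
        multi_page_result = True
        j_rawevent = nextpage_response.json()
    return j_processed_events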