in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/enrich_synciplists/module.py [0:0]
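def sync_iplist(self, iplist="redteam"):
    """Sync data between ES iplist and config files.

    Reconciles the IP list named *iplist* in both directions:

    * config-file IPs missing from ES are pushed to ES via ``self.add_es_ip``;
    * ES IPs missing from the config file are removed from ES when their
      ``source`` is ``config_file`` (the config line they came from is gone),
      otherwise appended to the config file with a ``# From ES`` comment via
      ``self.add_cfg_ips``.

    Args:
        iplist: name of the list (``iplist.name`` in ES and the config file
            selected by ``self.get_cfg_ips``).

    Returns:
        list[str]: the lines appended to the config file, possibly empty;
        an empty list when the config file does not exist (no sync done).
    """
    # Get data from config file iplist: pairs of (ip, comment)
    cfg_iplist = self.get_cfg_ips(iplist)
    # If the config file doesn't exist, skip the sync
    if cfg_iplist is None:
        return []

    # Get data from ES iplist. Only the first 10000 hits are fetched; entries
    # past that cap are invisible to the reconciliation below, so a config IP
    # that only exists beyond the cap would be added to ES a second time.
    # NOTE(review): iplist is interpolated into the query string unchanged;
    # presumably it is a list name from the module's own configuration.
    query = f"iplist.name:{iplist}"
    es_iplist_docs = get_query(query, size=10000, index="redelk-*")

    # Keep only hits that carry an IP, as (ip, doc) pairs: the document is
    # still needed for the source/comment lookups in the ES -> config pass.
    es_iplist = []
    for doc in es_iplist_docs:
        ip = get_value("_source.iplist.ip", doc)  # pylint: disable=invalid-name
        if ip:
            es_iplist.append((ip, doc))

    # Membership is decided on the IP alone. Testing `ip in (ip, comment)`
    # also matched the comment field, so a config comment that happened to
    # equal an IP address counted as a hit; sets also avoid an O(n*m) scan.
    es_ips = {ip for ip, _ in es_iplist}
    cfg_ips = {ipc for ipc, _ in cfg_iplist}

    # Config -> ES: add every config IP that ES does not know yet.
    for ipc, comment in cfg_iplist:
        if ipc not in es_ips:
            self.logger.debug("IP not found in ES: %s", ipc)
            self.add_es_ip(ipc, iplist, comment)

    # ES -> config: an ES entry absent from the config file either came from
    # a config line that was deleted (drop it from ES) or was created in ES
    # directly (append it to the config file).
    toadd = []
    for ipe, doc in es_iplist:
        if ipe in cfg_ips:
            continue
        if get_value("_source.iplist.source", doc) == "config_file":
            self.remove_es_ip(doc, iplist)
        else:
            comment = get_value("_source.iplist.comment", doc)
            if comment:
                ipa = f"{ipe} # From ES -- {comment}"
            else:
                ipa = f"{ipe} # From ES"
            toadd.append(ipa)
    self.add_cfg_ips(toadd, iplist)
    return toadd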