C# (CSharp) SIPSplunk2 SIPSplunk2 Exemples

Exemple #1

        public async Task SplunkGetCallsAsync(CancellationToken cancelToken = new CancellationToken())
        {
            await Task.Run(() =>
            {
                ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
                ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) =>
                {
                    return(true);
                };
                SelectedCallsEarliestTime = DateTime.Now;
                SelectedCallsLatestTime   = DateTime.Parse("2000-01-01T00:00:00.000-05:00");
                splunkExceptions          = false;
                using (Service service = new Service(new Uri(splunkUrl)))
                {
                    //login to splunk server and call SplunkQuery
                    try
                    {
                        SplunkReadDone = false;
                        Status("Connecting to splunk server " + splunkUrl.ToString());
                        service.LogOnAsync(user, SecureStringToString(password)).Wait();
                        Status("Creating splunk job " + searchStrg);
                        switch (logMode)
                        {
                        case "tcpdump":
                            SplunkCallLegsQuery(service, cancelToken).Wait();
                            break;

                        case "audiocodes":
                            AcSplunkCallLegsQuery(service).Wait();
                            break;

                        case "audiocodesSyslog":
                            AcSyslogSplunkCallLegsQuery(service).Wait();
                            break;
                        }
                        SplunkReadDone = true;
                    }
                    catch (AggregateException ex)
                    {
                        //if the wrong splunk URL
                        if (ex.ToString().Contains("System.Net.Sockets.SocketException"))
                        {
                            Status(Regex.Match(ex.InnerException.ToString(), @"(?<=System.Net.Sockets.SocketException:).*").ToString());
                        }
                        //if the wrong user or password
                        else if (ex.ToString().Contains("Splunk.Client.AuthenticationFailureException"))
                        {
                            Status(Regex.Match(ex.ToString(), @"(?<=Splunk.Client.AuthenticationFailureException).*").ToString());
                        }
                        else if (ex.InnerException.Message.Contains("Unknown search command"))
                        {
                            Status(Regex.Match(ex.InnerException.Message, @"(?<=Search Factory: ).*\s*").ToString());
                        }
                        else if (ex.ToString().Contains("System.Net.WebException:"))
                        {
                            Status(Regex.Match(ex.ToString(), @"(?<=System.Net.WebException: ).*\s*").ToString());
                        }
                        else
                        {
                            Status(ex.ToString());
                        }
                        SIPSplunk2.Log(ex.ToString());
                        splunkExceptions = true;
                        SplunkReadDone   = true;
                    }
                    finally
                    {
                        try
                        {
                            if (!splunkExceptions)
                            {
                                service.LogOffAsync().Wait();
                            }
                        }
                        catch (Exception ex)
                        {
                            SIPSplunk2.Log(ex.ToString());
                        }
                    }
                    CancelSplunkJob = false;
                }
            });
        }

Exemple #2

        async Task AcSyslogSplunkSIPMessagesQuery(Service service)
        {
            string msgSearchString = searchStrg +
                                     "| rex field=_raw \"" + @"(?<SIP_Req>ACK.*SIP\/2\.0|BYE.*SIP\/2\.0|CANCEL.*SIP\/2\.0|INFO.*SIP\/2\.0|INVITE.*SIP\/2\.0|MESSAGE.*SIP\/2\.0|NOTIFY.*SIP\/2\.0|OPTIONS.*SIP\/2\.0|PRACK.*SIP\/2\.0|PUBLISH.*SIP\/2\.0|REFER.*SIP\/2\.0|REGISTER.*SIP\/2\.0|SUBSCRIBE.*SIP\/2\.0|UPDATE.*SIP\/2\.0|SIP\/2\.0 \d{3}(\s*\w*))" + "\" | " +
                                     "rex field=_raw \"" + @"(?<!-.{8})(?<=Call-ID:)\s*(?<SIP_CallId>\S*)" + "\" | " +
                                     "rex field=SIP_Req \"(?<SIP_method>^[a-zA-Z]+)\" | " +
                                     "rex field=_raw \"" + @"\d{2}:\d{2}:\d{2}.\d{3}\s*(?<MGIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" + "\" | " +
                                     "rex field=_raw \"(?<=Incoming SIP Message from)\\s*(?<SrcIP>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | " +
                                     "rex field=_raw \"(?<=Outgoing SIP Message to)\\s*(?<DstIP>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | " +
                                     "reverse |streamstats current=f window=5 last(DstIP) as prev_DstIP last(SrcIP) as prev_SrcIP | " +
                                     "eval SIP_dstIP=if(prev_DstIP != \"\",prev_DstIP,MGIP) | eval SIP_srcIP=if(prev_SrcIP != \"\",prev_SrcIP,MGIP) | " +
                                     "search ";
            string msgSearchStringEnd = " | eval srcIpOut=\"srcip=\"+SIP_srcIP | eval dstIpOut=\"dstip=\"+SIP_dstIP |" +
                                        "table srcIpOut,dstIpOut,_raw | ";

            for (int i = 0; i < callIDsOfIntrest.Count; i++)
            {
                string callId = callIDsOfIntrest[i];
                msgSearchString += ("SIP_CallId=" + callId);
                if (i < callIDsOfIntrest.Count - 1)
                {
                    msgSearchString += " OR ";
                }
            }

            // create splunk job
            try
            {
                var splunkJob = await service.Jobs.CreateAsync(msgSearchString + msgSearchStringEnd, 0, ExecutionMode.Normal,
                                                               new JobArgs()
                {
                    EarliestTime = SelectedCallsEarliestTime.ToString("O"),
                    LatestTime   = SelectedCallsLatestTime.ToString("O"),
                    MaxCount     = splunkMaxEvents
                });

                //loop until Job is done or cancelled
                Stopwatch elapsedTime = new Stopwatch();
                elapsedTime.Start();
                for (int count = 1; ; ++count)
                {
                    if (Console.KeyAvailable)
                    {
                        if (Console.ReadKey(true).Key == ConsoleKey.Escape)
                        {
                            break;
                        }
                    }
                    if (count >= splunkMaxTime / splunkStatusInterval)
                    {
                        await splunkJob.FinalizeAsync();

                        Status("Exceeded maximum wait time of " + splunkMaxTime / 1000 + " seconds. Finalizing...");
                        SIPSplunk2.Log("Exceeded maximum wait time of " + splunkMaxTime / 1000 + " seconds. Finalizing...");
                        break;
                    }
                    if (splunkJob.IsFinalized)
                    {
                        Status("Splunk query is finalized");
                        break;
                    }
                    if (splunkJob.DispatchState == DispatchState.Finalizing)
                    {
                        string formatedString = String.Format("Splunk job " + splunkJob.Sid + " Finalizing. Time elapsed: {0:hh\\:mm\\:ss} ", elapsedTime.Elapsed);
                    }
                    try
                    {
                        await splunkJob.TransitionAsync(DispatchState.Done, splunkStatusInterval);

                        break;
                    }
                    catch (TaskCanceledException)
                    {
                        string formatedString = String.Format("Waiting on splunk job " + splunkJob.Sid + " to complete. " + splunkJob.DoneProgress * 100 + "% Time elapsed: {0:hh\\:mm\\:ss} Press Esc to quit.", elapsedTime.Elapsed);
                        Status(formatedString);
                    }
                }
                elapsedTime.Restart();
                //Get results of job as stream instantiate streamreader splunkSR to read it
                if (splunkJob.IsFinalized || splunkJob.IsDone)
                {
                    using (var message = await splunkJob.GetSearchResponseMessageAsync(outputMode: OutputMode.Csv))
                    {
                        Stream splunkStream = await message.Content.ReadAsStreamAsync();

                        sipMessageReader.AcSyslogReadData(splunkStream);
                    }
                    if (!splunkExceptions)
                    {
                        Status("Completed splunk query with  lines of data");
                    }
                    SplunkReadDone = true;
                }
                else
                {
                    Status("Splunk query failed");
                }
            }
            catch (Exception ex)
            {
                SIPSplunk2.Log(ex.ToString());
                splunkExceptions = true;
            }
        }

Exemple #3

        void SplunkGetSIPMessages()
        {
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => {
                return(true);
            };

            splunkExceptions = false;
            using (Service service = new Service(new Uri(splunkUrl)))
            {//login to splunk server and call SplunkQuery
                try
                {
                    SplunkReadDone = false;
                    Status("Connecting to splunk");
                    service.LogOnAsync(user, SecureStringToString(password)).Wait();
                    Status("Creating splunk job  for SIP messages " + searchStrg);
                    switch (logMode)
                    {
                    case "tcpdump":
                        SplunkSIPMessagesQuery(service).Wait();
                        break;

                    case "audiocodes":
                        AcSplunkSIPMessagesQuery(service).Wait();
                        break;

                    case "audiocodesSyslog":
                        AcSyslogSplunkSIPMessagesQuery(service).Wait();
                        break;
                    }
                }
                catch (Exception ex)
                {
                    //if the wrong splunk URL
                    if (ex.ToString().Contains("System.Net.Sockets.SocketException"))
                    {
                        Status(Regex.Match(ex.InnerException.ToString(), @"(?<=System.Net.Sockets.SocketException:).*").ToString());
                    }
                    //if the wrong user or password
                    else if (ex.ToString().Contains("Splunk.Client.AuthenticationFailureException"))
                    {
                        Status(Regex.Match(ex.ToString(), @"(?<=Splunk.Client.AuthenticationFailureException).*").ToString());
                    }
                    else if (ex.InnerException.Message.Contains("Unknown search command"))
                    {
                        Status(Regex.Match(ex.InnerException.Message, @"(?<=Search Factory: ).*\s*").ToString());
                    }
                    else
                    {
                        Status(ex.InnerException.Message);
                        SIPSplunk2.Log(ex.ToString());
                    }
                    splunkExceptions = true;
                    SplunkReadDone   = true;
                }
                finally
                {
                    try
                    {
                        if (!splunkExceptions)
                        {
                            service.LogOffAsync().Wait();
                        }
                    }
                    catch (Exception ex)
                    {
                        SIPSplunk2.Log(ex.ToString());
                    }
                }
            }
        }

Exemple #4

        async Task SplunkSIPMessagesQuery(Service service)
        {
            string msgSearchString = searchStrg + "|rex field=_raw \"(?<!-.{8})(?<=Call-ID:)\\s*(?<SIP_CallId>\\S*)\"| search ";

            for (int i = 0; i < callIDsOfIntrest.Count; i++)
            {
                string callId = callIDsOfIntrest[i];
                msgSearchString += ("SIP_CallId=" + callId);
                if (i < callIDsOfIntrest.Count - 1)
                {
                    msgSearchString += " OR ";
                }
            }

            // create splunk job
            try
            {
                var splunkJob = await service.Jobs.CreateAsync(msgSearchString + " | dedup _raw | reverse", 0, ExecutionMode.Normal,
                                                               new JobArgs()
                {
                    EarliestTime = SelectedCallsEarliestTime.ToString("O"),
                    LatestTime   = SelectedCallsLatestTime.ToString("O"),
                    MaxCount     = splunkMaxEvents
                });

                //loop until Job is done or cancelled
                Stopwatch elapsedTime = new Stopwatch();
                elapsedTime.Start();
                for (int count = 1; ; ++count)
                {
                    if (Console.KeyAvailable)
                    {
                        if (Console.ReadKey(true).Key == ConsoleKey.Escape)
                        {
                            break;
                        }
                    }
                    if (count >= splunkMaxTime / splunkStatusInterval)
                    {
                        await splunkJob.FinalizeAsync();

                        Status("Exceeded maximum wait time of " + splunkMaxTime / 1000 + " seconds. Finalizing...");
                        SIPSplunk2.Log("Exceeded maximum wait time of " + splunkMaxTime / 1000 + " seconds. Finalizing...");
                        break;
                    }
                    if (splunkJob.IsFinalized)
                    {
                        Status("Splunk query is finalized");
                        SIPSplunk2.Log("Splunk query is finalized");
                        break;
                    }
                    if (splunkJob.DispatchState == DispatchState.Finalizing)
                    {
                        string formatedString = String.Format("Splunk job " + splunkJob.Sid + " Finalizing. Time elapsed: {0:hh\\:mm\\:ss} ", elapsedTime.Elapsed);
                    }
                    try
                    {
                        await splunkJob.TransitionAsync(DispatchState.Done, splunkStatusInterval);

                        break;
                    }
                    catch (TaskCanceledException)
                    {
                        string formatedString = String.Format("Waiting on splunk job " + splunkJob.Sid + " to complete. " + splunkJob.DoneProgress * 100 + "% Time elapsed: {0:hh\\:mm\\:ss} Press Esc to quit.", elapsedTime.Elapsed);
                        Status(formatedString);
                    }
                }
                elapsedTime.Restart();
                //Get results of job as stream instantiate streamreader splunkSR to read it
                if (splunkJob.IsFinalized || splunkJob.IsDone)
                {
                    using (var message = await splunkJob.GetSearchResponseMessageAsync(outputMode: OutputMode.Raw))
                    {
                        Stream splunkStream = await message.Content.ReadAsStreamAsync();

                        sipMessageReader.ReadData(splunkStream);
                    }

                    SplunkReadDone = true;
                }
                else
                {
                    Status("Splunk query failed");
                }
            }
            catch (Exception ex)
            {
                SIPSplunk2.Log(ex.ToString());
                splunkExceptions = true;
            }
        }

Exemple #5

        async Task AcSyslogSplunkCallLegsQuery(Service service, CancellationToken cancelToken = new CancellationToken())
        {
            try
            {
                string query = searchStrg + " | rex field=_raw \"" + @"(?<SIP_Req>ACK.*SIP\/2\.0|BYE.*SIP\/2\.0|CANCEL.*SIP\/2\.0|INFO.*SIP\/2\.0|INVITE.*SIP\/2\.0|MESSAGE.*SIP\/2\.0|NOTIFY.*SIP\/2\.0|OPTIONS.*SIP\/2\.0|PRACK.*SIP\/2\.0|PUBLISH.*SIP\/2\.0|REFER.*SIP\/2\.0|REGISTER.*SIP\/2\.0|SUBSCRIBE.*SIP\/2\.0|UPDATE.*SIP\/2\.0|SIP\/2\.0 \d{3}(\s*\w*))" + "\" | " +
                               "rex field=_raw \"" + @"(?<!-.{8})(?<=Call-ID:)\s*(?<SIP_CallId>\S*)" + "\" | " +
                               "rex field=SIP_Req \"(?<SIP_method>^[a-zA-Z]+)\" | " +
                               "rex field=_raw \"" + @"\d{2}:\d{2}:\d{2}.\d{3}\s*(?<MGIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" + "\" | " +
                               "rex field=_raw \"(?<=Incoming SIP Message from)\\s*(?<SrcIP>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | " +
                               "rex field=_raw \"(?<=Outgoing SIP Message to)\\s*(?<DstIP>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | " +
                               "rex field=_raw \"" + @"(?<=To:) *(\x22.+\x22)? *<?(sip:)(?<SIP_To>[^@>]+)" + "\" | " +
                               "rex field=_raw \"" + @"(?<=From:) *(\x22.+\x22)? *<?(sip:)(?<SIP_From>[^@>]+)" + "\" | " +
                               "eval timeForamted = strftime(_time, \"%Y-%m-%d %H:%M:%S.%6N%:z\") |" +
                               "eval UTC = \"\" |" +
                               "eval selected = \"\" |" +
                               "eval filtered = \"\" |" +
                               "reverse | streamstats current=f window=5 last(DstIP) as prev_DstIP last(SrcIP) as prev_SrcIP |" +
                               "eval SIP_dstIP =if (prev_DstIP != \"\",prev_DstIP,MGIP) | eval SIP_srcIP =if (prev_SrcIP != \"\",prev_SrcIP,MGIP) |" +
                               "search SIP_Req = *INVITE* OR SIP_Req = *NOTIFY* OR SIP_Req = *REGISTER* OR SIP_Req = *SUBSCRIBE* |" +
                               "stats first(SIP_To) as To, first(SIP_From) as From, first(SIP_srcIP) as Source_IP, first(SIP_dstIP) as Destination_IP, first(timeForamted) as DateTime first(SIP_method) as Method by SIP_CallId|" +
                               "table DateTime,UTC,To,From,SIP_CallId,selected,Source_IP,Destination_IP,filtered,Method |" +
                               "sort DateTime";

                var splunkJob = await service.Jobs.CreateAsync(query, splunkMaxEvents, ExecutionMode.Normal, new JobArgs()
                {
                    EarliestTime = earliest.ToString("u"),
                    LatestTime   = latest.ToString("u"),
                    MaxCount     = splunkMaxEvents
                });

                //loop until Job is done or cancelled
                Stopwatch elapsedTime = new Stopwatch();
                elapsedTime.Start();
                for (int count = 1; ; ++count)
                {
                    if (cancelToken.IsCancellationRequested)
                    {
                        await splunkJob.CancelAsync();

                        Status("Splunk query is canceled.");
                        break;
                    }
                    if (count >= splunkMaxTime / splunkStatusInterval)
                    {
                        await splunkJob.FinalizeAsync();

                        Status("Exceeded maximum wait time of " + splunkMaxTime / 1000 + " seconds. Finalizing...");
                        break;
                    }
                    if (splunkJob.IsFinalized)
                    {
                        Status("Splunk query is finalized");
                        break;
                    }
                    if (splunkJob.DispatchState == DispatchState.Finalizing)
                    {
                        string formatedString = String.Format("Splunk job " + splunkJob.Sid + " Finalizing. Time elapsed: {0:hh\\:mm\\:ss} ", elapsedTime.Elapsed);
                    }
                    try
                    {
                        await splunkJob.TransitionAsync(DispatchState.Done, splunkStatusInterval);

                        break;
                    }
                    catch (TaskCanceledException)
                    {
                        string formatedString = String.Format("Waiting on splunk job " + splunkJob.Sid + " to complete. " + splunkJob.DoneProgress * 100 + "% Time elapsed: {0:hh\\:mm\\:ss} ", elapsedTime.Elapsed);
                        Status(formatedString);
                    }
                }
                elapsedTime.Restart();
                using (var results = await splunkJob.GetSearchResponseMessageAsync(outputMode: OutputMode.Csv))
                {
                    Stream contentstream = await results.Content.ReadAsStreamAsync();

                    StreamReader contentSR = new StreamReader(contentstream);
                    //Console.WriteLine(content);
                    String[] line          = new String[5];
                    long     lastElapsedMs = elapsedTime.ElapsedMilliseconds;
                    while (!contentSR.EndOfStream && !CancelSplunkJob)
                    {
                        if ((elapsedTime.ElapsedMilliseconds - lastElapsedMs) > 5000)
                        {
                            lastElapsedMs = elapsedTime.ElapsedMilliseconds;
                            string formatedString = String.Format("Fetching results from splunk job " + splunkJob.ResultCount + " results. Time elapsed: {0:hh\\:mm\\:ss}", elapsedTime.Elapsed);
                            Status(formatedString);
                        }
                        line = contentSR.ReadLine().Replace("\"", "").Split(',');

                        //if line has a valid time stamp collect it
                        if (Regex.IsMatch(line[0], @"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}-\d{2}:\d{2}"))
                        {
                            line[1] = DateTime.Parse(line[0]).ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss.ffffff", CultureInfo.InvariantCulture);
                            Calls.Add(line);
                        }
                    }
                    elapsedTime.Stop();
                    Status("Completed splunk query with " + splunkJob.ResultCount + " results out of " + splunkJob.EventCount + " Events found");
                    //TODO update display
                }
            }
            catch (AggregateException ex)
            {
                Status(ex.Message);
                SIPSplunk2.Log(ex.ToString());
                splunkExceptions = true;
            }
        }