security_monkey
Feature Request: Ability to send events to SIEM
It'd be nice if there was an ability to send newly discovered issues as events to a SIEM.
The syslog mechanism may be one way to facilitate such a feature for multiple SIEM vendor types.
So I took a stab at this feature, but ran into a snag. Per issue 12168, Python's syslog handler sends requests delimited with a null terminator. The result is that syslog messages transmitted in quick succession are received in one block rather than as individual lines. This makes parsing the events nearly impossible. It appears that the issue is fixed in CPython 3.1, but SM is currently compatible with 2.7. My observations:
- I don't think this is a big enough feature to warrant a bump in the version of python SM is dependent on and,
- Hacking around the bug would require cherry-picking a bunch of code from the newer python which could lead to bugs in the future.
- I'm not able to find any decent alternatives to python's SysLogHandler to use instead.
I'm happy to submit a PR with the code that I wrote already, but it won't be useful for connecting SM to any newer system that isn't expecting null-terminated messages.
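As an added illustration (not code from the linked commit or from Security Monkey itself): `frame_py27` reconstructs the `<PRI>message\0` framing that Python 2.7's SysLogHandler emits, a newline-only receiver then sees a burst of events as one block, and `split_syslog_stream` on the collector side treats both NUL and LF as record delimiters, recovering the individual events and carrying any trailing partial record over to the next read. The sample events are constructed.

```python
import re

def frame_py27(facility, severity, msg):
    """Reconstruction of the bytes Python 2.7's SysLogHandler.emit() sends:
    '<PRI>' + message + NUL. Constructed for illustration only."""
    pri = (facility << 3) | severity          # same arithmetic as encodePriority()
    return ("<%d>%s" % (pri, msg)).encode("utf-8") + b"\x00"

# NUL (Python 2.7 handler) or LF (RFC 6587 non-transparent framing) ends a record
_DELIM = re.compile(rb"[\x00\n]")

def naive_newline_split(buf):
    """What a newline-only TCP syslog receiver sees: the whole burst as one record."""
    return [chunk for chunk in buf.split(b"\n") if chunk]

def split_syslog_stream(buf):
    """Split one TCP read into complete events plus the unterminated remainder,
    which the caller prepends to the next read."""
    events, start = [], 0
    for m in _DELIM.finditer(buf):
        chunk = buf[start:m.start()]
        if chunk:                               # ignore empty records from back-to-back delimiters
            events.append(chunk.decode("utf-8", "replace"))
        start = m.end()
    return events, buf[start:]

def parse_event(line):
    """Pull facility, severity and message text out of one '<PRI>text' record."""
    m = re.match(r"<(\d+)>(.*)", line, re.S)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "message": m.group(2)}

# Constructed sample: three issues emitted in quick succession, facility user(1), severity info(6)
SAMPLE = b"".join(frame_py27(1, 6, "issue %d: s3 bucket public" % i) for i in range(3))

def demo():
    events, rest = split_syslog_stream(SAMPLE + b"<14>partial")
    return [parse_event(e) for e in events], rest

if __name__ == "__main__":
    print("newline-only receiver sees %d record(s)" % len(naive_newline_split(SAMPLE)))
    parsed, leftover = demo()
    for ev in parsed:
        print(ev)
    print("carried over to next read:", leftover)
```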
It would be nice if you could share the code you wrote even if it cannot be used right now until Python is updated in the future when it is appropriate.
That way down the line someone can hopefully apply the code.
Here's the relevant commit with the work I did.
https://github.com/AlexCline/security_monkey/commit/d47629d260a6154fcb08c84273345797d7292509
I can submit a PR if someone on the SM team thinks it would be OK to have an unused PR sitting around with non-working code.
Hey @AlexCline - Netflix OSS is now actually being tracked for number of open PRs, so I'm not supposed to have unmerged PRs around anymore (and I still have a few to deal with).
The re-architecture is also in Python 2.7 (as that's the only thing Lambda currently supports). I'll keep this PR open so we can reference your commit in the future.