wip

Author: ykoer

.github/actions/log_to_splunk/Dockerfile

@@ -0,0 +1,14 @@
+# Container image that runs your code
+FROM python:3-slim AS builder
+
+# Copies your code file from your action repository to the filesystem path `/` of the container
+ADD . /app
+WORKDIR /app
+
+RUN pip install --target=/app requests
+
+# Code file to execute when the docker container starts up (`entrypoint.sh`)
+FROM gcr.io/distroless/python3-debian10
+COPY --from=builder /app /app
+ENV PYTHONPATH /app
+CMD ["/app/main.py"]

.github/actions/log_to_splunk/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Splunk GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

.github/actions/log_to_splunk/README.md

@@ -0,0 +1,2 @@
+# POST GitHub Workflow Logs to Splunk HTTP Event Collector
+test

.github/actions/log_to_splunk/action.yml

@@ -0,0 +1,28 @@
+# action.yml
+name: 'Send Workflow Logs to Splunk'
+description: 'Upload GitHub Workflow logs to Splunk HEC'
+inputs:
+  splunk-url:
+    description: 'Full URL for Splunk HEC endpoint'
+    required: true
+  hec-token:
+    description: 'Splunk HEC Token'
+    required: true
+  github-token:
+    description: 'Github PAT'
+    required: true
+  sourcetype:
+    description: 'Splunk Sourcetype'
+    default: 'github_workflow_log_action'
+  source:
+    description: 'GitHub Workflow name'
+    default: ${{ github.workflow }}
+  workflowID:
+    description: 'The Workflow Run number'
+    default: ${{ github.run_number}}
+outputs:
+  status:
+    description: 'value is success/fail based on POST result'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'

.github/actions/log_to_splunk/main.py

@@ -0,0 +1,146 @@
+import os
+import requests
+import json
+import zipfile
+import io
+import glob
+import re
+from datetime import datetime
+
+def main():
+
+    GITHUB_REF=os.environ["GITHUB_REF"]
+    GITHUB_REPOSITORY=os.environ["GITHUB_REPOSITORY"]
+    GITHUB_RUN_ID=os.environ["GITHUB_RUN_ID"]
+    GITHUB_API_URL=os.environ["GITHUB_API_URL"]
+    GITHUB_WORKFLOWID=os.environ["INPUT_WORKFLOWID"]
+    GITHUB_TOKEN = os.environ.get("INPUT_GITHUB-TOKEN")
+
+    SPLUNK_HEC_URL=os.environ["INPUT_SPLUNK-URL"]+"services/collector/event"
+    SPLUNK_HEC_TOKEN=os.environ["INPUT_HEC-TOKEN"]
+    SPLUNK_SOURCE=os.environ["INPUT_SOURCE"]
+    SPLUNK_SOURCETYPE=os.environ["INPUT_SOURCETYPE"]
+
+    batch = count = 0
+    eventBatch = ""
+    headers = {"Authorization": "Splunk "+SPLUNK_HEC_TOKEN}
+    host=os.uname()[1]
+
+    summary_url = "{url}/repos/{repo}/actions/runs/{run_id}".format(url=GITHUB_API_URL,repo=GITHUB_REPOSITORY,run_id=GITHUB_WORKFLOWID)
+
+    try:
+        x = requests.get(summary_url, stream=True, auth=('token',GITHUB_TOKEN))
+        x.raise_for_status()
+    except requests.exceptions.HTTPError as errh:
+        output = "GITHUB API Http Error:" + str(errh)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return x.status_code
+    except requests.exceptions.ConnectionError as errc:
+        output = "GITHUB API Error Connecting:" + str(errc)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return x.status_code
+    except requests.exceptions.Timeout as errt:
+        output = "Timeout Error:" + str(errt)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return x.status_code
+    except requests.exceptions.RequestException as err:
+        output = "GITHUB API Non catched error conecting:" + str(err)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return x.status_code
+    except Exception as e:
+        print("Internal error", e)
+        return x.status_code
+
+    summary = x.json()
+
+    summary.pop('repository')
+
+    summary["repository"]=summary["head_repository"]["name"]
+    summary["repository_full"]=summary["head_repository"]["full_name"]
+
+    summary.pop('head_repository')
+
+    utc_time = datetime.strptime(summary["updated_at"], "%Y-%m-%dT%H:%M:%SZ")
+    epoch_time = (utc_time - datetime(1970, 1, 1)).total_seconds()
+
+    event={'event':json.dumps(summary),'sourcetype':SPLUNK_SOURCETYPE,'source':'workflow_summary','host':host,'time':epoch_time}
+    event=json.dumps(event)
+
+    x=requests.post(SPLUNK_HEC_URL, data=event, headers=headers)
+
+
+    url = "{url}/repos/{repo}/actions/runs/{run_id}/logs".format(url=GITHUB_API_URL,repo=GITHUB_REPOSITORY,run_id=GITHUB_WORKFLOWID)
+    print(url)
+
+    try:
+        x = requests.get(url, stream=True, auth=('token',GITHUB_TOKEN))
+
+    except requests.exceptions.HTTPError as errh:
+        output = "GITHUB API Http Error:" + str(errh)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return
+    except requests.exceptions.ConnectionError as errc:
+        output = "GITHUB API Error Connecting:" + str(errc)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return
+    except requests.exceptions.Timeout as errt:
+        output = "Timeout Error:" + str(errt)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return
+    except requests.exceptions.RequestException as err:
+        output = "GITHUB API Non catched error conecting:" + str(err)
+        print(f"Error: {output}")
+        print(f"::set-output name=result::{output}")
+        return
+
+    z = zipfile.ZipFile(io.BytesIO(x.content))
+    z.extractall('/app')
+
+    timestamp = batch = count = 0
+
+    for name in glob.glob('/app/*.txt'):
+        logfile = open(os.path.join(os.path.dirname(os.path.abspath(__file__)), name.replace('./','')),'r')
+        Lines = logfile.readlines()
+        for line in Lines:
+
+            if line:
+                count+=1
+                if timestamp:
+                    t2=timestamp
+                timestamp = re.search("\d{4}-\d{2}-\d{2}T\d+:\d+:\d+.\d+Z",line.strip())
+
+                if timestamp:
+                    timestamp = re.sub("\dZ","",timestamp.group())
+                    timestamp = datetime.strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%f")
+                    timestamp = (timestamp - datetime(1970,1,1)).total_seconds()
+                else:
+                    timestamp=t2
+
+                x = re.sub("\d{4}-\d{2}-\d{2}T\d+:\d+:\d+.\d+Z","",line.strip())
+                x=x.strip()
+                job_name=re.search("\/\d+\_(?P<job>.*)\.txt",name)
+                job_name=job_name.group('job')
+                fields = {'lineNumber':count,'workflowID':GITHUB_WORKFLOWID,'job':job_name}
+                if x:
+                    batch+=1
+                    event={'event':x,'sourcetype':SPLUNK_SOURCETYPE,'source':SPLUNK_SOURCE,'host':host,'time':timestamp,'fields':fields}
+                    eventBatch=eventBatch+json.dumps(event)
+                else:
+                    print("skipped line "+str(count))
+
+                if batch>=1000:
+                    batch=0
+                    x=requests.post(SPLUNK_HEC_URL, data=eventBatch, headers=headers)
+                    eventBatch=""
+
+    x=requests.post(SPLUNK_HEC_URL, data=eventBatch, headers=headers)
+
+if __name__ == '__main__':
+    main()

.github/workflows/log_to_splunk.yaml

@@ -0,0 +1,43 @@
+name: Send Workflow Logs to Splunk
+
+# Controls when the action will run.
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["*"]
+    types:
+      - completed
+
+env:
+  triggerID: ${{ github.event.workflow_run.id }}
+  triggerJob: ${{ github.event.workflow_run.name }}
+
+jobs:
+  WriteLogs:
+    runs-on: ubuntu-latest
+    # if: ${{ github.event.workflow_run.name!='WriteLogs'}}
+
+    steps:
+      - name: Debug Workflow Information
+        run: |
+          echo "Trigger ID: ${{ env.triggerID }}"
+          echo "Trigger Job: ${{ env.triggerJob }}"
+          echo "Event type: ${{ github.event_name }}"
+          echo "Workflow ID that triggered this: ${{ github.event.workflow_run.id }}"
+          echo "Workflow Name that triggered this: ${{ github.event.workflow_run.name }}"
+          echo "Workflow file: ${{ github.event.workflow_run.path }}"
+
+      - uses: actions/checkout@v2
+
+      - name: Output Job ID
+        run: echo ${{ github.event.workflow_run.id }}
+
+      - name: Send Workflow logs to Splunk
+        if: ${{ always() }}
+        uses: ./.github/actions/log_to_splunk
+        with:
+          splunk-url: ${{ secrets.HEC_URL }}
+          hec-token: ${{ secrets.HEC_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          workflowID: ${{ env.triggerID }}
+          source: ${{ env.triggerJob }}