Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5564
Views
15
Helpful
5
Replies

Event Streams

Go to solution
ericl42
Level 1
Level 1

‎03-19-2018 07:36 AM - edited ‎03-08-2019 05:47 PM

Hello,

 

Previously I was using the AMP API and just pulling down all events on a 10 minute interval but it's not a very pretty process since you have to set bookmarks whenever you pull down the data. Therefore I'd like to move to the event stream process but I'm not as familiar with AMQPS and was wondering if anyone has some examples I could use. 

 

I've already setup the event stream on AMP's side with all of the relevant groups/IDs that I want. My issue now is figuring out how to pull down that data and put it into my syslog server. I've taken a look at some Python Pika code but still struggling through it right now so any help would be greatly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
majacob2
Cisco Employee
Cisco Employee

‎03-19-2018 08:42 AM

ericl42,

I might have something to help. I work in TAC and I have a github with python code for this particular purpose. This code is something we designed in TAC, but is provided as-is.

https://github.com/walbit/AMP_API

There is a readme and some instructions for the additional libraries needed. I hope this helps you out!

View solution in original post

5 Replies 5

Go to solution
neipatel
Cisco Employee
Cisco Employee

‎03-19-2018 07:42 AM

ericl42,

 

Check out the code @ https://github.com/QuiLoxx/ATS-APIs/tree/master/amp4e/neipatel_event-stream

 

That is a functional example which dumps event data do the screen from AMP for endpoints, that may be a start and instead of dumping to the screen it could be adapted to push via syslog.

0 Helpful

Go to solution
ericl42
Level 1
Level 1
In response to neipatel

‎03-19-2018 08:13 AM

neipatel,

 

Thanks for the link. One quick question regarding the parameters.json file. Is there a way for me to use the same original API call I created for this? Basically I want all groups and all event IDs and I was able to do that with the string below. I didn't know if I could put in all event names and all groups names with your code and it accept it.

 

curl -X POST \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'authorization: Basic XXXXXXXXXXXXXXXXX' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-d '{"name":"Syslog_Feed","event_type":[553648130, 554696714, 554696715, 1091567628, 2165309453, 1090519054, 553648143, 2164260880, 553648145, 570425394, 553648149, 2164260884, 2181038130, 553648152, 2164260889, 553648151, 553648154, 553648155, 2164260892, 2164260893, 553648158, 2164260895, 553648166, 2164260903, 1003, 1004, 1005, 2164260866, 553648146, 553648147, 553648168, 553648150, 570425396, 570425397, 570425398, 570425399, 1090524040, 1090524041, 1090519084, 1107296257, 1107296258, 1107296260, 1107296261, 1107296262, 1107296263, 1107296264, 1107296265, 1107296266, 1107296267, 1107296268, 1107296269, 1107296270, 1107296271, 1107296272, 1107296273, 553648170, 553648171, 1107296274, 1107296275, 1107296276, 553648173, 2164260910, 554696756, 554696757, 1091567670, 2165309495, 2164260914, 553648179, 2164260911, 553648176, 1090519089, 1107296277, 1107296278, 1107296279, 1107296280, 1107296281, 1107296282, 1090519096, 1090519097, 2164260922, 553648137, 553648135, 553648136, 1107296284, 1107296283, 1090519103, 2164260931, 1090519107, 553648195, 553648196, 553648197, 1090519081, 1090519105]}' \
-u YYYYYYYYYYYYYY \
'https://api.amp.cisco.com/v1/event_streams'

0 Helpful

Go to solution
neipatel
Cisco Employee
Cisco Employee
In response to ericl42

‎03-19-2018 08:44 AM

Pull the code down again from the github, it can handle multiple events enter them in the parameters.json as you see in the readme (as an array). And make sure the value for "id_or_name" is equal to "id".

0 Helpful

Go to solution
majacob2
Cisco Employee
Cisco Employee

‎03-19-2018 08:42 AM

ericl42,

I might have something to help. I work in TAC and I have a github with python code for this particular purpose. This code is something we designed in TAC, but is provided as-is.

https://github.com/walbit/AMP_API

There is a readme and some instructions for the additional libraries needed. I hope this helps you out!

Go to solution
ericl42
Level 1
Level 1
In response to majacob2

‎03-19-2018 12:58 PM

Thank you very much. That is exactly what I needed. I made a slight modification to send it only to syslog and from there I'll have syslog-ng pick it up.

 

 

my_logger = logging.getLogger('MyLogger')
my_logger.setLevel(logging.INFO)
handler = logging.handlers.SysLogHandler(address = '/dev/log')
my_logger.addHandler(handler)

def callback(ch, method, properties, body):
    my_logger.info(body)

 

Top