sophos / Sophos-Central-SIEM-Integration

Simple integration script for 3rd party systems such as SIEMs. Offers command line, file or syslog output in CEF, JSON or key-value pair formats.

Error running siem.py (invalid syntax) #48

Closed syunusic closed 3 years ago

syunusic commented 3 years ago

I just cloned the project, put the API Access URL + Headers in config.ini and tried to run siem.py, but I got this error:

Traceback (most recent call last):
  File "siem.py", line 24, in <module>
    import api_client
  File "/home/centos/Sophos-Central-SIEM-Integration/api_client.py", line 511
    whoami_url = f"https://{self.config.api_host}/whoami/v1"
                                                           ^
SyntaxError: invalid syntax

I'm using Python 3.5 on a CentOS 7 box:

Python 3.5.1

config.ini:

# API Access URL + Headers
# API token setup steps: https://community.sophos.com/kb/en-us/125169
token_info = url: https://api5.central.sophos.com/gateway, x-api-key: xxxxxxxxxx, Authorization: Basic xxxxxxxx=

# Client ID and Client Secret for partner
# <Copy Client ID and Client Secret from Sophos Central here>
client_id = 
client_secret = 
# Customer tenant Id
tenant_id = 

# Host URL for Oauth token
auth_url = 

# whoami API host url
api_host = 

# format can be json, cef or keyvalue
format = json

# filename can be syslog, stdout, any custom filename
filename = result.txt

# endpoint can be event, alert or all
endpoint = event

# syslog properties
# for remote address use <remoteServerIp>:<port>, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
#address = /var/run/syslog
address = xxx.yyy.zzz.www:514
facility = daemon
socktype = udp

# cache file full or relative path (with a ".json" extension)
state_file_path = state/siem_sophos.json

Where is my error?

ramksophos commented 3 years ago

Hi @syunusic, we are updating the minimum and recommended Python versions for this tool as Python 3.5 is now EOL. See PR https://github.com/sophos/Sophos-Central-SIEM-Integration/pull/49

Can you please try again with Python 3.6 or 3.7? Thanks

gauravm-optimus commented 3 years ago
Traceback (most recent call last):
  File "siem.py", line 20, in <module>
    import state
  File "/opt/Sophos-Central-SIEM-Integration/state.py", line 17, in <module>
    from pathlib import Path
ImportError: No module named pathlib

I am also getting a similar error. @syunusic, were you able to get this error resolved?

keeely commented 3 years ago

@gauravm-optimus Looks like you're running python2 or an earlier version of python3. This hash-bang line in siem.py should almost certainly be changed from:

#!/usr/bin/env python

to

#!/usr/bin/env python3

This matters now that python2 is no longer supported, because most people still have python as a link to python2 for historical reasons.

syunusic commented 3 years ago

Ok, so I did a couple of things. First, I completed the config.ini configuration according to https://support.sophos.com/support/s/article/KB-000036372?language=en_US. I struggled a lot with the tenant-id part, because I didn't know if my account was a partner one, or an organization one, or whatever. So I followed the instructions from https://developer.sophos.com/getting-started and I always got an error (forbidden) when it came to listing the tenants. So, in the end I left tenant-id blank. I still had errors.

So I did what @keeely suggested and changed "python" to "python3" (which pointed to 3.5 at that time); no luck. In the end I upgraded python3 to 3.7.9 as suggested by @rkamat, and that did the trick (after changing all the "#!/usr/bin/env python3" lines to "#!/usr/bin/env python3.7" in api_client.py, config.py, siem.py, state.py and test_regression.py). Now I'm receiving data as expected.

PS: In the meantime, what I did was use an old version of the script (v1.1), which worked fine.

keeely commented 3 years ago

Indeed, the fact that python3 is in the path is no guarantee it's linking to the right version of Python (it could be using the brew link command or Linux equivalents). You could do this:

import sys

# Minimum interpreter version this script is written for
REQUIRED_VERSION_MAJOR = 3
REQUIRED_VERSION_MINOR = 5

# Fail early with a readable message instead of a SyntaxError from a later import
if not (sys.version_info.major == REQUIRED_VERSION_MAJOR and sys.version_info.minor >= REQUIRED_VERSION_MINOR):
    print("Sophos SIEM requires Python %d.%d or higher!" % (REQUIRED_VERSION_MAJOR, REQUIRED_VERSION_MINOR))
    print("You are using Python %d.%d." % (sys.version_info.major, sys.version_info.minor))
    sys.exit(1)

  1. Drop this content into a file called vercheck.py (let's say)
  2. import vercheck into any scripts that need the check.

It should spell out what's going on for users with more complex setups.
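The two failure modes in this thread (a bare `python` shebang landing on python2, and a `python3` that is still 3.5 and chokes on the f-strings in api_client.py) can both be caught before the first project import. The module below is an added example written for this page, not code from the Sophos project or from any commenter: the module and function names, the 3.6 floor (the lowest version that supports f-strings, which the traceback above fails on) and the sample shebang lines are all assumptions. It compares version tuples rather than `major == 3 and minor >= N`, so it generalizes correctly to any future major version, and it deliberately uses only 3.5-safe syntax so that the check itself can run on the interpreter it is about to reject.

```python
"""vercheck-style interpreter sanity check (added example, hypothetical module).

Import this before any project module that uses f-strings, so a too-old
interpreter produces one clear line on stderr instead of a SyntaxError
deep inside an import. No f-strings here on purpose: this file must parse
on Python 3.5 to be able to report that 3.5 is too old.
"""
import re
import sys

# Assumed minimum: f-strings (PEP 498) first appeared in Python 3.6.
REQUIRED_VERSION = (3, 6)

# "#!/usr/bin/env python3" -> group1 "/usr/bin/env", group2 "python3"
# "#!/usr/bin/python"      -> group1 "/usr/bin/python", group2 None
SHEBANG_RE = re.compile(r"^#!\s*(\S+)(?:\s+(\S+))?")


def version_ok(version_info=None, required=REQUIRED_VERSION):
    """True if the running (or given) interpreter is at least `required`.

    Tuple comparison handles any major version; a check written as
    `major == 3 and minor >= N` would wrongly reject a hypothetical 4.0.
    `version_info` may be sys.version_info or any (major, minor, ...) tuple.
    """
    if version_info is None:
        version_info = sys.version_info
    return tuple(version_info[:2]) >= tuple(required[:2])


def version_message(version_info=None, required=REQUIRED_VERSION):
    """Human-readable explanation for the exit message (no f-strings)."""
    if version_info is None:
        version_info = sys.version_info
    return "Sophos SIEM requires Python %d.%d or higher; you are running %d.%d." % (
        required[0], required[1], version_info[0], version_info[1])


def shebang_interpreter(first_line):
    """Return the interpreter a shebang line selects, or None if no shebang."""
    match = SHEBANG_RE.match(first_line)
    if not match:
        return None
    program, argument = match.group(1), match.group(2)
    if program.endswith("/env") and argument:
        return argument            # env form: the real interpreter is the argument
    return program.rsplit("/", 1)[-1]


def shebang_warning(first_line):
    """Explain why a shebang may pick the wrong interpreter, or None if it looks fine."""
    interp = shebang_interpreter(first_line)
    if interp is None:
        return "no shebang: the script runs under whatever interpreter is invoked explicitly"
    if interp == "python":
        return "'python' is frequently a link to python2 on older systems; use python3"
    if interp == "python3":
        return "'python3' may still resolve to an old 3.x (3.5 on CentOS 7); pin a version or check at runtime"
    return None


def enforce():
    """Exit with a clear message when the running interpreter is too old."""
    if not version_ok():
        print(version_message(), file=sys.stderr)
        sys.exit(1)


if __name__ == "__main__":
    enforce()
    # Constructed sample shebang lines, not read from the repository's files.
    for line in ("#!/usr/bin/env python", "#!/usr/bin/env python3", "#!/usr/bin/env python3.7"):
        print("%-26s -> %-10s %s" % (line, shebang_interpreter(line), shebang_warning(line) or "ok"))
```

Placing `import vercheck` (or whatever the module is called) as the very first import in siem.py is what makes this useful: in the traceback at the top of the thread the failure happened while importing api_client, so any check that comes after that import never runs. From an operations standpoint a SIEM feed that stops because of a cryptic SyntaxError is a silent loss of telemetry; a one-line stderr message and a non-zero exit code give the scheduler or monitoring something to alert on.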

syunusic commented 3 years ago

@keeely shouldn't be:

REQUIRED_VERSION_MINOR = 7

?

keeely commented 3 years ago

Readme currently says:

The script requires Python 3.5+ to run.

I was just going on that :).

ramksophos commented 3 years ago

Thanks @keeely, @syunusic, the PR has now been updated: https://github.com/sophos/Sophos-Central-SIEM-Integration/pull/49 with this suggestion.