daniel.g/intesa_splunk_main
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
intesa_splunk_main/README.md
daniel.g fa0d76d216 Update README.md
2025-09-28 09:55:37 +00:00

49 lines
2.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Intesa Logs Local Docker Setup (Azure bits left empty)
This repo runs a local pipeline that mimics production **end-to-end**, but **without any active Azure dependencies**.
All “Azure things” are left as **placeholders** so this same repo can later be deployed to Azure.
## What runs locally (currently)
1. **Splunk** (container) receives events via HEC.
2. **Poller** (`splunk_poller.py`) queries Splunk and writes newline-delimited JSON **chunks** to a shared volume.
3. **Agent API** (`flask_app.py`) reads chunks and produces a concise compliance/ops report (optionally emails it via Mailtrap).
> Local mode uses `SINK=file` and a shared Docker volume. **No Azure Storage or Queues** are used in this mode.
## What runs on Azure (currently)
1. **Queue-worker**
2. **Agent API**
---
## Quick start (TL;DR)
```bash
# 1) Create a .env (see sample below)
# 2) Make sure compose.yaml has SINK=file for the poller
# 3) Start the stack
docker compose up -d
# 4) Check health
curl -sS http://localhost:8080/health
# 5) Send test events to Splunk HEC
for i in {1..5}; do
curl -k https://localhost:8088/services/collector/event \
-H "Authorization: Splunk dev-0123456789abcdef" \
-H "Content-Type: application/json" \
-d '{"event":{"event_type":"bonifico","step":"esito","status":"accepted","importo": '"$((RANDOM%5000+50))"',"divisa":"EUR","transaction_id":"TX-'$RANDOM'"},"sourcetype":"intesa:bonifico","index":"intesa_payments"}' >/dev/null 2>&1
done
# 6) Add a couple of anomalies to exercise the analyzer
curl -k https://localhost:8088/services/collector/event \
-H "Authorization: Splunk dev-0123456789abcdef" \
-H "Content-Type: application/json" \
-d '{"event":{"event_type":"bonifico","step":"esito","status":"rejected","importo":12500,"divisa":"EUR","vop_check":"no_match","iban_origin_masked":"IT1998*2*4*6*8*10*12*14*16*9375","iban_dest_masked":"IT1171*2*4*6*8*10*12*14*16*0000","bic_swift":"TESTBICX"},"sourcetype":"intesa:bonifico","index":"intesa_payments"}'
# 7) Ask the Agent API to analyze the latest local chunks
curl -sS -X POST http://localhost:8080/analyze \
-H 'Content-Type: application/json' \
-d '{"question":"Scan latest chunks. Flag rejected EUR >= 10000, vop_no_match, invalid IBAN/BIC.","email":{"send":false}}' | jq .
Reference in New Issue View Git Blame Copy Permalink