From 06a28c435d7a82fa36c8a5b8e3f9de13bb417d93 Mon Sep 17 00:00:00 2001
From: Michel Oosterhof
Date: Thu, 19 Sep 2024 11:40:40 +0800
Subject: [PATCH] add prototype axiom output (#2323)

---
 etc/cowrie.cfg.dist | 7 ++++-
 src/cowrie/output/axiom.py | 61 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 src/cowrie/output/axiom.py

diff --git a/etc/cowrie.cfg.dist b/etc/cowrie.cfg.dist
index 7319f02c..e3241400 100644
--- a/etc/cowrie.cfg.dist
+++ b/etc/cowrie.cfg.dist
@@ -1092,4 +1092,9 @@ host = 127.0.0.1
 port = 514
 # protocol options: udp or tcp
 # (default: udp)
-protocol = udp
\ No newline at end of file
+protocol = udp
+
+[output_axiom]
+enabled = false
+api_token = fill_out_your_token_here
+dataset = cowrie
diff --git a/src/cowrie/output/axiom.py b/src/cowrie/output/axiom.py
new file mode 100644
index 00000000..75b07a65
--- /dev/null
+++ b/src/cowrie/output/axiom.py
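Review bot: The new `[output_axiom]` section carries no explanatory comment, unlike the neighbouring sections of this file (the context lines show `# protocol options: udp or tcp` / `# (default: udp)`), so a reader is not told what `dataset` refers to or where `api_token` comes from. A short header such as `# Send events to Axiom (axiom.co); api_token is an Axiom API token allowed to ingest into the named dataset` would bring the section in line with the rest of the file. Since `api_token` is a plaintext credential, the comment could also remind operators to keep the live config file readable only by the account cowrie runs as.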
@@ -0,0 +1,61 @@
+# Simple Telegram Bot logger
+
+import json
+
+from twisted.internet import defer
+from twisted.python import log
+from twisted.web import http_headers
+
+import treq
+
+import cowrie.core.output
+from cowrie.core.config import CowrieConfig
+
+
+AXIOM_URL = "https://api.axiom.co/v1"
+
+
+class Output(cowrie.core.output.Output):
+    """
+    axiom.co output
+    """
+
+    def start(self) -> None:
+        self.api_token = CowrieConfig.get("output_axiom", "api_token")
+        self.dataset = CowrieConfig.get("output_axiom", "dataset")
+        self.headers = http_headers.Headers(
+            {
+                b"Content-Type": [b"application/json"],
+                b"Authorization": [f"Bearer {self.api_token}".encode()],
+            }
+        )
+        self.url = f"{AXIOM_URL}/datasets/{self.dataset}/ingest"
+
+    def stop(self) -> None:
+        pass
+
+    def log_response(self, out):
+        print(out.text())
+
+    @defer.inlineCallbacks
+    def write(self, event):
+        event["_time"] = event.pop("timestamp")
+        for i in list(event.keys()):
+            # Remove twisted 15 legacy keys
+            if i.startswith("log_") or i == "time" or i == "system":
+                del event[i]
+
+        try:
+            msg = json.dumps(event, separators=(",", ":")).encode()
+        except TypeError:
+            msg = "jsonlog: Can't serialize: '" + repr(event) + "'".encode()
+
+        resp = yield treq.post(
+            self.url,
+            data=b"[" + msg + b"]",
+            headers=self.headers,
+        )
+
+        if resp.code != 200:
+            error = yield resp.text()
+            print(error)
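Review bot: The fallback in the `except TypeError:` branch of `write` raises a second TypeError instead of producing a message, because `.encode()` binds only to the final `"'"` literal and the result is then concatenated `str + bytes`; it should be `msg = f"jsonlog: Can't serialize: '{event!r}'".encode()`. Even with that fixed the fallback is not JSON, so the `b"[" + msg + b"]"` body posted to the ingest endpoint would presumably be rejected; logging the unserializable event locally and returning early would be safer than sending it. The file header `# Simple Telegram Bot logger` looks copied from another output plugin and should read `# Axiom (axiom.co) output`. `log` is imported but never used while the error path uses `print(error)`; `log.msg(...)` would route it through cowrie's normal logging. `log_response` prints `out.text()`, which in treq returns a Deferred rather than the body text, and nothing in the hunk calls it, so it can be dropped or rewritten to use the yielded text as `write` already does.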