Run Identity Reports with FlyScript

The FlyScript SDK includes built-in support for running Active Directory reports against Profiler appliances, and the programmability of FlyScript makes some pretty nifty aggregated reports possible.  Chris has written up a great walkthrough on Profiler reporting and creating a helpful command-line application in the post "Profiler Reporting via FlyScript"; here we will leverage much of that to show how we can tie separate report types together.

 

On Profiler, you can run the Active Directory report and get a listing of all login events for users in the network with details of specific hosts, time of event, user ID, and whether the login was successful or not.

 

The Basic Script

 

Let's generate the same thing using FlyScript:

 

#!/usr/bin/env python

import rvbd.profiler
from rvbd.common.service import UserAuth
from rvbd.common.utils import Formatter
from rvbd.profiler.filters import TimeFilter
from rvbd.profiler.report import IdentityReport

host = '<insert_hostname_here>'
auth = UserAuth('<username>', '<password>')

profiler = rvbd.profiler.Profiler(host, auth)

tf = TimeFilter.parse_range('last 10 minutes')

report = IdentityReport(profiler)
report.run(timefilter=tf)
data = report.get_data()
legend = report.get_legend()

Formatter.print_table(data, [c.key for c in legend])

 

Running this short script will provide text output like the following:

 

> python identity.py
time          username         full_username  login_ok  host_ip       host_dns       host_switch                    host_switch_dns                domain    
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
1372858243.0  ted-nugent                      t         10.99.17.12   10.99.17.12|   10.99.17.251:FastEthernet0/13  10.99.17.251:FastEthernet0/13  riverbed.com
1372858242.0  ted-nugent                      t         10.99.16.44   10.99.16.44|                                                                 riverbed.com
1372858242.0  julianna-small                  t         10.99.15.142  10.99.15.142|                                                                riverbed.com
1372858242.0  jack-bean                       t         10.99.14.93   10.99.14.93|                                                                 riverbed.com
1372858242.0  bob-sellers                     t         10.99.16.35   10.99.16.35|                                                                 riverbed.com
1372858242.0  sam-smeltzer                    t         10.99.13.134  10.99.13.134|                                                                riverbed.com
1372858242.0  jack-bean                       t         10.99.16.6    10.99.16.6|    10.99.16.251:FastEthernet0/23  10.99.16.251:FastEthernet0/23  riverbed.com
... <continues> ...

 

This is great: as we have seen with the other FlyScript examples, only a few lines of Python code were enough to quickly extract meaningful data from our Riverbed appliance, giving us the flexibility to process it through other data pipelines.
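One way to feed these rows into a simple detection step, as an added example that is not part of the original post or the FlyScript SDK: it takes rows in the shape `report.get_data()` returns above and flags users with a burst of failed logins or with successful logins on many hosts. The sample rows, the thresholds, the function name `flag_logins` and the `'f'` value for a failed login are assumptions (the output above only shows `'t'`).

```python
from collections import defaultdict

# Column order taken from the identity report output shown above.
LEGEND_KEYS = ['time', 'username', 'full_username', 'login_ok', 'host_ip',
               'host_dns', 'host_switch', 'host_switch_dns', 'domain']

# Constructed sample rows in the shape report.get_data() returns.
# Assumption: a failed login carries login_ok == 'f' (the page only shows 't').
SAMPLE_ROWS = [
    [1372858200.0, 'jack-bean', '', 't', '10.99.14.93', '10.99.14.93|', '', '', 'riverbed.com'],
    [1372858210.0, 'sam-smeltzer', '', 'f', '10.99.13.134', '10.99.13.134|', '', '', 'riverbed.com'],
    [1372858220.0, 'sam-smeltzer', '', 'f', '10.99.13.134', '10.99.13.134|', '', '', 'riverbed.com'],
    [1372858225.0, 'sam-smeltzer', '', 'f', '10.99.13.135', '10.99.13.135|', '', '', 'riverbed.com'],
    [1372858230.0, 'ted-nugent', '', 't', '10.99.17.12', '10.99.17.12|', '', '', 'riverbed.com'],
    [1372858240.0, 'ted-nugent', '', 't', '10.99.16.44', '10.99.16.44|', '', '', 'riverbed.com'],
    [1372858250.0, 'ted-nugent', '', 't', '10.99.15.9', '10.99.15.9|', '', '', 'riverbed.com'],
    [1372858900.0, 'jack-bean', '', 'f', '10.99.16.6', '10.99.16.6|', '', '', 'riverbed.com'],
]


def flag_logins(rows, legend_keys, window=300, max_failures=3, max_hosts=3):
    """Flag users with >= max_failures failed logins inside `window` seconds,
    or successful logins on >= max_hosts distinct hosts in the report."""
    failures = defaultdict(list)   # username -> failure timestamps
    hosts = defaultdict(set)       # username -> hosts with a successful login
    for row in rows:
        login = dict(zip(legend_keys, row))
        if login['login_ok'] == 't':
            hosts[login['username']].add(login['host_ip'])
        else:  # anything other than 't' is treated as a failure
            failures[login['username']].append(login['time'])

    findings = {}
    for user, times in failures.items():
        times.sort()
        # sliding window: compare each failure with the one max_failures-1 earlier
        for i in range(max_failures - 1, len(times)):
            if times[i] - times[i - max_failures + 1] <= window:
                findings.setdefault(user, []).append('failed-login burst')
                break
    for user, seen in hosts.items():
        if len(seen) >= max_hosts:
            findings.setdefault(user, []).append('logins on %d hosts' % len(seen))
    return findings


if __name__ == '__main__':
    for user, reasons in sorted(flag_logins(SAMPLE_ROWS, LEGEND_KEYS).items()):
        print('%s: %s' % (user, ', '.join(reasons)))
```

Against a live appliance, pass `report.get_data()` and `[c.key for c in report.get_legend()]` from the script above in place of the constructed samples.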

 

Tie it together with a Traffic Report

 

We can quickly expand this simple script to run a traffic report for a host that a particular user has logged into.  The code below runs the identity report above, then searches through the results and finds the first instance of our user of interest, 'don-corleone'.  It then uses the host of that login event as the basis of a traffic report from that login time up until now.

 

#!/usr/bin/env python

import datetime

import rvbd.profiler
from rvbd.common.service import UserAuth
from rvbd.common.utils import Formatter
from rvbd.profiler.filters import TimeFilter, TrafficFilter
from rvbd.profiler.report import IdentityReport, TrafficOverallTimeSeriesReport

host = '<insert_hostname_here>'
auth = UserAuth('<username>', '<password>')

# this is the username we will search for in the Active Directory results
username = 'don-corleone'

# setup a new Profiler instance, and initialize an Identity Report
profiler = rvbd.profiler.Profiler(host, auth=auth)
report = IdentityReport(profiler)

# choose a timeframe to look at and run the report
tf = TimeFilter.parse_range('last 20 minutes')
report.run(timefilter=tf)
data = report.get_data()

legend = report.get_legend()
legend_keys = [c.key for c in legend]

# let's loop through all the data results, in reverse order
for login in data[::-1]:
    # each of the entries is a list of data
    # this line will make it easier to reference the data elements
    # by turning it into a dictionary
    login = dict(zip(legend_keys, login))

    user = login['username']

    # look for the username we assigned above
    if user == username:
        time = datetime.datetime.fromtimestamp(login['time'])
        host = login['host_dns'].strip('|')

        # setup the filters for a new traffic report
        traffic_expr = TrafficFilter('host %s' % host)
        timefilter = TimeFilter(time, datetime.datetime.now())
        columns = ['time', 'total_bytes', 'avg_bytes']

        # initialize the report and run it
        timeseries = TrafficOverallTimeSeriesReport(profiler)
        timeseries.run(columns, timefilter=timefilter, trafficexpr=traffic_expr)

        tdata = timeseries.get_data()

        # print out the results
        print 'Login found for user %s' % username
        print login
        print '-' * 80
        print 'Traffic Summary on host %s during timeframe %s to %s:' % (host,
                                                                         timefilter.start,
                                                                         timefilter.end)
        Formatter.print_table(tdata, columns)

        # and stop looking through the data, we only care about the first
        # login event for our user
        break

 

Saving this as a file and running that with your Profiler data filled in will give something like the following:

 

> python blog_identity2.py
Login found for user don-corleone
{'username': 'don-corleone', 'host_switch_dns': '10.99.13.251:FastEthernet0/0',
'host_switch': '10.99.13.251:FastEthernet0/0', 'host_ip': '10.99.13.112', 'full_username': '',
'domain': 'riverbed.com', 'time': 1372860612.0, 'login_ok': 't', 'host_dns': '10.99.13.112|'}
--------------------------------------------------------------------------------
Traffic Summary on host 10.99.13.112 during timeframe 2013-07-03 10:10:12 to 2013-07-03 10:24:02:

time            total_bytes    avg_bytes     
------------------------------------------------
1372860600.0    531043         8850.71666667 
1372860660.0    1065272        17754.5333333 
1372860720.0    416674         6944.56666667 
1372860780.0    958705         15978.4166667 
1372860840.0    476504         7941.73333333 

 

The traffic columns have been fixed to only three here, and the overall script doesn't include a whole lot of flexibility -- but it can be easily expanded in a variety of ways.  In fact, included with the FlyScript SDK is an example script called `identity_report.py` which has many options available to perform advanced correlations with traffic reports.  Be sure to take a look!