Question

我已经使用python写了一个portscanner，它会发送“非法端口打开”通知作为pagerduty的事件。整合工作正常，但有一个小问题让我感到困扰。我无法为每个拥有开放端口的主机发送唯一事件。让我们假设我的脚本扫描了2个主机并发现找到了非法端口，并向pagerduty发送通知，如下所示：

 for serv in host.services:
                if serv.port not in safe_port:
                  print ('Illegal Port open :'+str(serv.port)+'/'+str(serv.protocol)+' '+str(serv.service)+', on host=> '+str(host))

                  notify_slack_forbidden_port(str(serv.port),str(serv.protocol),str(serv.service),str(host))
                  ######
                  notify_pagerduty_forbidden_port(str(serv.port),str(serv.protocol),str(serv.service),str(host))
                else:

notify_pagerduty_forbidden_port的函数定义如下：

def notify_pagerduty_forbidden_port(a,b,c,d):      ## Call this when a Forbidden port has been open up 
    headers = {
        'Authorization': 'Token token={0}'.format(API_ACCESS_KEY),
        'Content-type': 'application/json',
    }
    payload = json.dumps({
      "service_key": API_ACCESS_KEY,
      "incident_key": "illegal/port",
      "event_type": "trigger",
      "description": "A Illegle port was found open"+str(a)+"/ "+str(b)+" service "+str(c)+" on "+str(d)+" Found in "+str(box_name),
    })
    print "Sending to Pagerduty",payload
    r = requests.post(
                    'https://events.pagerduty.com/generic/2010-04-15/create_event.json',
                    headers=headers,
                    data=payload,
    )
    print "Done!"

我的问题是，当这个被发送到Pagerduty时，这被视为一个事件，而不是不同的事件：

我希望每个主机中的每个开放端口都会生成不同的incedent。

Answer 1

docs：

中描述了此行为

incident_key - Identifies the incident to which this trigger event should be applied. If there's no open (i.e. unresolved) incident with this key, a new one will be created. If there's already an open incident with a matching key, this event will be appended to that incident's log. The event key provides an easy way to "de-dup" problem reports.

因此，如果您在每次插入新问题时使用其他incident_key，则会获得新的问题ID。

Pagerduty在一次事件中对事件进行分组

1 个答案: