#######################################################
## First time Install of sek_ase_auditor
#######################################################

## as "root" or "sybase"
## First-time install runbook, meant to be pasted step by step into an interactive shell:
## the 'su - sybase' below opens a new login shell, so this does not work as a batch script.
## Creating the directory under /opt and chown'ing it to the sybase account typically needs root.
mkdir /opt/sek_ase_auditor
chown sybase:sybase /opt/sek_ase_auditor

## Become 'sybase'
## Everything from here on runs under the 'sybase' account, which owns /opt/sek_ase_auditor.
su - sybase

## Download first time to '/tmp/sek_ase_auditor'
## Copy 1 file (which will be used to do the install)
## NOTE(review): the archive is fetched over https but its integrity is not checked (no checksum or
##   signature); compare it against a hash published out of band (<EXPECTED_SHA256>) before unzipping.
## NOTE(review): /tmp/sek_ase_auditor is a fixed, predictable path in a shared directory; a private
##   staging dir (mktemp -d) keeps other local users from reading or replacing the files before the copy.
wget -P /tmp/sek_ase_auditor https://gorans.org/www/sek_ase_auditor/tmp/sek_ase_auditor_2023-06-11.zip 
cd /tmp/sek_ase_auditor
unzip sek_ase_auditor_2023-06-11.zip 
## Only the bootstrap installer is kept from the archive; presumably it re-extracts the release itself (see below).
cp /tmp/sek_ase_auditor/resources/xtract_install_auditor.sh /opt/sek_ase_auditor/

## Goto the "real" install dir, and make an install
cd /opt/sek_ase_auditor/
## The staging copy is not needed once the installer has been copied out of it.
rm -rf /tmp/sek_ase_auditor
## The installer runs with the sybase account's privileges: review its contents before executing it.
chmod 755 xtract_install_auditor.sh
./xtract_install_auditor.sh  ## This is what we will use in the future to install a new release

## Copy the config file and edit it...
## '0/' appears to be the release directory the installer created; the template is copied out of it,
## presumably so that a later install does not overwrite local edits — TODO confirm.
cp 0/conf/sek_ase_auditor.properties .
## edit the config file
## NOTE(review): if the properties file holds credentials (DB login, Splunk HEC token), restrict it
##   to the owner (chmod 600); cp does not tighten the permissions it copies.
vi sek_ase_auditor.properties

## Copy Start/Stop script
## Helper scripts are copied out of the release directory and made executable (755 = world-readable/executable).
cp 0/resources/start_auditor.sh .         ; chmod 755 start_auditor.sh
cp 0/resources/stop_auditor.sh .          ; chmod 755 stop_auditor.sh
cp 0/resources/list_auditor.sh .          ; chmod 755 list_auditor.sh
cp 0/resources/tail_auditor_console.sh .  ; chmod 755 tail_auditor_console.sh

## Now lets start and test




----
-- Least-privilege grants for the auditor's ASE login (audit_user).
-- mon_role: the server-level role needed to read the monitoring (MDA) tables;
-- confirm the auditor needs nothing beyond this before granting anything wider.
grant role mon_role to audit_user 
-- audit_user must exist as a user in master before the grant below; presumably
-- added with sp_adduser (unverified, hence "probably").
--probably: master..sp_adduser audit_user
-- sysloginroles is a master system table, so run this grant in the master database.
grant select on sysloginroles to audit_user

-- new: 16.0  SP2 PL8
-- new: 16.0  SP2 PL8


Test sending to Splunk:
## Manual HEC (HTTP Event Collector) smoke tests against the Splunk test host.
## NOTE(review): the "Authorization: Splunk <token>" value is a live credential kept in clear text;
##   keep it out of notes/VCS (e.g. pass it via an env var or `-H @file`) and rotate it if this file has been shared.
## NOTE(review): the endpoint is plain http://, so the token and payload cross the network unencrypted;
##   -k only disables certificate verification — a no-op on http, but it would weaken a later switch to https.
## The JSON body is single-quoted, so "$asset" is sent literally; the shell does not expand it.
curl -k -H "Authorization: Splunk e3276d6d-1fd2-430b-9cca-9907ce34fa9a" http://sek-splunktest.sek.se:8088/services/collector/event -d '{"sourcetype": "some-fields", "fields":"$asset"}'
## /raw endpoint: the body is taken as raw event text rather than parsed as HEC JSON.
curl -k -H "Authorization: Splunk e3276d6d-1fd2-430b-9cca-9907ce34fa9a" http://sek-splunktest.sek.se:8088/services/collector/raw -d '{"sourcetype": "some-fields", "fields":"dummy-test"}'

## /event endpoint with the payload wrapped in an "event" object, the shape HEC expects.
curl -k -H "Authorization: Splunk e3276d6d-1fd2-430b-9cca-9907ce34fa9a" http://sek-splunktest.sek.se:8088/services/collector/event -d '{"event": { "dummyField":"DummyValue" } }'


## Explicit POST with a Content-Type header (-d already implies POST; the extra header is what differs from the calls above).
curl -X POST http://sek-splunktest.sek.se:8088/services/collector -H "Authorization: Splunk e3276d6d-1fd2-430b-9cca-9907ce34fa9a" -H 'Content-Type: application/json' -d '{"event":"Hello, World2!"}'




## AT HOME test
## Same HEC smoke tests against a home lab instance (splunk-1-gs) with its own token.
## NOTE(review): the token is a clear-text credential in a notes file (keep it out of VCS, rotate if shared),
##   the transport is plain http:// (token sent unencrypted), and -k has no effect on http.
curl -k -H "Authorization: Splunk 4bccb251-43f7-413b-8a03-029040d2e330" http://splunk-1-gs:8088/services/collector/raw -d '{"sourcetype": "some-fields", "fields":"dummy-test"}'

## GET vs POST with the same body: HEC is documented for POST; the GET variant is presumably here to compare
## the error response (TODO confirm what it was meant to show).
curl -k -X GET  -H "Authorization: Splunk 4bccb251-43f7-413b-8a03-029040d2e330" http://splunk-1-gs:8088/services/collector/event -d '{"event": { "dummyField":"DummyValue" } }'
curl -k -X POST -H "Authorization: Splunk 4bccb251-43f7-413b-8a03-029040d2e330" http://splunk-1-gs:8088/services/collector/event -d '{"event": { "dummyField":"DummyValue" } }'


TODO: Splunk Writer... map the HTTP response code to a text explanation...






403 -- Forbidden from: http://sek-splunktest.sek.se:8088/services/collector/event

Lasse: This is what I get in the log
06-12-2023 14:46:54.844 +0200 ERROR HttpInputDataHandler [21315 HttpDedicatedIoThread-0] - Failed processing http input, token name=n/a, channel=n/a, source_IP=10.46.30.136, reply=4, events_processed=0, http_input_body_size=2738, parsing_err=""
06-12-2023 14:46:54.844 +0200 ERROR HttpInputDataHandler [21315 HttpDedicatedIoThread-0] - 
Failed processing http input, 
	token name=n/a, 
	channel=n/a, 
	source_IP=10.46.30.136, 
	reply=4, 
	events_processed=0, 
	http_input_body_size=2738, 
	parsing_err=""



Possibly check file: .../splunk/var/log/