Merge pull request #3358 from Security-Onion-Solutions/delta

FEATURE: Initial support for viewing Osquery Live Query results in Hunt

salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja

@@ -0,0 +1,19 @@
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+
+input {
+	redis {
+		host => '{{ MANAGER }}'
+		port => 6379
+		data_type => 'pattern_channel'
+		key => 'results_*'
+		type => 'live_query'
+        add_field => {
+        "module" => "osquery"
+          "dataset" => "live_query"
+          }        
+		threads => {{ THREADS }}
+		batch_count => {{ BATCH }}
+	}
+}

salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja

@@ -4,7 +4,7 @@
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 output {
-  if [module] =~ "osquery" {
+  if [module] =~ "osquery" and "live_query" not in [dataset] {
     elasticsearch {
       pipeline => "%{module}.%{dataset}" 
       hosts => "{{ ES }}"

salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja

@@ -0,0 +1,43 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+
+filter {
+  if [type] =~ "live_query" {
+
+    mutate {
+        rename => {
+            "[host][hostname]" => "computer_name"
+        }
+    }
+
+ prune {
+        blacklist_names => ["host"]
+      }
+    
+ split {
+   field => "rows"
+  }
+ }
+}
+
+
+output {
+  if [type] =~ "live_query" {
+    elasticsearch {
+      pipeline => "osquery.live_query" 
+      hosts => "{{ ES }}"
+      index => "so-osquery"
+      template_name => "so-osquery"
+      template => "/templates/so-osquery-template.json"
+      template_overwrite => true
+      {%- if grains['role'] in ['so-node','so-heavynode'] %}
+      ssl => true
+      ssl_certificate_verification => false
+      {%- endif %}
+    }
+  }
+}