From 0622c77a7f51dda93ddce0bbf2f12b2b8cbb925f Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 4 May 2021 10:50:13 -0400 Subject: [PATCH] Add filebeat modules --- salt/filebeat/modules/activemq.yml.disabled | 19 ++ salt/filebeat/modules/apache.yml.disabled | 19 ++ salt/filebeat/modules/auditd.yml.disabled | 10 + salt/filebeat/modules/aws.yml.disabled | 255 ++++++++++++++++++ salt/filebeat/modules/azure.yml.disabled | 45 ++++ salt/filebeat/modules/barracuda.yml.disabled | 41 +++ salt/filebeat/modules/bluecoat.yml.disabled | 22 ++ salt/filebeat/modules/cef.yml.disabled | 17 ++ salt/filebeat/modules/checkpoint.yml.disabled | 24 ++ salt/filebeat/modules/cisco.yml.disabled | 142 ++++++++++ salt/filebeat/modules/coredns.yml.disabled | 11 + .../filebeat/modules/crowdstrike.yml.disabled | 11 + salt/filebeat/modules/cyberark.yml.disabled | 22 ++ salt/filebeat/modules/cylance.yml.disabled | 22 ++ .../modules/elasticsearch.yml.disabled | 35 +++ salt/filebeat/modules/envoyproxy.yml.disabled | 11 + salt/filebeat/modules/f5.yml.disabled | 41 +++ salt/filebeat/modules/fortinet.yml.disabled | 83 ++++++ salt/filebeat/modules/gcp.yml.disabled | 76 ++++++ .../modules/google_workspace.yml.disabled | 53 ++++ .../filebeat/modules/googlecloud.yml.disabled | 58 ++++ salt/filebeat/modules/gsuite.yml.disabled | 53 ++++ salt/filebeat/modules/haproxy.yml.disabled | 14 + salt/filebeat/modules/ibmmq.yml.disabled | 11 + salt/filebeat/modules/icinga.yml.disabled | 27 ++ salt/filebeat/modules/iis.yml.disabled | 20 ++ salt/filebeat/modules/imperva.yml.disabled | 22 ++ salt/filebeat/modules/infoblox.yml.disabled | 22 ++ salt/filebeat/modules/iptables.yml.disabled | 13 + salt/filebeat/modules/juniper.yml.disabled | 54 ++++ salt/filebeat/modules/kafka.yml.disabled | 15 ++ salt/filebeat/modules/kibana.yml.disabled | 19 ++ salt/filebeat/modules/logstash.yml.disabled | 18 ++ salt/filebeat/modules/microsoft.yml.disabled | 49 ++++ salt/filebeat/modules/misp.yml.disabled | 17 ++ salt/filebeat/modules/mongodb.yml.disabled | 11 + salt/filebeat/modules/mssql.yml.disabled | 
11 + salt/filebeat/modules/mysql.yml.disabled | 19 ++ .../modules/mysqlenterprise.yml.disabled | 14 + salt/filebeat/modules/nats.yml.disabled | 11 + salt/filebeat/modules/netflow.yml.disabled | 14 + salt/filebeat/modules/netscout.yml.disabled | 22 ++ salt/filebeat/modules/nginx.yml.disabled | 27 ++ salt/filebeat/modules/o365.yml.disabled | 48 ++++ salt/filebeat/modules/okta.yml.disabled | 10 + salt/filebeat/modules/oracle.yml.disabled | 13 + salt/filebeat/modules/osquery.yml.disabled | 15 ++ salt/filebeat/modules/panw.yml.disabled | 22 ++ salt/filebeat/modules/pensando.yml.disabled | 13 + salt/filebeat/modules/postgresql.yml.disabled | 11 + salt/filebeat/modules/proofpoint.yml.disabled | 22 ++ salt/filebeat/modules/rabbitmq.yml.disabled | 11 + salt/filebeat/modules/radware.yml.disabled | 22 ++ salt/filebeat/modules/redis.yml.disabled | 21 ++ salt/filebeat/modules/santa.yml.disabled | 9 + salt/filebeat/modules/snort.yml.disabled | 22 ++ salt/filebeat/modules/snyk.yml.disabled | 112 ++++++++ salt/filebeat/modules/sonicwall.yml.disabled | 22 ++ salt/filebeat/modules/sophos.yml.disabled | 46 ++++ salt/filebeat/modules/squid.yml.disabled | 22 ++ salt/filebeat/modules/suricata.yml.disabled | 11 + salt/filebeat/modules/system.yml.disabled | 19 ++ .../filebeat/modules/threatintel.yml.disabled | 105 ++++++++ salt/filebeat/modules/tomcat.yml.disabled | 22 ++ salt/filebeat/modules/traefik.yml.disabled | 11 + salt/filebeat/modules/zeek.yml.disabled | 84 ++++++ salt/filebeat/modules/zoom.yml.disabled | 22 ++ salt/filebeat/modules/zscaler.yml.disabled | 22 ++ 68 files changed, 2237 insertions(+) create mode 100644 salt/filebeat/modules/activemq.yml.disabled create mode 100644 salt/filebeat/modules/apache.yml.disabled create mode 100644 salt/filebeat/modules/auditd.yml.disabled create mode 100644 salt/filebeat/modules/aws.yml.disabled create mode 100644 salt/filebeat/modules/azure.yml.disabled create mode 100644 salt/filebeat/modules/barracuda.yml.disabled create mode 100644 
salt/filebeat/modules/bluecoat.yml.disabled create mode 100644 salt/filebeat/modules/cef.yml.disabled create mode 100644 salt/filebeat/modules/checkpoint.yml.disabled create mode 100644 salt/filebeat/modules/cisco.yml.disabled create mode 100644 salt/filebeat/modules/coredns.yml.disabled create mode 100644 salt/filebeat/modules/crowdstrike.yml.disabled create mode 100644 salt/filebeat/modules/cyberark.yml.disabled create mode 100644 salt/filebeat/modules/cylance.yml.disabled create mode 100644 salt/filebeat/modules/elasticsearch.yml.disabled create mode 100644 salt/filebeat/modules/envoyproxy.yml.disabled create mode 100644 salt/filebeat/modules/f5.yml.disabled create mode 100644 salt/filebeat/modules/fortinet.yml.disabled create mode 100644 salt/filebeat/modules/gcp.yml.disabled create mode 100644 salt/filebeat/modules/google_workspace.yml.disabled create mode 100644 salt/filebeat/modules/googlecloud.yml.disabled create mode 100644 salt/filebeat/modules/gsuite.yml.disabled create mode 100644 salt/filebeat/modules/haproxy.yml.disabled create mode 100644 salt/filebeat/modules/ibmmq.yml.disabled create mode 100644 salt/filebeat/modules/icinga.yml.disabled create mode 100644 salt/filebeat/modules/iis.yml.disabled create mode 100644 salt/filebeat/modules/imperva.yml.disabled create mode 100644 salt/filebeat/modules/infoblox.yml.disabled create mode 100644 salt/filebeat/modules/iptables.yml.disabled create mode 100644 salt/filebeat/modules/juniper.yml.disabled create mode 100644 salt/filebeat/modules/kafka.yml.disabled create mode 100644 salt/filebeat/modules/kibana.yml.disabled create mode 100644 salt/filebeat/modules/logstash.yml.disabled create mode 100644 salt/filebeat/modules/microsoft.yml.disabled create mode 100644 salt/filebeat/modules/misp.yml.disabled create mode 100644 salt/filebeat/modules/mongodb.yml.disabled create mode 100644 salt/filebeat/modules/mssql.yml.disabled create mode 100644 salt/filebeat/modules/mysql.yml.disabled create mode 100644 
salt/filebeat/modules/mysqlenterprise.yml.disabled create mode 100644 salt/filebeat/modules/nats.yml.disabled create mode 100644 salt/filebeat/modules/netflow.yml.disabled create mode 100644 salt/filebeat/modules/netscout.yml.disabled create mode 100644 salt/filebeat/modules/nginx.yml.disabled create mode 100644 salt/filebeat/modules/o365.yml.disabled create mode 100644 salt/filebeat/modules/okta.yml.disabled create mode 100644 salt/filebeat/modules/oracle.yml.disabled create mode 100644 salt/filebeat/modules/osquery.yml.disabled create mode 100644 salt/filebeat/modules/panw.yml.disabled create mode 100644 salt/filebeat/modules/pensando.yml.disabled create mode 100644 salt/filebeat/modules/postgresql.yml.disabled create mode 100644 salt/filebeat/modules/proofpoint.yml.disabled create mode 100644 salt/filebeat/modules/rabbitmq.yml.disabled create mode 100644 salt/filebeat/modules/radware.yml.disabled create mode 100644 salt/filebeat/modules/redis.yml.disabled create mode 100644 salt/filebeat/modules/santa.yml.disabled create mode 100644 salt/filebeat/modules/snort.yml.disabled create mode 100644 salt/filebeat/modules/snyk.yml.disabled create mode 100644 salt/filebeat/modules/sonicwall.yml.disabled create mode 100644 salt/filebeat/modules/sophos.yml.disabled create mode 100644 salt/filebeat/modules/squid.yml.disabled create mode 100644 salt/filebeat/modules/suricata.yml.disabled create mode 100644 salt/filebeat/modules/system.yml.disabled create mode 100644 salt/filebeat/modules/threatintel.yml.disabled create mode 100644 salt/filebeat/modules/tomcat.yml.disabled create mode 100644 salt/filebeat/modules/traefik.yml.disabled create mode 100644 salt/filebeat/modules/zeek.yml.disabled create mode 100644 salt/filebeat/modules/zoom.yml.disabled create mode 100644 salt/filebeat/modules/zscaler.yml.disabled diff --git a/salt/filebeat/modules/activemq.yml.disabled b/salt/filebeat/modules/activemq.yml.disabled new file mode 100644 index 000000000..43536ecbc --- /dev/null 
+++ b/salt/filebeat/modules/activemq.yml.disabled @@ -0,0 +1,19 @@ +# Module: activemq +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-activemq.html + +- module: activemq + # Audit logs + audit: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Application logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/apache.yml.disabled b/salt/filebeat/modules/apache.yml.disabled new file mode 100644 index 000000000..b923dd581 --- /dev/null +++ b/salt/filebeat/modules/apache.yml.disabled @@ -0,0 +1,19 @@ +# Module: apache +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-apache.html + +- module: apache + # Access logs + access: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Error logs + error: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/auditd.yml.disabled b/salt/filebeat/modules/auditd.yml.disabled new file mode 100644 index 000000000..76296ec85 --- /dev/null +++ b/salt/filebeat/modules/auditd.yml.disabled @@ -0,0 +1,10 @@ +# Module: auditd +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-auditd.html + +- module: auditd + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/aws.yml.disabled b/salt/filebeat/modules/aws.yml.disabled new file mode 100644 index 000000000..904bd976c --- /dev/null +++ b/salt/filebeat/modules/aws.yml.disabled 
@@ -0,0 +1,255 @@ +# Module: aws +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-aws.html + +- module: aws + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Process CloudTrail logs + # default is true, set to false to skip Cloudtrail logs + # var.process_cloudtrail_logs: false + + # Process CloudTrail Digest logs + # default true, set to false to skip CloudTrail Digest logs + # var.process_digest_logs: false + + # Process CloudTrail Insight logs + # default true, set to false to skip CloudTrail Insight logs + # var.process_insight_logs: false + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + cloudwatch: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + ec2: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + elb: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + s3access: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + vpcflow: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. + #var.max_number_of_messages: 5 diff --git a/salt/filebeat/modules/azure.yml.disabled b/salt/filebeat/modules/azure.yml.disabled new file mode 100644 index 000000000..3b2bc1ecf --- /dev/null +++ b/salt/filebeat/modules/azure.yml.disabled 
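Review bot: The `#var.access_key_id` / `#var.secret_access_key` / `#var.session_token` placeholders repeated in every fileset (cloudtrail through vpcflow) invite operators to uncomment static keys into a file that, judging by the `salt/filebeat/modules/` path, is presumably distributed from the repository to every minion, so any key placed here would end up in version control. Since each fileset already offers `#var.role_arn` and `#var.shared_credential_file`, a header comment above the first fileset steering operators to those, e.g. `# Prefer var.role_arn or a credential file outside the salt tree; do not commit static keys here`, would be worth adding. The same placeholders recur in the cisco `umbrella` fileset later in this patch.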
@@ -0,0 +1,45 @@ +# Module: azure +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-azure.html + +- module: azure + # All logs + activitylogs: + enabled: true + var: + # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub + eventhub: "insights-operational-logs" + # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module + consumer_group: "$Default" + # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string + connection_string: "" + # the name of the storage account the state/offsets will be stored and updated + storage_account: "" + # the storage account key, this key will be used to authorize access to data in your storage account + storage_account_key: "" + + platformlogs: + enabled: false + # var: + # eventhub: "" + # consumer_group: "$Default" + # connection_string: "" + # storage_account: "" + # storage_account_key: "" + + + auditlogs: + enabled: false + # var: + # eventhub: "insights-logs-auditlogs" + # consumer_group: "$Default" + # connection_string: "" + # storage_account: "" + # storage_account_key: "" + signinlogs: + enabled: false + # var: + # eventhub: "insights-logs-signinlogs" + # consumer_group: "$Default" + # connection_string: "" + # storage_account: "" + # storage_account_key: "" diff --git a/salt/filebeat/modules/barracuda.yml.disabled b/salt/filebeat/modules/barracuda.yml.disabled new file mode 100644 index 000000000..99ff85036 --- /dev/null +++ b/salt/filebeat/modules/barracuda.yml.disabled 
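Review bot: `activitylogs` is the only azure fileset that ships `enabled: true`, yet its `connection_string`, `storage_account` and `storage_account_key` are empty strings, so enabling this file starts an input that has nothing to authenticate with. Either set `enabled: false` to match `platformlogs`, `auditlogs` and `signinlogs`, or leave the `var:` block commented as those three do, so that enabling the module requires deliberate configuration. `connection_string` and `storage_account_key` are secrets and are better sourced from pillar than edited into this tracked file. Style: the double blank line before `auditlogs` and the missing blank line before `signinlogs` break the spacing used between the other filesets.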
@@ -0,0 +1,41 @@ +# Module: barracuda +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-barracuda.html + +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + spamfirewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9524 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/bluecoat.yml.disabled b/salt/filebeat/modules/bluecoat.yml.disabled new file mode 100644 index 000000000..6550c8eed --- /dev/null +++ b/salt/filebeat/modules/bluecoat.yml.disabled @@ -0,0 +1,22 @@ +# Module: bluecoat +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-bluecoat.html + +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/salt/filebeat/modules/cef.yml.disabled b/salt/filebeat/modules/cef.yml.disabled new file mode 100644 index 000000000..2de22edcc --- /dev/null +++ b/salt/filebeat/modules/cef.yml.disabled @@ -0,0 +1,17 @@ +# Module: cef +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cef.html + +- module: cef + log: + enabled: true + var: + syslog_host: localhost + syslog_port: 9003 + + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] diff --git a/salt/filebeat/modules/checkpoint.yml.disabled b/salt/filebeat/modules/checkpoint.yml.disabled new file mode 100644 index 000000000..9d34b8d72 --- /dev/null +++ b/salt/filebeat/modules/checkpoint.yml.disabled @@ -0,0 +1,24 @@ +# Module: checkpoint +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-checkpoint.html + +- module: checkpoint + firewall: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9001. + #var.syslog_port: 9001 + + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] diff --git a/salt/filebeat/modules/cisco.yml.disabled b/salt/filebeat/modules/cisco.yml.disabled new file mode 100644 index 000000000..9e4658045 --- /dev/null +++ b/salt/filebeat/modules/cisco.yml.disabled 
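Review bot: `cef.log` sets `syslog_port: 9003` explicitly, which is the same port the cisco `ftd` fileset documents as its default in the following hunk (`#var.syslog_port: 9003`), and `checkpoint.firewall` in the next hunk defaults to 9001 alongside cisco `asa`; enabling both halves of either pair on one host would presumably give a UDP bind conflict for whichever input starts second. A comment next to the port, e.g. `# 9003 is also the cisco.ftd default; change one if both modules are enabled`, or a distinct port here would make the collision visible to whoever enables these files. The checkpoint hunk would benefit from the same note on 9001.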
@@ -0,0 +1,142 @@ +# Module: cisco +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cisco.html + +- module: cisco + asa: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9001. + #var.syslog_port: 9001 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html + #var.log_level: 7 + + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. 
used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + + ios: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9002. + #var.syslog_port: 9002 + + # Set custom paths for the log files when using file input. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + meraki: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9525 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. 
+ # "+02:00" for GMT+02:00 + # var.tz_offset: local + + umbrella: + enabled: true + + #var.input: aws-s3 + # AWS SQS queue url + #var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue + # Access ID to authenticate with the S3 input + #var.access_key_id: 123456 + # Access key to authenticate with the S3 input + #var.secret_access_key: PASSWORD + # The duration that the received messages are hidden from ReceiveMessage request + #var.visibility_timeout: 300s + # Maximum duration before AWS API request will be interrupted + #var.api_timeout: 120s + + amp: + enabled: true + + # Set which input to use between httpjson (default) or file. + #var.input: httpjson + + # The API URL + #var.url: https://api.amp.cisco.com/v1/events + # The client ID used as a username for the API requests. + #var.client_id: + # The API key related to the client ID. + #var.api_key: + # How far to look back the first time the module is started. Expects an amount of hours. + #var.first_interval: 24h + # Overriding the default request timeout, optional. + #var.request_timeout: 60s diff --git a/salt/filebeat/modules/coredns.yml.disabled b/salt/filebeat/modules/coredns.yml.disabled new file mode 100644 index 000000000..46e9e55c1 --- /dev/null +++ b/salt/filebeat/modules/coredns.yml.disabled @@ -0,0 +1,11 @@ +# Module: coredns +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-coredns.html + +- module: coredns + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/crowdstrike.yml.disabled b/salt/filebeat/modules/crowdstrike.yml.disabled new file mode 100644 index 000000000..8d2c8531d --- /dev/null +++ b/salt/filebeat/modules/crowdstrike.yml.disabled 
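Review bot: All seven cisco filesets are `enabled: true`, but `umbrella` (aws-s3 input) and `amp` (httpjson input) have their queue URL, client ID and API key only as commented placeholders, so enabling this file presumably starts two inputs that cannot succeed until someone edits them. Setting `enabled: false` on `umbrella` and `amp` would keep the syslog-based filesets usable on a plain rename while leaving the credentialed ones opt-in. The `#var.secret_access_key: PASSWORD` and `#var.api_key:` placeholders are secrets that should come from pillar rather than be uncommented into this tracked file, as already raised for the aws module.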
@@ -0,0 +1,11 @@ +# Module: crowdstrike +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-crowdstrike.html + +- module: crowdstrike + + falcon: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/cyberark.yml.disabled b/salt/filebeat/modules/cyberark.yml.disabled new file mode 100644 index 000000000..e97955adf --- /dev/null +++ b/salt/filebeat/modules/cyberark.yml.disabled @@ -0,0 +1,22 @@ +# Module: cyberark +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberark.html + +- module: cyberark + corepas: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9527 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/cylance.yml.disabled b/salt/filebeat/modules/cylance.yml.disabled new file mode 100644 index 000000000..342d654d2 --- /dev/null +++ b/salt/filebeat/modules/cylance.yml.disabled @@ -0,0 +1,22 @@ +# Module: cylance +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cylance.html + +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/salt/filebeat/modules/elasticsearch.yml.disabled b/salt/filebeat/modules/elasticsearch.yml.disabled new file mode 100644 index 000000000..e6074c05e --- /dev/null +++ b/salt/filebeat/modules/elasticsearch.yml.disabled @@ -0,0 +1,35 @@ +# Module: elasticsearch +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-elasticsearch.html + +- module: elasticsearch + # Server log + server: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + gc: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + audit: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + slowlog: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + deprecation: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/envoyproxy.yml.disabled b/salt/filebeat/modules/envoyproxy.yml.disabled new file mode 100644 index 000000000..543b17be5 --- /dev/null +++ b/salt/filebeat/modules/envoyproxy.yml.disabled @@ -0,0 +1,11 @@ +# Module: envoyproxy +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-envoyproxy.html + +- module: envoyproxy + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/f5.yml.disabled b/salt/filebeat/modules/f5.yml.disabled new file mode 100644 index 000000000..959842174 --- /dev/null +++ b/salt/filebeat/modules/f5.yml.disabled 
@@ -0,0 +1,41 @@
+# Module: f5
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-f5.html
+
+- module: f5
+ bigipapm:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9504
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
+
+ bigipafm:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9528
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/fortinet.yml.disabled b/salt/filebeat/modules/fortinet.yml.disabled
new file mode 100644
index 000000000..281b7d788
--- /dev/null
+++ b/salt/filebeat/modules/fortinet.yml.disabled
@@ -0,0 +1,83 @@
+# Module: fortinet
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-fortinet.html
+
+- module: fortinet
+ firewall:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9004
+
+ # Set internal interfaces. used to override parsed network.direction
+ # based on a tagged interface. Both internal and external interfaces must be
+ # set to leverage this functionality.
+ #var.internal_interfaces: [ "LAN" ]
+
+ # Set external interfaces. used to override parsed network.direction
+ # based on a tagged interface. Both internal and external interfaces must be
+ # set to leverage this functionality.
+ #var.external_interfaces: [ "WAN" ]
+
+ clientendpoint:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9510
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
+
+ fortimail:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9529
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
+
+ fortimanager:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9530
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/gcp.yml.disabled b/salt/filebeat/modules/gcp.yml.disabled
new file mode 100644
index 000000000..a09d0fe36
--- /dev/null
+++ b/salt/filebeat/modules/gcp.yml.disabled
@@ -0,0 +1,76 @@
+# Module: gcp
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gcp.html
+
+- module: gcp
+ vpcflow:
+ enabled: true
+
+ # Google Cloud project ID.
+ var.project_id: my-gcp-project-id
+
+ # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
+ # configured to use this topic as a sink for VPC flow logs.
+ var.topic: gcp-vpc-flowlogs
+
+ # Google Pub/Sub subscription for the topic. Filebeat will create this
+ # subscription if it does not exist.
+ var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
+
+ # Credentials file for the service account with authorization to read from
+ # the subscription.
+ var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+
+ # Set internal networks. This is used to classify network.direction based
+ # off of what networks are considered "internal" either base off of a CIDR
+ # block or named network conditions. If this is not specified, then traffic
+ # direction is determined by whether it is between source and destination
+ # instance information rather than IP.
+ #
+ # For a full list of network conditions see:
+ # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
+ #var.internal_networks: [ "private" ]
+
+ firewall:
+ enabled: true
+
+ # Google Cloud project ID.
+ var.project_id: my-gcp-project-id
+
+ # Google Pub/Sub topic containing firewall logs. Stackdriver must be
+ # configured to use this topic as a sink for firewall logs.
+ var.topic: gcp-vpc-firewall
+
+ # Google Pub/Sub subscription for the topic. Filebeat will create this
+ # subscription if it does not exist.
+ var.subscription_name: filebeat-gcp-firewall-sub
+
+ # Credentials file for the service account with authorization to read from
+ # the subscription.
+ var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+
+ # Set internal networks.
This is used to classify network.direction based
+ # off of what networks are considered "internal" either base off of a CIDR
+ # block or named network conditions. If this is not specified, then traffic
+ # is taken from the direction data in the rule_details event payload.
+ #
+ # For a full list of network conditions see:
+ # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
+ #var.internal_networks: [ "private" ]
+
+ audit:
+ enabled: true
+
+ # Google Cloud project ID.
+ var.project_id: my-gcp-project-id
+
+ # Google Pub/Sub topic containing firewall logs. Stackdriver must be
+ # configured to use this topic as a sink for firewall logs.
+ var.topic: gcp-vpc-audit
+
+ # Google Pub/Sub subscription for the topic. Filebeat will create this
+ # subscription if it does not exist.
+ var.subscription_name: filebeat-gcp-audit
+
+ # Credentials file for the service account with authorization to read from
+ # the subscription.
+ var.credentials_file: ${path.config}/gcp-service-account-xyz.json
diff --git a/salt/filebeat/modules/google_workspace.yml.disabled b/salt/filebeat/modules/google_workspace.yml.disabled
new file mode 100644
index 000000000..6d364af98
--- /dev/null
+++ b/salt/filebeat/modules/google_workspace.yml.disabled
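Review bot: In the `audit` fileset the topic comment still reads `# Google Pub/Sub topic containing firewall logs` / `# configured to use this topic as a sink for firewall logs.` while the value below it is `gcp-vpc-audit`, a copy-paste leftover that should say "audit logs" in both lines. Unlike the commented-out `var.*` lines in the other modules of this patch, `var.project_id: my-gcp-project-id` and `var.credentials_file: ${path.config}/gcp-service-account-xyz.json` are live placeholders in all three filesets, so renaming the file to enable it presumably starts three Pub/Sub inputs against a non-existent project with a missing key file; commenting them out (`#var.project_id: my-gcp-project-id`) or templating them from pillar would make the required edit explicit. Since the key referenced by `var.credentials_file` lands on disk under the Filebeat config directory, a comment that the service account should hold only the Pub/Sub Subscriber role on these subscriptions would help whoever provisions it.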
@@ -0,0 +1,53 @@
+# Module: google_workspace
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-google_workspace.html
+
+- module: google_workspace
+ saml:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ user_accounts:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ login:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ admin:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ drive:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ groups:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+
diff --git a/salt/filebeat/modules/googlecloud.yml.disabled b/salt/filebeat/modules/googlecloud.yml.disabled
new file mode 100644
index 000000000..9a28dc036
--- /dev/null
+++ b/salt/filebeat/modules/googlecloud.yml.disabled
@@ -0,0 +1,58 @@
+# Module: googlecloud
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-googlecloud.html
+
+# googlecloud module is deprecated, please use gcp instead
+- module: gcp
+ vpcflow:
+ enabled: true
+
+ # Google Cloud project ID.
+ var.project_id: my-gcp-project-id
+
+ # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
+ # configured to use this topic as a sink for VPC flow logs.
+ var.topic: gcp-vpc-flowlogs
+
+ # Google Pub/Sub subscription for the topic. Filebeat will create this
+ # subscription if it does not exist.
+ var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
+
+ # Credentials file for the service account with authorization to read from
+ # the subscription.
+ var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+
+ firewall:
+ enabled: true
+
+ # Google Cloud project ID.
+ var.project_id: my-gcp-project-id
+
+ # Google Pub/Sub topic containing firewall logs. Stackdriver must be
+ # configured to use this topic as a sink for firewall logs.
+ var.topic: gcp-vpc-firewall
+
+ # Google Pub/Sub subscription for the topic. Filebeat will create this
+ # subscription if it does not exist.
+ var.subscription_name: filebeat-gcp-firewall-sub
+
+ # Credentials file for the service account with authorization to read from
+ # the subscription.
+ var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+
+ audit:
+ enabled: true
+
+ # Google Cloud project ID.
+ var.project_id: my-gcp-project-id
+
+ # Google Pub/Sub topic containing firewall logs. Stackdriver must be
+ # configured to use this topic as a sink for firewall logs.
+ var.topic: gcp-vpc-audit
+
+ # Google Pub/Sub subscription for the topic. Filebeat will create this
+ # subscription if it does not exist.
+ var.subscription_name: filebeat-gcp-audit
+
+ # Credentials file for the service account with authorization to read from
+ # the subscription.
+ var.credentials_file: ${path.config}/gcp-service-account-xyz.json
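Review bot: This file is named `googlecloud.yml.disabled` but its body declares `- module: gcp` with the same `var.subscription_name` values as `gcp.yml.disabled` in the previous hunk, so enabling both files would load the gcp module twice on the same three subscriptions and, as far as I can tell, either duplicate events or split them between two consumers. Since the header already marks googlecloud as deprecated, either drop this file from the patch or make the comment steer the operator away from it, e.g. `# googlecloud module is deprecated; use gcp.yml instead and do not enable both`. The live `var.project_id` / `var.credentials_file` placeholders and the "firewall logs" comment under `audit` are the same copy-paste issues as in gcp.yml.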
diff --git a/salt/filebeat/modules/gsuite.yml.disabled b/salt/filebeat/modules/gsuite.yml.disabled
new file mode 100644
index 000000000..6aec3b65d
--- /dev/null
+++ b/salt/filebeat/modules/gsuite.yml.disabled
@@ -0,0 +1,53 @@
+# Module: gsuite
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gsuite.html
+
+# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
+- module: gsuite
+ saml:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ user_accounts:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ login:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ admin:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ drive:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
+ groups:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 2h
diff --git a/salt/filebeat/modules/haproxy.yml.disabled b/salt/filebeat/modules/haproxy.yml.disabled
new file mode 100644
index 000000000..b2615dbb8
--- /dev/null
+++ b/salt/filebeat/modules/haproxy.yml.disabled
@@ -0,0 +1,14 @@
+# Module: haproxy
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-haproxy.html
+
+- module: haproxy
+ # All logs
+ log:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/ibmmq.yml.disabled b/salt/filebeat/modules/ibmmq.yml.disabled
new file mode 100644
index 000000000..bfaf3792d
--- /dev/null
+++ b/salt/filebeat/modules/ibmmq.yml.disabled
@@ -0,0 +1,11 @@
+# Module: ibmmq
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-ibmmq.html
+
+- module: ibmmq
+ # All logs
+ errorlog:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/icinga.yml.disabled b/salt/filebeat/modules/icinga.yml.disabled
new file mode 100644
index 000000000..a7c3ac6e1
--- /dev/null
+++ b/salt/filebeat/modules/icinga.yml.disabled
@@ -0,0 +1,27 @@
+# Module: icinga
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-icinga.html
+
+- module: icinga
+ # Main logs
+ main:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Debug logs
+ debug:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Startup logs
+ startup:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/iis.yml.disabled b/salt/filebeat/modules/iis.yml.disabled
new file mode 100644
index 000000000..44c200ba1
--- /dev/null
+++ b/salt/filebeat/modules/iis.yml.disabled
@@ -0,0 +1,20 @@
+# Module: iis
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iis.html
+
+- module: iis
+ # Access logs
+ access:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Error logs
+ error:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
\ No newline at end of file
diff --git a/salt/filebeat/modules/imperva.yml.disabled b/salt/filebeat/modules/imperva.yml.disabled
new file mode 100644
index 000000000..8e53deaa6
--- /dev/null
+++ b/salt/filebeat/modules/imperva.yml.disabled
@@ -0,0 +1,22 @@
+# Module: imperva
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-imperva.html
+
+- module: imperva
+ securesphere:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9511
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/infoblox.yml.disabled b/salt/filebeat/modules/infoblox.yml.disabled
new file mode 100644
index 000000000..9e82f8340
--- /dev/null
+++ b/salt/filebeat/modules/infoblox.yml.disabled
@@ -0,0 +1,22 @@
+# Module: infoblox
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-infoblox.html
+
+- module: infoblox
+ nios:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9512
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/iptables.yml.disabled b/salt/filebeat/modules/iptables.yml.disabled
new file mode 100644
index 000000000..1147e14dd
--- /dev/null
+++ b/salt/filebeat/modules/iptables.yml.disabled
@@ -0,0 +1,13 @@
+# Module: iptables
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iptables.html
+
+- module: iptables
+ log:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/juniper.yml.disabled b/salt/filebeat/modules/juniper.yml.disabled
new file mode 100644
index 000000000..71112679d
--- /dev/null
+++ b/salt/filebeat/modules/juniper.yml.disabled
@@ -0,0 +1,54 @@
+# Module: juniper
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-juniper.html
+
+- module: juniper
+ junos:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9513
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
+
+ netscreen:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9523
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
+
+ srx:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9006.
+ #var.syslog_port: 9006
diff --git a/salt/filebeat/modules/kafka.yml.disabled b/salt/filebeat/modules/kafka.yml.disabled
new file mode 100644
index 000000000..23362c8a1
--- /dev/null
+++ b/salt/filebeat/modules/kafka.yml.disabled
@@ -0,0 +1,15 @@
+# Module: kafka
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kafka.html
+
+- module: kafka
+ # All logs
+ log:
+ enabled: true
+
+ # Set custom paths for Kafka. If left empty,
+ # Filebeat will look under /opt.
+ #var.kafka_home:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/kibana.yml.disabled b/salt/filebeat/modules/kibana.yml.disabled
new file mode 100644
index 000000000..a4956c4b6
--- /dev/null
+++ b/salt/filebeat/modules/kibana.yml.disabled
@@ -0,0 +1,19 @@
+# Module: kibana
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kibana.html
+
+- module: kibana
+ # Server logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Audit logs
+ audit:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/logstash.yml.disabled b/salt/filebeat/modules/logstash.yml.disabled
new file mode 100644
index 000000000..f14229409
--- /dev/null
+++ b/salt/filebeat/modules/logstash.yml.disabled
@@ -0,0 +1,18 @@
+# Module: logstash
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-logstash.html
+
+- module: logstash
+ # logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Slow logs
+ slowlog:
+ enabled: true
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/microsoft.yml.disabled b/salt/filebeat/modules/microsoft.yml.disabled
new file mode 100644
index 000000000..b0a1b10c6
--- /dev/null
+++ b/salt/filebeat/modules/microsoft.yml.disabled
@@ -0,0 +1,49 @@
+# Module: microsoft
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-microsoft.html
+
+- module: microsoft
+ # ATP configuration
+ defender_atp:
+ enabled: true
+ # How often the API should be polled
+ #var.interval: 5m
+
+ # Oauth Client ID
+ #var.oauth2.client.id: ""
+
+ # Oauth Client Secret
+ #var.oauth2.client.secret: ""
+
+ # Oauth Token URL, should include the tenant ID
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ m365_defender:
+ enabled: true
+ # How often the API should be polled
+ #var.interval: 5m
+
+ # Oauth Client ID
+ #var.oauth2.client.id: ""
+
+ # Oauth Client Secret
+ #var.oauth2.client.secret: ""
+
+ # Oauth Token URL, should include the tenant ID
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ dhcp:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9515
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/misp.yml.disabled b/salt/filebeat/modules/misp.yml.disabled
new file mode 100644
index 000000000..9a489fa0f
--- /dev/null
+++ b/salt/filebeat/modules/misp.yml.disabled
@@ -0,0 +1,17 @@
+# Module: misp
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-misp.html
+
+- module: misp
+ threat:
+ enabled: true
+ # API key to access MISP
+ #var.api_key
+
+ # Array object in MISP response
+ #var.http_request_body.limit: 1000
+
+ # URL of the MISP REST API
+ #var.url
+
+ # You can also pass SSL options. For example:
+ #var.ssl.verification_mode: none
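Review bot: `#var.oauth2.client.secret: ""` in both the `defender_atp` and `m365_defender` filesets invites the operator to paste the OAuth client secret straight into this Salt-managed file, where it sits in plaintext next to the rest of the state tree. A comment pointing at the Filebeat keystore would keep it out of the file, e.g. `# Store the secret with 'filebeat keystore add' and reference it: var.oauth2.client.secret: "${MS_CLIENT_SECRET}"` (the key name is an example). The `dhcp` fileset in the same hunk follows the commented-out syslog pattern used by the other modules and needs nothing further.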
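Review bot: The only TLS example given for the `threat` fileset is `#var.ssl.verification_mode: none`, which turns off certificate verification for the MISP REST connection, so an operator who uncomments the example as written sends API-key-authenticated requests over an unverified channel. Offer the hardened option as the example instead, `#var.ssl.certificate_authorities: ['/path/to/misp-ca.pem']`, and leave `none` out of the sample. Separately, `#var.api_key` and `#var.url` are missing the trailing colon, so uncommenting them as-is yields invalid YAML; write them as `#var.api_key: ""` and `#var.url: ""` to match the other placeholders in this patch.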
diff --git a/salt/filebeat/modules/mongodb.yml.disabled b/salt/filebeat/modules/mongodb.yml.disabled
new file mode 100644
index 000000000..266d2e4e8
--- /dev/null
+++ b/salt/filebeat/modules/mongodb.yml.disabled
@@ -0,0 +1,11 @@
+# Module: mongodb
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mongodb.html
+
+- module: mongodb
+ # All logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/mssql.yml.disabled b/salt/filebeat/modules/mssql.yml.disabled
new file mode 100644
index 000000000..bfe4c6e64
--- /dev/null
+++ b/salt/filebeat/modules/mssql.yml.disabled
@@ -0,0 +1,11 @@
+# Module: mssql
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mssql.html
+
+- module: mssql
+ # Fileset for native deployment
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']
diff --git a/salt/filebeat/modules/mysql.yml.disabled b/salt/filebeat/modules/mysql.yml.disabled
new file mode 100644
index 000000000..e6be4045b
--- /dev/null
+++ b/salt/filebeat/modules/mysql.yml.disabled
@@ -0,0 +1,19 @@
+# Module: mysql
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysql.html
+
+- module: mysql
+ # Error logs
+ error:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Slow logs
+ slowlog:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/mysqlenterprise.yml.disabled b/salt/filebeat/modules/mysqlenterprise.yml.disabled
new file mode 100644
index 000000000..37e10d0eb
--- /dev/null
+++ b/salt/filebeat/modules/mysqlenterprise.yml.disabled
@@ -0,0 +1,14 @@
+# Module: mysqlenterprise
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysqlenterprise.html
+
+- module: mysqlenterprise
+ audit:
+ enabled: true
+
+ # Sets the input type. Currently only supports file
+ #var.input: file
+
+ # Set paths for the log files when file input is used.
+ # Should only be used together with file input
+ # var.paths:
+ # - /home/user/mysqlauditlogs/audit.*.log
diff --git a/salt/filebeat/modules/nats.yml.disabled b/salt/filebeat/modules/nats.yml.disabled
new file mode 100644
index 000000000..65e44962d
--- /dev/null
+++ b/salt/filebeat/modules/nats.yml.disabled
@@ -0,0 +1,11 @@
+# Module: nats
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nats.html
+
+- module: nats
+ # All logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/netflow.yml.disabled b/salt/filebeat/modules/netflow.yml.disabled
new file mode 100644
index 000000000..781748b00
--- /dev/null
+++ b/salt/filebeat/modules/netflow.yml.disabled
@@ -0,0 +1,14 @@
+# Module: netflow
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netflow.html
+
+- module: netflow
+ log:
+ enabled: true
+ var:
+ netflow_host: localhost
+ netflow_port: 2055
+ # internal_networks specifies which networks are considered internal or private
+ # you can specify either a CIDR block or any of the special named ranges listed
+ # at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
+ internal_networks:
+ - private
diff --git a/salt/filebeat/modules/netscout.yml.disabled b/salt/filebeat/modules/netscout.yml.disabled
new file mode 100644
index 000000000..215349046
--- /dev/null
+++ b/salt/filebeat/modules/netscout.yml.disabled
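Review bot: In the `netflow` module, `netflow_host: localhost` and `netflow_port: 2055` are live settings under `var:`, and with the listener pinned to loopback the collector will presumably only receive flows from exporters running on the sensor itself, which looks unintended for a file that is enabled as soon as it is renamed. If remote exporters are the expected case, the listen address needs to be the collector interface and the matching host-firewall rule for 2055/udp should be documented beside it, e.g. `# Listens on loopback by default; set netflow_host to the collector interface and open the port in the host firewall to accept remote exporters.`; if the loopback default is deliberate, a comment saying so would save the next reader the question.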
@@ -0,0 +1,22 @@
+# Module: netscout
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netscout.html
+
+- module: netscout
+ sightline:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9502
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/nginx.yml.disabled b/salt/filebeat/modules/nginx.yml.disabled
new file mode 100644
index 000000000..e2fa44a78
--- /dev/null
+++ b/salt/filebeat/modules/nginx.yml.disabled
@@ -0,0 +1,27 @@
+# Module: nginx
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nginx.html
+
+- module: nginx
+ # Access logs
+ access:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Error logs
+ error:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
+ ingress_controller:
+ enabled: false
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/o365.yml.disabled b/salt/filebeat/modules/o365.yml.disabled
new file mode 100644
index 000000000..578ff365d
--- /dev/null
+++ b/salt/filebeat/modules/o365.yml.disabled
@@ -0,0 +1,48 @@
+# Module: o365
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-o365.html
+
+- module: o365
+ audit:
+ enabled: true
+
+ # Set the application_id (also known as client ID):
+ var.application_id: ""
+
+ # Configure the tenants to monitor:
+ # Use the tenant ID (also known as directory ID) and the domain name.
+ # var.tenants:
+ # - id: "tenant_id_1"
+ # name: "mydomain.onmicrosoft.com"
+ # - id: "tenant_id_2"
+ # name: "mycompany.com"
+ var.tenants:
+ - id: ""
+ name: "mytenant.onmicrosoft.com"
+
+ # List of content-types to fetch. By default all known content-types
+ # are retrieved:
+ # var.content_type:
+ # - "Audit.AzureActiveDirectory"
+ # - "Audit.Exchange"
+ # - "Audit.SharePoint"
+ # - "Audit.General"
+ # - "DLP.All"
+
+ # Use the following settings to enable certificate-based authentication:
+ # var.certificate: "/path/to/certificate.pem"
+ # var.key: "/path/to/private_key.pem"
+ # var.key_passphrase: "myPrivateKeyPassword"
+
+ # Client-secret based authentication:
+ # Comment the following line if using certificate authentication.
+ var.client_secret: ""
+
+ # Advanced settings, use with care:
+ # var.api:
+ # # Settings for custom endpoints:
+ # authentication_endpoint: "https://login.microsoftonline.us/"
+ # resource: "https://manage.office365.us"
+ #
+ # max_retention: 168h
+ # max_requests_per_minute: 2000
+ # poll_interval: 3m
diff --git a/salt/filebeat/modules/okta.yml.disabled b/salt/filebeat/modules/okta.yml.disabled
new file mode 100644
index 000000000..4fc943592
--- /dev/null
+++ b/salt/filebeat/modules/okta.yml.disabled
@@ -0,0 +1,10 @@
+# Module: okta
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-okta.html
+
+- module: okta
+ system:
+ enabled: true
+ # You must configure the URL with your Okta domain and provide an
+ # API token to access the logs API.
+ #var.url: https://yourOktaDomain/api/v1/logs
+ #var.api_key: 'yourApiTokenHere'
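Review bot: `var.application_id: ""`, `var.tenants: - id: ""` and `var.client_secret: ""` in the `audit` fileset are live, uncommented settings, so this file is designed to be edited in place, which puts the Azure AD client secret into a Salt-managed plaintext file. Reference the keystore instead, e.g. `var.client_secret: "${O365_CLIENT_SECRET}"` (key name is an example), or extend the existing comment to say the value should come from the Filebeat keystore rather than be typed here. The certificate-based option the hunk already documents (`var.certificate` / `var.key`) is the stronger choice and could be called out as preferred in the same comment.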
diff --git a/salt/filebeat/modules/oracle.yml.disabled b/salt/filebeat/modules/oracle.yml.disabled
new file mode 100644
index 000000000..3bd576ee1
--- /dev/null
+++ b/salt/filebeat/modules/oracle.yml.disabled
@@ -0,0 +1,13 @@
+# Module: oracle
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-oracle.html
+
+- module: oracle
+ database_audit:
+ enabled: true
+
+ # Set which input to use between syslog or file (default).
+ #var.input: file
+
+ # Set paths for the log files when file input is used.
+ # Should only be used together with file input
+ # var.paths: /home/user/oracleauditlogs/*.aud
diff --git a/salt/filebeat/modules/osquery.yml.disabled b/salt/filebeat/modules/osquery.yml.disabled
new file mode 100644
index 000000000..7a9a09dd8
--- /dev/null
+++ b/salt/filebeat/modules/osquery.yml.disabled
@@ -0,0 +1,15 @@
+# Module: osquery
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-osquery.html
+
+- module: osquery
+ result:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # If true, all fields created by this module are prefixed with
+ # `osquery.result`. Set to false to copy the fields in the root
+ # of the document. The default is true.
+ #var.use_namespace: true
diff --git a/salt/filebeat/modules/panw.yml.disabled b/salt/filebeat/modules/panw.yml.disabled
new file mode 100644
index 000000000..eb094a25a
--- /dev/null
+++ b/salt/filebeat/modules/panw.yml.disabled
@@ -0,0 +1,22 @@
+# Module: panw
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-panw.html
+
+- module: panw
+ panos:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Set internal security zones. used to determine network.direction
+ # default "trust"
+ #var.internal_zones:
+
+ # Set external security zones. used to determine network.direction
+ # default "untrust"
+ #var.external_zones:
+
diff --git a/salt/filebeat/modules/pensando.yml.disabled b/salt/filebeat/modules/pensando.yml.disabled
new file mode 100644
index 000000000..66bd60d76
--- /dev/null
+++ b/salt/filebeat/modules/pensando.yml.disabled
@@ -0,0 +1,13 @@
+# Module: pensando
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-pensando.html
+
+- module: pensando
+# Firewall logs
+ dfw:
+ enabled: true
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 9001
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ # var.paths:
diff --git a/salt/filebeat/modules/postgresql.yml.disabled b/salt/filebeat/modules/postgresql.yml.disabled
new file mode 100644
index 000000000..804b7f34f
--- /dev/null
+++ b/salt/filebeat/modules/postgresql.yml.disabled
@@ -0,0 +1,11 @@
+# Module: postgresql
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-postgresql.html
+
+- module: postgresql
+ # All logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/proofpoint.yml.disabled b/salt/filebeat/modules/proofpoint.yml.disabled
new file mode 100644
index 000000000..9aeebd5fe
--- /dev/null
+++ b/salt/filebeat/modules/proofpoint.yml.disabled
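Review bot: `var.syslog_host: 0.0.0.0` in the pensando hunk is an active setting that binds the `dfw` syslog listener on every interface, while the other syslog-based modules in this commit ship their listener lines commented out and document `localhost` as the default (see the sophos `xg` fileset). If all-interface binding is intended so the firewall can reach the sensor, say so in place: `# Bound to all interfaces so the Pensando firewall can reach it; restrict port 9001 to the firewall's source address with host firewall rules.` Otherwise `var.syslog_host: localhost` matches the rest of the set. The `# Firewall logs` comment also appears to sit at column 0 between `- module: pensando` and `dfw:`, though indentation is not recoverable from this rendering.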
@@ -0,0 +1,22 @@
+# Module: proofpoint
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-proofpoint.html
+
+- module: proofpoint
+ emailsecurity:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9531
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/rabbitmq.yml.disabled b/salt/filebeat/modules/rabbitmq.yml.disabled
new file mode 100644
index 000000000..e61a0a0c9
--- /dev/null
+++ b/salt/filebeat/modules/rabbitmq.yml.disabled
@@ -0,0 +1,11 @@
+# Module: rabbitmq
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-rabbitmq.html
+
+- module: rabbitmq
+ # All logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"]
diff --git a/salt/filebeat/modules/radware.yml.disabled b/salt/filebeat/modules/radware.yml.disabled
new file mode 100644
index 000000000..f9ab3e519
--- /dev/null
+++ b/salt/filebeat/modules/radware.yml.disabled
@@ -0,0 +1,22 @@
+# Module: radware
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-radware.html
+
+- module: radware
+ defensepro:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9518
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/redis.yml.disabled b/salt/filebeat/modules/redis.yml.disabled
new file mode 100644
index 000000000..9b621dc2d
--- /dev/null
+++ b/salt/filebeat/modules/redis.yml.disabled
@@ -0,0 +1,21 @@
+# Module: redis
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-redis.html
+
+- module: redis
+ # Main logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths: ["/var/log/redis/redis-server.log*"]
+
+ # Slow logs, retrieved via the Redis API (SLOWLOG)
+ slowlog:
+ enabled: true
+
+ # The Redis hosts to connect to.
+ #var.hosts: ["localhost:6379"]
+
+ # Optional, the password to use when connecting to Redis.
+ #var.password:
diff --git a/salt/filebeat/modules/santa.yml.disabled b/salt/filebeat/modules/santa.yml.disabled
new file mode 100644
index 000000000..1a7363547
--- /dev/null
+++ b/salt/filebeat/modules/santa.yml.disabled
@@ -0,0 +1,9 @@
+# Module: santa
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-santa.html
+
+- module: santa
+ log:
+ enabled: true
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the the default path.
+ #var.paths:
diff --git a/salt/filebeat/modules/snort.yml.disabled b/salt/filebeat/modules/snort.yml.disabled
new file mode 100644
index 000000000..8c9bcc471
--- /dev/null
+++ b/salt/filebeat/modules/snort.yml.disabled
@@ -0,0 +1,22 @@
+# Module: snort
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snort.html
+
+- module: snort
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9532
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/snyk.yml.disabled b/salt/filebeat/modules/snyk.yml.disabled
new file mode 100644
index 000000000..0b13f8155
--- /dev/null
+++ b/salt/filebeat/modules/snyk.yml.disabled
@@ -0,0 +1,112 @@
+# Module: snyk
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snyk.html
+
+- module: snyk
+ audit:
+ enabled: true
+
+ # Set which input to use between httpjson (default) or file.
+ #var.input: httpjson
+ #
+ # What audit type to collect, can be either "group" or "organization".
+ #var.audit_type: organization
+ #
+ # The ID related to the audit_type. If audit type is group, then this value should be
+ # the group ID and if it is organization it should be the organization ID to collect from.
+ #var.audit_id: 1235432-asdfdf-2341234-asdgjhg
+
+ # How often the API should be polled, defaults to 1 hour.
+ #var.interval: 1h
+ # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
+ #var.first_interval: 24h
+
+ # The API token that is created for a specific user, found in the Snyk management dashboard.
+ #var.api_token:
+
+ # Event filtering.
+ # All configuration items below is OPTIONAL and the default options will be overwritten
+ # for each entry that is not commented out.
+
+ # Will return only logs for this specific project.
+ #var.project_id: ""
+ # User public ID. Will fetch only audit logs originated from this user's actions.
+ #var.user_id: ""
+ # Will return only logs for this specific event.
+ #var.event: ""
+ # User email address. Will fetch only audit logs originated from this user's actions.
+ #var.email_address: ""
+
+ vulnerabilities:
+ enabled: true
+
+ # Set which input to use between httpjson (default) or file.
+ #var.input: httpjson
+
+ # How often the API should be polled. Data from the Snyk API is automatically updated
+ # once per day, so the default interval is 24 hours.
+ #var.interval: 24h
+
+ # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
+ #var.first_interval: 24h
+
+ # The API token that is created for a specific user, found in the Snyk management dashboard.
+ #var.api_token:
+
+ # The list of org IDs to filter the results by.
+ # One organization ID per line, starting with a - sign
+ #var.orgs:
+ # - 12354-asdfdf-123543-asdsdfg
+ # - 76554-jhggfd-654342-hgrfasd
+
+
+ # Event filtering.
+ # All configuration items below is OPTIONAL and the default options will be overwritten
+ # for each entry that is not commented out.
+
+ # The severity levels of issues to filter the results by.
+ #var.included_severity:
+ # - high
+ # - medium
+ # - low
+ #
+ # The exploit maturity levels of issues to filter the results by.
+ #var.exploit_maturity:
+ # - mature
+ # - proof-of-concept
+ # - no-known-exploit
+ # - no-data
+ #
+ # The type of issues to filter the results by.
+ #var.types:
+ # - vuln
+ # - license
+ #
+ # The type of languages to filter the results by.
+ #var.languages:
+ # - javascript
+ # - ruby
+ # - java
+ # - scala
+ # - python
+ # - golang
+ # - php
+ # - dotnet
+ # - swift
+ # - docker
+ #
+ # Search term to filter issue name by, or an exact CVE or CWE.
+ #var.identifier:
+ # - ""
+ #
+ # If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
+ #var.ignored: false
+ #var.patched: false
+ #var.fixable: false
+ #var.is_fixed: false
+ #var.is_patchable: false
+ #var.is_pinnable: false
+ #
+ # The priority score ranging between 0-1000
+ #var.min_priority_score: 0
+ #var.max_priority_score: 1000
+
diff --git a/salt/filebeat/modules/sonicwall.yml.disabled b/salt/filebeat/modules/sonicwall.yml.disabled
new file mode 100644
index 000000000..de457109d
--- /dev/null
+++ b/salt/filebeat/modules/sonicwall.yml.disabled
@@ -0,0 +1,22 @@
+# Module: sonicwall
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sonicwall.html
+
+- module: sonicwall
+ firewall:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9519
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/sophos.yml.disabled b/salt/filebeat/modules/sophos.yml.disabled
new file mode 100644
index 000000000..8fc346540
--- /dev/null
+++ b/salt/filebeat/modules/sophos.yml.disabled
@@ -0,0 +1,46 @@
+# Module: sophos
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sophos.html
+
+- module: sophos
+ xg:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9005
+
+ # firewall default hostname
+ #var.default_host_name: firewall.localgroup.local
+
+ # known firewalls
+ #var.known_devices:
+ #- serial_number: "1234567890123457"
+ # hostname: "a.host.local"
+ #- serial_number: "1234234590678557"
+ # hostname: "b.host.local"
+
+
+ utm:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9533
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/squid.yml.disabled b/salt/filebeat/modules/squid.yml.disabled
new file mode 100644
index 000000000..a47807253
--- /dev/null
+++ b/salt/filebeat/modules/squid.yml.disabled
@@ -0,0 +1,22 @@
+# Module: squid
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-squid.html
+
+- module: squid
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9520
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
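Review bot: In the sophos `xg` fileset the comment says the syslog port `Defaults to 9004.` but the example directly under it is `#var.syslog_port: 9005`, so an operator who uncomments the example gets a different port than the text promises. Make the two agree — either `#var.syslog_port: 9004` or `# The port to listen for syslog traffic. Defaults to 9005.` — whichever matches the module's real default per the docs URL in the file header. The `xg` fileset writes `#var.` while the `utm` fileset below writes `# var.`; one convention within the file would make the settings easier to grep.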
diff --git a/salt/filebeat/modules/suricata.yml.disabled b/salt/filebeat/modules/suricata.yml.disabled
new file mode 100644
index 000000000..1edd3f832
--- /dev/null
+++ b/salt/filebeat/modules/suricata.yml.disabled
@@ -0,0 +1,11 @@
+# Module: suricata
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
+
+- module: suricata
+ # All logs
+ eve:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/system.yml.disabled b/salt/filebeat/modules/system.yml.disabled
new file mode 100644
index 000000000..d633bac04
--- /dev/null
+++ b/salt/filebeat/modules/system.yml.disabled
@@ -0,0 +1,19 @@
+# Module: system
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-system.html
+
+- module: system
+ # Syslog
+ syslog:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Authorization logs
+ auth:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/threatintel.yml.disabled b/salt/filebeat/modules/threatintel.yml.disabled
new file mode 100644
index 000000000..b461d91e2
--- /dev/null
+++ b/salt/filebeat/modules/threatintel.yml.disabled
@@ -0,0 +1,105 @@
+# Module: threatintel
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-threatintel.html
+
+- module: threatintel
+ abuseurl:
+ enabled: true
+
+ # Input used for ingesting threat intel data.
+ var.input: httpjson
+
+ # The URL used for Threat Intel API calls.
+ var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/
+
+ # The interval to poll the API for updates.
+ var.interval: 10m
+
+ abusemalware:
+ enabled: true
+
+ # Input used for ingesting threat intel data.
+ var.input: httpjson
+
+ # The URL used for Threat Intel API calls.
+ var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/
+
+ # The interval to poll the API for updates.
+ var.interval: 10m
+
+ misp:
+ enabled: true
+
+ # Input used for ingesting threat intel data, defaults to JSON.
+ var.input: httpjson
+
+ # The URL of the MISP instance, should end with "/events/restSearch".
+ var.url: https://SERVER/events/restSearch
+
+ # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI.
+ var.api_token: API_KEY
+
+ # Configures the type of SSL verification done, if MISP is running on self signed certificates
+ # then the certificate would either need to be trusted, or verification_mode set to none.
+ #var.ssl.verification_mode: none
+
+ # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context.
+ # For examples please reference the filebeat module documentation.
+ #var.filters:
+ # - threat_level: [4, 5]
+ # - to_ids: true
+
+ # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer
+ # than the last event that was already ingested.
+ var.first_interval: 300h
+
+ # The interval to poll the API for updates.
+ var.interval: 5m
+
+ otx:
+ enabled: true
+
+ # Input used for ingesting threat intel data
+ var.input: httpjson
+
+ # The URL used for OTX Threat Intel API calls.
+ var.url: https://otx.alienvault.com/api/v1/indicators/export
+
+ # The authentication token used to contact the OTX API, can be found on the OTX UI.
+ var.api_token: API_KEY
+
+ # Optional filters that can be applied to retrieve only specific indicators.
+ #var.types: "domain,IPv4,hostname,url,FileHash-SHA256"
+
+ # The timeout of the HTTP client connecting to the OTX API
+ #var.http_client_timeout: 120s
+
+ # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module.
+ var.lookback_range: 1h
+
+ # How far back to look once the beat starts up for the first time, the value has to be in hours.
+ var.first_interval: 400h
+
+ # The interval to poll the API for updates
+ var.interval: 5m
+
+ anomali:
+ enabled: true
+
+ # Input used for ingesting threat intel data
+ var.input: httpjson
+
+ # The URL used for Threat Intel API calls. Limo has multiple different possibilities for URL's depending
+ # on the type of threat intel source that is needed.
+ var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects
+
+ # The Username used by anomali Limo, defaults to guest.
+ #var.username: guest
+
+ # The password used by anomali Limo, defaults to guest.
+ #var.password: guest
+
+ # How far back to look once the beat starts up for the first time, the value has to be in hours.
+ var.first_interval: 400h
+
+ # The interval to poll the API for updates
+ var.interval: 5m
diff --git a/salt/filebeat/modules/tomcat.yml.disabled b/salt/filebeat/modules/tomcat.yml.disabled
new file mode 100644
index 000000000..84f4619d5
--- /dev/null
+++ b/salt/filebeat/modules/tomcat.yml.disabled
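Review bot: The `misp` and `otx` filesets are `enabled: true` with active placeholder values — `var.url: https://SERVER/events/restSearch` and `var.api_token: API_KEY` in both — so the moment this file is enabled without editing, Filebeat will poll a host literally named `SERVER` and present `API_KEY` as a credential to the OTX endpoint, producing a stream of request errors rather than a clear configuration failure. Either ship those filesets `enabled: false` until an operator fills the values, or comment the placeholders (`#var.url: ...`, `#var.api_token: ...`) as the `anomali` fileset already does with `#var.username: guest` / `#var.password: guest`. On `#var.ssl.verification_mode: none` for MISP, the comment should put the safe option first, e.g. `# Prefer trusting the MISP CA through the module's ssl settings; use verification_mode none only as a last resort, since the API token is then sent to whatever answers for that hostname.` The first half of this hunk, including the misp `var.api_token` line, is on the previous physical line.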
@@ -0,0 +1,22 @@
+# Module: tomcat
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-tomcat.html
+
+- module: tomcat
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9501
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/traefik.yml.disabled b/salt/filebeat/modules/traefik.yml.disabled
new file mode 100644
index 000000000..657d5ccd9
--- /dev/null
+++ b/salt/filebeat/modules/traefik.yml.disabled
@@ -0,0 +1,11 @@
+# Module: traefik
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-traefik.html
+
+- module: traefik
+ # Access logs
+ access:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/zeek.yml.disabled b/salt/filebeat/modules/zeek.yml.disabled
new file mode 100644
index 000000000..0667c6e35
--- /dev/null
+++ b/salt/filebeat/modules/zeek.yml.disabled
@@ -0,0 +1,84 @@
+# Module: zeek
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html
+
+- module: zeek
+ capture_loss:
+ enabled: true
+ connection:
+ enabled: true
+ dce_rpc:
+ enabled: true
+ dhcp:
+ enabled: true
+ dnp3:
+ enabled: true
+ dns:
+ enabled: true
+ dpd:
+ enabled: true
+ files:
+ enabled: true
+ ftp:
+ enabled: true
+ http:
+ enabled: true
+ intel:
+ enabled: true
+ irc:
+ enabled: true
+ kerberos:
+ enabled: true
+ modbus:
+ enabled: true
+ mysql:
+ enabled: true
+ notice:
+ enabled: true
+ ntlm:
+ enabled: true
+ ocsp:
+ enabled: true
+ pe:
+ enabled: true
+ radius:
+ enabled: true
+ rdp:
+ enabled: true
+ rfb:
+ enabled: true
+ signature:
+ enabled: true
+ sip:
+ enabled: true
+ smb_cmd:
+ enabled: true
+ smb_files:
+ enabled: true
+ smb_mapping:
+ enabled: true
+ smtp:
+ enabled: true
+ snmp:
+ enabled: true
+ socks:
+ enabled: true
+ ssh:
+ enabled: true
+ ssl:
+ enabled: true
+ stats:
+ enabled: true
+ syslog:
+ enabled: true
+ traceroute:
+ enabled: true
+ tunnel:
+ enabled: true
+ weird:
+ enabled: true
+ x509:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/zoom.yml.disabled b/salt/filebeat/modules/zoom.yml.disabled
new file mode 100644
index 000000000..15fa9d4b2
--- /dev/null
+++ b/salt/filebeat/modules/zoom.yml.disabled
@@ -0,0 +1,22 @@
+# Module: zoom
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zoom.html
+
+- module: zoom
+ webhook:
+ enabled: true
+
+ # The type of input to use
+ #var.input: http_endpoint
+
+ # The interface to listen for incoming HTTP requests. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.listen_address: localhost
+
+ # The port to bind to
+ #var.listen_port: 80
+
+ # The header Zoom uses to send its secret token, defaults to "Authorization"
+ #secret.header: Authorization
+
+ # The secret token value created by Zoom
+ #secret.value: ZOOMTOKEN
diff --git a/salt/filebeat/modules/zscaler.yml.disabled b/salt/filebeat/modules/zscaler.yml.disabled
new file mode 100644
index 000000000..accdec9ea
--- /dev/null
+++ b/salt/filebeat/modules/zscaler.yml.disabled
@@ -0,0 +1,22 @@
+# Module: zscaler
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zscaler.html
+
+- module: zscaler
+ zia:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9521
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
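Review bot: In the zoom hunk `#secret.header: Authorization` and `#secret.value: ZOOMTOKEN` are the only settings in this whole set without the `var.` prefix that every other module variable carries (`var.input`, `var.listen_address`, `var.listen_port` just above them); if an operator uncomments them as written, the keys are unlikely to be bound as module variables and the webhook would run without the token check the comment describes. Worth verifying against the docs URL in the header and, if confirmed, changing them to `#var.secret.header: Authorization` / `#var.secret.value: ZOOMTOKEN`. The example listener is plain HTTP on `localhost:80`, and since Zoom has to reach this endpoint from outside, the `var.listen_address` comment should also point operators at the input's TLS settings rather than only at `0.0.0.0`.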