Merge pull request #943 from Security-Onion-Solutions/issue/825

Pillarize filebeat inputs and output
This commit is contained in:
Josh Patterson
2020-07-07 15:51:08 -04:00
committed by GitHub
2 changed files with 154 additions and 146 deletions


@@ -75,177 +75,181 @@ filebeat.modules:
filebeat.inputs: filebeat.inputs:
#------------------------------ Log prospector -------------------------------- #------------------------------ Log prospector --------------------------------
{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %} {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %}
- type: udp
enabled: true
host: "0.0.0.0:514"
fields:
module: syslog
dataset: syslog
pipeline: "syslog"
index: "so-syslog-%{+yyyy.MM.dd}"
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
- type: udp - type: tcp
enabled: true enabled: true
host: "0.0.0.0:514" host: "0.0.0.0:514"
fields: fields:
module: syslog module: syslog
dataset: syslog dataset: syslog
pipeline: "syslog" pipeline: "syslog"
index: "so-syslog-%{+yyyy.MM.dd}" index: "so-syslog-%{+yyyy.MM.dd}"
processors: processors:
- drop_fields: - drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
{%- if BROVER != 'SURICATA' %}
- type: tcp {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
enabled: true - type: log
host: "0.0.0.0:514" paths:
fields: - /nsm/zeek/logs/current/{{ LOGNAME }}.log
module: syslog fields:
dataset: syslog module: zeek
pipeline: "syslog" dataset: {{ LOGNAME }}
index: "so-syslog-%{+yyyy.MM.dd}"
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
{%- if BROVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
- type: log
paths:
- /nsm/zeek/logs/current/{{ LOGNAME }}.log
fields:
module: zeek
dataset: {{ LOGNAME }}
category: network
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
- type: log
paths:
- /nsm/import/*/zeek/logs/{{ LOGNAME }}.log
fields:
module: zeek
dataset: {{ LOGNAME }}
category: network
imported: true
processors:
- dissect:
tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
field: "log.file.path"
target_prefix: ""
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
{%- endfor %}
{%- endif %}
- type: log
paths:
- /nsm/suricata/eve*.json
fields:
module: suricata
dataset: common
category: network category: network
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
processors: - type: log
- drop_fields: paths:
fields: ["source", "prospector", "input", "offset", "beat"] - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log
fields:
fields_under_root: true module: zeek
clean_removed: false dataset: {{ LOGNAME }}
close_removed: false
- type: log
paths:
- /nsm/import/*/suricata/eve*.json
fields:
module: suricata
dataset: common
category: network category: network
imported: true imported: true
processors: processors:
- dissect: - dissect:
tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
field: "log.file.path" field: "log.file.path"
target_prefix: "" target_prefix: ""
- drop_fields: - drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
{%- endfor %}
{%- endif %}
fields_under_root: true - type: log
clean_removed: false paths:
close_removed: false - /nsm/suricata/eve*.json
fields:
module: suricata
dataset: common
category: network
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
- type: log
paths:
- /nsm/import/*/suricata/eve*.json
fields:
module: suricata
dataset: common
category: network
imported: true
processors:
- dissect:
tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
field: "log.file.path"
target_prefix: ""
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
{%- if STRELKAENABLED == 1 %} {%- if STRELKAENABLED == 1 %}
- type: log - type: log
paths: paths:
- /nsm/strelka/log/strelka.log - /nsm/strelka/log/strelka.log
fields: fields:
module: strelka module: strelka
category: file category: file
dataset: file dataset: file
processors: processors:
- drop_fields: - drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- endif %} {%- endif %}
{%- endif %} {%- endif %}
{%- if WAZUHENABLED == 1 %} {%- if WAZUHENABLED == 1 %}
- type: log - type: log
paths: paths:
- /wazuh/alerts/alerts.json - /wazuh/alerts/alerts.json
fields: fields:
module: ossec module: ossec
dataset: alert dataset: alert
category: host category: host
processors: processors:
- drop_fields: - drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
# - type: log
# paths:
# - /wazuh/archives/archives.json
# fields:
# type: ossec_archive
# fields_under_root: true
# clean_removed: false
# close_removed: false
{%- endif %} {%- endif %}
{%- if FLEETMASTER or FLEETNODE %} {%- if FLEETMASTER or FLEETNODE %}
- type: log - type: log
paths: paths:
- /nsm/osquery/fleet/result.log - /nsm/osquery/fleet/result.log
fields: fields:
module: osquery module: osquery
dataset: query_result dataset: query_result
category: host category: host
processors: processors:
- drop_fields: - drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- endif %} {%- endif %}
{%- if INPUTS %}
# USER PILLAR DEFINED INPUTS
{{ INPUTS | yaml(False) }}
{%- endif %}
{% if OUTPUT -%}
# USER PILLAR DEFINED OUTPUT
{%- set types = OUTPUT.keys() | list %}
{%- set type = types[0] %}
output.{{ type }}:
{%- for i in OUTPUT[type].items() %}
{{ i[0] }}: {{ i[1]}}
{%- endfor %}
{%- else %}
#----------------------------- Elasticsearch/Logstash output --------------------------------- #----------------------------- Elasticsearch/Logstash output ---------------------------------
{%- if grains['role'] == "so-eval" %} {%- if grains['role'] == "so-eval" %}
output.elasticsearch: output.elasticsearch:
enabled: true enabled: true
hosts: ["{{ MASTER }}:9200"] hosts: ["{{ MASTER }}:9200"]
@@ -269,7 +273,7 @@ output.elasticsearch:
module: "strelka" module: "strelka"
setup.template.enabled: false setup.template.enabled: false
{%- else %} {%- else %}
output.logstash: output.logstash:
# Boolean flag to enable or disable the output module. # Boolean flag to enable or disable the output module.
@@ -320,7 +324,8 @@ setup.template.enabled: false
# https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
#_source: #_source:
#enabled: false #enabled: false
{%- endif %} {%- endif %}
{% endif %}
#============================== Kibana ===================================== #============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.

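Review bot: In the USER PILLAR DEFINED OUTPUT block each setting is emitted as a bare `{{ i[0] }}: {{ i[1]}}`, so a non-scalar pillar value (the `hosts` list this file itself uses at `hosts: ["{{ MASTER }}:9200"]`, or `ssl.*` lists) is rendered as its Python repr, a string containing `: `, ` #` or a leading YAML indicator can produce broken or retyped YAML, and `types[0]` silently discards every output after the first. The INPUTS block already shows the safer pattern; the loop can become `output.{{ type }}:` followed by `  {{ OUTPUT[type] | yaml(False) | indent(2) }}`, ideally behind a check that `types | length == 1` (or at least a comment stating that additional outputs are ignored). A comment above the block would also help operators: a pillar output replaces the whole default elasticsearch/logstash stanza in the else-branch, so whatever transport or TLS settings that stanza carries (not fully visible in this hunk) are not inherited, and a pillar output without its own `ssl.*` keys presumably ships logs off the sensor in cleartext. `INPUTS | yaml(False)` is emitted at column 0 and assumes the pillar holds a sequence of inputs; a mapping there would land under `filebeat.inputs:` as a bare key rather than a list item, which is worth stating in the comment as well.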

@@ -46,6 +46,9 @@ filebeatconfsync:
- user: 0 - user: 0
- group: 0 - group: 0
- template: jinja - template: jinja
- defaults:
INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }}
OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
so-filebeat: so-filebeat:
docker_container.running: docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }} - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
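Review bot: The two new `defaults:` entries inject pillar data by rendering `{{ salt['pillar.get'](...) }}`, i.e. Jinja's plain Python repr, into a state file that is then parsed as YAML; a pillar value of `None` arrives as the string `None`, and a string containing both quote kinds is emitted with a `\'` escape that YAML single-quoted scalars do not understand. Serialising explicitly avoids the round-trip guesswork, for example `INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', []) | json }}` and `OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) | json }}` (the template already relies on the sibling `yaml` filter, so `json` should be available too; JSON is valid YAML inline). Defaulting `inputs` to `[]` rather than `{}` also matches how the template consumes it, as a sequence appended under `filebeat.inputs:`. The `filebeatconfsync` state begins outside this hunk, so whether it also carries a `context:` block (which would shadow these `defaults`) cannot be checked here.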