diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index bc95c5428..ce8923e90 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -182,6 +182,37 @@ check_airgap() {
 fi
 }
+# {% raw %}
+
+check_local_mods() {
+ local salt_local=/opt/so/saltstack/local
+
+ local_mod_arr=()
+
+ while IFS= read -r -d '' local_file; do
+ stripped_path=${local_file#"$salt_local"}
+ default_file="${DEFAULT_SALT_DIR}${stripped_path}"
+ if [[ -f $default_file ]]; then
+ file_diff=$(diff "$default_file" "$local_file" )
+ if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
+ local_mod_arr+=( "$local_file" )
+ fi
+ fi
+ done< <(find $salt_local -type f -print0)
+
+ if [[ ${#local_mod_arr} -gt 0 ]]; then
+ echo "Potentially breaking changes found in the following files (check ${DEFAULT_SALT_DIR} for original copy):"
+ for file_str in "${local_mod_arr[@]}"; do
+ echo " $file_str"
+ done
+ echo ""
+ echo "To reference this list later, check $SOUP_LOG"
+ sleep 10
+ fi
+}
+
+# {% endraw %}
+
 check_sudoers() {
 if grep -q "so-setup" /etc/sudoers; then
 echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
@@ -956,6 +987,8 @@ main() {
 fi
 fi
+ check_local_mods
+
 check_sudoers
 if [[ -n $lsl_msg ]]; then
diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec
index 868de2798..69bca3003 100644
--- a/salt/elasticsearch/files/ingest/ossec
+++ b/salt/elasticsearch/files/ingest/ossec
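Review bot: `if [[ ${#local_mod_arr} -gt 0 ]]` tests the string length of element 0 rather than the number of entries, so it only works because the first recorded path is never empty; it should read `if [[ ${#local_mod_arr[@]} -gt 0 ]]; then`. The working variables (`local_mod_arr`, `stripped_path`, `default_file`, `file_diff`, `file_str`) are not declared `local` and leak into the caller's scope, and `find $salt_local` should be quoted like the other expansions in the function. Only `<` lines are counted, so a local file that merely appends to the default is never reported, which deserves a comment such as `# only flag files whose default lines were changed or removed; pure additions are not reported`. The `# {% raw %}` / `# {% endraw %}` markers also deserve a comment saying they keep Salt's Jinja from reading the `{#` inside `${#…}` as a comment opener — I am inferring that reason from the surrounding files, so confirm it.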
@@ -33,6 +33,7 @@
 { "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
 { "rename": { "field": "data.win.system", "target_field": "winlog", "ignore_missing": true } },
 { "rename": { "field": "data.win.eventdata", "target_field": "winlog.event_data", "ignore_missing": true } },
+ { "rename": { "field": "data", "target_field": "wazuh.data", "ignore_missing": true } },
 { "rename": { "field": "winlog.eventID", "target_field": "winlog.event_id", "ignore_missing": true } },
 { "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
 { "rename": { "field": "decoder.name", "target_field": "event.dataset", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file
index e5e8560f8..fbcf1252a 100644
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -8,6 +8,7 @@
 { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } },
 { "rename": { "field": "scan.exiftool", "target_field": "exiftool", "ignore_missing": true } },
 { "grok": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
+ { "gsub": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "pattern": "\/nsm\/strelka\/staging", "replacement": "\/nsm\/strelka\/processed" } },
 { "foreach": { "if": "ctx.exiftool?.keys !=null",
diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns
index 85229ee92..2f5958e2e 100644
--- a/salt/elasticsearch/files/ingest/suricata.dns
+++ b/salt/elasticsearch/files/ingest/suricata.dns
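Review bot: The added `rename` of `data` to `wazuh.data` runs after the `data.win.*` renames, which move the leaf fields but leave the now-empty `data.win` object in place, so Windows-sourced documents will likely carry an empty `wazuh.data.win` object into the index — inferred from rename semantics, so confirm with a simulated document. If that is unwanted, a `remove` of `data.win` with `ignore_missing: true` placed before this rename keeps the moved object clean. Everything not previously renamed out of `data` is now indexed verbatim under `wazuh.data`, so the field set is whatever the agent sends; the mapping consequences belong with the template change in this commit.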
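Review bot: The new `gsub` pattern is compiled as a regular expression and is not anchored, so it rewrites a `/nsm/strelka/staging` segment wherever it occurs in the filename; anchoring it, `"pattern": "^/nsm/strelka/staging"`, restricts the rewrite to the path prefix the processor is evidently meant for. The `\/` escapes are valid JSON but unnecessary, since `/` needs no escaping in JSON or in the regex. Unlike the `grok` above it, the processor has no `ignore_failure`, so a non-string `request.attributes.filename` would fail the whole pipeline; whether that can happen depends on the Strelka output, which is not visible here.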
@@ -12,7 +12,7 @@
 { "rename": { "field": "message2.dns.qr", "target_field": "dns.qr", "ignore_missing": true } },
 { "rename": { "field": "message2.dns.rd", "target_field": "dns.recursion.desired", "ignore_missing": true } },
 { "rename": { "field": "message2.dns.ra", "target_field": "dns.recursion.available", "ignore_missing": true } },
- { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code_name", "ignore_missing": true } },
 { "rename": { "field": "message2.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } },
 { "rename": { "field": "message2.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } },
 { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 26a5f2ec7..8afac271c 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -65,7 +65,8 @@
 {
 "port": {
 "path_match": "*.port",
- "mapping": {
+ "path_unmatch": "*.data.port",
+ "mapping": {
 "type": "integer",
 "fields" : {
 "keyword" : {
@@ -680,6 +681,10 @@
 "redis":{
 "type":"object",
 "dynamic": true
+ },
+ "wazuh":{
+ "type":"object",
+ "dynamic": true
 }
 }
 }
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 2a86b486f..f904ccfa6 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
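Review bot: Changing the target to `dns.response.code_name` means new documents no longer populate `dns.response.code` while existing indices still do, so any saved search, dashboard or detection rule keyed on the old name silently stops matching new data unless it is updated in the same change; nothing in this diff updates it. If both names must overlap during the transition, adding a `set` that copies the value to the old field, or an alias field in the template, covers it until consumers are migrated. The commit description would benefit from one sentence stating why the field is renamed — presumably because Suricata's `rcode` is a textual name rather than a numeric code.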
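Review bot: `"path_unmatch": "*.data.port"` excludes every field whose path ends in `data.port` from the integer `port` dynamic template, not only the new `wazuh.data.port`, so any other dataset with a `data.port` leaf is now mapped by the default dynamic rules instead of as `integer`, which changes range queries and aggregations on it. If the exclusion exists for the `wazuh` object alone, `"path_unmatch": "wazuh.data.port"` is the narrower match and documents the intent. The second hunk's `wazuh` object with `"dynamic": true` indexes whatever keys an agent emits under `data` (the ossec pipeline in this commit moves the whole `data` object there), so a misbehaving or compromised agent can grow the mapping without bound; `"dynamic": false` with a small explicit field list, or an index field-count limit, is the usual bound.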
@@ -16,6 +16,7 @@
 {%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%}
 {%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%}
 {%- set FBLSBULKMAXSIZE = salt['pillar.get']('filebeat:ls_bulk_max_size', 2048) -%}
+{%- set FBLOGGINGLEVEL = salt['pillar.get']('filebeat:logging:level', 'warning') -%}
 name: {{ HOSTNAME }}
@@ -25,7 +26,7 @@ name: {{ HOSTNAME }}
 # Sets log level. The default log level is info.
 # Available log levels are: error, warning, info, debug
-logging.level: warning
+logging.level: {{ FBLOGGINGLEVEL }}
 # Enable debug output for selected components. To enable all selectors use ["*"]
 # Other available selectors are "beat", "publish", "service"
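Review bot: `logging.level: {{ FBLOGGINGLEVEL }}` renders the pillar value unquoted and unvalidated, so a value outside the set the comment lists (error, warning, info, debug) is written as-is and Filebeat rejects the config at startup rather than falling back to `warning`; a Jinja guard that resets out-of-range values to the default, or at least a `# must be one of error|warning|info|debug` line beside the pillar lookup in the first hunk, catches the typo at render time. The comment `# Sets log level. The default log level is info.` is now stale and should name the override: `# Sets log level; overridden via pillar filebeat:logging:level (default: warning).` Operators enabling `debug` should also know that Beats debug output with the publish selector can write full event contents into Filebeat's own log, which is worth one line in that comment — inferred from Filebeat's general logging behaviour, so confirm for the deployed version.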