From f5c044e3e34a35e804f4df77f0788ef4e998a2ff Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Tue, 26 Jan 2021 16:07:34 -0500
Subject: [PATCH 1/2] [fix] Log directory fixes

* The playbook log dir is owned by the socore group, so we can use `su root socore`
* Addresses https://github.com/Security-Onion-Solutions/securityonion/pull/2681#issuecomment-767761670

---

* influxdb runs as root, so we can set the log directory permissions to 755 for this service
---
 pillar/logrotate/init.sls | 4 +++-
 salt/common/files/log-rotate.conf | 11 ++++++++++-
 salt/influxdb/init.sls | 2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/pillar/logrotate/init.sls b/pillar/logrotate/init.sls
index 1b27ffca9..f8a54f442 100644
--- a/pillar/logrotate/init.sls
+++ b/pillar/logrotate/init.sls
@@ -8,4 +8,6 @@ logrotate:
 create
 extension .log
 dateext
- dateyesterday
\ No newline at end of file
+ dateyesterday
+ group_conf: |
+ su root socore
\ No newline at end of file
diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
index 04c89c9d9..061b76271 100644
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -1,4 +1,6 @@
 {%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
+{%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
+
 /opt/so/log/aptcacher-ng/*.log
 /opt/so/log/idstools/*.log
@@ -13,7 +15,6 @@
 /opt/so/log/fleet/*.log
 /opt/so/log/suricata/*.log
 /opt/so/log/mysql/*.log
-/opt/so/log/playbook/*.log
 /opt/so/log/telegraf/*.log
 /opt/so/log/redis/*.log
 /opt/so/log/sensoroni/*.log
@@ -24,3 +25,11 @@
 {
 {{ logrotate_conf | indent(width=4) }}
 }
+
+ # Playbook's log directory needs additional configuration
+ # because Playbook requires a more permissive directory
+ /opt/so/log/playbook/*.log
+ {
+ {{ logrotate_conf | indent(width=4) }}
+ {{ group_conf | indent(width=4) }}
+ }
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 6d178e77c..aace4e827 100644
--- a/salt/influxdb/init.sls
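Review bot: The new `group_conf` key adds `su root socore` to the pillar without recording why it is there, so the commit message is the only place that explains it and the next reader cannot tell whether the line is safe to drop or to reuse for other log directories. Add above the key `# Playbook's log dir is group-owned by socore; logrotate skips a directory writable by a non-root group unless 'su' names that group`. It is also worth noting in the same comment that `su root socore` keeps the rotation user as root, so the directive only satisfies logrotate's directory-ownership check rather than reducing privilege, and should not be read as a hardening setting. The `logrotate:` map itself begins above the hunk.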
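Review bot: In the third hunk the stanza comment `# because Playbook requires a more permissive directory` names the symptom but not the mechanism, and `salt['pillar.get']('logrotate:group_conf')` in the first hunk has no default, so on a minion whose pillar lacks the key the playbook stanza silently renders as a copy of the shared stanza with a blank line where the `su` directive should be, and rotation of that directory would presumably then fail logrotate's insecure-directory check without any hint in the rendered file. Either supply the default, `{%- set group_conf = salt['pillar.get']('logrotate:group_conf', 'su root socore') %}`, or state in a comment next to the `set` that the pillar key is required for the playbook stanza. Reword the stanza comment to `# /opt/so/log/playbook is group-writable by socore; logrotate will only rotate there with 'su root socore' set (pillar logrotate:group_conf)` so the reason is visible where the directive is emitted. The second hunk only removes the playbook glob from the shared list and needs nothing further.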
+++ b/salt/influxdb/init.sls
@@ -17,7 +17,7 @@ influxconfdir:
 influxlogdir:
 file.directory:
 - name: /opt/so/log/influxdb
- - dir_mode: 775
+ - dir_mode: 755
 - user: 939
 - group: 939
 - makedirs: True

From 13ab4c66eb833fed72443ef0238aabd80585f03e Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 27 Jan 2021 09:15:54 -0500
Subject: [PATCH 2/2] Update Osquery Windows Eventlog Parsing

---
 salt/elasticsearch/files/ingest/osquery.query_result | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result
index 67a0b39f8..b6b4f22ef 100644
--- a/salt/elasticsearch/files/ingest/osquery.query_result
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
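Review bot: `dir_mode: 755` sits next to `user: 939` / `group: 939` with nothing in the state explaining why group write was dropped; the commit message says influxdb runs as root, which at first glance contradicts the uid/gid 939 ownership in the same block, so the next maintainer is likely to revert to 775 when a write error appears. Add above `dir_mode` the comment `# influxdb writes here as root; group write for gid 939 is not relied on` (if the service in fact runs as uid 939, 755 still works because the owner keeps write, but then the comment should say that instead). Separately, 755 leaves the log directory world-readable; if nothing outside the owning group needs to read these logs, `750` would be the tighter choice. The `influxlogdir` state may continue past the hunk.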
@@ -2,16 +2,15 @@
 "description" : "osquery",
 "processors" : [
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } },
 { "rename": { "if": "ctx.message2.columns?.eventid != null", "field": "message2.columns", "target_field": "winlog", "ignore_missing": true } },
- { "json": { "field": "winlog.data", "target_field": "temp", "ignore_failure": true } },
- { "rename": { "field": "temp.EventData", "target_field": "winlog.event_data", "ignore_missing": true } },
+ { "json": { "field": "winlog.data", "target_field": "unparsed", "ignore_failure": true} },
+ { "set": { "if": "!(ctx.unparsed?.EventData instanceof Map)", "field": "error.eventdata_parsing", "value": true, "ignore_failure": true } },
+ { "rename": { "if": "!(ctx.error?.eventdata_parsing == true)", "field": "unparsed.EventData", "target_field": "winlog.event_data", "ignore_missing": true, "ignore_failure": true } },
 { "rename": { "field": "winlog.source", "target_field": "winlog.channel", "ignore_missing": true } },
 { "rename": { "field": "winlog.eventid", "target_field": "winlog.event_id", "ignore_missing": true } },
- { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
- { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
-
+ { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
+ { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
 { "script": { "lang": "painless",