From 15bfce07e8e3447b9b27f837017737d63f94cf85 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 1 Jan 2019 11:13:05 -0500
Subject: [PATCH] Move osquery parsers from custom to dynamic
---
 .../files/dynamic/7100_osquery_wel.conf | 23 +++++++++++++++++++
 .../files/dynamic/9100_output_osquery.conf | 19 +++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 salt/logstash/files/dynamic/7100_osquery_wel.conf
 create mode 100644 salt/logstash/files/dynamic/9100_output_osquery.conf
diff --git a/salt/logstash/files/dynamic/7100_osquery_wel.conf b/salt/logstash/files/dynamic/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/files/dynamic/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+ if "osquery" in [tags] and [osquery][columns][eventid] {
+
+ mutate {
+ gsub => ["[osquery][columns][data]", "\\x0A", ""]
+ }
+
+ json {
+ source => "[osquery][columns][data]"
+ target => "[osquery][columns][data]"
+ }
+
+ mutate {
+ merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+ remove_field => ["[osquery][columns][data]"]
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/salt/logstash/files/dynamic/9100_output_osquery.conf b/salt/logstash/files/dynamic/9100_output_osquery.conf
new file mode 100644
index 000000000..e95119562
--- /dev/null
+++ b/salt/logstash/files/dynamic/9100_output_osquery.conf
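Review bot: The second mutate (the merge/remove_field lines) runs even when the json filter could not parse [osquery][columns][data]; in that case Logstash leaves the field as a string and tags the event `_jsonparsefailure`, so a merge of a string into the [osquery][columns] hash is attempted and remove_field then discards the only copy of the unparsed payload. Wrapping that mutate in `if "_jsonparsefailure" not in [tags] { ... }` keeps the raw data on the event for triage whenever the gsub/json step does not succeed. Merging the parsed hash straight into [osquery][columns] also lets any key carried in the event payload overwrite an existing column of the same name (eventid among them, which the outer condition keys on), so a dedicated target such as `target => "[osquery][columns][eventdata]"` with the merge dropped would keep producer-supplied keys separate from osquery's own columns. The header comment speaks of an EventData column while the filter operates on `[osquery][columns][data]`; aligning the wording would help the next reader.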
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+ if "osquery" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-osquery-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
\ No newline at end of file
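Review bot: `hosts => "{{ ES }}"` is rendered from pillar lookups whose default is the empty string on both set lines, so a minion with no master:mainip or node:mainip value ends up with `hosts => ""` and the elasticsearch output only fails once the pipeline starts rather than when the state renders; dropping the `''` default (`{%- set ES = salt['pillar.get']('node:mainip') -%}`) or adding a Jinja check that ES is non-empty would surface the misconfiguration at render time. The output also talks to Elasticsearch with no ssl, user or cacert options, which is presumably acceptable only if {{ ES }} resolves to a local or otherwise trusted interface — a comment in the file stating that assumption, e.g. `# ES is expected to be a trusted in-cluster address; no TLS/auth is configured here`, would make the trust boundary explicit. `template => "/logstash-template.json"` is given without template_name, so this output manages the default `logstash` template; if another output in the same pipeline manages a different template file under that name, the last writer wins.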