From 1e5b9ef0bf64804c001033cba99e0b26b9929ff5 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 10 Feb 2022 11:37:10 -0500
Subject: [PATCH] IDH - Enable Filebeat
---
 salt/filebeat/etc/filebeat.yml | 44 +++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index f18a72752..0061aefc1 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -264,6 +264,48 @@ filebeat.inputs:
 {%- endif %}
+{%- if grains.role == 'so-idh' %}
+- type: log paths: - /nsm/idh/opencanary.log fields: module: opencanary dataset: idh category: host tags: beat-ext processors: - decode_json_fields: fields: ["message"] target: "" add_error_key: true - drop_fields: when: equals: logtype: 1001 fields: ["src_host", "src_port", "dst_host", "dst_port" ] ignore_missing: true - rename: fields: - from: "src_host" to: "source.ip" - from: "src_port" to: "source.port" - from: "dst_host" to: "destination.host" - from: "dst_port" to: "destination.port" ignore_missing: true - convert: fields: - {from: "logtype", to: "event.code", type: "string"} ignore_missing: true - drop_fields: fields: '["prospector", "input", "offset", "beat"]' fields_under_root: true clean_removed: false close_removed: false
+{%- endif %}
 {%- if INPUTS %}
 # USER PILLAR DEFINED INPUTS
 {{ INPUTS | yaml(False) }}
@@ -322,7 +364,7 @@ output.logstash:
 # The Logstash hosts
 hosts:
-{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node'] %}
+{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %}
 {%- set LOGSTASH = namespace() %}
 {%- set LOGSTASH.count = 0 %}
 {%- set LOGSTASH.loadbalance = false %}
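Review bot: The last `drop_fields` processor in the new so-idh input wraps its field list in quotes, `fields: '["prospector", "input", "offset", "beat"]'`, so Filebeat receives one string instead of a list of four field names and, as far as I can tell, looks for a field literally named `["prospector", "input", "offset", "beat"]` — a silent no-op that leaves the `input`/`offset`/`beat` metadata on every OpenCanary event, whereas the earlier `drop_fields` in the same block correctly uses an unquoted list. Changing it to `fields: ["prospector", "input", "offset", "beat"]` and adding `ignore_missing: true` would match that earlier processor and avoid the errors drop_fields may log when a field (such as the pre-7.x `prospector`) is absent; if the quoted form was copied from the file's other inputs, they share the problem. Separately, `src_host` is renamed to `source.ip` but `dst_host` to `destination.host`; if `dst_host` carries an address the way `src_host` does, `destination.ip` keeps the two sides symmetric and ECS-aligned, otherwise a comment saying what `dst_host` holds would help. A one-line comment above the conditional `drop_fields` naming which OpenCanary message class `logtype: 1001` is, and why its address fields are dropped, would also spare the next maintainer a lookup. The enclosing `filebeat.inputs:` sequence starts before this hunk.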