Update all configs to pass user/pass to ES

salt/curator/files/curator.yml

@@ -3,6 +3,8 @@
 {% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %}
   {%- set elasticsearch = salt['pillar.get']('manager:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %})
 
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
@@ -11,6 +13,8 @@ client:
   hosts:
     - {{elasticsearch}}
   port: 9200
+  username: {{ ES_USER }}
+  password: {{ ES_PASS }}
   url_prefix:
   use_ssl: True
   certificate:

salt/elastalert/defaults.yaml

@@ -1,3 +1,5 @@
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %})
 elastalert:
   config:
     rules_folder: /opt/elastalert/rules/
@@ -19,8 +21,8 @@ elastalert:
     use_ssl: true
     verify_certs: false
     #es_send_get_body_as: GET
-    #es_username: someusername
+    es_username: {{ ES_USER }}
-    #es_password: somepassword
+    es_password: {{ ES_PASS }}
     writeback_index: elastalert_status
     alert_time_limit:
       days: 2

salt/filebeat/etc/filebeat.yml

@@ -3,6 +3,8 @@
 {%- else %}
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', '') %})
 
 
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
@@ -261,6 +263,8 @@ output.{{ type }}:
 output.elasticsearch:
   enabled: true
   hosts: ["https://{{ MANAGER }}:9200"]
+  username: "{{ ES_USER }}"
+  password: "{{ ES_PASS }}"
   ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
   pipelines:
     - pipeline: "%{[module]}.%{[dataset]}"

salt/kibana/etc/kibana.yml

@@ -1,14 +1,16 @@
 ---
 # Default Kibana configuration from kibana-docker.
 {%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass', '') %})
 server.name: kibana
 server.host: "0"
 server.basePath: /kibana
 elasticsearch.hosts: [ "https://{{ ES }}:9200" ]
 elasticsearch.ssl.verificationMode: none
 #kibana.index: ".kibana"
-#elasticsearch.username: elastic
+elasticsearch.username: {{ ES_USER }}
-#elasticsearch.password: changeme
+elasticsearch.password: {{ ES_PASS }}
 #xpack.monitoring.ui.container.elasticsearch.enabled: true
 elasticsearch.requestTimeout: 90000
 logging.dest: /var/log/kibana/kibana.log

salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [module] =~ "zeek" and "import" not in [tags] {
     elasticsearch {
       pipeline => "%{module}.%{dataset}"
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-zeek"
       template_name => "so-zeek"
       template => "/templates/so-zeek-template.json"

salt/logstash/pipelines/config/so/9002_output_import.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if "import" in [tags] {
     elasticsearch {
       pipeline => "%{module}.%{dataset}"
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-import"
       template_name => "so-import"
       template => "/templates/so-import-template.json"

salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja

@@ -3,10 +3,14 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [event_type] == "sflow" {
     elasticsearch {
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-flow"
       template_name => "so-flow"
       template => "/templates/so-flow-template.json"

salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja

@@ -3,10 +3,14 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [event_type] == "ids" and "import" not in [tags] {
     elasticsearch {
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-ids"
       template_name => "so-ids"
       template => "/templates/so-ids-template.json"

salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [module] =~ "syslog" {
     elasticsearch {
       pipeline => "%{module}"
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-syslog"
       template_name => "so-syslog"
       template => "/templates/so-syslog-template.json"

salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_pass:pass', '') %})
 output {
   if [module] =~ "osquery" and "live_query" not in [dataset] {
     elasticsearch {
       pipeline => "%{module}.%{dataset}" 
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-osquery"
       template_name => "so-osquery"
       template => "/templates/so-osquery-template.json"

salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja

@@ -3,6 +3,8 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 
 filter {
@@ -30,6 +32,8 @@ output {
     elasticsearch {
       pipeline => "osquery.live_query" 
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-osquery"
       template_name => "so-osquery"
       template => "/templates/so-osquery-template.json"

salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja

@@ -3,10 +3,14 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [dataset] =~ "firewall" {
     elasticsearch {
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-firewall"
       template_name => "so-firewall"
       template => "/templates/so-firewall-template.json"

salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [module] =~ "suricata" and "import" not in [tags] {
     elasticsearch {
       pipeline => "%{module}.%{dataset}"
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-ids"
       template_name => "so-ids" 
       template => "/templates/so-ids-template.json"

salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if "beat-ext" in [tags] and "import" not in [tags] {
     elasticsearch {
       pipeline => "beats.common" 
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-beats"
       template_name => "so-beats"
       template => "/templates/so-beats-template.json"

salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [module] =~ "ossec" {
     elasticsearch {
       pipeline => "%{module}"
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-ossec"
       template_name => "so-ossec"
       template => "/templates/so-ossec-template.json"

salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja

@@ -3,11 +3,15 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', '') %})
 output {
   if [module] =~ "strelka" {
     elasticsearch {
       pipeline => "%{module}.%{dataset}" 
       hosts => "{{ ES }}"
+      username => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
       index => "so-strelka"
       template_name => "so-strelka"
       template => "/templates/so-strelka-template.json"

salt/soc/files/soc/soc.json

@@ -18,6 +18,8 @@
 {%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
 {%- import_json "soc/files/soc/tools.json" as tools %}
 {%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}) 
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}) 
 
 {
   "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
@@ -47,8 +49,8 @@
         {%- endfor %}
         ],
         {%- endif %}
-        "username": "",
+        "username": "{{ ES_USER }}",
-        "password": "",
+        "password": "{{ ES_PASS }}",
         "cacheMs": {{ ES_FIELDCAPS_CACHE }},
         "verifyCert": false,
         "timeoutMs": {{ API_TIMEOUT }}

salt/soctopus/files/SOCtopus.conf

@@ -3,13 +3,14 @@
 {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %}
 {%- set PLAYBOOK_KEY = salt['pillar.get']('playbook:api_key', '') %}
-
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %})
 
 [es]
 es_url = https://{{MANAGER}}:9200
 es_ip = {{MANAGER}}
-es_user = 
+es_user = {{ ES_USER }}
-es_pass = 
+es_pass = {{ ES_PASS }}
 es_index_pattern = so-*
 es_verifycert = no
 

salt/telegraf/etc/telegraf.conf

@@ -14,6 +14,8 @@
 # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR)
 
 {%- set MANAGER = salt['grains.get']('master') %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %})
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %})
 {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %}
 {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
@@ -620,10 +622,14 @@
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone']   %}
  [[inputs.elasticsearch]]
    servers = ["https://{{ MANAGER }}:9200"]
+   username = "{{ ES_USER }}"
+   password = "{{ ES_PASS }}"
    insecure_skip_verify = true
 {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']  %}
  [[inputs.elasticsearch]]
    servers = ["https://{{ NODEIP }}:9200"]
+   username = "{{ ES_USER }}"
+   password = "{{ ES_PASS }}"
    insecure_skip_verify = true
 {% endif %}