From b06c16f750fae2ead9f26d02362e9ab8b5b6d5d9 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:53:00 +0000 Subject: [PATCH 1/4] Add ingest node pipeline for Kratos --- salt/elasticsearch/files/ingest/kratos | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/kratos diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos new file mode 100644 index 000000000..dc93e888d --- /dev/null +++ b/salt/elasticsearch/files/ingest/kratos @@ -0,0 +1,13 @@ +{ + "description" : "kratos", + "processors" : [ + { + "set": { + "field": "_index", + "value": "so-kratos", + "override": true + } + }, + { "pipeline": { "name": "common" } } + ] +} From 764e8688b108547158993abebb3972b1f9e6dc51 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:53:55 +0000 Subject: [PATCH 2/4] Modify Kratos input to use dedicated index and add filestream ID for all applicable inputs --- salt/filebeat/etc/filebeat.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 04a3351a3..176007bae 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -118,6 +118,7 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} - type: filestream + id: logscan paths: - /logs/logscan/alerts.log fields: @@ -135,6 +136,7 @@ filebeat.inputs: {%- if ZEEKVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} - type: filestream + id: zeek-{{ LOGNAME }} paths: - /nsm/zeek/logs/current/{{ LOGNAME }}.log fields: @@ -150,6 +152,7 @@ filebeat.inputs: close_removed: false - type: filestream + id: import-zeek={{ LOGNAME }} paths: - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log fields: @@ -174,6 +177,7 @@ filebeat.inputs: {%- endif %} - type: filestream + id: suricata-eve paths: - /nsm/suricata/eve*.json fields: @@ -190,6 +194,7 @@ filebeat.inputs: close_removed: false - type: filestream + id: import-suricata paths: - /nsm/import/*/suricata/eve*.json fields: @@ -212,6 +217,7 @@ filebeat.inputs: close_removed: false {%- if STRELKAENABLED == 1 %} - type: filestream + id: strelka paths: - /nsm/strelka/log/strelka.log fields: @@ -233,6 +239,7 @@ filebeat.inputs: {%- if WAZUHENABLED == 1 %} - type: filestream + id: wazuh paths: - /wazuh/archives/archives.json fields: @@ -251,6 +258,7 @@ filebeat.inputs: {%- if FLEETMANAGER or FLEETNODE %} - type: filestream + id: osquery paths: - /nsm/osquery/fleet/result.log fields: @@ -321,12 +329,12 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} - type: filestream + id: kratos paths: - /logs/kratos/kratos.log fields: module: kratos category: host - tags: beat-ext processors: - decode_json_fields: fields: ["message"] @@ -344,6 +352,7 @@ filebeat.inputs: target: '' fields: event.dataset: access + pipeline: "kratos" fields_under_root: true clean_removed: false close_removed: false @@ -351,6 +360,7 @@ filebeat.inputs: {%- if grains.role == 'so-idh' %} - type: filestream + id: idh paths: - /nsm/idh/opencanary.log fields: From 26698cfd07c43b6ba52f5fbc71e1a6e9e16c3dd1 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:55:55 +0000 Subject: [PATCH 3/4] Add Logstash output for dedicated Kratos index --- .../config/so/9802_output_kratos.conf.jinja | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja diff --git a/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja new file mode 100644 index 000000000..c57b16055 --- /dev/null +++ b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja @@ -0,0 +1,22 @@ +{%- if grains['role'] == 'so-eval' -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} +{%- else %} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} +output { + if [module] =~ "kratos" and "import" not in [tags] { + elasticsearch { + pipeline => "kratos" + hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" +{% endif %} + index => "so-kratos" + ssl => true + ssl_certificate_verification => false + } + } +} From 5c90fce3a1d623efe599e6b80b98e0cfdcb64e6a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 8 Jul 2022 15:58:00 +0000 Subject: [PATCH 4/4] Add Kratos Logstash output to search pipeline for Logstash --- pillar/logstash/search.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index ebe133056..cd810106d 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -14,4 +14,5 @@ logstash: - so/9700_output_strelka.conf.jinja - so/9800_output_logscan.conf.jinja - so/9801_output_rita.conf.jinja + - so/9802_output_kratos.conf.jinja - so/9900_output_endgame.conf.jinja