Remove old modules

salt/common/tools/sbin/so-filebeat-module-setup

@@ -49,6 +49,12 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
 fi
 
 echo "Setting up ingest pipeline(s)"
-docker exec -it so-filebeat filebeat setup modules -pipelines -modules activemq,apache,auditd,aws,azure,barracuda,bluecoat,cef,checkpoint,cisco,coredns,crowdstrike,cyberark,cylance,elasticsearch,envoyproxy,f5,fortinet,gcp,google_workspace,googlecloud,gsuite,haproxy,ibmmq,icinga,iis,imperva,infoblox,iptables,juniper,kafka,kibana,logstash,microsoft,misp,mondogb,mssql,mysql,mysqlenterprise,nats,netflow,netscout,nginx,o365,okta,osquery,panw,pensando,postgresql,rabbitmq,radware,redis,santa,snort,snyk,sonicwall,sophos,squid,suricata,system,threatintel,tomcat,traefik,zeek,zoom,zscaler -c $FB_MODULE_YML
+
+for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler
+do
+  echo "Loading $MODULE"
+  docker exec -it so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML
+  sleep 2
+done
 
 

salt/common/tools/sbin/so-zeek-logs

@@ -14,7 +14,6 @@ whiptail_manager_adv_service_zeeklogs() {
   "conn" "Connection Logging" ON \
   "dce_rpc" "RPC Logs" ON \
   "dhcp" "DHCP Logs" ON \
-  "dhcpv6" "DHCP IPv6 Logs" ON \
   "dnp3" "DNP3 Logs" ON \
   "dns" "DNS Logs" ON \
   "dpd" "DPD Logs" ON \
@@ -25,25 +24,20 @@ whiptail_manager_adv_service_zeeklogs() {
   "irc" "IRC Chat Logs" ON \
   "kerberos" "Kerberos Logs" ON \
   "modbus" "MODBUS Logs" ON \
-  "mqtt" "MQTT Logs" ON \
   "notice" "Zeek Notice Logs" ON \
   "ntlm" "NTLM Logs" ON \
-  "openvpn" "OPENVPN Logs" ON \
   "pe" "PE Logs" ON \
   "radius" "Radius Logs" ON \
   "rfb" "RFB Logs" ON \
   "rdp" "RDP Logs" ON \
-  "signatures" "Signatures Logs" ON \
   "sip" "SIP Logs" ON \
   "smb_files" "SMB Files Logs" ON \
   "smb_mapping" "SMB Mapping Logs" ON \
   "smtp" "SMTP Logs" ON \
   "snmp" "SNMP Logs" ON \
-  "software" "Software Logs" ON \
   "ssh" "SSH Logs" ON \
   "ssl" "SSL Logs" ON \
   "syslog" "Syslog Logs" ON \
-  "telnet" "Telnet Logs" ON \
   "tunnel" "Tunnel Logs" ON \
   "weird" "Zeek Weird Logs" ON \
   "mysql" "MySQL Logs" ON \

salt/filebeat/etc/module_config.yml.jinja

@@ -3,7 +3,7 @@
 - module: {{ module }}
   {%- for fileset in MODULES.modules[module] %}
   {{ fileset }}:
-    enabled: {{ MODULES.modules[module][fileset].enabled }}
+    enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }}
     {#- only manage the settings if the fileset is enabled #}
     {%- if MODULES.modules[module][fileset].enabled %}
       {%- for var, value in MODULES.modules[module][fileset].items() %}

salt/filebeat/securityoniondefaults.yaml

@@ -21,6 +21,8 @@ securityonion_filebeat:
       log:
         enabled: true
         var.paths: ["/logs/redis.log"]
+      slowlog:
+        enabled: false
     suricata:
       eve:
         enabled: true

salt/filebeat/thirdpartydefaults.yaml

@@ -199,12 +199,6 @@ third_party_filebeat:
     okta:
       system:
         enabled: false
-    pesando:
-      dfw:
-        enabled: false 
-        var.input: udp
-        var.syslog_host: 0.0.0.0
-        var.syslog_port: 9001
     proofpoint:
       emailsecurity:
         enabled: false 
@@ -251,17 +245,6 @@ third_party_filebeat:
         var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9520
-    threatintel:
-      abuseurl:
-        enabled: false
-      abusemalware:
-        enabled: false
-      misp: 
-        enabled: false
-      otx:
-        enabled: false 
-      anomali:
-        enabled: false
     tomcat:
       log:
         enabled: false 

salt/zeek/init.sls

@@ -183,6 +183,8 @@ so-zeek:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
     - start: {{ START }}
     - privileged: True
+    - ulimits:
+      - core=0
     - binds:
       - /nsm/zeek/logs:/nsm/zeek/logs:rw
       - /nsm/zeek/spool:/nsm/zeek/spool:rw

setup/so-functions

@@ -2827,7 +2827,6 @@ zeek_logs_enabled() {
 			"    - conn"\
 			"    - dce_rpc"\
 			"    - dhcp"\
-			"    - dhcpv6"\
 			"    - dnp3"\
 			"    - dns"\
 			"    - dpd"\
@@ -2838,25 +2837,20 @@ zeek_logs_enabled() {
 			"    - irc"\
 			"    - kerberos"\
 			"    - modbus"\
-			"    - mqtt"\
 			"    - notice"\
 			"    - ntlm"\
-			"    - openvpn"\
 			"    - pe"\
 			"    - radius"\
 			"    - rfb"\
 			"    - rdp"\
-			"    - signatures"\
 			"    - sip"\
 			"    - smb_files"\
 			"    - smb_mapping"\
 			"    - smtp"\
 			"    - snmp"\
-			"    - software"\
 			"    - ssh"\
 			"    - ssl"\
 			"    - syslog"\
-			"    - telnet"\
 			"    - tunnel"\
 			"    - weird"\
 			"    - mysql"\

setup/so-whiptail

@@ -1154,7 +1154,6 @@ whiptail_manager_adv_service_zeeklogs() {
 	"conn" "Connection Logging" ON \
 	"dce_rpc" "RPC Logs" ON \
 	"dhcp" "DHCP Logs" ON \
-	"dhcpv6" "DHCP IPv6 Logs" ON \
 	"dnp3" "DNP3 Logs" ON \
 	"dns" "DNS Logs" ON \
 	"dpd" "DPD Logs" ON \
@@ -1165,25 +1164,20 @@ whiptail_manager_adv_service_zeeklogs() {
 	"irc" "IRC Chat Logs" ON \
 	"kerberos" "Kerberos Logs" ON \
 	"modbus" "MODBUS Logs" ON \
-	"mqtt" "MQTT Logs" ON \
 	"notice" "Zeek Notice Logs" ON \
 	"ntlm" "NTLM Logs" ON \
-	"openvpn" "OPENVPN Logs" ON \
 	"pe" "PE Logs" ON \
 	"radius" "Radius Logs" ON \
 	"rfb" "RFB Logs" ON \
 	"rdp" "RDP Logs" ON \
-	"signatures" "Signatures Logs" ON \
 	"sip" "SIP Logs" ON \
 	"smb_files" "SMB Files Logs" ON \
 	"smb_mapping" "SMB Mapping Logs" ON \
 	"smtp" "SMTP Logs" ON \
 	"snmp" "SNMP Logs" ON \
-	"software" "Software Logs" ON \
 	"ssh" "SSH Logs" ON \
 	"ssl" "SSL Logs" ON \
 	"syslog" "Syslog Logs" ON \
-	"telnet" "Telnet Logs" ON \
 	"tunnel" "Tunnel Logs" ON \
 	"weird" "Zeek Weird Logs" ON \
 	"mysql" "MySQL Logs" ON \