CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix zeek logs in filebeat

Browse Source
This commit is contained in:
Mike Reeves
2022-09-26 17:11:10 -04:00
parent aa7dd47b00
commit 37c98c14cd
2 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/filebeat/defaults.yaml
View File

@@ -1,6 +1,5 @@
filebeat: filebeat:
config: config:
zeek_logs_enabled: zeek_logs_enabled:
- conn - conn
- dce_rpc - dce_rpc

6
salt/filebeat/etc/filebeat.yml
View File

@@ -131,7 +131,11 @@ filebeat.inputs:
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
{%- if ZEEKVER != 'SURICATA' %} {%- if ZEEKVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('filebeat:zeek_logs_enabled', '') %} {% import_yaml 'filebeat/defaults.yaml' as FBD with context %}
{% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %}
{%- for LOGNAME in FBCONFIG.zeek_logs_enabled %}
- type: filestream - type: filestream
id: zeek-{{ LOGNAME }} id: zeek-{{ LOGNAME }}
paths: paths: