CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 18:22:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make new ECS changes Elastic-auth compatible

Browse Source
This commit is contained in:
Jason Ertel
2021-06-14 12:13:50 -04:00
parent fca1c6e957
commit 37f4caf536
3 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
salt/common/tools/sbin/so-elastalert-create
View File

@@ -145,9 +145,9 @@ EOF
rulename=$(echo ${raw_rulename,,} | sed 's/ /_/g') rulename=$(echo ${raw_rulename,,} | sed 's/ /_/g')
cat << EOF >> "$rulename.yaml" cat << EOF >> "$rulename.yaml"
# Elasticsearch Host # Elasticsearch Host Override (optional)
es_host: elasticsearch # es_host: elasticsearch
es_port: 9200 # es_port: 9200
# (Required) # (Required)
# Rule name, must be unique # Rule name, must be unique

6
salt/common/tools/sbin/so-filebeat-module-setup
View File

@@ -31,7 +31,7 @@ echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
ELASTICSEARCH_CONNECTED="no" ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 240 ]]; do while [[ "$COUNT" -le 240 ]]; do
curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes" ELASTICSEARCH_CONNECTED="yes"
echo "connected!" echo "connected!"
@@ -48,8 +48,8 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo echo
fi fi
echo "Testing to see if the pipelines are already applied" echo "Testing to see if the pipelines are already applied"
ESVER=$(curl -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
PIPELINES=$(curl -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c) PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c)
if [[ "$PIPELINES" -lt 5 ]]; then if [[ "$PIPELINES" -lt 5 ]]; then
echo "Setting up ingest pipeline(s)" echo "Setting up ingest pipeline(s)"

4
salt/filebeat/etc/module-setup.yml
View File

@@ -3,8 +3,12 @@
{%- else %} {%- else %}
{%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGER = salt['grains.get']('master') %}
{%- endif %} {%- endif %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', '') %}
output.elasticsearch: output.elasticsearch:
enabled: true enabled: true
hosts: ["https://{{ MANAGER }}:9200"] hosts: ["https://{{ MANAGER }}:9200"]
username: "{{ ES_USER }}"
password: "{{ ES_PASS }}"
ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]