diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh
old mode 100755
new mode 100644
diff --git a/pillar/firewall/addfirewall.sh b/pillar/firewall/addfirewall.sh
old mode 100755
new mode 100644
diff --git a/pillar/masters/example.sls b/pillar/masters/example.sls
new file mode 100644
index 000000000..28c9ed139
--- /dev/null
+++ b/pillar/masters/example.sls
@@ -0,0 +1,10 @@
+# Example Pillar file for a master
+master:
+ esaccessip: 127.0.0.1
+ esheap: CHANGEME
+ esclustername: {{ grains.host }}
+ freq: 0
+ domainstats: 0
+ lsheap: 1500m
+ lsaccessip: 127.0.0.1
+ elastalert: 1
\ No newline at end of file
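Review bot: `esclustername: {{ grains.host }}` is expanded by Jinja before the YAML pass under Salt's default `jinja|yaml` renderer, so a hostname that YAML would retype (all digits, or a boolean-looking word such as `no`) lands in the pillar as an int or bool rather than a string; quoting the templated value, `esclustername: "{{ grains.host }}"`, keeps it a string in every case. The remaining keys (`freq`, `domainstats`, `elastalert`) are bare 0/1 flags with nothing saying what each one enables; a one-line comment above each key would make this example usable without reading the states that consume it. The file also ends without a trailing newline.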
diff --git a/pillar/nodes/example.sls b/pillar/nodes/example.sls
new file mode 100644
index 000000000..5516e7052
--- /dev/null
+++ b/pillar/nodes/example.sls
@@ -0,0 +1,5 @@
+# Example Pillar file for a sensor
+node:
+ ls_heapsize: CHANGEME
+ es_heapsize: CHANGEME
+ node_type: CHANGEME
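Review bot: The header comment on the first line of this file reads `# Example Pillar file for a sensor`, but the file lives under pillar/nodes and its top-level key is `node`, so the comment was evidently carried over from the sensor example; it should read `# Example Pillar file for a node`. `node_type: CHANGEME` gives no hint of the accepted values, which the states consuming this key define outside this diff; listing them in a comment above the key would save a round trip to the state files. The heap keys here are `ls_heapsize`/`es_heapsize` while pillar/masters/example.sls in the same commit uses `lsheap`/`esheap`; if the consuming states can be aligned, one naming scheme across the examples would be easier to maintain.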
diff --git a/pillar/sensors/example.sls b/pillar/sensors/example.sls
new file mode 100644
index 000000000..753acf1de
--- /dev/null
+++ b/pillar/sensors/example.sls
@@ -0,0 +1,14 @@
+# Example Pillar file for a sensor
+sensor:
+ interface: CHANGEME
+ bro_pins:
+ - 1
+ - 2
+ - 3
+ - 4
+ brobpf:
+ pcapbpf:
+ nidsbpf:
+ s3bucket:
+ s3key:
+
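Review bot: `brobpf`, `pcapbpf`, `nidsbpf`, `s3bucket` and `s3key` are left as bare `key:` entries, which YAML loads as `null` rather than as an empty string, so a consumer that expects a string receives `None` instead; writing the intended empty value explicitly (`brobpf: ''`) or omitting the key so a `pillar.get` default applies removes the ambiguity. `s3key` is a credential slot: the example should show it as a quoted string (`s3key: 'CHANGEME'`) so a real value pasted in is never retyped by YAML, and a comment noting that the live value belongs in a pillar source rendered through Salt's `gpg` renderer rather than in plain text would help whoever fills it in. The trailing `+` line only adds a blank line at end of file.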
diff --git a/salt/auth/init.sls b/salt/auth/init.sls
new file mode 100644
index 000000000..abbe514d3
--- /dev/null
+++ b/salt/auth/init.sls
@@ -0,0 +1,30 @@
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
+so-auth-api-dir:
+ file.directory:
+ - name: /opt/so/conf/auth/api
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+so-auth-api:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
+ - hostname: so-auth-api
+ - name: so-auth-api
+ - environment:
+ - BASE_PATH: "/so-auth/api"
+ - AUTH_TOKEN_TIMEOUT: 32400
+ - binds:
+ - /opt/so/conf/auth/api:/data
+ - port_bindings:
+ - 0.0.0.0:5656:5656
+
+so-auth-ui:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
+ - hostname: so-auth-ui
+ - name: so-auth-ui
+ - port_bindings:
+ - 0.0.0.0:4242:80
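Review bot: Both containers publish on every host interface (`0.0.0.0:5656:5656` for the API, `0.0.0.0:4242:80` for the UI), and the UI is plain HTTP on port 80 inside the container, so unless a host firewall state restricts these ports the auth endpoints are reachable from any network the master sits on; pillar/masters/example.sls in this commit already carries per-service access addresses (`esaccessip`, `lsaccessip`), presumably used as bind addresses elsewhere, and a matching pillar-driven bind address here would keep the exposure consistent and configurable. `so-auth-api` has no dependency on `so-auth-api-dir` although it bind-mounts `/opt/so/conf/auth/api`; definition order makes this work today, but an explicit `- require:` / `- file: so-auth-api-dir` documents the dependency and survives reordering. In the `environment` list `BASE_PATH` is quoted while `AUTH_TOKEN_TIMEOUT: 32400` is not, so it reaches the state as an int rather than a string; quoting it (`- AUTH_TOKEN_TIMEOUT: "32400"`) matches the sibling entry and avoids relying on the state module to coerce it. The directory is created with `user`/`group` 939 but no `mode`; if the auth data under `/data` includes token or user material, a `- mode: 750` (or tighter) is worth adding.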
diff --git a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
new file mode 100644
index 000000000..8e35246eb
--- /dev/null
+++ b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
@@ -0,0 +1,3937 @@
+{
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "This Dashboard provides a general overview of Sensors",
+ "editable": true,
+ "gnetId": 2381,
+ "graphTooltip": 0,
+ "id": 9,
+ "iteration": 1543542047346,
+ "links": [],
+ "panels": [
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "percent",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": true,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_idle"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "* -1 + 100"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "cpu",
+ "operator": "=",
+ "value": "cpu-total"
+ }
+ ]
+ }
+ ],
+ "thresholds": "60,80,90",
+ "title": "{{ SERVERNAME }} - CPU",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "bytes",
+ "gauge": {
+ "maxValue": "{{ ROOTFS }}",
+ "minValue": 0,
+ "show": true,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 4,
+ "y": 0
+ },
+ "id": 12,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": false
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "disk",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "used"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "path",
+ "operator": "=",
+ "value": "/"
+ }
+ ]
+ }
+ ],
+ "thresholds": "{{ ROOTFS * '.80'|float }},{{ ROOTFS * '.90'|float }}",
+ "title": "{{ SERVERNAME }} - Disk Used(/)",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "bytes",
+ "gauge": {
+ "maxValue": "{{ NSMFS }}",
+ "minValue": 0,
+ "show": true,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 8,
+ "y": 0
+ },
+ "id": 31,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": false
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "disk",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "used"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "path",
+ "operator": "=",
+ "value": "/nsm"
+ }
+ ]
+ }
+ ],
+ "thresholds": "{{ NSMFS * '.80'|float }},{{ NSMFS * '.90'|float }}",
+ "title": "{{ SERVERNAME }} - Disk Used(/nsm)",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "percent",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": true,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 12,
+ "y": 0
+ },
+ "id": 20,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "brodrop",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "drop"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "* 100"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": "5,10",
+ "title": "{{ SERVERNAME }} -Zeek Packet Loss",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "percent",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": true,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 16,
+ "y": 0
+ },
+ "id": 21,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "suridrop",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "drop"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "* 100"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": "5,10",
+ "title": "{{ SERVERNAME }} - Suricata Packet Loss",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "percent",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": true,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 20,
+ "y": 0
+ },
+ "id": 19,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "stenodrop",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "drop"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": "5,10",
+ "title": "{{ SERVERNAME }} - PCAP Packet Loss",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "aliasColors": {
+ "Interrupt": "#70DBED",
+ "Nice": "#629E51",
+ "SoftIRQ": "#EA6460",
+ "System": "#BF1B00",
+ "User": "#1F78C1",
+ "Wait": "#F2C96D",
+ "cpu.mean": "#629E51"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 4,
+ "grid": {},
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 5
+ },
+ "id": 4,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 2,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "System",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_system"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "cpu",
+ "operator": "=",
+ "value": "cpu-total"
+ }
+ ]
+ },
+ {
+ "alias": "User",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_user"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "cpu",
+ "operator": "=",
+ "value": "cpu-total"
+ }
+ ]
+ },
+ {
+ "alias": "Nice",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "C",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_nice"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "cpu",
+ "operator": "=",
+ "value": "cpu-total"
+ }
+ ]
+ },
+ {
+ "alias": "Interrupt",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "D",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_irq"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "cpu",
+ "operator": "=",
+ "value": "cpu-total"
+ }
+ ]
+ },
+ {
+ "alias": "Wait",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "E",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_iowait"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "cpu",
+ "operator": "=",
+ "value": "cpu-total"
+ }
+ ]
+ },
+ {
+ "alias": "SoftIRQ",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "F",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_softirq"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "cpu",
+ "operator": "=",
+ "value": "cpu-total"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - CPU Usage",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "percent",
+ "label": "Percent(%)",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": true,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "s",
+ "gauge": {
+ "maxValue": 1209600,
+ "minValue": 0,
+ "show": true,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 8,
+ "y": 5
+ },
+ "id": 22,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "pcapage",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "seconds"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": "259200,432000",
+ "title": "{{ SERVERNAME }} - PCAP Retention",
+ "type": "singlestat",
+ "valueFontSize": "70%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current",
+ "decimals": 1
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "percent",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 12,
+ "y": 5
+ },
+ "id": 26,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_percent"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ " / {{ CPUS }}"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-zeek"
+ }
+ ]
+ }
+ ],
+ "thresholds": "",
+ "title": "{{ SERVERNAME }} - Zeek CPU Usage",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "percent",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 16,
+ "y": 5
+ },
+ "id": 27,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_percent"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ " / {{ CPUS }}"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-suricata"
+ }
+ ]
+ }
+ ],
+ "thresholds": "",
+ "title": "{{ SERVERNAME }} - Suri CPU Usage",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "percent",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 20,
+ "y": 5
+ },
+ "id": 28,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_cpu",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage_percent"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ " / {{ CPUS }}"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-steno"
+ }
+ ]
+ }
+ ],
+ "thresholds": "",
+ "title": "{{ SERVERNAME }} - Steno CPU Usage",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "bits",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 8,
+ "y": 10
+ },
+ "id": 3,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": false,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "mem",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "active"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": "",
+ "title": "{{ SERVERNAME }} - Memory(Used)",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "decbytes",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 12,
+ "y": 10
+ },
+ "id": 23,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_mem",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-zeek"
+ }
+ ]
+ }
+ ],
+ "thresholds": "",
+ "title": "{{ SERVERNAME }} - Zeek Memory Usage",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "decbytes",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 16,
+ "y": 10
+ },
+ "id": 24,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_mem",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-suricata"
+ }
+ ]
+ }
+ ],
+ "thresholds": "",
+ "title": "{{ SERVERNAME }} - Suri Memory Usage",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "format": "decbytes",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 20,
+ "y": 10
+ },
+ "id": 25,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_mem",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "usage"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-steno"
+ }
+ ]
+ }
+ ],
+ "thresholds": "",
+ "title": "{{ SERVERNAME }} - Steno Memory Usage",
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "aliasColors": {
+ "Buffered": "#6ED0E0",
+ "Cached": "#F9934E",
+ "Free": "#629E51",
+ "Used": "#58140C"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "decimals": null,
+ "editable": true,
+ "error": false,
+ "fill": 6,
+ "grid": {},
+ "gridPos": {
+ "h": 10,
+ "w": 8,
+ "x": 0,
+ "y": 11
+ },
+ "id": 5,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "hideEmpty": false,
+ "hideZero": false,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 0,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": true,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "Used",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "mem",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "used"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "Buffered",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "mem",
+ "policy": "default",
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "buffered"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "Cached",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "mem",
+ "policy": "default",
+ "refId": "C",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "cached"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "Free",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "mem",
+ "policy": "default",
+ "refId": "D",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "free"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Memory",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "transparent": false,
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bytes",
+ "label": "Bytes",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {
+ "InBound": "#629E51",
+ "OutBound": "#5195CE",
+ "net.derivative": "#1F78C1"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 1,
+ "grid": {},
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 8,
+ "y": 15
+ },
+ "id": 18,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 2,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "InBound",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "net",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "query": "SELECT 8 * derivative(mean(\"bytes_recv\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
+ "rawQuery": false,
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "bytes_recv"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "1s"
+ ],
+ "type": "derivative"
+ },
+ {
+ "params": [
+ "*8"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "interface",
+ "operator": "=",
+ "value": "{{ MONINT }}"
+ }
+ ]
+ },
+ {
+ "alias": "OutBound",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "net",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "query": "SELECT 8 * derivative(mean(\"bytes_sent\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
+ "rawQuery": false,
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "bytes_sent"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "1s"
+ ],
+ "type": "derivative"
+ },
+ {
+ "params": [
+ "*8"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "interface",
+ "operator": "=",
+ "value": "{{ MONINT }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Monitor Traffic",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bps",
+ "label": "Bits/Sec",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 1,
+ "grid": {},
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 15
+ },
+ "id": 13,
+ "legend": {
+ "avg": false,
+ "current": true,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 2,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "Read",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "diskio",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "read_bytes"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [],
+ "type": "difference"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "Write",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "diskio",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "write_bytes"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [],
+ "type": "difference"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Disk I/O",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bytes",
+ "label": "",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {
+ "1 Minute Average": "#EAB839",
+ "15 Minute Average": "#BF1B00",
+ "5 Minute Average": "#E0752D"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 1,
+ "grid": {},
+ "gridPos": {
+ "h": 8,
+ "w": 8,
+ "x": 0,
+ "y": 21
+ },
+ "id": 6,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 2,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "1 Minute Average",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "system",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "load1"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "5 Minute Average",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "system",
+ "policy": "default",
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "load5"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "15 Minute Average",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "system",
+ "policy": "default",
+ "refId": "C",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "load15"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Load Average",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {
+ "Blocked": "#BF1B00",
+ "Running": "#7EB26D"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 7,
+ "grid": {},
+ "gridPos": {
+ "h": 8,
+ "w": 8,
+ "x": 16,
+ "y": 21
+ },
+ "id": 14,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 0,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": true,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "Blocked",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "hide": false,
+ "measurement": "processes",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "blocked"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "Running",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "processes",
+ "policy": "default",
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "running"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ },
+ {
+ "alias": "Sleep",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "processes",
+ "policy": "default",
+ "refId": "C",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "sleeping"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Processes",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {
+ "InBound": "#629E51",
+ "OutBound": "#5195CE",
+ "net.derivative": "#1F78C1"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 1,
+ "grid": {},
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 8,
+ "y": 22
+ },
+ "id": 10,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 2,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "InBound",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "net",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "query": "SELECT 8 * derivative(mean(\"bytes_recv\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
+ "rawQuery": false,
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "bytes_recv"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "1s"
+ ],
+ "type": "derivative"
+ },
+ {
+ "params": [
+ "*8"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "interface",
+ "operator": "=",
+ "value": "{{ MANINT }}"
+ }
+ ]
+ },
+ {
+ "alias": "OutBound",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "net",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "query": "SELECT 8 * derivative(mean(\"bytes_sent\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
+ "rawQuery": false,
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "bytes_sent"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "1s"
+ ],
+ "type": "derivative"
+ },
+ {
+ "params": [
+ "*8"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "interface",
+ "operator": "=",
+ "value": "{{ MANINT }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Management Traffic",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bps",
+ "label": "Bits/Sec",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 1,
+ "grid": {},
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 0,
+ "y": 29
+ },
+ "id": 15,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 2,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "Threads",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "processes",
+ "policy": "default",
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "total_threads"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Total Threads",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {
+ "InBound": "#629E51",
+ "OutBound": "#5195CE",
+ "net.derivative": "#1F78C1"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "InfluxDB",
+ "editable": true,
+ "error": false,
+ "fill": 1,
+ "grid": {},
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 8,
+ "y": 29
+ },
+ "id": 29,
+ "legend": {
+ "alignAsTable": true,
+ "avg": true,
+ "current": true,
+ "max": true,
+ "min": true,
+ "show": true,
+ "total": false,
+ "values": true
+ },
+ "lines": true,
+ "linewidth": 2,
+ "links": [],
+ "nullPointMode": "connected",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "alias": "InBound",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_net",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "query": "SELECT 8 * derivative(mean(\"bytes_recv\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
+ "rawQuery": false,
+ "refId": "A",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "rx_bytes"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "1s"
+ ],
+ "type": "derivative"
+ },
+ {
+ "params": [
+ "*8"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-filebeat"
+ }
+ ]
+ },
+ {
+ "alias": "OutBound",
+ "dsType": "influxdb",
+ "groupBy": [
+ {
+ "params": [
+ "$Interval"
+ ],
+ "type": "time"
+ },
+ {
+ "params": [
+ "null"
+ ],
+ "type": "fill"
+ }
+ ],
+ "measurement": "docker_container_net",
+ "orderByTime": "ASC",
+ "policy": "default",
+ "query": "SELECT 8 * derivative(mean(\"bytes_sent\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
+ "rawQuery": false,
+ "refId": "B",
+ "resultFormat": "time_series",
+ "select": [
+ [
+ {
+ "params": [
+ "tx_bytes"
+ ],
+ "type": "field"
+ },
+ {
+ "params": [],
+ "type": "mean"
+ },
+ {
+ "params": [
+ "1s"
+ ],
+ "type": "derivative"
+ },
+ {
+ "params": [
+ "*8"
+ ],
+ "type": "math"
+ }
+ ]
+ ],
+ "tags": [
+ {
+ "key": "host",
+ "operator": "=",
+ "value": "{{ SERVERNAME }}"
+ },
+ {
+ "condition": "AND",
+ "key": "container_name",
+ "operator": "=",
+ "value": "so-filebeat"
+ }
+ ]
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "{{ SERVERNAME }} - Filebeat Traffic",
+ "tooltip": {
+ "msResolution": true,
+ "shared": true,
+ "sort": 0,
+ "value_type": "cumulative"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bps",
+ "label": "Bits/Sec",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ }
+ ],
+ "refresh": false,
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": [
+ {
+ "auto": true,
+ "auto_count": 30,
+ "auto_min": "10s",
+ "current": {
+ "text": "10s",
+ "value": "10s"
+ },
+ "hide": 0,
+ "label": null,
+ "name": "Interval",
+ "options": [
+ {
+ "selected": false,
+ "text": "auto",
+ "value": "$__auto_interval_Interval"
+ },
+ {
+ "selected": true,
+ "text": "10s",
+ "value": "10s"
+ },
+ {
+ "selected": false,
+ "text": "1m",
+ "value": "1m"
+ },
+ {
+ "selected": false,
+ "text": "10m",
+ "value": "10m"
+ },
+ {
+ "selected": false,
+ "text": "30m",
+ "value": "30m"
+ },
+ {
+ "selected": false,
+ "text": "1h",
+ "value": "1h"
+ },
+ {
+ "selected": false,
+ "text": "6h",
+ "value": "6h"
+ },
+ {
+ "selected": false,
+ "text": "12h",
+ "value": "12h"
+ },
+ {
+ "selected": false,
+ "text": "1d",
+ "value": "1d"
+ },
+ {
+ "selected": false,
+ "text": "7d",
+ "value": "7d"
+ },
+ {
+ "selected": false,
+ "text": "14d",
+ "value": "14d"
+ },
+ {
+ "selected": false,
+ "text": "30d",
+ "value": "30d"
+ }
+ ],
+ "query": "10s, 1m,10m,30m,1h,6h,12h,1d,7d,14d,30d",
+ "refresh": 2,
+ "skipUrlSync": false,
+ "type": "interval"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-30m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "browser",
+ "title": "Forward Node - {{ SERVERNAME }} Overview",
+ "uid": "{{ UID }}",
+ "version": 12
+}
diff --git a/salt/common/nginx/index.html b/salt/common/nginx/index.html
new file mode 100644
index 000000000..2f832e2c0
--- /dev/null
+++ b/salt/common/nginx/index.html
@@ -0,0 +1,130 @@
+
+
+
+Security Onion - Hybrid Hunter
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Hybrid Hunter Alpha 1.1.4 - Feature Parity Release
+
Changes:
+
+ Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).
+ Web user creation is done via the browser now instead of so-user-add.
+ New Logstash pipeline setup. Now uses multiple pipelines.
+ New Master + Search node type and well as a Heavy Node type in the install.
+ Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.
+ Zeek 3.0.1
+ Elastic 6.8.6
+ New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).
+ BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).
+ Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.
+ Added so-status script which gives an easy to read look at container status.
+ Manage threshold.conf for Suricata using the thresholding pillar.
+ The ISO now includes all the docker containers for faster install speeds.
+ You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.
+ Updated Helix parsers for better compatibility.
+ Updated telegraf docker to include curl and jq.
+ CVE-2020-0601 Zeek Detection Script.
+ ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.
+ Check out the Hybrid Hunter Quick Start Guide .
+
+
+
+
+
+
+
+
diff --git a/salt/common/tools/sbin/so-auth-restart b/salt/common/tools/sbin/so-auth-restart
new file mode 100644
index 000000000..8659b1e3a
--- /dev/null
+++ b/salt/common/tools/sbin/so-auth-restart
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart auth $1
+
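Review bot: The positional argument on the last line is passed unquoted, `/usr/sbin/so-restart auth $1`, so a value containing whitespace or glob characters is word-split and expanded before so-restart sees it; `/usr/sbin/so-restart auth ${1:+"$1"}` keeps it as a single word while still passing nothing when no argument was given. The same line shape appears in so-auth-start and so-auth-stop in this commit. Separately, the three wrappers are added with `new file mode 100644` while carrying a `#!/bin/bash` shebang; unless the Salt state that installs them into sbin sets the file mode (not visible here), they will not be executable on the target.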
diff --git a/salt/common/tools/sbin/so-auth-start b/salt/common/tools/sbin/so-auth-start
new file mode 100644
index 000000000..5330f662d
--- /dev/null
+++ b/salt/common/tools/sbin/so-auth-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start auth $1
diff --git a/salt/common/tools/sbin/so-auth-stop b/salt/common/tools/sbin/so-auth-stop
new file mode 100644
index 000000000..5ca6db7e2
--- /dev/null
+++ b/salt/common/tools/sbin/so-auth-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop auth $1
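Review bot: The last line passes `$1` unquoted to so-stop, so word splitting and globbing apply to the caller's argument before the callee sees it. Replacing it with `/usr/sbin/so-stop auth "$@"` keeps the argument intact and still passes nothing when the wrapper is invoked bare. As with its start/restart siblings, the file is added with mode 100644 despite the shebang, which only works if the deployment step sets the executable bit.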
diff --git a/salt/elasticsearch/files/ingest/bro_common b/salt/elasticsearch/files/ingest/bro_common
new file mode 100644
index 000000000..98618ce56
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_common
@@ -0,0 +1,9 @@
+{
+ "description" : "bro_common",
+ "processors" : [
+ { "rename": { "field": "@timestamp", "target_field": "timestamp", "ignore_missing": true } },
+ { "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
+ { "remove": { "field": "message2.ts", "ignore_failure": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
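Review bot: Moving `@timestamp` to `timestamp` before the `date` processor runs means that whenever `message2.ts` is absent or fails to parse, the `ignore_failure` on the date step leaves the document with no `@timestamp` at all, since the original value has already been moved away. For a detection pipeline that silently produces events with no event time, which then fall outside any time-bounded query. Replacing `"ignore_failure": true` on the date processor with `"on_failure": [ { "rename": { "field": "timestamp", "target_field": "@timestamp" } } ]` restores the shipper's timestamp in that case, and adding a `set` of a marker tag in the same `on_failure` list would make such documents findable. The `common` pipeline invoked at the end is outside this hunk, so I cannot tell whether it compensates.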
diff --git a/salt/elasticsearch/files/ingest/bro_common_ssl b/salt/elasticsearch/files/ingest/bro_common_ssl
new file mode 100644
index 000000000..faf1666ac
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_common_ssl
@@ -0,0 +1,58 @@
+{
+ "description" : "bro_common_ssl",
+ "processors" : [
+ {
+ "kv": {
+ "field": "certificate_issuer",
+ "field_split": ",",
+ "value_split": "=",
+ "ignore_missing": true,
+ "ignore_failure": true,
+ "include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+ }
+ },
+ { "rename":{ "field": "CN", "target_field": "issuer_common_name", "ignore_failure": true } },
+ { "rename":{ "field": "C", "target_field": "issuer_country_code", "ignore_failure": true } },
+ { "rename":{ "field": "O", "target_field": "issuer_organization", "ignore_failure": true } },
+ { "rename":{ "field": "OU", "target_field": "issuer_organization_unit", "ignore_failure": true } },
+ { "rename":{ "field": "ST", "target_field": "issuer_state", "ignore_failure": true } },
+ { "rename":{ "field": "SN", "target_field": "issuer_surname", "ignore_failure": true } },
+ { "rename":{ "field": "L", "target_field": "issuer_locality", "ignore_failure": true } },
+ { "rename":{ "field": "DC", "target_field": "issuer_distinguised_name", "ignore_failure": true } },
+ { "rename":{ "field": "GN", "target_field": "issuer_given_name", "ignore_failure": true } },
+ { "rename":{ "field": "pseudonym", "target_field": "issuer_pseudonym", "ignore_failure": true } },
+ { "rename":{ "field": "serialNumber", "target_field": "issuer_serial_number", "ignore_failure": true } },
+ { "rename":{ "field": "title", "target_field": "issuer_title", "ignore_failure": true } },
+ { "rename":{ "field": "initials", "target_field": "issuer_initials", "ignore_failure": true } },
+ {
+ "kv": {
+ "field": "certificate_subject",
+ "field_split": ",",
+ "value_split": "=",
+ "ignore_missing": true,
+ "ignore_failure": true,
+ "include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+ }
+ },
+ { "rename":{ "field": "CN", "target_field": "certificate_common_name", "ignore_failure": true } },
+ { "rename":{ "field": "C", "target_field": "certificate_country_code", "ignore_failure": true } },
+ { "rename":{ "field": "O", "target_field": "certificate_organization", "ignore_failure": true } },
+ { "rename":{ "field": "OU", "target_field": "certificate_organization_unit","ignore_failure": true } },
+ { "rename":{ "field": "ST", "target_field": "certificate_state", "ignore_failure": true } },
+ { "rename":{ "field": "SN", "target_field": "certificate_surname", "ignore_failure": true } },
+ { "rename":{ "field": "L", "target_field": "certificate_locality", "ignore_failure": true } },
+ { "rename":{ "field": "GN", "target_field": "certificate_given_name", "ignore_failure": true } },
+ { "rename":{ "field": "pseudonym", "target_field": "certificate_pseudonym", "ignore_failure": true } },
+ { "rename":{ "field": "serialNumber", "target_field": "certificate_serial_number", "ignore_failure": true } },
+ { "rename":{ "field": "title", "target_field": "certificate_title", "ignore_failure": true } },
+ { "rename":{ "field": "initials", "target_field": "certificate_initials", "ignore_failure": true } },
+ { "script":{ "lang": "painless", "source": "ctx.certificate_common_name_length = ctx.certificate_common_name.length()", "ignore_failure": true } },
+ { "script":{ "lang": "painless", "source": "ctx.issuer_common_name_length = ctx.issuer_common_name.length()", "ignore_failure": true } },
+ { "script":{ "lang": "painless", "source": "ctx.server_name_length = ctx.server_name.length()", "ignore_failure": true } },
+ {
+ "pipeline": {
+ "name": "bro_common"
+ }
+ }
+ ]
+}
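Review bot: The rename of `DC` targets `issuer_distinguised_name`, which is both a misspelling and a mislabel: DC is the domainComponent attribute of a DN, not the distinguished name itself, so the field name will mislead anyone building queries on it; `"target_field": "issuer_domain_component"` would be accurate, and the subject `include_keys` list omits DC entirely while the issuer list has it, which looks unintentional. Separately, splitting the DN on a bare `,` breaks on values that contain an escaped or quoted comma (`O=Foo\, Inc.` is common in real certificates), producing truncated or mis-keyed fragments; if Zeek emits RFC 2253-style escaping here, which I cannot confirm from this hunk, a `field_split` such as `"(?<!\\\\),"` that skips `\,` would be safer. Because every kv writes to the document root and each rename has `ignore_failure`, a key that survives from the issuer pass but is absent in the subject would be silently reinterpreted as a subject attribute; an explicit `target_field` on each kv would keep the two passes apart.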
diff --git a/salt/elasticsearch/files/ingest/bro_conn b/salt/elasticsearch/files/ingest/bro_conn
new file mode 100644
index 000000000..b12be156e
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_conn
@@ -0,0 +1,48 @@
+{
+ "description" : "bro_conn",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
+ { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_bytes", "target_field": "original_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_bytes", "target_field": "respond_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.conn_state", "target_field": "connection_state", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_orig", "target_field": "local_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_resp", "target_field": "local_respond", "ignore_missing": true } },
+ { "rename": { "field": "message2.missed_bytes", "target_field": "missed_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.history", "target_field": "history", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_pkts", "target_field": "original_packets", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_ip_bytes", "target_field": "original_ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_pkts", "target_field": "respond_packets", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_ip_bytes", "target_field": "respond_ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.tunnel_parents", "target_field": "tunnel_parents", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_cc", "target_field": "original_country_code","ignore_missing": true } },
+ { "rename": { "field": "message2.resp_cc", "target_field": "respond_country_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sensorname", "target_field": "sensor_name", "ignore_missing": true } },
+ { "script": { "lang": "painless", "source": "ctx.total_bytes = (ctx.original_bytes + ctx.respond_bytes)", "ignore_failure": true } },
+ { "set": { "if": "ctx.connection_state == 'S0'", "field": "connection_state_description", "value": "Connection attempt seen, no reply" } },
+ { "set": { "if": "ctx.connection_state == 'S1'", "field": "connection_state_description", "value": "Connection established, not terminated" } },
+ { "set": { "if": "ctx.connection_state == 'S2'", "field": "connection_state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
+ { "set": { "if": "ctx.connection_state == 'S3'", "field": "connection_state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
+ { "set": { "if": "ctx.connection_state == 'SF'", "field": "connection_state_description", "value": "Normal SYN/FIN completion" } },
+ { "set": { "if": "ctx.connection_state == 'REJ'", "field": "connection_state_description", "value": "Connection attempt rejected" } },
+ { "set": { "if": "ctx.connection_state == 'RSTO'", "field": "connection_state_description", "value": "Connection established, originator aborted (sent a RST)" } },
+ { "set": { "if": "ctx.connection_state == 'RSTR'", "field": "connection_state_description", "value": "Established, responder aborted" } },
+ { "set": { "if": "ctx.connection_state == 'RSTOS0'","field": "connection_state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
+ { "set": { "if": "ctx.connection_state == 'RSTRH'", "field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
+ { "set": { "if": "ctx.connection_state == 'SH'", "field": "connection_state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
+ { "set": { "if": "ctx.connection_state == 'SHR'", "field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
+ { "set": { "if": "ctx.connection_state == 'OTH'", "field": "connection_state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
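Review bot: The `total_bytes` script depends on `ignore_failure` to survive the case where one operand is absent, so any connection missing `original_bytes` or `respond_bytes` (I believe Zeek marks both optional in conn.log, which is not visible here) simply gets no `total_bytes`, and a genuine script error is hidden the same way. Guarding it with `"if": "ctx.original_bytes != null && ctx.respond_bytes != null"` and dropping `ignore_failure` makes the intended skip explicit and lets real failures surface. The fourteen `set` processors for `connection_state_description` would also be one `script` with a map lookup, which is easier to keep in sync with Zeek's state list.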
diff --git a/salt/elasticsearch/files/ingest/bro_dce_rpc b/salt/elasticsearch/files/ingest/bro_dce_rpc
new file mode 100644
index 000000000..105905245
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_dce_rpc
@@ -0,0 +1,20 @@
+{
+ "description" : "bro_dce_rpc",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
+ { "rename": { "field": "message2.named_pipe", "target_field": "named_pipe", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint", "target_field": "endpoint", "ignore_missing": true } },
+ { "rename": { "field": "message2.operation", "target_field": "operation", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
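Review bot: The `json` processor on `message` carries `ignore_failure`, and every rename after it is `ignore_missing`, so a malformed or non-JSON `message` is indexed with none of the fields below populated and no indication that parsing failed. For a security telemetry index that is a silent data-loss path: the document exists, but every query on `source_ip`, `endpoint` or `operation` misses it. Swapping `ignore_failure` for `"on_failure": [ { "set": { "field": "tags", "value": "json_parse_failure" } } ]` keeps the document and makes the failures countable; the same pattern applies to every bro_* pipeline in this commit.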
diff --git a/salt/elasticsearch/files/ingest/bro_dhcp b/salt/elasticsearch/files/ingest/bro_dhcp
new file mode 100644
index 000000000..010d0f85b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_dhcp
@@ -0,0 +1,20 @@
+{
+ "description" : "bro_dhcp",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uids", "target_field": "uid", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.assigned_ip", "target_field": "assigned_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.lease_time", "target_field": "lease_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.assigned_addr", "target_field": "assigned_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_addr", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_addr", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_addr", "target_field": "requested_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.domain", "target_field": "domain_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_name", "target_field": "hostname", "ignore_missing": true } },
+ { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_types", "target_field": "message_types", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
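Review bot: Both `message2.assigned_ip` and `message2.assigned_addr` are renamed to the same `assigned_ip` target, and neither rename has `ignore_failure`; the rename processor errors when the target already exists, so a record carrying both source fields would fail the whole pipeline and be dropped rather than indexed. That combination is presumably rare (the two names look like old- and new-schema variants of the same Zeek field), but the cost is a lost event, so the second rename should at least carry `"ignore_failure": true`. Note also that `message2.uids` lands in `uid`, which every other pipeline here populates from a scalar; that works with a keyword mapping but is worth a comment so nobody assumes `uid` is single-valued.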
diff --git a/salt/elasticsearch/files/ingest/bro_dnp3 b/salt/elasticsearch/files/ingest/bro_dnp3
new file mode 100644
index 000000000..bebb85ecb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_dnp3
@@ -0,0 +1,19 @@
+{
+ "description" : "bro_dnp3",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
+ { "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
+ { "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_dns b/salt/elasticsearch/files/ingest/bro_dns
new file mode 100644
index 000000000..be8d59294
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_dns
@@ -0,0 +1,35 @@
+{
+ "description" : "bro_dns",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
+ { "rename": { "field": "message2.query", "target_field": "query", "ignore_missing": true } },
+ { "rename": { "field": "message2.qclass", "target_field": "query_class", "ignore_missing": true } },
+ { "rename": { "field": "message2.qclass_name", "target_field": "query_class_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.qtype", "target_field": "query_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.qtype_name", "target_field": "query_type_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.rcode", "target_field": "rcode", "ignore_missing": true } },
+ { "rename": { "field": "message2.rcode_name", "target_field": "rcode_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.AA", "target_field": "aa", "ignore_missing": true } },
+ { "rename": { "field": "message2.TC", "target_field": "tc", "ignore_missing": true } },
+ { "rename": { "field": "message2.RD", "target_field": "rd", "ignore_missing": true } },
+ { "rename": { "field": "message2.RA", "target_field": "ra", "ignore_missing": true } },
+ { "rename": { "field": "message2.Z", "target_field": "z", "ignore_missing": true } },
+ { "rename": { "field": "message2.answers", "target_field": "answers", "ignore_missing": true } },
+ { "rename": { "field": "message2.TTLs", "target_field": "ttls", "ignore_missing": true } },
+ { "rename": { "field": "message2.rejected", "target_field": "rejected", "ignore_missing": true } },
+ { "script": { "lang": "painless", "source": "ctx.query_length = ctx.query.length()", "ignore_failure": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_dpd b/salt/elasticsearch/files/ingest/bro_dpd
new file mode 100644
index 000000000..caf66d39e
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_dpd
@@ -0,0 +1,19 @@
+{
+ "description" : "bro_dpd",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } },
+ { "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_files b/salt/elasticsearch/files/ingest/bro_files
new file mode 100644
index 000000000..4337b75f2
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_files
@@ -0,0 +1,32 @@
+{
+ "description" : "bro_files",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.tx_hosts", "target_field": "file_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination_ip", "ignore_missing": true } },
+ { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
+ { "rename": { "field": "message2.conn_uids", "target_field": "uid", "ignore_missing": true } },
+ { "remove": { "field": "source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "source", "ignore_missing": true } },
+ { "rename": { "field": "message2.depth", "target_field": "depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.analyzers", "target_field": "analyzer", "ignore_missing": true } },
+ { "rename": { "field": "message2.mime_type", "target_field": "mimetype", "ignore_missing": true } },
+ { "rename": { "field": "message2.filename", "target_field": "file_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_orig", "target_field": "local_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.seen_bytes", "target_field": "seen_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.total_bytes", "target_field": "total_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.missing_bytes", "target_field": "missing_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.overflow_bytes", "target_field": "overflow_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.timedout", "target_field": "timed_out", "ignore_missing": true } },
+ { "rename": { "field": "message2.parent_fuid", "target_field": "parent_fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.md5", "target_field": "md5", "ignore_missing": true } },
+ { "rename": { "field": "message2.sha1", "target_field": "sha1", "ignore_missing": true } },
+ { "rename": { "field": "message2.extracted", "target_field": "extracted", "ignore_missing": true } },
+ { "rename": { "field": "message2.extracted_cutoff", "target_field": "extracted_cutoff", "ignore_missing": true } },
+ { "rename": { "field": "message2.extracted_size", "target_field": "extracted_size", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
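Review bot: `message2.rx_hosts.0` keeps only the first receiver and the following `remove` discards the rest, while `tx_hosts` is kept whole under `file_ip`; a file observed being delivered to several hosts loses all but one destination, and the asymmetry between the two sides is not explained anywhere. If only one value is wanted for `destination_ip`, a comment stating that the remaining receivers are intentionally dropped would help; otherwise renaming the full `message2.rx_hosts` list to a separate field before picking element 0 preserves the data. The `remove` of the top-level `source` followed by `message2.source` → `source` also clobbers whatever the shipper put in `source` (presumably the log path, which I cannot confirm here), so a distinct target such as `file_source` would avoid overwriting it.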
diff --git a/salt/elasticsearch/files/ingest/bro_ftp b/salt/elasticsearch/files/ingest/bro_ftp
new file mode 100644
index 000000000..34775072d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_ftp
@@ -0,0 +1,33 @@
+{
+ "description" : "bro_http",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.user", "target_field": "username", "ignore_missing": true } },
+ { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
+ { "rename": { "field": "message2.command", "target_field": "ftp_command", "ignore_missing": true } },
+ { "rename": { "field": "message2.arg", "target_field": "ftp_argument", "ignore_missing": true } },
+ { "rename": { "field": "message2.mime_type", "target_field": "mimetype", "ignore_missing": true } },
+ { "rename": { "field": "message2.file_size", "target_field": "file_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.reply_code", "target_field": "reply_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.reply_msg", "target_field": "reply_message", "ignore_missing": true } },
+ { "dot_expander": { "field": "data_channel.passive", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data_channel.passive","target_field": "data_channel_passive", "ignore_missing": true } },
+ { "dot_expander": { "field": "data_channel.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data_channel.orig_h","target_field": "data_channel_source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "data_channel.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data_channel.resp_h","target_field": "data_channel_destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "data_channel.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data_channel.resp_p","target_field": "data_channel_destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
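Review bot: The description on the second line reads `"bro_http"` in the bro_ftp pipeline, a copy-paste slip that makes the pipeline listing misleading; it should be `"description" : "bro_ftp"`. More importantly, `message2.password` is indexed verbatim as `password`, so FTP credentials end up searchable in cleartext in the index; Zeek hides this value by default unless password capture is enabled (I cannot see the Zeek config from here), but if capture is on, index access controls and retention for this field deserve a comment next to the rename. A one-line comment such as "password is cleartext if FTP::default_capture_password is enabled; restrict index access" would make the exposure visible to whoever tunes the sensor.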
diff --git a/salt/elasticsearch/files/ingest/bro_http b/salt/elasticsearch/files/ingest/bro_http
new file mode 100644
index 000000000..842a12bc9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_http
@@ -0,0 +1,42 @@
+{
+ "description" : "bro_http",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
+ { "rename": { "field": "message2.host", "target_field": "virtual_host", "ignore_missing": true } },
+ { "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.referrer", "target_field": "referrer", "ignore_missing": true } },
+ { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_agent", "target_field": "useragent", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_body_len", "target_field": "request_body_length", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_body_len","target_field": "response_body_length", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_msg", "target_field": "status_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_code", "target_field": "info_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_msg", "target_field": "info_message", "ignore_missing": true } },
+ { "remove": { "field": "message2.tags", "ignore_failure": true } },
+ { "rename": { "field": "message2.username", "target_field": "user", "ignore_missing": true } },
+ { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
+ { "rename": { "field": "message2.proxied", "target_field": "proxied", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_fuids", "target_field": "orig_fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_filenames", "target_field": "orig_filenames", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_mime_types", "target_field": "orig_mime_types", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_fuids", "target_field": "resp_fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_filenames", "target_field": "resp_filenames", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_mime_types", "target_field": "resp_mime_types", "ignore_missing": true } },
+ { "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
+ { "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
+ { "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
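Review bot: `message2.username` is renamed to `user` here, while the bro_ftp pipeline in this same commit renames `message2.user` to `username`, so credential-related queries across HTTP and FTP logs need two field names for the same concept; picking one (`username` matches the FTP side) avoids that split. The three length scripts rely on `ignore_failure` to cover a missing `uri`, `useragent` or `virtual_host`, which also hides any real scripting error; `"if": "ctx.uri != null"` on each makes the skip explicit. As in bro_ftp, `password` is indexed in cleartext when Zeek is configured to capture it, which is worth a comment at the rename.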
diff --git a/salt/elasticsearch/files/ingest/bro_intel b/salt/elasticsearch/files/ingest/bro_intel
new file mode 100644
index 000000000..20bf90c5a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_intel
@@ -0,0 +1,29 @@
+{
+ "description" : "bro_intel",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.seen.indicator", "target_field": "indicator", "ignore_missing": true } },
+ { "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.seen.indicator_type", "target_field": "indicator_type", "ignore_missing": true } },
+ { "dot_expander": { "field": "seen.where", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.seen.where", "target_field": "seen_where", "ignore_missing": true } },
+ { "dot_expander": { "field": "seen.node", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.seen.node", "target_field": "seen_node", "ignore_missing": true } },
+ { "rename": { "field": "message2.matched", "target_field": "matched", "ignore_missing": true } },
+ { "rename": { "field": "message2.sources", "target_field": "sources", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.file_mime_type", "target_field": "mimetype", "ignore_missing": true } },
+ { "rename": { "field": "message2.file_desc", "target_field": "file_description", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
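Review bot: A `message` that is not valid JSON is indexed silently with no structured fields, because the `json` processor at the top of the processor list carries `"ignore_failure": true` and every rename after it is `ignore_missing`, so nothing in the document records that parsing failed and a rule keyed on `indicator` or `source_ip` never sees the event. Every pipeline in this batch has the same shape (bro_irc, bro_kerberos, bro_modbus, bro_mysql, bro_notice, bro_ntlm, bro_pe, bro_radius, bro_rdp, bro_rfb, bro_signatures, bro_sip). Unless the referenced `bro_common` pipeline, which is not in view, already tags such documents, I would drop `"ignore_failure": true` from the `json` processor and add a pipeline-level handler beside `"processors"`, `"on_failure": [ { "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } } ]`, so parse failures stay searchable instead of invisible. `ignore_failure` on a processor also suppresses `on_failure`, so the two changes go together.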
diff --git a/salt/elasticsearch/files/ingest/bro_irc b/salt/elasticsearch/files/ingest/bro_irc
new file mode 100644
index 000000000..c2a5ba22d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_irc
@@ -0,0 +1,25 @@
+{
+ "description" : "bro_irc",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.nick", "target_field": "nick", "ignore_missing": true } },
+ { "rename": { "field": "message2.user", "target_field": "irc_username", "ignore_missing": true } },
+ { "rename": { "field": "message2.command", "target_field": "irc_command", "ignore_missing": true } },
+ { "rename": { "field": "message2.value", "target_field": "value", "ignore_missing": true } },
+ { "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.dcc_file_name", "target_field": "dcc_file_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.dcc_file_size", "target_field": "dcc_file_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.dcc_mime_type", "target_field": "dcc_mime_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
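Review bot: The `message2.user` rename to `irc_username` adds a third spelling for the same concept in this batch — bro_ntlm and bro_radius keep `username`, and the bro_http pipeline above maps `username` to `user` — so one cross-log query for a user name cannot be written. If the prefix is deliberate (the IRC `user` is the username part of the prefix and is distinct from `nick`), record that in the only place these JSON files allow, the `description` string, e.g. `"description" : "bro_irc (user is kept as irc_username because irc.log also carries nick)"`; otherwise `"target_field": "username"` keeps it in line with bro_ntlm and bro_radius.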
diff --git a/salt/elasticsearch/files/ingest/bro_kerberos b/salt/elasticsearch/files/ingest/bro_kerberos
new file mode 100644
index 000000000..b338b5c96
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_kerberos
@@ -0,0 +1,30 @@
+{
+ "description" : "bro_kerberos",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_type", "target_field": "request_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
+ { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
+ { "rename": { "field": "message2.success", "target_field": "kerberos_success", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_msg", "target_field": "error_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.from", "target_field": "valid_from", "ignore_missing": true } },
+ { "rename": { "field": "message2.till", "target_field": "valid_till", "ignore_missing": true } },
+ { "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
+ { "rename": { "field": "message2.forwardable", "target_field": "forwardable", "ignore_missing": true } },
+ { "rename": { "field": "message2.renewable", "target_field": "renewable", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_cert_subject", "target_field": "client_certificate_subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_cert_fuid", "target_field": "client_certificate_fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_cert_subject", "target_field": "server_certificate_subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_cert_fuid", "target_field": "server_certificate_fuid", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_modbus b/salt/elasticsearch/files/ingest/bro_modbus
new file mode 100644
index 000000000..10e7c271a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_modbus
@@ -0,0 +1,18 @@
+{
+ "description" : "bro_modbus",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "function", "ignore_missing": true } },
+ { "rename": { "field": "message2.exception", "target_field": "exception", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_mysql b/salt/elasticsearch/files/ingest/bro_mysql
new file mode 100644
index 000000000..a01d57da2
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_mysql
@@ -0,0 +1,21 @@
+{
+ "description" : "bro_mysql",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.cmd", "target_field": "mysql_command", "ignore_missing": true } },
+ { "rename": { "field": "message2.arg", "target_field": "mysql_argument", "ignore_missing": true } },
+ { "rename": { "field": "message2.success", "target_field": "mysql_success", "ignore_missing": true } },
+ { "rename": { "field": "message2.rows", "target_field": "rows", "ignore_missing": true } },
+ { "rename": { "field": "message2.response", "target_field": "response", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_notice b/salt/elasticsearch/files/ingest/bro_notice
new file mode 100644
index 000000000..6e43448d5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_notice
@@ -0,0 +1,36 @@
+{
+ "description" : "bro_notice",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "remove": { "field": "message2.dst", "ignore_failure": true } },
+ { "remove": { "field": "message2.src", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.mime", "target_field": "file_mime_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.desc", "target_field": "file_description", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub", "target_field": "sub_msg", "ignore_missing": true } },
+ { "rename": { "field": "message2.p", "target_field": "p", "ignore_missing": true } },
+ { "rename": { "field": "message2.n", "target_field": "n", "ignore_missing": true } },
+ { "rename": { "field": "message2.peer_descr", "target_field": "peer_description", "ignore_missing": true } },
+ { "rename": { "field": "message2.actions", "target_field": "action", "ignore_missing": true } },
+ { "rename": { "field": "message2.suppress_for", "target_field": "suppress_for", "ignore_missing": true } },
+ { "rename": { "field": "message2.dropped", "target_field": "dropped", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
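Review bot: The `mime` rename to `file_mime_type` collides with bro_intel above, which renames its `file_mime_type` to `mimetype`, so the same MIME string lands under two names depending on log type; similarly `msg` and `sub_msg` here versus `event_message` and `sub_message` in bro_signatures. Pick one name per concept across the pipelines so that a dashboard or rule can filter on MIME type or message text once, e.g. `"target_field": "mimetype"` here or `"target_field": "file_mime_type"` in bro_intel. The two `remove` processors for `dst` and `src` use `ignore_failure`, which masks every error, where `ignore_missing` (supported by `remove` on recent Elasticsearch versions) is the narrower option that only tolerates the absent field.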
diff --git a/salt/elasticsearch/files/ingest/bro_ntlm b/salt/elasticsearch/files/ingest/bro_ntlm
new file mode 100644
index 000000000..a3d130343
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_ntlm
@@ -0,0 +1,24 @@
+{
+ "description" : "bro_ntlm",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.hostname", "target_field": "hostname", "ignore_missing": true } },
+ { "rename": { "field": "message2.domainname", "target_field": "domain_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.success", "target_field": "ntlm_success", "ignore_missing": true } },
+ { "rename": { "field": "message2.status", "target_field": "status", "ignore_missing": true } },
+ { "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_dns_computer_name", "target_field": "server_dns_computer_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nb_computer_name", "target_field": "server_nb_computer_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_tree_name", "target_field": "server_tree_name", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_pe b/salt/elasticsearch/files/ingest/bro_pe
new file mode 100644
index 000000000..2597d3e26
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_pe
@@ -0,0 +1,23 @@
+{
+ "description" : "bro_pe",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id", "target_field": "fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.machine", "target_field": "machine", "ignore_missing": true } },
+ { "rename": { "field": "message2.compile_ts", "target_field": "compile_ts", "ignore_missing": true } },
+ { "rename": { "field": "message2.os", "target_field": "os", "ignore_missing": true } },
+ { "rename": { "field": "message2.subsystem", "target_field": "subsystem", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_exe", "target_field": "is_exe", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_64bit", "target_field": "is_64bit", "ignore_missing": true } },
+ { "rename": { "field": "message2.uses_aslr", "target_field": "uses_aslr", "ignore_missing": true } },
+ { "rename": { "field": "message2.uses_dep", "target_field": "uses_dep", "ignore_missing": true } },
+ { "rename": { "field": "message2.uses_code_integrity","target_field": "uses_code_integrity","ignore_missing": true } },
+ { "rename": { "field": "message2.uses_seh", "target_field": "uses_seh", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_import_table", "target_field": "has_import_table", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_export_table", "target_field": "has_export_table", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_cert_table", "target_field": "has_cert_table", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_debug_data", "target_field": "has_debug_data", "ignore_missing": true } },
+ { "rename": { "field": "message2.section_names", "target_field": "section_names", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
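Review bot: The `uses_code_integrity` rename is formatted differently from its neighbours (no space after the commas), which makes these long rename lists harder to scan and diff; the same drift is in bro_rdp (`security_protocol`, `cert_permanent`, `encryption_method`), bro_rfb (`authentication_method`) and bro_sip (`response_body_len`). Running the files through a JSON formatter before commit would normalize the spacing without changing the pipelines.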
diff --git a/salt/elasticsearch/files/ingest/bro_radius b/salt/elasticsearch/files/ingest/bro_radius
new file mode 100644
index 000000000..c333711d6
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_radius
@@ -0,0 +1,25 @@
+{
+ "description" : "bro_radius",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.framed_addr", "target_field": "framed_addr", "ignore_missing": true } },
+ { "rename": { "field": "message2.remote_ip", "target_field": "remote_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.connect_info", "target_field": "connect_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.reply_msg", "target_field": "reply_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
+ { "remove": { "field": "message2.ttl", "ignore_failure": true } },
+ { "rename": { "field": "message2.logged", "target_field": "logged", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_rdp b/salt/elasticsearch/files/ingest/bro_rdp
new file mode 100644
index 000000000..b3cf206a5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_rdp
@@ -0,0 +1,31 @@
+{
+ "description" : "bro_rdp",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.cookie", "target_field": "cookie", "ignore_missing": true } },
+ { "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_protocol","target_field": "security_protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.keyboard_layout", "target_field": "keyboard_layout", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_build", "target_field": "client_build", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_name", "target_field": "client_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_dig_product_id", "target_field": "client_digital_product_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.desktop_width", "target_field": "desktop_width", "ignore_missing": true } },
+ { "rename": { "field": "message2.desktop_height", "target_field": "desktop_height", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_color_depth", "target_field": "requested_color_depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_type", "target_field": "certificate_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_count", "target_field": "certificate_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_permanent", "target_field": "certificate_permanent","ignore_missing": true } },
+ { "rename": { "field": "message2.encryption_level", "target_field": "encryption_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.encryption_method","target_field": "encryption_method", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_rfb b/salt/elasticsearch/files/ingest/bro_rfb
new file mode 100644
index 000000000..8f3cc86e7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_rfb
@@ -0,0 +1,26 @@
+{
+ "description" : "bro_rfb",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_major_version", "target_field": "client_major_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_minor_version", "target_field": "client_minor_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_major_version", "target_field": "server_major_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_minor_version", "target_field": "server_minor_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.authentication_method", "target_field": "authentication_method","ignore_missing": true } },
+ { "rename": { "field": "message2.auth", "target_field": "auth", "ignore_missing": true } },
+ { "rename": { "field": "message2.share_flag", "target_field": "share_flag", "ignore_missing": true } },
+ { "rename": { "field": "message2.desktop_name", "target_field": "desktop_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.width", "target_field": "width", "ignore_missing": true } },
+ { "rename": { "field": "message2.height", "target_field": "height", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_signatures b/salt/elasticsearch/files/ingest/bro_signatures
new file mode 100644
index 000000000..5dd3d9924
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_signatures
@@ -0,0 +1,22 @@
+{
+ "description" : "bro_signatures",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
+ { "rename": { "field": "message2.sig_id", "target_field": "signature_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.event_msg", "target_field": "event_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_msg", "target_field": "sub_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.sig_count", "target_field": "signature_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_count", "target_field": "host_count", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_sip b/salt/elasticsearch/files/ingest/bro_sip
new file mode 100644
index 000000000..3a8b00d62
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_sip
@@ -0,0 +1,37 @@
+{
+ "description" : "bro_sip",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
+ { "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.date", "target_field": "date", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_from", "target_field": "request_from", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_to", "target_field": "request_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_from", "target_field": "response_from", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_to", "target_field": "response_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.reply_to", "target_field": "reply_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.call_id", "target_field": "call_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq", "target_field": "seq", "ignore_missing": true } },
+ { "rename": { "field": "message2.subject", "target_field": "subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_path", "target_field": "request_path", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_path", "target_field": "response_path", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_agent", "target_field": "user_agent", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_msg", "target_field": "status_msg", "ignore_missing": true } },
+ { "rename": { "field": "message2.warning", "target_field": "warning", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_body_len", "target_field": "request_body_length", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_body_len","target_field": "response_body_length", "ignore_missing": true } },
+ { "rename": { "field": "message2.content_type", "target_field": "content_type", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
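Review bot: The `status_msg` rename keeps the target as `status_msg`, while the bro_http pipeline above maps the same Zeek field to `status_message` (and bro_kerberos, bro_radius and bro_signatures expand `_msg` to `_message` as well), so an HTTP-versus-SIP comparison of response text needs two field names. `"target_field": "status_message"` would bring it in line with the rest of the batch.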
diff --git a/salt/elasticsearch/files/ingest/bro_smb_files b/salt/elasticsearch/files/ingest/bro_smb_files
new file mode 100644
index 000000000..83ba8bd67
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_smb_files
@@ -0,0 +1,31 @@
+{
+ "description" : "bro_smb_files",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
+ { "remove": { "field": "path", "ignore_failure": true } },
+ { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
+ { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
+ { "rename": { "field": "message2.size", "target_field": "size", "ignore_missing": true } },
+ { "rename": { "field": "message2.prev_name", "target_field": "prev_name", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.modified", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.modified", "target_field": "times_modified", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.accessed", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.accessed", "target_field": "times_accessed", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.created", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.created", "target_field": "times_created", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.changed", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.changed", "target_field": "times_changed", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_smb_mapping b/salt/elasticsearch/files/ingest/bro_smb_mapping
new file mode 100644
index 000000000..e1b6b5dfb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_smb_mapping
@@ -0,0 +1,21 @@
+{
+ "description" : "bro_smb_files",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "remove": { "field": "path", "ignore_failure": true } },
+ { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
+ { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
+ { "rename": { "field": "message2.native_file_system", "target_field": "native_file_system", "ignore_missing": true } },
+ { "rename": { "field": "message2.share_type", "target_field": "share_type", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
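Review bot: The description on the second line of this new pipeline still reads `"bro_smb_files"`, copied from the preceding pipeline, so `GET _ingest/pipeline` will show two pipelines with the same description and the wrong one is easy to edit by mistake; it should be `"description" : "bro_smb_mapping"`. The bro_ssh pipeline later in this commit has the same slip, with `"bro_conn"` as its description. Nothing else in either hunk depends on the string, so each is a one-line fix.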
diff --git a/salt/elasticsearch/files/ingest/bro_smtp b/salt/elasticsearch/files/ingest/bro_smtp
new file mode 100644
index 000000000..4bd85a293
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_smtp
@@ -0,0 +1,38 @@
+{
+ "description" : "bro_smtp",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "remove": { "field": "path", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.helo", "target_field": "helo", "ignore_missing": true } },
+ { "rename": { "field": "message2.mailfrom", "target_field": "mail_from", "ignore_missing": true } },
+ { "rename": { "field": "message2.rcptto", "target_field": "recipient_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.date", "target_field": "mail_date", "ignore_missing": true } },
+ { "rename": { "field": "message2.from", "target_field": "from", "ignore_missing": true } },
+ { "rename": { "field": "message2.to", "target_field": "to", "ignore_missing": true } },
+ { "rename": { "field": "message2.cc", "target_field": "cc", "ignore_missing": true } },
+ { "rename": { "field": "message2.reply_to", "target_field": "reply_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_id", "target_field": "message_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.in_reply_to", "target_field": "in_reply_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.subject", "target_field": "subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.x_originating_ip", "target_field": "x_originating_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.first_received", "target_field": "first_received", "ignore_missing": true } },
+ { "rename": { "field": "message2.second_received", "target_field": "second_received", "ignore_missing": true } },
+ { "rename": { "field": "message2.last_reply", "target_field": "last_reply", "ignore_missing": true } },
+ { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_agent", "target_field": "useragent", "ignore_missing": true } },
+ { "rename": { "field": "message2.tls", "target_field": "tls", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuids", "target_field": "fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_webmail", "target_field": "is_webmail", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
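Review bot: The user agent rename near the end of this hunk writes to `useragent`, while the bro_sip pipeline earlier in this commit (and the other pipelines' naming convention) uses the snake_case form `user_agent`; analysts searching across log types on one field name will silently miss SMTP events. Unless a downstream mapping or dashboard already expects `useragent`, change the line to `{ "rename": { "field": "message2.user_agent", "target_field": "user_agent", "ignore_missing": true } },`. If the divergent name is deliberate, a note in the pipeline description saying so would save the next reader the same question.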
diff --git a/salt/elasticsearch/files/ingest/bro_snmp b/salt/elasticsearch/files/ingest/bro_snmp
new file mode 100644
index 000000000..bec88c1af
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_snmp
@@ -0,0 +1,25 @@
+{
+ "description" : "bro_snmp",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
+ { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
+ { "rename": { "field": "message2.community", "target_field": "community", "ignore_missing": true } },
+ { "rename": { "field": "message2.get_requests", "target_field": "get_requests", "ignore_missing": true } },
+ { "rename": { "field": "message2.get_bulk_requests","target_field": "get_bulk_requests", "ignore_missing": true } },
+ { "rename": { "field": "message2.get_responses", "target_field": "get_responses", "ignore_missing": true } },
+ { "rename": { "field": "message2.set_requests", "target_field": "set_requests", "ignore_missing": true } },
+ { "rename": { "field": "message2.display_string", "target_field": "display_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.up_since", "target_field": "up_since", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
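Review bot: The `community` rename indexes the SNMPv1/v2c community string as a plain, searchable field; it is the protocol's only authentication credential, so once indexed it is readable by anyone with access to the bro index. The bro_socks pipeline in this commit does the same with `password`. If retaining these values is intended for detection purposes, it is worth stating that in the pipeline description and restricting the fields with the cluster's field-level security; otherwise a processor that replaces the value with a fingerprint or a fixed `[redacted]` marker keeps the event useful without storing the secret.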
diff --git a/salt/elasticsearch/files/ingest/bro_socks b/salt/elasticsearch/files/ingest/bro_socks
new file mode 100644
index 000000000..38c5dd528
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_socks
@@ -0,0 +1,28 @@
+{
+ "description" : "bro_socks",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
+ { "rename": { "field": "message2.user", "target_field": "user", "ignore_missing": true } },
+ { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
+ { "rename": { "field": "message2.status", "target_field": "status", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_host", "target_field": "request_host", "ignore_missing": true } },
+ { "dot_expander": { "field": "request.name", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.request.name", "target_field": "request_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_p", "target_field": "request_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "bound.host", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.bound.host", "target_field": "bound_host", "ignore_missing": true } },
+ { "rename": { "field": "message2.bound_name", "target_field": "bound_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.bound_p", "target_field": "bound_port", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
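Review bot: The `request_host` and `bound_name` renames likely never match: the hunk treats `request.name` and `bound.host` as dotted record fields that need a `dot_expander` first, but in Zeek's socks.log `request` and `bound` are the same record type, so the sibling columns are `request.host` and `bound.name`, not `request_host` and `bound_name`. Without the expander the flat rename sees no such key and, with `ignore_missing`, quietly drops the destination host and bound name from every event. For the host, replace the line with `{ "dot_expander": { "field": "request.host", "path": "message2", "ignore_failure": true } },` followed by `{ "rename": { "field": "message2.request.host", "target_field": "request_host", "ignore_missing": true } },`, and apply the same two-line pattern for `bound.name`. Please confirm against a real socks.log line, since the column names are inferred from Zeek's schema rather than from this diff.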
diff --git a/salt/elasticsearch/files/ingest/bro_software b/salt/elasticsearch/files/ingest/bro_software
new file mode 100644
index 000000000..e742fda9e
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_software
@@ -0,0 +1,23 @@
+{
+ "description" : "bro_software",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.major", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.major", "target_field": "version_major", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.minor", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.minor", "target_field": "version_minor", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.minor2", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.minor2", "target_field": "version_minor2", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.minor3", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.minor3", "target_field": "version_minor3", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.addl", "target_field": "version_additional_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.host", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.software_type", "target_field": "software_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
+ { "rename": { "field": "message2.unparsed_version", "target_field": "unparsed_version", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_ssh b/salt/elasticsearch/files/ingest/bro_ssh
new file mode 100644
index 000000000..7df949503
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_ssh
@@ -0,0 +1,40 @@
+{
+ "description" : "bro_conn",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "rename": { "field": "message2.hassh", "target_field": "hassh", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_success", "target_field": "authentication_success", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_attempts", "target_field": "authentication_attempts", "ignore_missing": true } },
+ { "rename": { "field": "message2.direction", "target_field": "direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
+ { "rename": { "field": "message2.server", "target_field": "server", "ignore_missing": true } },
+ { "rename": { "field": "message2.cipher_alg", "target_field": "cipher_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.compression_alg", "target_field": "compression_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.cshka", "target_field": "client_host_key_algorithms", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_key_alg", "target_field": "host_key_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshAlgorithms", "target_field": "hassh_algorithms", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshServer", "target_field": "hassh_server", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshVersion", "target_field": "hassh_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.kex_alg", "target_field": "kex_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_alg", "target_field": "mac_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.sshka", "target_field": "server_host_key_algorithms", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_key", "target_field": "host_key", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshServerAlgorithms", "target_field": "hassh_server_algorithms", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_ssl b/salt/elasticsearch/files/ingest/bro_ssl
new file mode 100644
index 000000000..04d0fc8ec
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_ssl
@@ -0,0 +1,33 @@
+{
+ "description" : "bro_ssl",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
+ { "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
+ { "rename": { "field": "message2.curve", "target_field": "curve", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_name", "target_field": "server_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.resumed", "target_field": "resumed", "ignore_missing": true } },
+ { "rename": { "field": "message2.last_alert", "target_field": "last_alert", "ignore_missing": true } },
+ { "rename": { "field": "message2.next_protocol", "target_field": "next_protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.established", "target_field": "established", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_chain_fuids", "target_field": "certificate_chain_fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "client_certificate_chain_fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.subject", "target_field": "certificate_subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.issuer", "target_field": "certificate_issuer", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_subject", "target_field": "client_subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_issuer", "target_field": "client_issuer", "ignore_missing": true } },
+ { "rename": { "field": "message2.validation_status","target_field": "validation_status", "ignore_missing": true } },
+ { "rename": { "field": "message2.ja3", "target_field": "ja3", "ignore_missing": true } },
+ { "rename": { "field": "message2.ja3s", "target_field": "ja3s", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common_ssl" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_syslog b/salt/elasticsearch/files/ingest/bro_syslog
new file mode 100644
index 000000000..9599b435c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_syslog
@@ -0,0 +1,21 @@
+{
+ "description" : "bro_syslog",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.facility", "target_field": "facility", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity", "target_field": "severity", "ignore_missing": true } },
+ { "remove": { "field": "message", "ignore_failure": true } },
+ { "rename": { "field": "message2.message", "target_field": "message", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
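Review bot: The unconditional `remove` of `message` followed by a `rename` with `ignore_missing` can lose the whole event body: if the `json` processor at the top fails (it has `ignore_failure`), `message2.message` does not exist, the original `message` has already been deleted, and the document is indexed with no syslog content at all. Guarding the removal with a processor condition avoids that, e.g. `{ "remove": { "field": "message", "if": "ctx.message2?.message != null", "ignore_failure": true } },`, provided the target Elasticsearch release supports processor `if` conditions. The bro_smb_files and bro_smb_mapping pipelines remove `path` the same way before renaming onto it; that field is less critical, but the same guard applies.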
diff --git a/salt/elasticsearch/files/ingest/bro_tunnel b/salt/elasticsearch/files/ingest/bro_tunnel
new file mode 100644
index 000000000..21fa06deb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_tunnel
@@ -0,0 +1,7 @@
+{
+ "description" : "bro_tunnel",
+ "processors" : [
+ { "set": { "field": "event_type", "value": "bro_tunnels" } },
+ { "pipeline": { "name": "bro_tunnels" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_tunnels b/salt/elasticsearch/files/ingest/bro_tunnels
new file mode 100644
index 000000000..50c12518f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_tunnels
@@ -0,0 +1,18 @@
+{
+ "description" : "bro_tunnels",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_weird b/salt/elasticsearch/files/ingest/bro_weird
new file mode 100644
index 000000000..b471f5e75
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_weird
@@ -0,0 +1,20 @@
+{
+ "description" : "bro_weird",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
+ { "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.notice", "target_field": "notice", "ignore_missing": true } },
+ { "rename": { "field": "message2.peer", "target_field": "peer", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/bro_x509 b/salt/elasticsearch/files/ingest/bro_x509
new file mode 100644
index 000000000..56e905347
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/bro_x509
@@ -0,0 +1,44 @@
+{
+ "description" : "bro_x509",
+ "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.version", "target_field": "certificate_version", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.serial", "target_field": "certificate_serial", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.subject", "target_field": "certificate_subject", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.issuer", "target_field": "certificate_issuer", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.not_valid_before", "target_field": "certificate_not_valid_before", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.not_valid_after", "target_field": "certificate_not_valid_after", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_alg", "target_field": "certificate_key_algorithm", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.sig_alg", "target_field": "certificate_signing_algorithm", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_type", "target_field": "certificate_key_type", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_length", "target_field": "certificate_key_length", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.exponent", "target_field": "certificate_exponent", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.curve", "target_field": "certificate_curve", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.dns", "target_field": "san_dns", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.uri", "target_field": "san_uri", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.email", "target_field": "san_email", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.ip", "target_field": "san_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.basic_constraints.ca", "target_field": "basic_constraints_ca", "ignore_missing": true } },
+ { "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.basic_constraints.path_length", "target_field": "basic_constraints_path_length", "ignore_missing": true } },
+ { "pipeline": { "name": "bro_common_ssl" } }
+ ]
+}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 6859a015b..5dcc7e202 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -21,9 +21,6 @@
# hostname: {{ grains.host }}
#{% endif %}
-include:
- - mysql
-
# Fleet Setup
fleetcdir:
file.directory:
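Review bot: Dropping `include: - mysql` here, together with the `require: - sls: mysql` and `require: - fleetdb` requisites removed in the hunks that follow (the ones under fleetdb, fleetdbuser and fleetdbpriv), leaves the three mysql_* states with no declared dependency on the mysql service or on each other; they now rely on file order and on the mysql SLS being applied to the same minion by some other path, presumably the top file. If that is the intent it should be stated, otherwise a minion that receives fleet without mysql fails at `connection_host`/`connection_pass` time with an unhelpful connection error. A one-line comment in place of the removed include would make the contract visible: `# mysql is no longer included here; it must be applied to this minion before this SLS (see top file)`. The grants state in particular presupposes the fleet database exists, so if explicit ordering is wanted again, `- require: - mysql_database: fleetdb` on fleetdbpriv is the minimal form.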
@@ -82,7 +79,6 @@ osquerypackageswebpage:
- source: salt://fleet/files/dedicated-index.html
- template: jinja
-
fleetdb:
mysql_database.present:
- name: fleet
@@ -90,8 +86,6 @@ fleetdb:
- connection_port: 3306
- connection_user: root
- connection_pass: {{ MYSQLPASS }}
- - require:
- - sls: mysql
fleetdbuser:
mysql_user.present:
@@ -101,8 +95,6 @@ fleetdbuser:
- connection_port: 3306
- connection_user: root
- connection_pass: {{ MYSQLPASS }}
- - require:
- - fleetdb
fleetdbpriv:
mysql_grants.present:
@@ -114,9 +106,8 @@ fleetdbpriv:
- connection_port: 3306
- connection_user: root
- connection_pass: {{ MYSQLPASS }}
- - require:
- - fleetdb
-
+
+
{% if FLEETPASS == None or FLEETJWT == None %}
fleet_password_none:
diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html
new file mode 100644
index 000000000..c94ba89b9
--- /dev/null
+++ b/salt/fleet/osquery-packages.html
@@ -0,0 +1,113 @@
+
+
+
+Security Onion - Hybrid Hunter
+
+
+
+
+
+
+
+
+
+
+
+
+
Osquery Packages
+
+
Notes
+
+ These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from osquery.io
+ Packages are not signed.
+
+
Downloads
+
+
+
Known Issues
+
+
+
+
+
+
+
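Review bot: The Notes section states "Packages are not signed." but gives the reader no alternative way to verify what they download, so anyone fetching an installer from this page has to trust the transport alone. The markup itself is stripped in this view, so I can only point at the text: next to each download link the page should publish a SHA-256 value, and the note should tell the reader to check it, e.g. `Packages are not signed; verify the SHA-256 shown next to each download before installing.` The hashes would have to be emitted by the same setup script that generates the packages, since the page text says they are built per-install.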
diff --git a/salt/fleet/packs/PUT.PACKS.IN.HERE b/salt/fleet/packs/PUT.PACKS.IN.HERE
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/fleet/packs/hh/hh-post-login.sh b/salt/fleet/packs/hh/hh-post-login.sh
new file mode 100644
index 000000000..cc787decf
--- /dev/null
+++ b/salt/fleet/packs/hh/hh-post-login.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+echo "Applying Post Configuration for Osquery"
+#fleetctl apply -f /packs/hh/osquery.conf
+fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+fleetctl apply -f /packs/hh/hhdefault.yml
+
+for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml;
+ do fleetctl apply -f "$pack"
+done
+echo ""
+echo "You can now exit the container by typing exit"
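Review bot: A failed `fleetctl apply` does not stop the script, so a broken options or pack file is skipped silently and the closing "You can now exit" message still prints as if everything applied; add `set -eu` after the shebang. In the loop, POSIX sh leaves an unmatched glob as the literal string `/packs/palantir/Fleet/Endpoints/packs/*.yaml`, which would then be handed to fleetctl when the directory is empty; guard it with `[ -e "$pack" ] || continue` as the first statement of the loop body. The commented-out line `#fleetctl apply -f /packs/hh/osquery.conf` also leaves salt/fleet/packs/hh/osquery.conf (added in this same commit) unreferenced; either apply it or note why the palantir options.yaml is preferred.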
diff --git a/salt/fleet/packs/hh/hhdefault.yml b/salt/fleet/packs/hh/hhdefault.yml
new file mode 100644
index 000000000..b0a9d97b1
--- /dev/null
+++ b/salt/fleet/packs/hh/hhdefault.yml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: query
+spec:
+ name: users
+ description: Users on the system
+ query: select * from users;
+---
+apiVersion: v1
+kind: query
+spec:
+ name: chrome-extensions
+ description: Chrome extensions for all users on the system
+ query: select users.username,chrome_extensions.*,chrome_extensions.path from users cross join chrome_extensions using (uid) where identifier not in ('aapocclcgogkmnckokdopfmhonfmgoek', 'aohghmighlieiainnegkcijnfilokake', 'apdfllckaahabafndbhieahigkjlhalf','felcaaldnbdncclmgdcncolpebgiejap','pjkljhegncpnkpknbcohdijeoejaedia','pkedcjkdefgpdelpbcmbmeomcjbeemfm','blpcfgokakmgnkcojhhkbfbldkacnbeo','ghbmnnjooekpmoecnnnilnnbdlolhkhi','nmmhkkegccagdldgiimedpiccmgmieda');
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: examples
+ targets:
+ labels:
+ - All Hosts
+ queries:
+ - query: users
+ interval: 180
+ removed: false
+ - query: chrome-extensions
+ interval: 180
+ removed: false
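Review bot: The `identifier not in (...)` list in the chrome-extensions query is nine opaque extension IDs with nothing saying what they are or why they are excluded, so nobody reviewing this allowlist later can tell a benign default from an entry that slipped in. These look like Chrome's bundled first-party extensions (Docs, Sheets, Slides, Drive, Gmail, YouTube, Cast, Docs Offline, Web Store Payments), but that should be recorded rather than inferred; a comment above the query such as `# identifier exclusions: Chrome's bundled first-party extensions, so only user/enterprise-installed extensions are reported -- review before adding IDs` would do. Minor: `chrome_extensions.path` in the select list is already covered by `chrome_extensions.*`, and the first document lacks the `---` start marker the later documents use.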
diff --git a/salt/fleet/packs/hh/osquery.conf b/salt/fleet/packs/hh/osquery.conf
new file mode 100644
index 000000000..232c8419c
--- /dev/null
+++ b/salt/fleet/packs/hh/osquery.conf
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: options
+spec:
+ config:
+ decorators:
+ always:
+ - SELECT codename FROM os_version;
+ - SELECT uuid AS LiveQuery FROM system_info;
+ - SELECT address AS EndpointIP1 FROM interface_addresses where address not
+ like '%:%' and address not like '127%' and address not like '169%' order by
+ interface desc limit 1;
+ - SELECT address AS EndpointIP2 FROM interface_addresses where address not
+ like '%:%' and address not like '127%' and address not like '169%' order by
+ interface asc limit 1;
+ - SELECT hardware_serial FROM system_info;
+ - SELECT hostname AS hostname FROM system_info;
+ options:
+ decorations_top_level: true
+ disable_distributed: false
+ distributed_interval: 10
+ distributed_plugin: tls
+ distributed_tls_max_attempts: 3
+ distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
+ distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
+ logger_plugin: tls
+ logger_tls_endpoint: /api/v1/osquery/log
+ logger_tls_period: 10
+ pack_delimiter: _
+ overrides: {}
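Review bot: The EndpointIP1/EndpointIP2 decorators filter with `address not like '169%'`, which drops every address beginning with 169 rather than only the link-local 169.254.0.0/16 range, so a host whose routable address happens to be in 169.x.0.0/8 would be decorated with the wrong interface; the intended predicate is `and address not like '169.254.%'` in both queries. The `'127%'` test has the same shape but matches only loopback in practice. Separately, this file is Fleet YAML under a `.conf` name and the post-login script added in this commit has its `fleetctl apply` for it commented out, so as written it is never loaded; a header comment stating whether it is a retired alternative to the palantir options.yaml, or the intended override, would save the next maintainer a search.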
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
new file mode 100644
index 000000000..f6e32d0d5
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
@@ -0,0 +1,694 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: mac-pack
+ queries:
+ - description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/
+ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
+ interval: 3600
+ name: emond
+ platform: darwin
+ query: emond
+ - description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/
+ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
+ interval: 28800
+ name: emond_snapshot
+ platform: darwin
+ query: emond_snapshot
+ snapshot: true
+ - description: Track time/action changes to files specified in configuration data.
+ interval: 300
+ name: file_events
+ platform: darwin
+ query: file_events
+ removed: false
+ - description: The installed homebrew package database.
+ interval: 28800
+ name: homebrew_packages_snapshot
+ platform: darwin
+ query: homebrew_packages_snapshot
+ snapshot: true
+ - description: List kernel extensions, their signing status, and their hashes (excluding
+ extensions signed by Apple)
+ interval: 3600
+ name: macosx_kextstat
+ platform: darwin
+ query: macosx_kextstat
+ - description: Checks the MD5 hash of /etc/rc.common and records the results if
+ the hash differs from the default value. /etc/rc.common can be used for persistence.
+ interval: 3600
+ name: rc.common
+ platform: darwin
+ query: rc.common
+ - description: Returns information about installed event taps. Can be used to detect
+ keyloggers
+ interval: 300
+ name: event_taps
+ platform: darwin
+ query: event_taps
+ - description: LaunchAgents and LaunchDaemons from default search paths.
+ interval: 3600
+ name: launchd
+ platform: darwin
+ query: launchd
+ - description: Snapshot query for launchd
+ interval: 28800
+ name: launchd_snapshot
+ platform: darwin
+ query: launchd_snapshot
+ snapshot: true
+ - description: Detect the presence of the LD_PRELOAD environment variable
+ interval: 60
+ name: ld_preload
+ platform: darwin
+ query: ld_preload
+ removed: false
+ - description: USB devices that are actively plugged into the host system.
+ interval: 300
+ name: usb_devices
+ platform: darwin
+ query: usb_devices
+ - description: System mounted devices and filesystems (not process specific).
+ interval: 3600
+ name: mounts
+ platform: darwin
+ query: mounts
+ removed: false
+ - description: Apple NVRAM variable listing.
+ interval: 3600
+ name: nvram
+ platform: darwin
+ query: nvram
+ removed: false
+ - description: Line parsed values from system and user cron/tab.
+ interval: 3600
+ name: crontab
+ platform: darwin
+ query: crontab
+ - description: Hardware (PCI/USB/HID) events from UDEV or IOKit.
+ interval: 300
+ name: hardware_events
+ platform: darwin
+ query: hardware_events
+ removed: false
+ - description: The installed homebrew package database.
+ interval: 3600
+ name: homebrew_packages
+ platform: darwin
+ query: homebrew_packages
+ - description: OS X applications installed in known search paths (e.g., /Applications).
+ interval: 3600
+ name: installed_applications
+ platform: darwin
+ query: installed_applications
+ - description: System logins and logouts.
+ interval: 3600
+ name: last
+ platform: darwin
+ query: last
+ removed: false
+ - description: Snapshot query for macosx_kextstat
+ interval: 28800
+ name: macosx_kextstat_snapshot
+ platform: darwin
+ query: macosx_kextstat_snapshot
+ snapshot: true
+ - description: Checks the MD5 hash of /etc/rc.common and records the results if
+ the hash differs from the default value. /etc/rc.common can be used for persistence.
+ interval: 28800
+ name: rc.common_snapshot
+ platform: darwin
+ query: rc.common_snapshot
+ snapshot: true
+ - description: Safari browser extension details for all users.
+ interval: 3600
+ name: safari_extensions
+ platform: darwin
+ query: safari_extensions
+ - description: suid binaries in common locations.
+ interval: 28800
+ name: suid_bin
+ platform: darwin
+ query: suid_bin
+ removed: false
+ - description: Local system users.
+ interval: 28800
+ name: users
+ platform: darwin
+ query: users
+ - description: List authorized_keys for each user on the system
+ interval: 28800
+ name: authorized_keys
+ platform: darwin
+ query: authorized_keys
+ - description: Application, System, and Mobile App crash logs.
+ interval: 3600
+ name: crashes
+ platform: darwin
+ query: crashes
+ removed: false
+ - description: Displays the percentage of free space available on the primary disk
+ partition
+ interval: 3600
+ name: disk_free_space_pct
+ platform: darwin
+ query: disk_free_space_pct
+ snapshot: true
+ - description: Retrieve the interface name, IP address, and MAC address for all
+ interfaces on the host.
+ interval: 600
+ name: network_interfaces_snapshot
+ platform: darwin
+ query: network_interfaces_snapshot
+ snapshot: true
+ - description: Information about EFI/UEFI/ROM and platform/boot.
+ interval: 28800
+ name: platform_info
+ platform: darwin
+ query: platform_info
+ removed: false
+ - description: System uptime
+ interval: 1800
+ name: uptime
+ platform: darwin
+ query: uptime
+ snapshot: true
+ - description: MD5 hash of boot.efi
+ interval: 28800
+ name: boot_efi_hash
+ platform: darwin
+ query: boot_efi_hash
+ - description: Snapshot query for Chrome extensions
+ interval: 28800
+ name: chrome_extensions_snapshot
+ platform: darwin
+ query: chrome_extensions_snapshot
+ - description: Snapshot query for installed_applications
+ interval: 28800
+ name: installed_applications_snapshot
+ platform: darwin
+ query: installed_applications_snapshot
+ snapshot: true
+ - description: NFS shares exported by the host.
+ interval: 3600
+ name: nfs_shares
+ platform: darwin
+ query: nfs_shares
+ removed: false
+ - description: List the version of the resident operating system
+ interval: 28800
+ name: os_version
+ platform: darwin
+ query: os_version
+ - description: Applications and binaries set as user/login startup items.
+ interval: 3600
+ name: startup_items
+ platform: darwin
+ query: startup_items
+ - description: All C/NPAPI browser plugin details for all users.
+ interval: 3600
+ name: browser_plugins
+ platform: darwin
+ query: browser_plugins
+ - description: List installed Firefox addons for all users
+ interval: 3600
+ name: firefox_addons
+ platform: darwin
+ query: firefox_addons
+ - description: Discover hosts that have IP forwarding enabled
+ interval: 28800
+ name: ip_forwarding_enabled
+ platform: darwin
+ query: ip_forwarding_enabled
+ removed: false
+ - description: Platform info snapshot query
+ interval: 28800
+ name: platform_info_snapshot
+ platform: darwin
+ query: platform_info_snapshot
+ - description: Python packages installed in a system.
+ interval: 3600
+ name: python_packages
+ platform: darwin
+ query: python_packages
+ - description: List installed Chrome Extensions for all users
+ interval: 3600
+ name: chrome_extensions
+ platform: darwin
+ query: chrome_extensions
+ - description: Disk encryption status and information.
+ interval: 3600
+ name: disk_encryption
+ platform: darwin
+ query: disk_encryption
+ - description: Local system users.
+ interval: 28800
+ name: users_snapshot
+ platform: darwin
+ query: users_snapshot
+ - description: OS X known/remembered Wi-Fi networks list.
+ interval: 28800
+ name: wireless_networks
+ platform: darwin
+ query: wireless_networks
+ removed: false
+ - description: Determine if the host is running the expected EFI firmware version
+ given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)
+ interval: 28800
+ name: efigy
+ platform: darwin
+ query: efigy
+ snapshot: true
+ - description: List the contents of /etc/hosts
+ interval: 28800
+ name: etc_hosts
+ platform: darwin
+ query: etc_hosts
+ - description: Operating system version snapshot query
+ interval: 28800
+ name: os_version_snapshot
+ platform: darwin
+ query: os_version_snapshot
+ snapshot: true
+ - description: Information about the resident osquery process
+ interval: 28800
+ name: osquery_info
+ platform: darwin
+ query: osquery_info
+ snapshot: true
+ - description: Apple's System Integrity Protection (rootless) status.
+ interval: 3600
+ name: sip_config
+ platform: darwin
+ query: sip_config
+ - description: Returns the private keys in the users ~/.ssh directory and whether
+ or not they are encrypted.
+ interval: 3600
+ name: user_ssh_keys
+ platform: darwin
+ query: user_ssh_keys
+ removed: false
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/
+ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
+ name: emond
+ query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%'
+ AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6'
+ AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5'
+ AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND
+ sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND
+ sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND
+ sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND
+ sha256!='') OR (path LIKE '/private/var/db/emondClients/%');
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/
+ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
+ name: emond_snapshot
+ query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%'
+ AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6'
+ AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5'
+ AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND
+ sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND
+ sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND
+ sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND
+ sha256!='') OR (path LIKE '/private/var/db/emondClients/%');
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Track time/action changes to files specified in configuration data.
+ name: file_events
+ query: SELECT * FROM file_events;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: The installed homebrew package database.
+ name: homebrew_packages_snapshot
+ query: SELECT name, version FROM homebrew_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List kernel extensions, their signing status, and their hashes (excluding
+ extensions signed by Apple)
+ name: macosx_kextstat
+ query: SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size,
+ kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against,
+ kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash,
+ signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions
+ ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature
+ ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE
+ signature.authority!='Software Signing';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Checks the MD5 hash of /etc/rc.common and records the results if the
+ hash differs from the default value. /etc/rc.common can be used for persistence.
+ name: rc.common
+ query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9'
+ and md5!='';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns information about installed event taps. Can be used to detect
+ keyloggers
+ name: event_taps
+ query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process
+ = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT LIKE
+ '%.app%' AND processes.path!='/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_grabber'
+ AND processes.path NOT LIKE '/Users/%/bin/kwm' AND processes.path!='/Library/Rapport/bin/rooksd'
+ AND processes.path!='/usr/sbin/universalaccessd' AND processes.path NOT LIKE '/usr/local/Cellar/%'
+ AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%'
+ AND event_taps.enabled=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: LaunchAgents and LaunchDaemons from default search paths.
+ name: launchd
+ query: SELECT * FROM launchd;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for launchd
+ name: launchd_snapshot
+ query: SELECT path, name, label, program, run_at_load, program_arguments FROM launchd
+ WHERE run_at_load=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Detect the presence of the LD_PRELOAD environment variable
+ name: ld_preload
+ query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name,
+ processes.path, processes.cmdline, processes.cwd FROM process_envs join processes
+ USING (pid) WHERE key = 'LD_PRELOAD';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: USB devices that are actively plugged into the host system.
+ name: usb_devices
+ query: SELECT * FROM usb_devices;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: System mounted devices and filesystems (not process specific).
+ name: mounts
+ query: SELECT device, device_alias, path, type, blocks_size FROM mounts;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Apple NVRAM variable listing.
+ name: nvram
+ query: SELECT * FROM nvram;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Line parsed values from system and user cron/tab.
+ name: crontab
+ query: SELECT * FROM crontab;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Hardware (PCI/USB/HID) events from UDEV or IOKit.
+ name: hardware_events
+ query: SELECT * FROM hardware_events;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: The installed homebrew package database.
+ name: homebrew_packages
+ query: SELECT * FROM homebrew_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: OS X applications installed in known search paths (e.g., /Applications).
+ name: installed_applications
+ query: SELECT * FROM apps;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: System logins and logouts.
+ name: last
+ query: SELECT * FROM last;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for macosx_kextstat
+ name: macosx_kextstat_snapshot
+ query: SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path,
+ signature.signed, signature.identifier, signature.cdhash, signature.team_identifier,
+ signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE
+ printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path
+ LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software
+ Signing';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Checks the MD5 hash of /etc/rc.common and records the results if the
+ hash differs from the default value. /etc/rc.common can be used for persistence.
+ name: rc.common_snapshot
+ query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9'
+ and md5!='';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Safari browser extension details for all users.
+ name: safari_extensions
+ query: SELECT * FROM users JOIN safari_extensions USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: suid binaries in common locations.
+ name: suid_bin
+ query: SELECT * FROM suid_bin;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Local system users.
+ name: users
+ query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List authorized_keys for each user on the system
+ name: authorized_keys
+ query: SELECT * FROM users JOIN authorized_keys USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Application, System, and Mobile App crash logs.
+ name: crashes
+ query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path
+ FROM users JOIN crashes USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Displays the percentage of free space available on the primary disk
+ partition
+ name: disk_free_space_pct
+ query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieve the interface name, IP address, and MAC address for all interfaces
+ on the host.
+ name: network_interfaces_snapshot
+ query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
+ d USING (interface);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Information about EFI/UEFI/ROM and platform/boot.
+ name: platform_info
+ query: SELECT * FROM platform_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: System uptime
+ name: uptime
+ query: SELECT * FROM uptime;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: MD5 hash of boot.efi
+ name: boot_efi_hash
+ query: SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for Chrome extensions
+ name: chrome_extensions_snapshot
+ query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for installed_applications
+ name: installed_applications_snapshot
+ query: SELECT name, path, bundle_short_version, bundle_version, display_name FROM
+ apps;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: NFS shares exported by the host.
+ name: nfs_shares
+ query: SELECT * FROM nfs_shares;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List the version of the resident operating system
+ name: os_version
+ query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Applications and binaries set as user/login startup items.
+ name: startup_items
+ query: SELECT * FROM startup_items;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: All C/NPAPI browser plugin details for all users.
+ name: browser_plugins
+ query: SELECT * FROM users JOIN browser_plugins USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List installed Firefox addons for all users
+ name: firefox_addons
+ query: SELECT * FROM users JOIN firefox_addons USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Discover hosts that have IP forwarding enabled
+ name: ip_forwarding_enabled
+ query: SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE
+ '%ip%' AND current_value=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Platform info snapshot query
+ name: platform_info_snapshot
+ query: SELECT vendor, version, date, revision from platform_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Python packages installed in a system.
+ name: python_packages
+ query: SELECT * FROM python_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List installed Chrome Extensions for all users
+ name: chrome_extensions
+ query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Disk encryption status and information.
+ name: disk_encryption
+ query: SELECT * FROM disk_encryption;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Local system users.
+ name: users_snapshot
+ query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: OS X known/remembered Wi-Fi networks list.
+ name: wireless_networks
+ query: SELECT ssid, network_name, security_type, last_connected, captive_portal,
+ possibly_hidden, roaming, roaming_profile FROM wifi_networks;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Determine if the host is running the expected EFI firmware version
+ given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)
+ name: efigy
+ query: SELECT * FROM efigy;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List the contents of /etc/hosts
+ name: etc_hosts
+ query: SELECT * FROM etc_hosts;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Operating system version snapshot query
+ name: os_version_snapshot
+ query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Information about the resident osquery process
+ name: osquery_info
+ query: SELECT * FROM osquery_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Apple's System Integrity Protection (rootless) status.
+ name: sip_config
+ query: SELECT * FROM sip_config;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the private keys in the users ~/.ssh directory and whether
+ or not they are encrypted.
+ name: user_ssh_keys
+ query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
new file mode 100644
index 000000000..5e6ea4168
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
@@ -0,0 +1,511 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: windows-pack
+ queries:
+ - description: System info snapshot query
+ interval: 28800
+ name: system_info_snapshot
+ platform: windows
+ query: system_info_snapshot
+ snapshot: true
+ - description: List in-use Windows drivers
+ interval: 3600
+ name: drivers
+ platform: windows
+ query: drivers
+ - description: Displays shared resources on a computer system running Windows. This
+ may be a disk drive, printer, interprocess communication, or other sharable
+ device.
+ interval: 3600
+ name: shared_resources
+ platform: windows
+ query: shared_resources
+ - description: Lists all the patches applied
+ interval: 3600
+ name: patches
+ platform: windows
+ query: patches
+ removed: false
+ - description: Pipes snapshot query
+ interval: 28800
+ name: pipes_snapshot
+ platform: windows
+ query: pipes_snapshot
+ snapshot: true
+ - description: Programs snapshot query
+ interval: 28800
+ name: programs_snapshot
+ platform: windows
+ query: programs_snapshot
+ snapshot: true
+ - description: Services snapshot query
+ interval: 28800
+ name: services_snapshot
+ platform: windows
+ query: services_snapshot
+ snapshot: true
+ - description: WMI CommandLineEventConsumer, which can be used for persistence on
+ Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
+ for more details.
+ interval: 3600
+ name: wmi_cli_event_consumers
+ platform: windows
+ query: wmi_cli_event_consumers
+ - description: Lists the relationship between event consumers and filters.
+ interval: 3600
+ name: wmi_filter_consumer_binding
+ platform: windows
+ query: wmi_filter_consumer_binding
+ - description: Snapshot query for Chrome extensions
+ interval: 3600
+ name: chrome_extensions_snapshot
+ platform: windows
+ query: chrome_extensions_snapshot
+ - description: Retrieve the interface name, IP address, and MAC address for all
+ interfaces on the host.
+ interval: 600
+ name: network_interfaces_snapshot
+ platform: windows
+ query: network_interfaces_snapshot
+ snapshot: true
+ - description: Local system users.
+ interval: 3600
+ name: users
+ platform: windows
+ query: users
+ - description: Snapshot query for WMI event consumers.
+ interval: 28800
+ name: wmi_cli_event_consumers_snapshot
+ platform: windows
+ query: wmi_cli_event_consumers_snapshot
+ snapshot: true
+ - description: List all certificates in the trust store
+ interval: 3600
+ name: certificates
+ platform: windows
+ query: certificates
+ removed: false
+ - description: Drivers snapshot query
+ interval: 28800
+ name: drivers_snapshot
+ platform: windows
+ query: drivers_snapshot
+ snapshot: true
+ - description: Lists WMI event filters.
+ interval: 3600
+ name: wmi_event_filters
+ platform: windows
+ query: wmi_event_filters
+ - description: List installed Internet Explorer extensions
+ interval: 3600
+ name: ie_extensions
+ platform: windows
+ query: ie_extensions
+ - description: List the kernel path, version, etc.
+ interval: 3600
+ name: kernel_info
+ platform: windows
+ query: kernel_info
+ - description: List the version of the resident operating system
+ interval: 3600
+ name: os_version
+ platform: windows
+ query: os_version
+ - description: Patches snapshot query
+ interval: 28800
+ name: patches_snapshot
+ platform: windows
+ query: patches_snapshot
+ snapshot: true
+ - description: Named and Anonymous pipes.
+ interval: 3600
+ name: pipes
+ platform: windows
+ query: pipes
+ removed: false
+ - description: Lists installed programs
+ interval: 0
+ name: programs
+ platform: windows
+ query: programs
+ - description: List all certificates in the trust store (snapshot query)
+ interval: 0
+ name: certificates_snapshot
+ platform: windows
+ query: certificates_snapshot
+ snapshot: true
+ - description: List the contents of the Windows hosts file
+ interval: 3600
+ name: etc_hosts
+ platform: windows
+ query: etc_hosts
+ - description: Lists all of the tasks in the Windows task scheduler
+ interval: 3600
+ name: scheduled_tasks
+ platform: windows
+ query: scheduled_tasks
+ - description: Extracted information from Windows crash logs (Minidumps).
+ interval: 3600
+ name: windows_crashes
+ platform: windows
+ query: windows_crashes
+ removed: false
+ - description: System uptime
+ interval: 3600
+ name: uptime
+ platform: windows
+ query: uptime
+ snapshot: true
+ - description: Snapshot query for WMI script event consumers.
+ interval: 3600
+ name: wmi_script_event_consumers
+ platform: windows
+ query: wmi_script_event_consumers
+ snapshot: true
+ - description: List installed Chocolatey packages
+ interval: 3600
+ name: chocolatey_packages
+ platform: windows
+ query: chocolatey_packages
+ - description: Shared resources snapshot query
+ interval: 28800
+ name: shared_resources_snapshot
+ platform: windows
+ query: shared_resources_snapshot
+ snapshot: true
+ - description: Lists all installed services configured to start automatically at
+ boot
+ interval: 3600
+ name: services
+ platform: windows
+ query: services
+ - description: Users snapshot query
+ interval: 28800
+ name: users_snapshot
+ platform: windows
+ query: users_snapshot
+ snapshot: true
+ - description: List installed Chrome Extensions for all users
+ interval: 3600
+ name: chrome_extensions
+ platform: windows
+ query: chrome_extensions
+ - description: Operating system version snapshot query
+ interval: 28800
+ name: os_version_snapshot
+ platform: windows
+ query: os_version_snapshot
+ snapshot: true
+ - description: System information for identification.
+ interval: 3600
+ name: system_info
+ platform: windows
+ query: system_info
+ - description: Snapshot query for WMI event filters.
+ interval: 28800
+ name: wmi_event_filters_snapshot
+ platform: windows
+ query: wmi_event_filters_snapshot
+ snapshot: true
+ - description: Snapshot query for WMI filter consumer bindings.
+ interval: 28800
+ name: wmi_filter_consumer_binding_snapshot
+ platform: windows
+ query: wmi_filter_consumer_binding_snapshot
+ snapshot: true
+ - description: Information about the resident osquery process
+ interval: 28800
+ name: osquery_info
+ platform: windows
+ query: osquery_info
+ snapshot: true
+ - description: Scheduled Tasks snapshot query
+ interval: 28800
+ name: scheduled_tasks_snapshot
+ platform: windows
+ query: scheduled_tasks_snapshot
+ snapshot: true
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: System info snapshot query
+ name: system_info_snapshot
+ query: SELECT * FROM system_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List in-use Windows drivers
+ name: drivers
+ query: SELECT * FROM drivers;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Displays shared resources on a computer system running Windows. This
+ may be a disk drive, printer, interprocess communication, or other sharable device.
+ name: shared_resources
+ query: SELECT * FROM shared_resources;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Lists all the patches applied
+ name: patches
+ query: SELECT * FROM patches;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Pipes snapshot query
+ name: pipes_snapshot
+ query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk,
+ pipes.name, pid FROM pipes JOIN processes USING (pid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Programs snapshot query
+ name: programs_snapshot
+ query: SELECT * FROM programs;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Services snapshot query
+ name: services_snapshot
+ query: SELECT * FROM services;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: WMI CommandLineEventConsumer, which can be used for persistence on
+ Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
+ for more details.
+ name: wmi_cli_event_consumers
+ query: SELECT * FROM wmi_cli_event_consumers;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Lists the relationship between event consumers and filters.
+ name: wmi_filter_consumer_binding
+ query: SELECT * FROM wmi_filter_consumer_binding;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for Chrome extensions
+ name: chrome_extensions_snapshot
+ query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieve the interface name, IP address, and MAC address for all interfaces
+ on the host.
+ name: network_interfaces_snapshot
+ query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
+ d USING (interface);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Local system users.
+ name: users
+ query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for WMI event consumers.
+ name: wmi_cli_event_consumers_snapshot
+ query: SELECT * FROM wmi_cli_event_consumers;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List all certificates in the trust store
+ name: certificates
+ query: SELECT * FROM certificates WHERE path != 'Other People';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Drivers snapshot query
+ name: drivers_snapshot
+ query: SELECT * FROM drivers;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Lists WMI event filters.
+ name: wmi_event_filters
+ query: SELECT * FROM wmi_event_filters;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List installed Internet Explorer extensions
+ name: ie_extensions
+ query: SELECT * FROM ie_extensions;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List the kernel path, version, etc.
+ name: kernel_info
+ query: SELECT * FROM kernel_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List the version of the resident operating system
+ name: os_version
+ query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Patches snapshot query
+ name: patches_snapshot
+ query: SELECT * FROM patches;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Named and Anonymous pipes.
+ name: pipes
+ query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk,
+ pipes.name, pid FROM pipes JOIN processes USING (pid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Lists installed programs
+ name: programs
+ query: SELECT * FROM programs;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List all certificates in the trust store (snapshot query)
+ name: certificates_snapshot
+ query: SELECT * FROM certificates WHERE path != 'Other People';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List the contents of the Windows hosts file
+ name: etc_hosts
+ query: SELECT * FROM etc_hosts;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Lists all of the tasks in the Windows task scheduler
+ name: scheduled_tasks
+ query: SELECT * FROM scheduled_tasks;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Extracted information from Windows crash logs (Minidumps).
+ name: windows_crashes
+ query: SELECT * FROM windows_crashes;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: System uptime
+ name: uptime
+ query: SELECT * FROM uptime;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for WMI script event consumers.
+ name: wmi_script_event_consumers
+ query: SELECT * FROM wmi_script_event_consumers;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List installed Chocolatey packages
+ name: chocolatey_packages
+ query: SELECT * FROM chocolatey_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Shared resources snapshot query
+ name: shared_resources_snapshot
+ query: SELECT * FROM shared_resources;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Lists all installed services configured to start automatically at boot
+ name: services
+ query: SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Users snapshot query
+ name: users_snapshot
+ query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: List installed Chrome Extensions for all users
+ name: chrome_extensions
+ query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Operating system version snapshot query
+ name: os_version_snapshot
+ query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: System information for identification.
+ name: system_info
+ query: SELECT * FROM system_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for WMI event filters.
+ name: wmi_event_filters_snapshot
+ query: SELECT * FROM wmi_event_filters;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query for WMI filter consumer bindings.
+ name: wmi_filter_consumer_binding_snapshot
+ query: SELECT * FROM wmi_filter_consumer_binding;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Information about the resident osquery process
+ name: osquery_info
+ query: SELECT * FROM osquery_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Scheduled Tasks snapshot query
+ name: scheduled_tasks_snapshot
+ query: SELECT * FROM scheduled_tasks;
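Review bot: `programs` (interval at the line after "Lists installed programs") and `certificates_snapshot` (the next entry) are scheduled with `interval: 0`, which as far as I recall osquery's pack parser rejects, so neither query ever runs; if they are meant to run, give them a real period such as `interval: 3600` and `interval: 28800` respectively. `chrome_extensions_snapshot` is the only `*_snapshot` entry in the pack without `snapshot: true`, so it is logged as a differential query with exactly the same SQL as `chrome_extensions`, doubling the extension events Fleet ingests. The `services` query filters `start_type='DEMAND_START' OR start_type='AUTO_START'` while its description says "configured to start automatically at boot"; either drop `DEMAND_START` or reword the description to `Lists installed services configured to start automatically or on demand`.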
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/options.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/options.yaml
new file mode 100644
index 000000000..dd53bae81
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/options.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: options
+spec:
+ config:
+ decorators:
+ always:
+ - SELECT hostname AS hostname FROM system_info;
+ - SELECT codename FROM os_version;
+ - SELECT uuid AS LiveQuery FROM system_info;
+ - SELECT address AS EndpointIP1 FROM interface_addresses where address not
+ like '%:%' and address not like '127%' and address not like '169%' order by
+ interface desc limit 1;
+ - SELECT address AS EndpointIP2 FROM interface_addresses where address not
+ like '%:%' and address not like '127%' and address not like '169%' order by
+ interface asc limit 1;
+ - SELECT hardware_serial FROM system_info;
+ file_paths:
+ binaries:
+ - /usr/bin/%%
+ - /usr/sbin/%%
+ - /bin/%%
+ - /sbin/%%
+ - /usr/local/bin/%%
+ - /usr/local/sbin/%%
+ - /opt/bin/%%
+ - /opt/sbin/%%
+ configuration:
+ - /etc/%%
+ efi:
+ - /System/Library/CoreServices/boot.efi
+ options:
+ decorations_top_level: true
+ disable_distributed: false
+ disable_tables: windows_events
+ distributed_interval: 10
+ distributed_plugin: tls
+ distributed_tls_max_attempts: 3
+ distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
+ distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
+ logger_plugin: tls
+ logger_snapshot_event_type: true
+ logger_tls_endpoint: /api/v1/osquery/log
+ logger_tls_period: 10
+ pack_delimiter: /
+ schedule_splay_percent: 10
+ overrides: {}
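Review bot: The `file_paths` block (binaries, configuration, efi) declares FIM targets, but the `options` mapping sets neither `enable_file_events: true` nor a scheduled query against `file_events`, and no such query is visible in this commit; if I remember the osquery FIM requirements correctly, these paths are dead configuration until both are added. The `efi` category points at `/System/Library/CoreServices/boot.efi`, which only exists on macOS, so on Linux and Windows hosts it would merely log a missing path; a comment such as `# efi: macOS only` above that category would make the intent clear. The `EndpointIP1`/`EndpointIP2` decorators exclude addresses with `not like '169%'`, which filters every 169.0.0.0/8 address rather than only link-local 169.254.0.0/16; `'169.254%'` is the tighter pattern.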
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
new file mode 100644
index 000000000..25c6a5fbd
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
@@ -0,0 +1,69 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: performance-metrics
+ queries:
+ - description: Records the CPU time and memory usage for each individual query.
+ Helpful for identifying queries that may impact performance.
+ interval: 1800
+ name: per_query_perf
+ query: per_query_perf
+ snapshot: true
+ - description: Track the amount of CPU time used by osquery.
+ interval: 1800
+ name: runtime_perf
+ query: runtime_perf
+ snapshot: true
+ - description: Track the percentage of total CPU time utilized by $endpoint_security_tool
+ interval: 1800
+ name: endpoint_security_tool_perf
+ query: endpoint_security_tool_perf
+ snapshot: true
+ - description: Track the percentage of total CPU time utilized by $backup_tool
+ interval: 1800
+ name: backup_tool_perf
+ query: backup_tool_perf
+ snapshot: true
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Records the CPU time and memory usage for each individual query. Helpful
+ for identifying queries that may impact performance.
+ name: per_query_perf
+ query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
+ AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
+ FROM osquery_schedule;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Track the amount of CPU time used by osquery.
+ name: runtime_perf
+ query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
+ AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
+ AS counter, db.db_size_mb AS database_size FROM osquery_info i, os_version ov,
+ processes p, time, (SELECT (sum(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
+ value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
+ path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Track the percentage of total CPU time utilized by $endpoint_security_tool
+ name: endpoint_security_tool_perf
+ query: SELECT ((tool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
+ processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS tool_time
+ FROM processes WHERE name='endpoint_security_tool');
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Track the percentage of total CPU time utilized by $backup_tool
+ name: backup_tool_perf
+ query: SELECT ((backuptool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct
+ FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time))
+ AS backuptool_time FROM processes WHERE name='backup_tool');
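Review bot: `endpoint_security_tool_perf` and `backup_tool_perf` still match the upstream placeholder process names `name='endpoint_security_tool'` and `name='backup_tool'`, and their descriptions keep the `$endpoint_security_tool` / `$backup_tool` template variables; as committed they never match a real process, so `pct` is NULL on every host while still costing a full `processes` scan every 1800 seconds. Either substitute the actual tool process names before deploying this pack or remove those two queries from the `queries` list and the trailing query specs. The two remaining queries (`per_query_perf`, `runtime_perf`) are generic and fine to ship as-is.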
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
new file mode 100644
index 000000000..a65f59dd4
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: security-tooling-checks
+ queries:
+ - description: Returns an event if a EndpointSecurityTool process is not found running
+ from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
+ (Windows)
+ interval: 28800
+ name: endpoint_security_tool_not_running
+ platform: windows,darwin
+ query: endpoint_security_tool_not_running
+ snapshot: true
+ - description: "Returns an event if a BackupTool process is not found running from
+ '/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
+ interval: 28800
+ name: backup_tool_not_running
+ platform: windows,darwin
+ query: backup_tool_not_running
+ snapshot: true
+ - description: Returns the content of the key if the backend server does not match
+ the expected value
+ interval: 3600
+ name: endpoint_security_tool_backend_server_registry_misconfigured
+ platform: windows
+ query: endpoint_security_tool_backend_server_registry_misconfigured
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns an event if a EndpointSecurityTool process is not found running
+ from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
+ (Windows)
+ name: endpoint_security_tool_not_running
+ query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
+ process_count from processes where path='/Applications/EndpointSecurityTool' OR
+ lower(path)='c:\endpointsecuritytool.exe') where process_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: "Returns an event if a BackupTool process is not found running from
+ '/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
+ name: backup_tool_not_running
+ query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
+ process_count from processes where path='/Applications/BackupTool' OR lower(path)
+ LIKE 'c:\backuptool.exe') where process_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if the backend server does not match
+ the expected value
+ name: endpoint_security_tool_backend_server_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\EndpointSecurityTool\BackendServerLocation'
+ AND data!='https://expected_endpoint.local';
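Review bot: The `backup_tool_not_running` description is a double-quoted scalar containing `'c:\backuptool.exe'`, and in double-quoted YAML `\b` is the backspace escape, so the parsed description contains a control character in place of the `\b`; write it as `'c:\\backuptool.exe'` or switch the scalar to single quotes (this applies to both the pack entry and the query spec). The `endpoint_security_tool_not_running` description has an unbalanced quote (`from /Applications/EndpointSecurityTool'`), which is only cosmetic but reads as a typo. More importantly, all three queries still carry the upstream placeholders (`/Applications/EndpointSecurityTool`, `c:\endpointsecuritytool.exe`, `c:\backuptool.exe`, `https://expected_endpoint.local`), so the two `*_not_running` checks will fire on every host every 28800 seconds until the real product paths are substituted; the pack should be customized or left out of the deployed set rather than shipped verbatim.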
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
new file mode 100644
index 000000000..43c034a52
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
@@ -0,0 +1,93 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: windows-application-security
+ queries:
+ - description: Controls Bitlocker full-disk encryption settings.
+ interval: 3600
+ name: bitlocker_autoencrypt_settings_registry
+ platform: windows
+ query: bitlocker_autoencrypt_settings_registry
+ - description: Controls Bitlocker full-disk encryption settings.
+ interval: 3600
+ name: bitlocker_fde_settings_registry
+ platform: windows
+ query: bitlocker_fde_settings_registry
+ - description: Controls Google Chrome plugins that are forcibly installed.
+ interval: 3600
+ name: chrome_extension_force_list_registry
+ platform: windows
+ query: chrome_extension_force_list_registry
+ - description: Controls EMET-protected applications and system settings.
+ interval: 3600
+ name: emet_settings_registry
+ platform: windows
+ query: emet_settings_registry
+ - description: Controls Local Administrative Password Solution (LAPS) settings.
+ interval: 3600
+ name: microsoft_laps_settings_registry
+ platform: windows
+ query: microsoft_laps_settings_registry
+ - description: Controls Windows Passport for Work (Hello) settings.
+ interval: 3600
+ name: passport_for_work_settings_registry
+ platform: windows
+ query: passport_for_work_settings_registry
+ - description: Controls UAC. A setting of 0 indicates that UAC is disabled.
+ interval: 3600
+ name: uac_settings_registry
+ platform: windows
+ query: uac_settings_registry
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Bitlocker full-disk encryption settings.
+ name: bitlocker_autoencrypt_settings_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Bitlocker\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Bitlocker full-disk encryption settings.
+ name: bitlocker_fde_settings_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Google Chrome plugins that are forcibly installed.
+ name: chrome_extension_force_list_registry
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls EMET-protected applications and system settings.
+ name: emet_settings_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Local Administrative Password Solution (LAPS) settings.
+ name: microsoft_laps_settings_registry
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
+ Services\AdmPwd';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Windows Passport for Work (Hello) settings.
+ name: passport_for_work_settings_registry
+ query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls UAC. A setting of 0 indicates that UAC is disabled.
+ name: uac_settings_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA';
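Review bot: `bitlocker_autoencrypt_settings_registry` and `bitlocker_fde_settings_registry` share the identical description "Controls Bitlocker full-disk encryption settings.", so in Fleet's query list a reader cannot tell which key each one covers; naming the key in each description, for example `Bitlocker settings under System\CurrentControlSet\Control\Bitlocker` and `Bitlocker policy settings under Software\Policies\Microsoft\FVE`, would make them distinguishable. The wildcard queries are also inconsistent about which column they constrain: three use `key LIKE '...\%%'` while `passport_for_work_settings_registry` uses `path LIKE '...\%%'`; presumably both enumerate the subtree, but picking one form would make the pack easier to audit.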
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
new file mode 100644
index 000000000..eef5f3fcc
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
@@ -0,0 +1,321 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: windows-compliance
+ queries:
+ - description: 'This key does not exist by default and controls enabling/disabling
+ error reporting display. Some malware creates this key and sets the value to
+ 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ interval: 3600
+ name: error_display_ui_registry
+ platform: windows
+ query: error_display_ui_registry
+ - description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename
+ and delayed-delete capabilities. Sometimes used as a self-deletion technique
+ for malware.
+ interval: 3600
+ name: filerenameoperations_registry
+ platform: windows
+ query: filerenameoperations_registry
+ - description: Controls which security packages store credentials in LSA memory,
+ secure boot, etc.
+ interval: 3600
+ name: local_security_authority_registry
+ platform: windows
+ query: local_security_authority_registry
+ - description: 'This key exists by default and has a default value of 1. Setting
+ this key to 0 disables logging errors/crashes to the System event channel. Some
+ malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ interval: 3600
+ name: log_errors_registry
+ platform: windows
+ query: log_errors_registry
+ - description: Controls Windows security provider configurations
+ interval: 3600
+ name: security_providers_registry
+ platform: windows
+ query: security_providers_registry
+ - description: Controls Windows Update server location and installation behavior.
+ interval: 3600
+ name: windows_update_settings_registry
+ platform: windows
+ query: windows_update_settings_registry
+ - description: 'Controls enabling/disabling crash dumps. This key has a default
+ value of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ interval: 3600
+ name: crash_dump_registry
+ platform: windows
+ query: crash_dump_registry
+ - description: 'This registry key specifies the path to a DLL to be loaded by a
+ Windows DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83'
+ interval: 3600
+ name: dns_plugin_dll_registry
+ platform: windows
+ query: dns_plugin_dll_registry
+ - description: The KnownDlls key defines the set of DLLs that are first searched
+ during system startup.
+ interval: 3600
+ name: knowndlls_registry
+ platform: windows
+ query: knowndlls_registry
+ - description: This key exists by default and has a default value of 1. Terminal
+ service connections are allowed to the host when the key value is set to 0
+ interval: 3600
+ name: terminal_service_deny_registry
+ platform: windows
+ query: terminal_service_deny_registry
+ - description: Controls Windows command-line auditing
+ interval: 3600
+ name: command_line_auditing_registry
+ platform: windows
+ query: command_line_auditing_registry
+ - description: 'This key (and subkeys) exist by default and are required to allow
+ post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ interval: 3600
+ name: dr_watson_registry
+ platform: windows
+ query: dr_watson_registry
+ - description: Controls how many simultaneous terminal services sessions can use
+ the same account
+ interval: 3600
+ name: per_user_ts_session_registry
+ platform: windows
+ query: per_user_ts_session_registry
+ - description: Controls Powershell execution policy, script execution, logging,
+ and more.
+ interval: 3600
+ name: powershell_settings_registry
+ platform: windows
+ query: powershell_settings_registry
+ - description: Controls enabling/disabling SMBv1. Setting this key to 0 disables
+ the SMBv1 protocol on the host.
+ interval: 3600
+ name: smbv1_registry
+ platform: windows
+ query: smbv1_registry
+ - description: Lists information about SecureBoot status.
+ interval: 3600
+ name: secure_boot_registry
+ platform: windows
+ query: secure_boot_registry
+ - description: This key does not exist by default and controls enabling/disabling
+ error reporting. Some malware creates this key sets the value to 0 (disables
+ error reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx
+ and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html
+ interval: 3600
+ name: error_report_registry
+ platform: windows
+ query: error_report_registry
+ - description: Controls behavior, size, and rotation strategy for primary windows
+ event log files.
+ interval: 3600
+ name: event_log_settings_registry
+ platform: windows
+ query: event_log_settings_registry
+ - description: Controls system TPM settings
+ interval: 3600
+ name: tpm_registry
+ platform: windows
+ query: tpm_registry
+ - description: Controls local WinRM client configuration and security.
+ interval: 3600
+ name: winrm_settings_registry
+ platform: windows
+ query: winrm_settings_registry
+ - description: 'Controls the suppression of error dialog boxes. The default value
+ is 0 (all messages are visible), but some malware sets this value to 2 (all
+ messages are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ interval: 3600
+ name: error_mode_registry
+ platform: windows
+ query: error_mode_registry
+ - description: Controls sending administrative notifications after a crash. Some
+ malware sets this value to 0
+ interval: 3600
+ name: send_error_alert_registry
+ platform: windows
+ query: send_error_alert_registry
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'This key does not exist by default and controls enabling/disabling
+ error reporting display. Some malware creates this key and sets the value to 0.
+ See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ name: error_display_ui_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename
+ and delayed-delete capabilities. Sometimes used as a self-deletion technique for
+ malware.
+ name: filerenameoperations_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
+ Manager\FileRenameOperations';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls which security packages store credentials in LSA memory, secure
+ boot, etc.
+ name: local_security_authority_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'This key exists by default and has a default value of 1. Setting this
+ key to 0 disables logging errors/crashes to the System event channel. Some malware
+ sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ name: log_errors_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Windows security provider configurations
+ name: security_providers_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Windows Update server location and installation behavior.
+ name: windows_update_settings_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'Controls enabling/disabling crash dumps. This key has a default value
+ of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ name: crash_dump_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'This registry key specifies the path to a DLL to be loaded by a Windows
+ DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83'
+ name: dns_plugin_dll_registry
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: The KnownDlls key defines the set of DLLs that are first searched during
+ system startup.
+ name: knowndlls_registry
+ query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
+ Manager\KnownDLLs\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: This key exists by default and has a default value of 1. Terminal service
+ connections are allowed to the host when the key value is set to 0
+ name: terminal_service_deny_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+ Server\fDenyTSConnections';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Windows command-line auditing
+ name: command_line_auditing_registry
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'This key (and subkeys) exist by default and are required to allow
+ post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ name: dr_watson_registry
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\AeDebug';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls how many simultaneous terminal services sessions can use the
+ same account
+ name: per_user_ts_session_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+ Server\fSingleSessionPerUser';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls Powershell execution policy, script execution, logging, and
+ more.
+ name: powershell_settings_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls enabling/disabling SMBv1. Setting this key to 0 disables the
+ SMBv1 protocol on the host.
+ name: smbv1_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Lists information about SecureBoot status.
+ name: secure_boot_registry
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: This key does not exist by default and controls enabling/disabling
+ error reporting. Some malware creates this key sets the value to 0 (disables error
+ reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx
+ and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html
+ name: error_report_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DoReport';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls behavior, size, and rotation strategy for primary windows
+ event log files.
+ name: event_log_settings_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls system TPM settings
+ name: tpm_registry
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls local WinRM client configuration and security.
+ name: winrm_settings_registry
+ query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\%%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'Controls the suppression of error dialog boxes. The default value
+ is 0 (all messages are visible), but some malware sets this value to 2 (all messages
+ are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
+ name: error_mode_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls sending administrative notifications after a crash. Some malware
+ sets this value to 0
+ name: send_error_alert_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert';
diff --git a/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
new file mode 100644
index 000000000..123ec1a6e
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
@@ -0,0 +1,475 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: windows-registry-monitoring
+ queries:
+ - description: Technique used by attackers to prevent computer accounts from changing
+ their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011)
+ interval: 3600
+ name: computer_password_change_disabled_registry
+ platform: windows
+ query: computer_password_change_disabled_registry
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: error_mode_registry_missing
+ platform: windows
+ query: error_mode_registry_missing
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: per_user_ts_session_registry_missing
+ platform: windows
+ query: per_user_ts_session_registry_missing
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: powershell_invocationheader_registry_missing
+ platform: windows
+ query: powershell_invocationheader_registry_missing
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: bitlocker_encryption_settings_registry_misconfigured
+ platform: windows
+ query: bitlocker_encryption_settings_registry_misconfigured
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: bitlocker_mbam_registry_misconfigured
+ platform: windows
+ query: bitlocker_mbam_registry_misconfigured
+ - description: Returns the content of this key if it exists, which it shouldn't
+ by default
+ interval: 3600
+ name: dns_plugin_dll_registry_exists
+ platform: windows
+ query: dns_plugin_dll_registry_exists
+ - description: Returns the content of this key if it exists, which it shouldn't
+ by default
+ interval: 3600
+ name: error_display_ui_registry_exists
+ platform: windows
+ query: error_display_ui_registry_exists
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: log_errors_registry_misconfigured
+ platform: windows
+ query: log_errors_registry_misconfigured
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: subscription_manager_registry_misconfigured
+ platform: windows
+ query: subscription_manager_registry_misconfigured
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: subscription_manager_registry_missing
+ platform: windows
+ query: subscription_manager_registry_missing
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: command_line_auditing_registry_misconfigured
+ platform: windows
+ query: command_line_auditing_registry_misconfigured
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: crash_dump_registry_missing
+ platform: windows
+ query: crash_dump_registry_missing
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: error_mode_registry_misconfigured
+ platform: windows
+ query: error_mode_registry_misconfigured
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: log_errors_registry_missing
+ platform: windows
+ query: log_errors_registry_missing
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: winrm_settings_registry_misconfigured
+ platform: windows
+ query: winrm_settings_registry_misconfigured
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: crash_dump_registry_misconfigured
+ platform: windows
+ query: crash_dump_registry_misconfigured
+ - description: Detect a registry based persistence mechanism that allows an attacker
+ to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105)
+ interval: 3600
+ name: physicalstore_dll_registry_persistence
+ platform: windows
+ query: physicalstore_dll_registry_persistence
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: powershell_logging_registry_misconfigured
+ platform: windows
+ query: powershell_logging_registry_misconfigured
+ - description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)'
+ interval: 3600
+ name: amsi_disabled_registry
+ platform: windows
+ query: amsi_disabled_registry
+ - description: Controls how often to rotate the local computer password (defaults
+ to 30 days). A modification of this value may be an indicator of attacker activity.
+ interval: 3600
+ name: computer_maximum_password_age_changed_registry
+ platform: windows
+ query: computer_maximum_password_age_changed_registry
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: dr_watson_registry_missing
+ platform: windows
+ query: dr_watson_registry_missing
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: per_user_ts_session_registry_misconfigured
+ platform: windows
+ query: per_user_ts_session_registry_misconfigured
+ - description: Registry based persistence mechanism to load DLLs at reboot time
+ and avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/).
+ Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will
+ remain.
+ interval: 3600
+ name: runonceex_persistence_registry
+ platform: windows
+ query: runonceex_persistence_registry
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: smbv1_registry_missing
+ platform: windows
+ query: smbv1_registry_missing
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: powershell_transcription_logging_registry_missing
+ platform: windows
+ query: powershell_transcription_logging_registry_missing
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: powershell_module_logging_registry_missing
+ platform: windows
+ query: powershell_module_logging_registry_missing
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: powershell_scriptblock_logging_registry_missing
+ platform: windows
+ query: powershell_scriptblock_logging_registry_missing
+ - description: Returns the content of the key if it does not match the expected
+ value
+ interval: 3600
+ name: bitlocker_mbam_endpoint_registry_misconfigured
+ platform: windows
+ query: bitlocker_mbam_endpoint_registry_misconfigured
+ - description: Returns 0 as a result if the registry key does not exist
+ interval: 3600
+ name: command_line_auditing_registry_missing
+ platform: windows
+ query: command_line_auditing_registry_missing
+ - description: ""
+ interval: 3600
+ name: smbv1_registry_misconfigured
+ platform: windows
+ query: smbv1_registry_misconfigured
+ - description: Returns the content of this key if it exists, which it shouldn't
+ by default
+ interval: 3600
+ name: send_error_alert_registry_exists
+ platform: windows
+ query: send_error_alert_registry_exists
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Technique used by attackers to prevent computer accounts from changing
+ their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011)
+ name: computer_password_change_disabled_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange'
+ AND data!=0;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: error_mode_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: per_user_ts_session_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+ Server\fSingleSessionPerUser') WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: powershell_invocationheader_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: bitlocker_encryption_settings_registry_misconfigured
+ query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ShouldEncryptOSDrive'
+ OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\OSDriveProtector')
+ AND data!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: bitlocker_mbam_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\UseMBAMServices'
+ AND data!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of this key if it exists, which it shouldn't by
+ default
+ name: dns_plugin_dll_registry_exists
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of this key if it exists, which it shouldn't by
+ default
+ name: error_display_ui_registry_exists
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: log_errors_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent'
+ AND data!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: subscription_manager_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1'
+ AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC'
+ AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC');
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: subscription_manager_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: command_line_auditing_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled'
+ AND data!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: crash_dump_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: error_mode_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode'
+ AND data=2;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: log_errors_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: winrm_settings_registry_misconfigured
+ query: 'SELECT * FROM registry WHERE (path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic''
+ OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowCredSSP''
+ OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic''
+ OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest''
+ OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic''
+ OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowCredSSP''
+ OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic''
+ OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess'')
+ AND data!=0; '
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: crash_dump_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled'
+ AND data=0;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Detect a registry based persistence mechanism that allows an attacker
+ to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105)
+ name: physicalstore_dll_registry_persistence
+ query: SELECT key, path, name, mtime, username FROM registry r, users WHERE path
+ LIKE 'HKEY_USERS\'||uuid||'\Software\Microsoft\SystemCertificates\CA\PhysicalStores\%%'
+ OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType
+ 0\CertDllOpenStoreProv\%%' AND name!='#16' AND name!='Ldap';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: powershell_logging_registry_misconfigured
+ query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging'
+ OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging'
+ OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting'
+ OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader')
+ AND data!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)'
+ name: amsi_disabled_registry
+ query: SELECT key, r.path, r.name, r.mtime, r.data, username from registry r, users
+ WHERE path = 'HKEY_USERS\'||uuid||'\Software\Microsoft\Windows Script\Settings\AmsiEnable'
+ AND data=0;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Controls how often to rotate the local computer password (defaults
+ to 30 days). A modification of this value may be an indicator of attacker activity.
+ name: computer_maximum_password_age_changed_registry
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge'
+ and data!=30;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: dr_watson_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug')
+ WHERE key_exists!=2;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: per_user_ts_session_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+ Server\fSingleSessionPerUser' AND data!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Registry based persistence mechanism to load DLLs at reboot time and
+ avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/).
+ Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will
+ remain.
+ name: runonceex_persistence_registry
+ query: SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: smbv1_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: powershell_transcription_logging_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: powershell_module_logging_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: powershell_scriptblock_logging_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of the key if it does not match the expected value
+ name: bitlocker_mbam_endpoint_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\KeyRecoveryServiceEndPoint'
+ AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns 0 as a result if the registry key does not exist
+ name: command_line_auditing_registry_missing
+ query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
+ FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled')
+ WHERE key_exists!=1;
+---
+apiVersion: v1
+kind: query
+spec:
+ name: smbv1_registry_misconfigured
+ query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
+ AND data!=0;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the content of this key if it exists, which it shouldn't by
+ default
+ name: send_error_alert_registry_exists
+ query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert';
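Review bot: `subscription_manager_registry_misconfigured` compares `data` against the placeholder `Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC` twice (the two `AND data!=` clauses are byte-identical, so the second is dead), and `bitlocker_mbam_endpoint_registry_misconfigured` likewise compares against `https://mbam.server.com/...`; unless these are replaced with the deployment's actual WEC and MBAM endpoints, both queries report every correctly configured host as "misconfigured". A comment such as `# CHANGEME: replace the WEC/MBAM URLs below with this deployment's values` above each of those two specs would make the required customization visible to whoever imports the pack. `dr_watson_registry_missing` also differs from every other `_missing` query by filtering on `key_exists!=2`, so it returns the AeDebug value count whenever that count is anything other than two, which is not what its "Returns 0 as a result if the registry key does not exist" description says; the expected count likely varies by Windows version, so either align the filter with the others or reword the description to state what is actually returned. Finally `smbv1_registry_misconfigured` is the only spec without a `description` (and the pack entry carries `description: ""`); a one-liner such as `description: Returns the content of the key if SMBv1 is not disabled (data!=0)` would keep it consistent with the rest of the file.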
diff --git a/salt/fleet/packs/palantir/Fleet/Servers/Linux/osquery.yaml b/salt/fleet/packs/palantir/Fleet/Servers/Linux/osquery.yaml
new file mode 100644
index 000000000..5f98fa75b
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Servers/Linux/osquery.yaml
@@ -0,0 +1,596 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+ name: LinuxPack
+ queries:
+ - description: Retrieves all the jobs scheduled in crontab in the target system.
+ interval: 0
+ name: crontab_snapshot
+ platform: linux
+ query: crontab_snapshot
+ snapshot: true
+ - description: Various Linux kernel integrity checked attributes.
+ interval: 0
+ name: kernel_integrity
+ platform: linux
+ query: kernel_integrity
+ - description: Linux kernel modules both loaded and within the load search path.
+ interval: 0
+ name: kernel_modules
+ platform: linux
+ query: kernel_modules
+ - description: Retrieves the current list of mounted drives in the target system.
+ interval: 0
+ name: mounts
+ platform: linux
+ query: mounts
+ - description: The percentage of total CPU time (system+user) consumed by osqueryd
+ interval: 0
+ name: osquery_cpu_pct
+ platform: linux
+ query: osquery_cpu_pct
+ snapshot: true
+ - description: Socket events collected from the audit framework
+ interval: 0
+ name: socket_events
+ platform: linux
+ query: socket_events
+ - description: Record the network interfaces and their associated IP and MAC addresses
+ interval: 0
+ name: network_interfaces_snapshot
+ platform: linux
+ query: network_interfaces_snapshot
+ snapshot: true
+ version: 1.4.5
+ - description: Information about the running osquery configuration
+ interval: 0
+ name: osquery_info
+ platform: linux
+ query: osquery_info
+ snapshot: true
+ - description: Display all installed RPM packages
+ interval: 0
+ name: rpm_packages
+ platform: centos
+ query: rpm_packages
+ snapshot: true
+ - description: Record shell history for all users on system (instead of just root)
+ interval: 0
+ name: shell_history
+ platform: linux
+ query: shell_history
+ - description: File events collected from file integrity monitoring
+ interval: 0
+ name: file_events
+ platform: linux
+ query: file_events
+ removed: false
+ - description: Retrieve the EC2 metadata for this endpoint
+ interval: 0
+ name: ec2_instance_metadata
+ platform: linux
+ query: ec2_instance_metadata
+ - description: Retrieve the EC2 tags for this endpoint
+ interval: 0
+ name: ec2_instance_tags
+ platform: linux
+ query: ec2_instance_tags
+ - description: Snapshot query to retrieve the EC2 tags for this instance
+ interval: 0
+ name: ec2_instance_tags_snapshot
+ platform: linux
+ query: ec2_instance_tags_snapshot
+ snapshot: true
+ - description: Retrieves the current filters and chains per filter in the target
+ system.
+ interval: 0
+ name: iptables
+ platform: linux
+ query: iptables
+ - description: Display any SUID binaries that are owned by root
+ interval: 0
+ name: suid_bin
+ platform: linux
+ query: suid_bin
+ - description: Display all installed DEB packages
+ interval: 0
+ name: deb_packages
+ platform: ubuntu
+ query: deb_packages
+ snapshot: true
+ - description: Find shell processes that have open sockets
+ interval: 0
+ name: behavioral_reverse_shell
+ platform: linux
+ query: behavioral_reverse_shell
+ - description: Retrieves all the jobs scheduled in crontab in the target system.
+ interval: 0
+ name: crontab
+ platform: linux
+ query: crontab
+ - description: Records the system resources used by each query
+ interval: 0
+ name: per_query_perf
+ platform: linux
+ query: per_query_perf
+ - description: Records avg rate of socket events since daemon started
+ interval: 0
+ name: socket_rates
+ platform: linux
+ query: socket_rates
+ snapshot: true
+ - description: Local system users.
+ interval: 0
+ name: users
+ platform: linux
+ query: users
+ - description: Process events collected from the audit framework
+ interval: 0
+ name: process_events
+ platform: linux
+ query: process_events
+ - description: Retrieves the list of the latest logins with PID, username and timestamp.
+ interval: 0
+ name: last
+ platform: linux
+ query: last
+ - description: Any processes that run with an LD_PRELOAD environment variable
+ interval: 0
+ name: ld_preload
+ platform: linux
+ query: ld_preload
+ - description: Records avg rate of process events since daemon started
+ interval: 0
+ name: process_rates
+ platform: linux
+ query: process_rates
+ snapshot: true
+ - description: Information about the system hardware and name
+ interval: 0
+ name: system_info
+ platform: linux
+ query: system_info
+ snapshot: true
+ - description: Returns the private keys in the users ~/.ssh directory and whether
+ or not they are encrypted
+ interval: 0
+ name: user_ssh_keys
+ platform: linux
+ query: user_ssh_keys
+ - description: Local system users.
+ interval: 0
+ name: users_snapshot
+ platform: linux
+ query: users_snapshot
+ snapshot: true
+ - description: DNS resolvers used by the host
+ interval: 0
+ name: dns_resolvers
+ platform: linux
+ query: dns_resolvers
+ - description: Retrieves information from the current kernel in the target system.
+ interval: 0
+ name: kernel_info
+ platform: linux
+ query: kernel_info
+ snapshot: true
+ - description: Linux kernel modules both loaded and within the load search path.
+ interval: 0
+ name: kernel_modules_snapshot
+ platform: linux
+ query: kernel_modules_snapshot
+ snapshot: true
+ - description: Generates an event if ld.so.preload is present - used by rootkits
+ such as Jynx
+ interval: 0
+ name: ld_so_preload_exists
+ platform: linux
+ query: ld_so_preload_exists
+ snapshot: true
+ - description: Records system/user time, db size, and many other system metrics
+ interval: 0
+ name: runtime_perf
+ platform: linux
+ query: runtime_perf
+ - description: Retrieves all the entries in the target system /etc/hosts file.
+ interval: 0
+ name: etc_hosts_snapshot
+ platform: linux
+ query: etc_hosts_snapshot
+ snapshot: true
+ - description: Snapshot query to retrieve the EC2 metadata for this endpoint
+ interval: 0
+ name: ec2_instance_metadata_snapshot
+ platform: linux
+ query: ec2_instance_metadata_snapshot
+ snapshot: true
+ - description: ""
+ interval: 0
+ name: hardware_events
+ platform: linux
+ query: hardware_events
+ removed: false
+ - description: Information about memory usage on the system
+ interval: 0
+ name: memory_info
+ platform: linux
+ query: memory_info
+ - description: Displays information from /proc/stat file about the time the CPU
+ cores spent in different parts of the system
+ interval: 0
+ name: cpu_time
+ platform: linux
+ query: cpu_time
+ - description: Retrieves all the entries in the target system /etc/hosts file.
+ interval: 0
+ name: etc_hosts
+ platform: linux
+ query: etc_hosts
+ - description: Retrieves information from the Operating System where osquery is
+ currently running.
+ interval: 0
+ name: os_version
+ platform: linux
+ query: os_version
+ snapshot: true
+ - description: A snapshot of all processes running on the host. Useful for outlier
+ analysis.
+ interval: 0
+ name: processes_snapshot
+ platform: linux
+ query: processes_snapshot
+ snapshot: true
+ - description: Retrieves the current list of USB devices in the target system.
+ interval: 0
+ name: usb_devices
+ platform: linux
+ query: usb_devices
+ - description: A line-delimited authorized_keys table.
+ interval: 0
+ name: authorized_keys
+ platform: linux
+ query: authorized_keys
+ targets:
+ labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves all the jobs scheduled in crontab in the target system.
+ name: crontab_snapshot
+ query: SELECT * FROM crontab;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Various Linux kernel integrity checked attributes.
+ name: kernel_integrity
+ query: SELECT * FROM kernel_integrity;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Linux kernel modules both loaded and within the load search path.
+ name: kernel_modules
+ query: SELECT * FROM kernel_modules;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves the current list of mounted drives in the target system.
+ name: mounts
+ query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: The percentage of total CPU time (system+user) consumed by osqueryd
+ name: osquery_cpu_pct
+ query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
+ processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time
+ FROM processes WHERE name='osqueryd');
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Socket events collected from the audit framework
+ name: socket_events
+ query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address,
+ remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN
+ ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254',
+ '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001',
+ 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Record the network interfaces and their associated IP and MAC addresses
+ name: network_interfaces_snapshot
+ query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
+ d USING (interface);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Information about the running osquery configuration
+ name: osquery_info
+ query: SELECT * FROM osquery_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Display all installed RPM packages
+ name: rpm_packages
+ query: SELECT name, version, release, arch FROM rpm_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Record shell history for all users on system (instead of just root)
+ name: shell_history
+ query: SELECT * FROM users JOIN shell_history USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: File events collected from file integrity monitoring
+ name: file_events
+ query: SELECT * FROM file_events;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieve the EC2 metadata for this endpoint
+ name: ec2_instance_metadata
+ query: SELECT * FROM ec2_instance_metadata;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieve the EC2 tags for this endpoint
+ name: ec2_instance_tags
+ query: SELECT * FROM ec2_instance_tags;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query to retrieve the EC2 tags for this instance
+ name: ec2_instance_tags_snapshot
+ query: SELECT * FROM ec2_instance_tags;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves the current filters and chains per filter in the target system.
+ name: iptables
+ query: SELECT * FROM iptables;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Display any SUID binaries that are owned by root
+ name: suid_bin
+ query: SELECT * FROM suid_bin;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Display all installed DEB packages
+ name: deb_packages
+ query: SELECT * FROM deb_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Find shell processes that have open sockets
+ name: behavioral_reverse_shell
+ query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path,
+ processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid,
+ processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port,
+ (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS
+ parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER
+ JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh'
+ OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address
+ NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves all the jobs scheduled in crontab in the target system.
+ name: crontab
+ query: SELECT * FROM crontab;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Records the system resources used by each query
+ name: per_query_perf
+ query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
+ AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
+ FROM osquery_schedule;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Records avg rate of socket events since daemon started
+ name: socket_rates
+ query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now')
+ - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Local system users.
+ name: users
+ query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Process events collected from the audit framework
+ name: process_events
+ query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time,
+ uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk',
+ '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq',
+ '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline
+ NOT LIKE '%secret%';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves the list of the latest logins with PID, username and timestamp.
+ name: last
+ query: SELECT * FROM last;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Any processes that run with an LD_PRELOAD environment variable
+ name: ld_preload
+ query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name,
+ processes.path, processes.cmdline, processes.cwd FROM process_envs join processes
+ USING (pid) WHERE key = 'LD_PRELOAD';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Records avg rate of process events since daemon started
+ name: process_rates
+ query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now')
+ - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Information about the system hardware and name
+ name: system_info
+ query: SELECT * FROM system_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Returns the private keys in the users ~/.ssh directory and whether
+ or not they are encrypted
+ name: user_ssh_keys
+ query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Local system users.
+ name: users_snapshot
+ query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: DNS resolvers used by the host
+ name: dns_resolvers
+ query: SELECT * FROM dns_resolvers;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves information from the current kernel in the target system.
+ name: kernel_info
+ query: SELECT * FROM kernel_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Linux kernel modules both loaded and within the load search path.
+ name: kernel_modules_snapshot
+ query: SELECT * FROM kernel_modules;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Generates an event if ld.so.preload is present - used by rootkits such
+ as Jynx
+ name: ld_so_preload_exists
+ query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Records system/user time, db size, and many other system metrics
+ name: runtime_perf
+ query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
+ AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
+ AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov,
+ processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
+ value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
+ path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves all the entries in the target system /etc/hosts file.
+ name: etc_hosts_snapshot
+ query: SELECT * FROM etc_hosts;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Snapshot query to retrieve the EC2 metadata for this endpoint
+ name: ec2_instance_metadata_snapshot
+ query: SELECT * FROM ec2_instance_metadata;
+---
+apiVersion: v1
+kind: query
+spec:
+ name: hardware_events
+ query: SELECT * FROM hardware_events;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Information about memory usage on the system
+ name: memory_info
+ query: SELECT * FROM memory_info;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Displays information from /proc/stat file about the time the CPU cores
+ spent in different parts of the system
+ name: cpu_time
+ query: SELECT * FROM cpu_time;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves all the entries in the target system /etc/hosts file.
+ name: etc_hosts
+ query: SELECT * FROM etc_hosts;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves information from the Operating System where osquery is currently
+ running.
+ name: os_version
+ query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: A snapshot of all processes running on the host. Useful for outlier
+ analysis.
+ name: processes_snapshot
+ query: select name, path, cmdline, cwd, on_disk from processes;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: Retrieves the current list of USB devices in the target system.
+ name: usb_devices
+ query: SELECT * FROM usb_devices;
+---
+apiVersion: v1
+kind: query
+spec:
+ description: A line-delimited authorized_keys table.
+ name: authorized_keys
+ query: SELECT * FROM users JOIN authorized_keys USING (uid);
diff --git a/salt/fleet/packs/palantir/Fleet/Servers/options.yaml b/salt/fleet/packs/palantir/Fleet/Servers/options.yaml
new file mode 100644
index 000000000..d1733f5b6
--- /dev/null
+++ b/salt/fleet/packs/palantir/Fleet/Servers/options.yaml
@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: options
+spec:
+ config:
+ decorators:
+ load:
+ - SELECT uuid AS host_uuid FROM system_info;
+ - SELECT hostname AS hostname FROM system_info;
+ file_paths:
+ binaries:
+ - /usr/bin/%%
+ - /usr/sbin/%%
+ - /bin/%%
+ - /sbin/%%
+ - /usr/local/bin/%%
+ - /usr/local/sbin/%%
+ configuration:
+ - /etc/passwd
+ - /etc/shadow
+ - /etc/ld.so.conf
+ - /etc/ld.so.conf.d/%%
+ - /etc/pam.d/%%
+ - /etc/resolv.conf
+ - /etc/rc%/%%
+ - /etc/my.cnf
+ - /etc/modules
+ - /etc/hosts
+ - /etc/hostname
+ - /etc/fstab
+ - /etc/crontab
+ - /etc/cron%/%%
+ - /etc/init/%%
+ - /etc/rsyslog.conf
+ options:
+ audit_allow_config: true
+ audit_allow_sockets: true
+ audit_persist: true
+ disable_audit: false
+ events_expiry: 1
+ events_max: 500000
+ disable_distributed: false
+ disable_subscribers: user_events
+ distributed_interval: 10
+ distributed_plugin: tls
+ distributed_tls_max_attempts: 3
+ distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
+ distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
+ logger_min_status: 1
+ logger_plugin: tls
+ logger_snapshot_event_type: true
+ logger_tls_endpoint: /api/v1/osquery/log
+ logger_tls_period: 10
+ pack_delimiter: /
+ schedule_splay_percent: 10
+ watchdog_memory_limit: 350
+ watchdog_utilization_limit: 130
+ overrides: {}
diff --git a/salt/fleet/packs/palantir/LICENSE.md b/salt/fleet/packs/palantir/LICENSE.md
new file mode 100755
index 000000000..e9a9bab22
--- /dev/null
+++ b/salt/fleet/packs/palantir/LICENSE.md
@@ -0,0 +1,22 @@
+# License
+MIT License
+
+Copyright (c) 2017 Palantir Technologies Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/salt/fleet/packs/palantir/README.md b/salt/fleet/packs/palantir/README.md
new file mode 100755
index 000000000..cade6dde4
--- /dev/null
+++ b/salt/fleet/packs/palantir/README.md
@@ -0,0 +1,164 @@
+# Palantir osquery Configuration
+
+## About This Repository
+This repository is the companion to the [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) blog post.
+
+The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. It is
+our belief that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is
+exactly what we have done with our [unwanted-chrome-extensions](https://github.com/facebook/osquery/pull/3889) query pack and [additions](https://github.com/facebook/osquery/pull/3922) to the windows-attacks pack.
+
+However, we have included additional query packs
+that are more tailored to our specific environment that may be useful to some or at least serve as a reference to other organizations. osquery operates best when
+operators have carefully considered the datasets to be collected and the potential use-cases for that data.
+* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/performance-metrics.conf)
+* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/security-tooling-checks.conf)
+* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-application-security.conf)
+* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-compliance.conf)
+* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-registry-monitoring.conf)
+
+
+**Note**: We also utilize packs that are maintained in the official osquery project. In order to ensure you receive the most up to date version of the pack, please view them using the links below:
+* [ossec-rootkit.conf](https://github.com/facebook/osquery/blob/master/packs/ossec-rootkit.conf)
+* [osx-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/osx-attacks.conf)
+* [unwanted-chrome-extensions.conf](https://github.com/facebook/osquery/blob/master/packs/unwanted-chrome-extensions.conf)
+* [windows-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/windows-attacks.conf)
+
+## Repository Layout
+This repository is organized as follows:
+* At the top level, there are two directories titled "Classic" and "Fleet"
+ * The [Classic](./Classic/) directory contains configuration files for a standard osquery deployment
+ * The [Fleet](./Fleet/) directory contains YAML files to be imported into Kolide's [Fleet](https://github.com/kolide/fleet) osquery management tool
+
+Within each of those folders, you will find the following subdirectories:
+* **Endpoints**: The contents of this folder are tailored towards monitoring MacOS and Windows endpoints that are not expected to be online at all times. You may notice the interval of many queries in this folder set to 28800. We purposely set the interval to this value because the interval timer only moves forward when a host is online and we would only expect an endpoint to be online for about 8 hours, or 28800 seconds, per day.
+* **Servers**: The contents of this folder are tailored towards monitoring Linux servers. This configuration has process and network auditing enabled, so expect an exponentially higher volume of logs to be returned from the agent.
+
+
+## Using This Repository
+**Note**: We recommend that you spin up a lab environment before deploying any of these configurations to a production
+environment.
+
+**Endpoints Configuration Overview**
+* The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day
+* The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing.
+* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Endpoints/MacOS/osquery.conf)
+* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs.
+* These configuration files utilize packs within the [packs](./Endpoints/packs) folder and may generate errors if started without them
+
+**Servers Configuration Overview**
+* This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times
+* Auditing mode is enabled for processes and network events. Ensure auditd is disabled or removed from the system where this will be running as it may conflict with osqueryd.
+* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Servers/Linux/osquery.conf)
+* Requires the [ossec-rootkit.conf](./Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf`
+* The subscriber for `user_events` is disabled
+
+## Quickstart - Classic
+1. [Install osquery](https://osquery.io/downloads/)
+2. Copy the osquery.conf and osquery.flags files from this repository onto the system and match the directory structure shown below
+3. Start osquery via `sudo osqueryctl start` on Linux/MacOS or `Start-Process osqueryd` on Windows
+4. Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows)
+
+## Quickstart - Fleet
+1. Install Fleet version 2.0.0 or higher
+2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags](https://github.com/kolide/fleet/blob/master/tools/osquery/example_osquery.flags)
+2. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server
+3. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:
+
+```
+git clone https://github.com/palantir/osquery-configuration.git
+fleetctl apply -f osquery-configuration/Fleet/Endpoints/options.yaml
+fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
+fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
+for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml;
+ do fleetctl apply -f "$pack"
+done
+```
+
+The desired osquery directory structure for Linux, MacOS, and Windows is outlined below:
+
+**Linux**
+```
+$ git clone https://github.com/palantir/osquery-configuration.git
+$ cp -R osquery-configuration/Servers/Linux/* /etc/osquery
+$ sudo osqueryctl start
+
+/etc/osquery
+├── osquery.conf
+├── osquery.db
+├── osquery.flags
+└── packs
+ └── ossec-rootkit.conf
+
+```
+**MacOS**
+```
+$ git clone https://github.com/palantir/osquery-configuration.git
+$ cp osquery-configuration/Endpoints/MacOS/* /var/osquery
+$ cp osquery-configuration/Endpoints/packs/* /var/osquery/packs
+$ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags ## Non-TLS server testing
+$ sudo osqueryctl start
+
+/var/osquery
+├── certfile.crt [if using TLS endpoint]
+├── osquery.conf
+├── osquery.db
+├── osquery.flags
+└── packs
+ ├── performance-metrics.conf
+ ├── security-tooling-checks.conf
+ ├── unwanted-chrome-extensions.conf
+ └── osx-attacks.conf
+```
+
+**Windows**
+```
+PS> git clone https://github.com/palantir/osquery-configuration.git
+PS> copy-item osquery-configuration/Endpoints/Windows/* c:\ProgramData\osquery
+PS> copy-item osquery-configuration/Endpoints/packs/* c:\ProgramData\osquery\packs
+PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force ## Non-TLS server testing
+PS> start-service osqueryd
+
+c:\ProgramData\osquery
+├── certfile.crt [if using TLS endpoint]
+├── log
+├── osquery.conf
+├── osquery.db
+├── osquery.flags
+├── osqueryi.exe
+├─── osqueryd
+| └── osqueryd.exe
+└── packs
+ ├── performance-metrics.conf
+ ├── security-tooling-checks.conf
+ ├── unwanted-chrome-extensions.conf
+ ├── windows-application-security.conf
+ ├── windows-compliance.conf
+ ├── windows-registry-monitoring.conf
+ └── windows-attacks.conf
+```
+
+## Contributing
+Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request.
+
+## License
+MIT License
+
+Copyright (c) 2017 Palantir Technologies Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
new file mode 100644
index 000000000..cd082ff03
--- /dev/null
+++ b/salt/fleet/so-fleet-setup.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+#so-fleet-setup.sh $MasterIP $FleetEmail
+
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+ echo "so-fleet container not running... Exiting..."
+ exit 1
+fi
+
+initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify --url-prefix /fleet
+docker exec so-fleet fleetctl setup --email $2 --password $initpw
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
+docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
+
+esecret=$(docker exec so-fleet fleetctl get enroll-secret)
+
+#Concat fleet.crt & ca.crt - this is required for launcher connectivity
+cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
+
+#Create the output directory
+mkdir /opt/so/conf/fleet/packages
+
+#At some point we should version launcher `latest` to avoid hard pinning here
+docker run \
+ --rm \
+ --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
+ --mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \
+ docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8080
+
+cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
+#Update timestamp on packages webpage
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html
+
+# Enable Fleet on all the other parts of the infrastructure
+sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/saltstack/pillar/static.sls
+
+# Install osquery locally
+#if cat /etc/os-release | grep -q 'debian'; then
+# dpkg -i /opt/so/conf/fleet/packages/launcher.deb
+#else
+# rpm -i /opt/so/conf/fleet/packages/launcher.rpm
+#fi
+echo "Installing launcher via salt"
+salt-call state.apply launcher queue=True > /root/launcher.log
+echo "Fleet Setup Complete - Login here: https://$1"
+echo "Your username is $2 and your password is $initpw"
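Review bot: The initial admin password on the `initpw=` line is derived from the current epoch second, so its keyspace is the few seconds around the moment the script ran, and it is then passed as a `--password` argument where it is visible in the process table; draw it from `/dev/urandom` instead. The script also has no `set -euo pipefail` and never checks that `$1`/`$2` were supplied, so a failed `fleetctl setup` still falls through to the `sed` that flips `fleetsetup: 0` to `fleetsetup: 1` in static.sls and to the launcher build with an empty enroll secret. `--tls-skip-verify` on the `fleetctl config set` line disables certificate checking against the master; if the CA under /etc/pki is the one fleetctl should trust, pointing it at that CA would be preferable, though the container may not have it mounted. With `set -e`, the `mkdir` needs `-p` so a pre-existing packages directory does not abort the run.
```shell
#!/bin/bash
set -euo pipefail

#so-fleet-setup.sh $MasterIP $FleetEmail
if [ $# -ne 2 ]; then
  echo "usage: $0 MasterIP FleetEmail" >&2
  exit 1
fi

# … unchanged: so-fleet container check …

# Random initial password instead of one derived from the current epoch second
initpw=$(head -c 12 /dev/urandom | base64)

docker exec so-fleet fleetctl config set --address "https://$1:443" --tls-skip-verify --url-prefix /fleet
docker exec so-fleet fleetctl setup --email "$2" --password "$initpw"

# … unchanged: pack apply, enroll secret, launcher.crt concat …

#Create the output directory
mkdir -p /opt/so/conf/fleet/packages

# … unchanged: launcher build, package copy, pillar update, salt-call …
```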
diff --git a/salt/launcher/init.sls b/salt/launcher/init.sls
new file mode 100644
index 000000000..3ba9ad3a6
--- /dev/null
+++ b/salt/launcher/init.sls
@@ -0,0 +1,12 @@
+{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%}
+
+{%- if FLEETSETUP != 0 %}
+launcherpkg:
+ pkg.installed:
+ - sources:
+ {% if grains['os'] == 'CentOS' %}
+ - launcher-final: salt://launcher/packages/launcher.rpm
+ {% elif grains['os'] == 'Ubuntu' %}
+ - launcher-final: salt://launcher/packages/launcher.deb
+ {% endif %}
+{%- endif %}
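Review bot: The guard `{%- if FLEETSETUP != 0 %}` compares against the integer 0, but the `pillar.get` default two lines above is the string `'0'`, so on a minion where `static:fleetsetup` is not set the condition is true and the launcher package state is rendered anyway; only a pillar that explicitly carries the YAML integer `0` disables it. Make the two agree, e.g. `{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', 0) -%}` and `{%- if FLEETSETUP|int != 0 %}`, so a missing key and a literal `0` both skip the install. Separately, when `grains['os']` is neither CentOS nor Ubuntu the `sources:` list renders empty and the state presumably fails with nothing telling the operator why; an `{% else %}` branch that raises a clear message, or at least a comment stating that only those two distributions are supported, would save debugging time.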
diff --git a/salt/launcher/packages/info.txt b/salt/launcher/packages/info.txt
new file mode 100644
index 000000000..5529d123c
--- /dev/null
+++ b/salt/launcher/packages/info.txt
@@ -0,0 +1 @@
+Fleet Packages will be copied to this folder
diff --git a/salt/logstash/conf/conf.enabled.txt b/salt/logstash/conf/conf.enabled.txt
new file mode 100644
index 000000000..a4da29cad
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt
@@ -0,0 +1,17 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+/usr/share/logstash/pipeline.so/0001_input_json.conf
+/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+/usr/share/logstash/pipeline.so/0006_input_beats.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.forward b/salt/logstash/conf/conf.enabled.txt.forward
new file mode 100644
index 000000000..a4da29cad
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.forward
@@ -0,0 +1,17 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+/usr/share/logstash/pipeline.so/0001_input_json.conf
+/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+/usr/share/logstash/pipeline.so/0006_input_beats.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
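Review bot: This file is byte-identical to `salt/logstash/conf/conf.enabled.txt` in the previous hunk (both resolve to blob a4da29cad), and `conf.enabled.txt.so-master` and `conf.enabled.txt.so-mastersearch` later in the diff are likewise identical (both 6464496fa). If the duplication is deliberate because each suffix is selected by node role, a one-line comment at the top of each copy naming the role that loads it, e.g. `# Loaded on forward nodes; keep in sync with conf.enabled.txt`, would stop the copies from drifting apart silently. The shared header also reads `# This is where can specify which LogStash configs get loaded.`; it should be `# This is where you can specify which LogStash configs get loaded.` in every copy.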
diff --git a/salt/logstash/conf/conf.enabled.txt.parser b/salt/logstash/conf/conf.enabled.txt.parser
new file mode 100644
index 000000000..6fbf3ba45
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.parser
@@ -0,0 +1,85 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+# Please note that Bro config is commented out because we're moving that parsing to Elasticsearch ingest.
+/usr/share/logstash/pipeline.dynamic/0900_input_redis.conf
+/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
+/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
+#/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
+/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
+/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
+/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
+/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
+/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
+/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
+/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
+/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
+#/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
+#/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
+#/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
+#/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
+#/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
+#/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
+#/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
+#/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
+#/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
+#/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
+#/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
+#/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
+#/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
+#/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
+#/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
+#/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
+#/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
+#/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
+#/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
+#/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
+#/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
+#/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
+#/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
+#/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
+#/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
+#/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
+#/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
+#/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
+#/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
+#/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
+#/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
+#/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
+#/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
+/usr/share/logstash/pipeline.so/1998_test_data.conf
+/usr/share/logstash/pipeline.so/2000_network_flow.conf
+#/usr/share/logstash/pipeline.so/6000_bro.conf
+#/usr/share/logstash/pipeline.so/6001_bro_import.conf
+/usr/share/logstash/pipeline.so/6002_syslog.conf
+/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
+/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
+/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
+/usr/share/logstash/pipeline.so/6300_windows.conf
+/usr/share/logstash/pipeline.so/6301_dns_windows.conf
+/usr/share/logstash/pipeline.so/6400_suricata.conf
+/usr/share/logstash/pipeline.so/6500_ossec.conf
+/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
+/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
+#/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
+/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
+/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
+/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
+/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
+/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
+/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
+#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
+#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
+#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
+/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
+/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.search b/salt/logstash/conf/conf.enabled.txt.search
new file mode 100644
index 000000000..470f19c55
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.search
@@ -0,0 +1,106 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+# Please note that Bro config is commented out because we're moving that parsing to Elasticsearch ingest.
+/usr/share/logstash/pipeline.dynamic/0900_input_redis.conf
+/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
+/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
+#/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
+/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
+/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
+/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
+/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
+/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
+/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
+/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
+/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
+#/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
+#/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
+#/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
+#/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
+#/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
+#/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
+#/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
+#/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
+#/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
+#/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
+#/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
+#/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
+#/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
+#/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
+#/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
+#/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
+#/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
+#/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
+#/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
+#/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
+#/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
+#/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
+#/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
+#/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
+#/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
+#/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
+#/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
+#/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
+#/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
+#/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
+#/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
+#/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
+#/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
+/usr/share/logstash/pipeline.so/1998_test_data.conf
+/usr/share/logstash/pipeline.so/2000_network_flow.conf
+#/usr/share/logstash/pipeline.so/6000_bro.conf
+#/usr/share/logstash/pipeline.so/6001_bro_import.conf
+/usr/share/logstash/pipeline.so/6002_syslog.conf
+/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
+/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
+/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
+/usr/share/logstash/pipeline.so/6300_windows.conf
+/usr/share/logstash/pipeline.so/6301_dns_windows.conf
+/usr/share/logstash/pipeline.so/6400_suricata.conf
+/usr/share/logstash/pipeline.so/6500_ossec.conf
+/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
+/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
+/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
+/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
+#/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
+/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
+#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
+#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
+/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
+#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
+/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
+#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
+#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
+#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
+/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
+/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
+/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
+/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
+/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
+/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
+/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
+/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
+/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
+/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
+/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
+/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
+/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
+/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
+/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
+/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
+/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
+/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
+/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
+/usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
+/usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
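Review bot: The last two entries, `7100_osquery_wel.conf` and `9100_output_osquery.conf`, are appended after `9998_output_test_data.conf`, breaking the numeric ordering every other line in the file follows; the same two lines are appended out of order at the end of `conf.enabled.txt.so-eval`. Whether this matters depends on the consumer: if it copies the listed files into a directory and Logstash orders them by filename, this is only a readability issue, but if the list is processed sequentially to build the pipeline, the 7100 filter stage would run after the outputs. Either way, inserting them in numeric position (7100 between the 6700 and 8000 entries, 9100 between 9034 and 9200) keeps the file self-consistent, and a short comment above `7100_osquery_wel.conf` saying why it lives in `pipeline.dynamic` rather than `pipeline.so` like the other filter stages would help the next maintainer.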
diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval
new file mode 100644
index 000000000..d125fc829
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.so-eval
@@ -0,0 +1,113 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+# Please note that Bro config is commented out because we're moving that parsing to Elasticsearch ingest.
+#/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+#/usr/share/logstash/pipeline.so/0001_input_json.conf
+#/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+#/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+#/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
+#/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
+#/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
+#/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
+#/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
+#/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
+/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
+#/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
+#/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
+#/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
+#/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
+/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
+#/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
+#/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
+#/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
+#/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
+#/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
+#/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
+#/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
+#/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
+#/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
+#/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
+#/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
+#/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
+#/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
+#/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
+#/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
+#/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
+#/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
+#/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
+#/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
+#/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
+#/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
+#/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
+#/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
+#/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
+#/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
+#/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
+#/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
+#/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
+#/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
+#/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
+#/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
+#/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
+#/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
+#/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
+#/usr/share/logstash/pipeline.so/1998_test_data.conf
+#/usr/share/logstash/pipeline.so/2000_network_flow.conf
+#/usr/share/logstash/pipeline.so/6000_bro.conf
+#/usr/share/logstash/pipeline.so/6001_bro_import.conf
+#/usr/share/logstash/pipeline.so/6002_syslog.conf
+#/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
+#/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
+#/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
+#/usr/share/logstash/pipeline.so/6300_windows.conf
+#/usr/share/logstash/pipeline.so/6301_dns_windows.conf
+#/usr/share/logstash/pipeline.so/6400_suricata.conf
+/usr/share/logstash/pipeline.so/6500_ossec.conf
+/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
+/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
+/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
+/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
+#/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
+/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
+#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
+#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
+/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
+#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
+/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
+#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
+#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
+#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
+#/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
+/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
+#/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
+/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
+#/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
+#/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
+#/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
+#/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
+#/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
+#/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
+/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
+#/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
+#/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
+#/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
+#/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
+/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
+/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
+/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
+#/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
+/usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
+/usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval.old b/salt/logstash/conf/conf.enabled.txt.so-eval.old
new file mode 100644
index 000000000..e5ce9c803
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.so-eval.old
@@ -0,0 +1,109 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+/usr/share/logstash/pipeline.so/0001_input_json.conf
+/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.so/0008_input_eval.conf
+/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
+/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
+/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
+/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
+/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
+/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
+/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
+/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
+/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
+/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
+/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
+/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
+/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
+/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
+/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
+/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
+/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
+/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
+/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
+/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
+/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
+/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
+/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
+/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
+/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
+/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
+/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
+/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
+/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
+/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
+/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
+/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
+/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
+/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
+/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
+/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
+/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
+/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
+/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
+/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
+/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
+/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
+/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
+/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
+/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
+/usr/share/logstash/pipeline.so/1998_test_data.conf
+/usr/share/logstash/pipeline.so/2000_network_flow.conf
+/usr/share/logstash/pipeline.so/6000_bro.conf
+/usr/share/logstash/pipeline.so/6001_bro_import.conf
+/usr/share/logstash/pipeline.so/6002_syslog.conf
+/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
+/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
+/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
+/usr/share/logstash/pipeline.so/6300_windows.conf
+/usr/share/logstash/pipeline.so/6301_dns_windows.conf
+/usr/share/logstash/pipeline.so/6400_suricata.conf
+/usr/share/logstash/pipeline.so/6500_ossec.conf
+/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
+/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
+/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
+/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
+/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
+/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
+#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
+#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
+/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
+#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
+/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
+#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
+#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
+#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
+/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
+/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
+/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
+/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
+/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
+/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
+/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
+/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
+/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
+/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
+/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
+/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
+/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
+/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
+/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
+/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
+/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
+/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
+/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
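Review bot: This `.old` copy of the so-eval list is committed alongside the live `conf.enabled.txt.so-eval`, and nothing in the diff references it, so it looks like a working backup rather than a file any state consumes. Git history already preserves the previous list; keeping a stale `.old` next to the active one invites someone to edit the wrong file, and it still enables all the Bro pipeline stages that the live list deliberately comments out. If it must stay, a leading comment such as `# Superseded by conf.enabled.txt.so-eval; kept for reference only, not deployed` would make its status explicit.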
diff --git a/salt/logstash/conf/conf.enabled.txt.so-helix b/salt/logstash/conf/conf.enabled.txt.so-helix
new file mode 100644
index 000000000..ec07b5a90
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.so-helix
@@ -0,0 +1,47 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
+/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
+/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
+/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
+/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
+/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
+/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
+/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
+/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
+/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
+/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
+/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
+/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
+/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
+/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
+/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
+/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
+/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
+/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
+/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
+/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
+/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
+/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
+/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
+/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
+/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
+/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
+/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
+/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
+/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
+/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
+/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
+/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
+/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
+/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
+/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
+/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
+/usr/share/logstash/pipeline.dynamic/9997_output_helix.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-master b/salt/logstash/conf/conf.enabled.txt.so-master
new file mode 100644
index 000000000..6464496fa
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.so-master
@@ -0,0 +1,18 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+/usr/share/logstash/pipeline.so/0001_input_json.conf
+/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
+/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
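Review bot: The header comment `# This is where can specify which LogStash configs get loaded.` is missing a word; `# This is where you can specify which Logstash configs get loaded.` reads correctly. The same text and the same blob (index 6464496fa) appear again in conf.enabled.txt.so-mastersearch in the next hunk, so the two files are byte-identical copies; if they are meant to stay in sync, generating both from one Salt source would keep them from drifting apart later. Note too that `0006_input_beats.conf` is commented out while `0010_input_hhbeats.conf` is enabled, which is presumably intentional but deserves a one-line comment saying so.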
diff --git a/salt/logstash/conf/conf.enabled.txt.so-mastersearch b/salt/logstash/conf/conf.enabled.txt.so-mastersearch
new file mode 100644
index 000000000..6464496fa
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.so-mastersearch
@@ -0,0 +1,18 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+/usr/share/logstash/pipeline.so/0001_input_json.conf
+/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
+/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/pipelines/6000_bro.conf b/salt/logstash/conf/pipelines/6000_bro.conf
new file mode 100644
index 000000000..4ba3d3989
--- /dev/null
+++ b/salt/logstash/conf/pipelines/6000_bro.conf
@@ -0,0 +1,228 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/10/2018
+#
+filter {
+ if "bro" in [tags] {
+
+ # Bro logs have a high quality timestamp, so let's copy that to @timestamp.
+ # Before we do, let's copy the existing logstash @timestamp to timestamp.
+ mutate {
+ add_field => { "logstash_timestamp" => "%{@timestamp}" }
+ }
+ mutate {
+ convert => { "logstash_timestamp" => "string" }
+ }
+ mutate {
+ convert => { "timestamp" => "string" }
+ }
+ # New Bro JSON logs use ISO8601 timestamps.
+ # Old Bro TSV logs use UNIX timestamps.
+ date {
+ match => [ "timestamp", "ISO8601", "UNIX" ]
+ }
+ mutate {
+ rename => { "logstash_timestamp" => "timestamp" }
+ }
+
+ if [duration] == "-" {
+ mutate {
+ replace => [ "duration", "0" ]
+ }
+ }
+ if [original_bytes] == "-" {
+ mutate {
+ replace => [ "original_bytes", "0" ]
+ }
+ }
+ # If MissedBytes is unspecified set it to zero so it is an integer
+ if [missed_bytes] == "-" {
+ mutate {
+ replace => [ "missed_bytes", "0" ]
+ }
+ }
+ # If OriginalIPBytes is unspecified set it to zero so it is an integer
+ if [original_ip_bytes] == "-" {
+ mutate {
+ replace => [ "original_ip_bytes", "0" ]
+ }
+ }
+ # If RespondBytes is unspecified set it to zero so it is an integer
+ if [respond_bytes] == "-" {
+ mutate {
+ replace => [ "respond_bytes", "0" ]
+ }
+ }
+ # If RespondIPBytes is unspecified set it to zero so it is an integer
+ if [respond_ip_bytes] == "-" {
+ mutate {
+ replace => [ "respond_ip_bytes", "0" ]
+ }
+ }
+ if [request_body_length] == "-" {
+ mutate {
+ replace => [ "request_body_length", "0" ]
+ }
+ }
+ if [response_body_length] == "-" {
+ mutate {
+ replace => [ "response_body_length", "0" ]
+ }
+ }
+ if [source_port] == "-" {
+ mutate {
+ remove_field => ["source_port"]
+ }
+ }
+ if [destination_port] == "-" {
+ mutate {
+ remove_field => ["destination_port"]
+ }
+ }
+ if [virtual_host] == "-" {
+ mutate {
+ remove_field => ["virtual_host"]
+ }
+ }
+ if [x_originating_ip] == "-" {
+ mutate {
+ remove_field => ["x_originating_ip"]
+ }
+ }
+ if [basic_constraints_path_length] == "-" {
+ mutate {
+ remove_field => ["basic_constraints_path_length"]
+ }
+ }
+ if [data_channel_source_ip] == "-" {
+ mutate {
+ remove_field => ["data_channel_source_ip"]
+ }
+ }
+ if [data_channel_destination_ip] == "-" {
+ mutate {
+ remove_field => ["data_channel_destination_ip"]
+ }
+ }
+ if [desktop_width] == "-" {
+ mutate {
+ remove_field => ["desktop_width"]
+ }
+ }
+ if [desktop_height] == "-" {
+ mutate {
+ remove_field => ["desktop_height"]
+ }
+ }
+ if [height] == "-" {
+ mutate {
+ remove_field => ["height"]
+ }
+ }
+
+
+ # I renamed conn_uids to uid so that it is easy to pivot to all things tied to a connection
+ mutate {
+ rename => [ "connection_uids", "uid" ]
+ }
+ # If total_bytes is set to "-" change it to 0 so it is an integer
+ if [total_bytes] == "-" {
+ mutate {
+ replace => [ "total_bytes", "0" ]
+ }
+ }
+ # If seen_bytes is set to "-" change it to 0 so it is an integer
+ if [seen_bytes] == "-" {
+ mutate {
+ replace => [ "seen_bytes", "0" ]
+ }
+ }
+ # If missing_bytes is set to "-" change it to 0 so it is an integer
+ if [missing_bytes] == "-" {
+ mutate {
+ replace => [ "missing_bytes", "0" ]
+ }
+ }
+ # If overflow_bytes is set to "-" change it to 0 so it is an integer
+ if [overflow_bytes] == "-" {
+ mutate {
+ replace => [ "overflow_bytes", "0" ]
+ }
+ }
+ if [dcc_file_size] == "-" {
+ mutate {
+ replace => [ "dcc_file_size", "0" ]
+ }
+ }
+ if [authentication_attempts] == "-" {
+ mutate {
+ replace => [ "authentication_attempts", "0" ]
+ }
+ }
+ if [file_size] == "-" {
+ mutate {
+ replace => [ "file_size", "0" ]
+ }
+ }
+ if [original_ip_bytes] == "-" {
+ mutate {
+ replace => [ "original_ip_bytes", "0" ]
+ }
+ }
+
+ # I recommend changing the field types below to integer or floats so searches can do greater than or less than
+ # and also so math functions can be ran against them
+ mutate {
+ convert => [ "bound_port", "integer" ]
+ convert => [ "data_channel_destination_port", "integer" ]
+ convert => [ "destination_port", "integer" ]
+ convert => [ "depth", "integer" ]
+ #convert => [ "duration", "float" ]
+ convert => [ "info_code", "integer" ]
+ convert => [ "missed_bytes", "integer" ]
+ convert => [ "missing_bytes", "integer" ]
+ convert => [ "n", "integer" ]
+ convert => [ "original_bytes", "integer" ]
+ convert => [ "original_packets", "integer" ]
+ convert => [ "original_ip_bytes", "integer" ]
+ convert => [ "overflow_bytes", "integer" ]
+ convert => [ "p", "integer" ]
+ convert => [ "query_class", "integer" ]
+ convert => [ "query_type", "integer" ]
+ convert => [ "rcode", "integer" ]
+ convert => [ "request_body_length", "integer" ]
+ convert => [ "request_port", "integer" ]
+ convert => [ "respond_bytes", "integer" ]
+ convert => [ "respond_packets", "integer" ]
+ convert => [ "respond_ip_bytes", "integer" ]
+ convert => [ "response_body_length", "integer" ]
+ convert => [ "seen_bytes", "integer" ]
+ convert => [ "source_port", "integer" ]
+ convert => [ "status_code", "integer" ]
+ #convert => [ "suppress_for", "float" ]
+ convert => [ "total_bytes", "integer" ]
+ convert => [ "trans_depth", "integer" ]
+ convert => [ "transaction_id", "integer" ]
+ # convert the following boolean to text for now
+ convert => [ "local_respond", "string" ]
+ convert => [ "tc", "string" ]
+ convert => [ "is_orig", "string" ]
+ convert => [ "local_orig", "string" ]
+ lowercase => [ "query" ]
+ #remove_field => [ "timestamp" ]
+ }
+
+ # Combine OriginalBytes and RespondBytes and save the value to total_bytes
+ if [original_bytes] {
+ if [respond_bytes] {
+ ruby {
+ code => "event.set('total_bytes', event.get('original_bytes') + event.get('respond_bytes'))"
+ }
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_6000"]
+ }
+ }
+}
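Review bot: When the `date` filter with `match => [ "timestamp", "ISO8601", "UNIX" ]` fails to parse, the event is tagged `_dateparsefailure` and `@timestamp` keeps the ingest time, but the following `rename => { "logstash_timestamp" => "timestamp" }` still runs and overwrites the original Bro value, so the only copy of the event's real time is lost. Guarding the rename with `if "_dateparsefailure" not in [tags] { mutate { rename => { "logstash_timestamp" => "timestamp" } } }` keeps the unparsed value available for triage. The block `if [original_ip_bytes] == "-"` appears twice (once with the other byte fields near the top and again just before the `convert` section) and the second copy can be dropped. The ruby `total_bytes` computation assumes both operands were converted to integers by the preceding `mutate`; if a non-numeric value slipped through, `+` would concatenate strings, so `event.get('original_bytes').to_i + event.get('respond_bytes').to_i` is the more defensive form.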
diff --git a/salt/logstash/conf/pipelines/6001_bro_import.conf b/salt/logstash/conf/pipelines/6001_bro_import.conf
new file mode 100644
index 000000000..34c43f6ae
--- /dev/null
+++ b/salt/logstash/conf/pipelines/6001_bro_import.conf
@@ -0,0 +1,16 @@
+# Updated by: Doug Burks
+# Last Update: 2/10/2018
+#
+filter {
+ if "import" in [tags] and "bro" in [tags] {
+
+ # we're setting timestamp in 6000 now
+ #date {
+ # match => [ "timestamp", "UNIX" ]
+ #}
+
+ mutate {
+ #add_tag => [ "conf_file_6001"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf b/salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf
new file mode 100644
index 000000000..3998df8a4
--- /dev/null
+++ b/salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf
@@ -0,0 +1,17 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "bro" in [tags] {
+ if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+ #mutate {
+ # remove_field => [ "message" ]
+ #}
+ }
+ mutate {
+ #add_tag => [ "conf_file_8000"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/8006_postprocess_dns.conf b/salt/logstash/conf/pipelines/8006_postprocess_dns.conf
new file mode 100644
index 000000000..a1520e6dc
--- /dev/null
+++ b/salt/logstash/conf/pipelines/8006_postprocess_dns.conf
@@ -0,0 +1,47 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+ if [type] == "bro_dns" or "dns" in [tags] {
+ # Used for whois lookups - can create log loop
+ if [query] =~ "^whois\." {
+ drop { }
+ }
+ # REPLACE test.int with your internal domain
+ if [query] and [query] !~ "\.test\.int$" {
+ mutate {
+ lowercase => [ "query" ]
+ }
+ if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
+ tld {
+ source => "query"
+ }
+ ruby {
+ code => "event.set('query_length', event.get('query').length)"
+ }
+ mutate {
+ rename => { "[SubLog][sessionid]" => "sub_session_id" }
+ rename => { "[tld][domain]" => "highest_registered_domain" }
+ rename => { "[tld][trd]" => "subdomain" }
+ rename => { "[tld][tld]" => "top_level_domain" }
+ rename => { "[tld][sld]" => "parent_domain" }
+ }
+ if [parent_domain] {
+ ruby {
+ code => "event.set('parent_domain_length', event.get('parent_domain').length)"
+ }
+ }
+ if [subdomain] {
+ ruby {
+ code => "event.set('subdomain_length', event.get('subdomain').length)"
+ }
+ }
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_8006"]
+ }
+ }
+}
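Review bot: `drop { }` on every DNS record whose query matches `^whois\.` removes those events from the index entirely, which creates a blind spot in DNS visibility that is broader than the log loop the comment describes. Restricting the condition to the host that performs the lookups, or tagging the events with `mutate { add_tag => [ "whois_lookup" ] }` instead of dropping them, keeps the data while still letting dashboards exclude it. The `\.test\.int$` placeholder is shipped as-is behind a `# REPLACE` comment; since this file is Salt-managed, sourcing the internal domain from pillar would avoid every install carrying the example value. As far as I can tell the `tld` filter is not a bundled Logstash plugin, so confirm the image installs it.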
diff --git a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
new file mode 100644
index 000000000..b499c3b0f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
@@ -0,0 +1,204 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+ file {
+ path => "/suricata/eve.json"
+ type => "ids"
+ add_field => { "engine" => "suricata" }
+ }
+ file {
+ path => "/nsm/zeek/logs/current/conn*.log"
+ type => "bro_conn"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/dce_rpc*.log"
+ type => "bro_dce_rpc"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/dhcp*.log"
+ type => "bro_dhcp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/dnp3*.log"
+ type => "bro_dnp3"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/dns*.log"
+ type => "bro_dns"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/dpd*.log"
+ type => "bro_dpd"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/files*.log"
+ type => "bro_files"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/ftp*.log"
+ type => "bro_ftp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/http*.log"
+ type => "bro_http"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/intel*.log"
+ type => "bro_intel"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/irc*.log"
+ type => "bro_irc"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/kerberos*.log"
+ type => "bro_kerberos"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/modbus*.log"
+ type => "bro_modbus"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/mysql*.log"
+ type => "bro_mysql"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/notice*.log"
+ type => "bro_notice"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/ntlm*.log"
+ type => "bro_ntlm"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/pe*.log"
+ type => "bro_pe"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/radius*.log"
+ type => "bro_radius"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/rdp*.log"
+ type => "bro_rdp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/rfb*.log"
+ type => "bro_rfb"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/signatures*.log"
+ type => "bro_signatures"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/sip*.log"
+ type => "bro_sip"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/smb_files*.log"
+ type => "bro_smb_files"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/smb_mapping*.log"
+ type => "bro_smb_mapping"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/smtp*.log"
+ type => "bro_smtp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/snmp*.log"
+ type => "bro_snmp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/socks*.log"
+ type => "bro_socks"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/software*.log"
+ type => "bro_software"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/ssh*.log"
+ type => "bro_ssh"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/ssl*.log"
+ type => "bro_ssl"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/syslog*.log"
+ type => "bro_syslog"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/tunnel*.log"
+ type => "bro_tunnels"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/weird*.log"
+ type => "bro_weird"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/zeek/logs/current/x509*.log"
+ type => "bro_x509"
+ tags => ["bro"]
+ }
+ file {
+ path => "/wazuh/alerts/alerts.json"
+ type => "ossec"
+ }
+ file {
+ path => "/wazuh/archives/archives.json"
+ type => "ossec_archive"
+ }
+ file {
+ path => "/osquery/logs/result.log"
+ type => "osquery"
+ tags => ["osquery"]
+ }
+ file {
+ path => "/strelka/strelka.log"
+ type => "strelka"
+ }
+}
+filter {
+ if "import" in [tags] {
+ mutate {
+ #add_tag => [ "conf_file_0007"]
+ }
+ }
+}
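Review bot: None of the `file` inputs set `sincedb_path` or `start_position`, so they rely on Logstash's defaults (read from the end of the file, sincedb kept under the data path); if that data path is not on a persisted volume in the container, a restart may re-read or skip log content, so confirm where the sincedb lives. The trailing filter still carries `#add_tag => [ "conf_file_0007"]` although this file is `0800_input_eval.conf`; update it to `conf_file_0800` or remove it. The tunnel input uses `type => "bro_tunnels"` while every other type is singular (`bro_tunnel` would match the `1118_preprocess_bro_tunnel.conf` naming), so check which value that preprocess file expects.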
diff --git a/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ ruby {
+ code => "event.set('task_start', Time.now.to_f)"
+ }
+ mutate {
+ #add_tag => [ "conf_file_1000"]
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..84bce8802
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
@@ -0,0 +1,33 @@
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+
+filter {
+ if "syslogng" in [tags] {
+ mutate {
+ rename => { "MESSAGE" => "message" }
+ rename => { "PROGRAM" => "type" }
+ rename => { "FACILITY" => "syslog-facility" }
+ rename => { "FILE_NAME" => "syslog-file_name" }
+ rename => { "HOST" => "syslog-host" }
+ rename => { "HOST_FROM" => "syslog-host_from" }
+ rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+ rename => { "PID" => "syslog-pid" }
+ rename => { "PRIORITY" => "syslog-priority" }
+ rename => { "SOURCEIP" => "syslog-sourceip" }
+ rename => { "TAGS" => "syslog-tags" }
+ lowercase => [ "syslog-host_from" ]
+ remove_field => [ "ISODATE" ]
+ remove_field => [ "SEQNUM" ]
+ #add_tag => [ "conf_file_1001"]
+ }
+ if "bro_" in [type] {
+ mutate {
+ add_tag => [ "bro" ]
+ }
+ } else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
+ mutate {
+ add_tag => [ "syslog" ]
+ }
+ }
+ }
+}
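Review bot: `rename => { "PROGRAM" => "type" }` sets `type` directly from the program name carried in the received syslog message, and `type` is what later stages branch on (`"bro_" in [type]` here, `[type] == "ids"` in 1033_preprocess_snort.conf), so any host able to deliver syslog effectively chooses which parser handles its events. Keeping the raw value as `syslog-program` alongside the other `syslog-*` fields and assigning `type` only for an expected set of program names would make the routing a deliberate allow-list rather than sender-controlled. A short comment above the rename stating that `type` is derived from the sender would at least make the trust assumption visible.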
diff --git a/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
new file mode 100644
index 000000000..ea7c677da
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "json" in [tags]{
+ json {
+ source => "message"
+ }
+ mutate {
+ remove_tag => [ "json" ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_1002"]
+ }
+ }
+}
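Review bot: The `json { source => "message" }` filter has no `target`, so every key in the incoming JSON lands at the event root and may overwrite control fields such as `type`, `tags` or `@timestamp` that the rest of the pipeline routes on. If the senders are trusted this is acceptable but deserves a comment; otherwise `target => "json"` followed by explicit renames of the fields the pipeline needs keeps routing fields under pipeline control. The filter also leaves `_jsonparsefailure` events flowing on with the `json` tag removed, so downstream stages cannot tell a failed decode apart from a message that was never JSON.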
diff --git a/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..243abcc15
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+ if "syslog" in [tags] {
+ if [host] == "172.16.1.1" {
+ mutate {
+ add_field => { "type" => "fortinet" }
+ add_tag => [ "firewall" ]
+ }
+ }
+ if [host] == "10.0.0.101" {
+ mutate {
+ add_field => { "type" => "brocade" }
+ add_tag => [ "switch" ]
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_1004"]
+ }
+ }
+}
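Review bot: The `[host] == "172.16.1.1"` and `[host] == "10.0.0.101"` mappings to `fortinet` and `brocade` are site-specific example addresses, yet the file is installed on every eval deployment, so a real host at either address would be silently retyped and tagged `firewall` or `switch`. Either comment the two blocks out as examples or drive them from pillar, and add a header comment stating that this file is meant to be customised per site; the other files on this page at least carry an author/date header, and this one has none.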
diff --git a/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..2f893cf7a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
@@ -0,0 +1,140 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/9/2016
+# This conf file is based on accepting logs for DHCP. It is currently based on Windows DHCP only.
+filter {
+ if [type] == "dhcp" {
+ mutate {
+ add_field => { "Hostname" => "%{host}" }
+ }
+ mutate {
+ strip => "message"
+ }
+ # This is the initial parsing of the log
+ grok {
+ # Server 2008+
+ match => { "message" => "%{DATA:id},%{DATE_US:date},(?%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+ # Server 2003
+ match => { "message" => "%{DATA:id},%{DATE_US:date},(?%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+ match => { "message" => "%{DATA:id},%{DATA:date},(?%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+ }
+ # This section below translates the message ID into something humans can understand.
+ if [id] == "00" {
+ mutate {
+ add_field => [ "event", "The log was started"]
+ }
+ }
+ if [id] == "01" {
+ mutate {
+ add_field => [ "event", "The log was stopped"]
+ }
+ }
+ if [id] == "02" {
+ mutate {
+ add_field => [ "event", "The log was temporarily paused due to low disk space"]
+ }
+ }
+ if [id] == "10" {
+ mutate {
+ add_field => [ "event", "A new IP address was leased to a client"]
+ }
+ }
+ if [id] == "11" {
+ mutate {
+ add_field => [ "event", "A lease was renewed by a client"]
+ }
+ }
+ if [id] == "12" {
+ mutate {
+ add_field => [ "event", "A lease was released by a client"]
+ }
+ }
+ if [id] == "13" {
+ mutate {
+ add_field => [ "event", "An IP address was found to be in use on the network"]
+ }
+ }
+ if [id] == "14" {
+ mutate {
+ add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+ }
+ }
+ if [id] == "15" {
+ mutate {
+ add_field => [ "event", "A lease was denied"]
+ }
+ }
+ if [id] == "16" {
+ mutate {
+ add_field => [ "event", "A lease was deleted"]
+ }
+ }
+ if [id] == "17" {
+ mutate {
+ add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+ }
+ }
+ if [id] == "18" {
+ mutate {
+ add_field => [ "event", "A lease was expired and DNS records were deleted"]
+ }
+ }
+ if [id] == "20" {
+ mutate {
+ add_field => [ "event", "A BOOTP address was leased to a client"]
+ }
+ }
+ if [id] == "21" {
+ mutate {
+ add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+ }
+ }
+ if [id] == "22" {
+ mutate {
+ add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+ }
+ }
+ if [id] == "23" {
+ mutate {
+ add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+ }
+ }
+ if [id] == "24" {
+ mutate {
+ add_field => [ "event", "IP address cleanup operation has began"]
+ }
+ }
+ if [id] == "25" {
+ mutate {
+ add_field => [ "event", "IP address cleanup statistics"]
+ }
+ }
+ if [id] == "30" {
+ mutate {
+ add_field => [ "event", "DNS update request to the named DNS server"]
+ }
+ }
+ if [id] == "31" {
+ mutate {
+ add_field => [ "event", "DNS update failed"]
+ }
+ }
+ if [id] == "32" {
+ mutate {
+ add_field => [ "event", "DNS update successful"]
+ }
+ }
+ if [id] == "33" {
+ mutate {
+ add_field => [ "event", "Packet dropped due to NAP policy"]
+ }
+ }
+ # If the message failed to parse correctly keep the message for debugging. Otherwise, drop it.
+ #if "_grokparsefailure" not in [tags] {
+ # mutate {
+ # remove_field => [ "message"]
+ # }
+ #}
+ }
+}
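Review bot: Each of the three grok patterns contains `(?%{HOUR}:%{MINUTE}:%{SECOND})`, a group opener with no name; if the committed file really reads that way the pattern will not compile and every DHCP event will end up with `_grokparsefailure`. This looks like a `(?<time>...)` capture whose `<time>` was lost, possibly in rendering, so verify the file on disk and restore the name. `add_field => { "Hostname" => "%{host}" }` runs before the grok that also captures `%{DATA:Hostname}`, so on a successful match `Hostname` becomes a two-element array; storing the syslog host under a different name (for example `syslog_host`) avoids that.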
diff --git a/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them. There is no input as the logs would have came in via syslog
+filter {
+ # This is an example of using an IP address range to classify a syslog message to a specific type of log
+ # This is helpful as so many devices only send logs via syslog
+ if [host] =~ "10\.[0-1]\.9\." {
+ mutate {
+ replace => ["type", "esxi"]
+ }
+ }
+ if [host] =~ "\.234$" {
+ mutate {
+ replace => ["type", "esxi"]
+ }
+ }
+ if [type] == "esxi" {
+ grok {
+ match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?(?:\[(?[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+# pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?(?:\[(?[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+ }
+ mutate {
+ #add_tag => [ "conf_file_1029"]
+ }
+ }
+}
+
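Review bot: The two host tests that `replace => ["type", "esxi"]` are unanchored: `"10\.[0-1]\.9\."` matches anywhere in the host string and `"\.234$"` reclassifies any host whose address ends in `.234`, so unrelated syslog sources can be retyped and fed to the ESXi grok. Anchor the first with `^` and either remove the `.234` rule or make it a full address; both values are site-specific examples that would be better supplied from pillar. The grok pattern also contains `(?(?:\[(?[0-9A-Z]{8,8})`, two groups with no names, which will not compile if that is the literal file content rather than a rendering artefact; the commented `pattern =>` line repeats the same text.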
diff --git a/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "greensql" {
+ # This section is parsing out the fields for GreenSQL syslog data
+ grok {
+ match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+ match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+ }
+ # Remove the message field as it is unnecessary
+ #mutate {
+ # remove_field => [ "message"]
+ #}
+ mutate {
+ #add_tag => [ "conf_file_1030"]
+ }
+ }
+}
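Review bot: Both grok patterns capture `%{INT:Transcation}`, a misspelling of `Transaction` that becomes the indexed field name; correct it to `%{INT:Transaction}` in both lines before data is written under the typo. The field names here are also PascalCase (`Code`, `UserName`, `SrcIp`, `DstPort`) while the rest of the pipeline uses snake_case (`source_ip`, `destination_port`), so GreenSQL events will not line up with the common dashboards; `%{IPV4:source_ip}` and `%{INT:source_port}` for the network fields would align them.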
diff --git a/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "iis" {
+ # The log is expected to have come from NXLog and in JSON format. This allows for automatic parsing of fields
+ json {
+ source => "message"
+ }
+ # This removes the message field as it is unneccesary and tags the packet as web
+ mutate {
+ # remove_field => [ "message"]
+ add_tag => [ "web" ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_1031"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+ if [type] == "mcafee" {
+ # NXLog should be sending the logs in JSON format so they auto parse
+ json {
+ source => "message"
+ }
+ # This section converts the UTC fields to the proper time format
+ date {
+ match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+ target => [ "ReceivedUTC" ]
+ }
+ date {
+ match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+ target => [ "DetectedUTC" ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_1032"]
+ }
+ }
+}
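Review bot: Both `date` filters parse fields named `ReceivedUTC` and `DetectedUTC` without `timezone => "UTC"`, so the pattern `YYYY-MM-dd HH:mm:ss` (which carries no zone) is interpreted in the Logstash host's default timezone and the stored times shift by the local offset. Add `timezone => "UTC"` to each. `target => [ "ReceivedUTC" ]` passes an array for a string option; a one-element array appears to be accepted, but `target => "ReceivedUTC"` is the documented form.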
diff --git a/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+ if [type] == "ids" {
+ # This is the initial parsing of the log
+ if [engine] == "suricata" {
+ json {
+ source => "message"
+ }
+ mutate {
+ rename => { "alert" => "orig_alert" }
+ rename => { "[orig_alert][gid]" => "gid" }
+ rename => { "[orig_alert][signature_id]" => "sid" }
+ rename => { "[orig_alert][rev]" => "rev" }
+ rename => { "[orig_alert][signature]" => "alert" }
+ rename => { "[orig_alert][category]" => "classification" }
+ rename => { "[orig_alert][severity]" => "priority" }
+ rename => { "[orig_alert][rule]" => "rule_signature" }
+ rename => { "app_proto" => "application_protocol" }
+ rename => { "dest_ip" => "destination_ip" }
+ rename => { "dest_port" => "destination_port" }
+ rename => { "in_iface" => "interface" }
+ rename => { "proto" => "protocol" }
+ rename => { "src_ip" => "source_ip" }
+ rename => { "src_port" => "source_port" }
+ #rename => { "[fileinfo][filename]" => "filename" }
+ #rename => { "[fileinfo][gaps]" => "gaps" }
+ #rename => { "[fileinfo][size]" => "size" }
+ #rename => { "[fileinfo][state]" => "state" }
+ #rename => { "[fileinfo][stored]" => "stored" }
+ #rename => { "[fileinfo][tx_id]" => "tx_id" }
+ #rename => { "[flow][age]" => "duration" }
+ #rename => { "[flow][alerted]" => "flow_alerted" }
+ #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+ #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+ #rename => { "[flow][end]" => "flow_end" }
+ #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+ #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+ #rename => { "[flow][reason]" => "reason" }
+ #rename => { "[flow][start]" => "flow_start" }
+ #rename => { "[flow][state]" => "state" }
+ #rename => { "[netflow][age]" => "duration" }
+ #rename => { "[netflow][bytes]" => "bytes" }
+ #rename => { "[netflow][end]" => "netflow_end" }
+ #rename => { "[netflow][start]" => "netflow_start" }
+ #rename => { "[netflow][pkts]" => "packets" }
+ rename => { "[alert][action]" => "action" }
+ rename => { "[alert][category]" => "category" }
+ rename => { "[alert][gid]" => "gid" }
+ rename => { "[alert][rev]" => "rev" }
+ rename => { "[alert][severity]" => "severity" }
+ rename => { "[alert][signature]" => "signature" }
+ rename => { "[alert][signature_id]" => "sid" }
+ #rename => { "[dns][aa]" => "aa" }
+ #rename => { "[dns][flags]" => "flags" }
+ #rename => { "[dns][id]" => "id" }
+ #rename => { "[dns][qr]" => "qr" }
+ #rename => { "[dns][rcode]" => "rcode_name" }
+ #rename => { "[dns][rrname]" => "rrname" }
+ #rename => { "[dns][rrtype]" => "rrtype" }
+ #rename => { "[dns][tx_id]" => "tx_id" }
+ #rename => { "[dns][type]" => "record_type" }
+ #rename => { "[dns][version]" => "version" }
+ rename => { "[http][hostname]" => "virtual_host" }
+ rename => { "[http][http_content_type]" => "content_type" }
+ rename => { "[http][http_port]" => "http_port" }
+ rename => { "[http][http_method]" => "method" }
+ rename => { "[http][http_user_agent]" => "useragent" }
+ #rename => { "[http][length]" => "payload_length" }
+ #rename => { "[http][protocol]" => "http_version" }
+ rename => { "[http][status]" => "status_message" }
+ rename => { "[http][url]" => "url" }
+ #rename => { "[metadata][flowbits]" => "flowbits" }
+ rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+ rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+ rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+ rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+ rename => { "[tls][subject]" => "certificate_common_name" }
+ rename => { "[tls][version]" => "tls_version" }
+ rename => { "event_type" => "ids_event_type" }
+ remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+ remove_tag => [ "beats_input_codec_plain_applied" ]
+ add_tag => [ "eve" ]
+
+ }
+ } else {
+ grok {
+ match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+ "message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+ "message", "%{GREEDYDATA:alert}"]
+ }
+ }
+ if [timestamp] {
+ mutate {
+ add_field => { "logstash_timestamp" => "%{@timestamp}" }
+ }
+ mutate {
+ convert => { "logstash_timestamp" => "string" }
+ }
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ mutate {
+ rename => { "logstash_timestamp" => "timestamp" }
+ }
+ }
+
+ # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+ if [alert] =~ "GPL " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "alert" => "GPL\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Snort GPL" }
+ lowercase => [ "category"]
+ }
+ }
+ # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+ if [alert] =~ "ET " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "alert" => "ET\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Emerging Threats" }
+ lowercase => [ "category"]
+ }
+ }
+ # I recommend changing the field types below to integer so searches can do greater than or less than
+ # and also so math functions can be ran against them
+ mutate {
+ convert => [ "source_port", "integer" ]
+ convert => [ "destination_port", "integer" ]
+ convert => [ "gid", "integer" ]
+ convert => [ "sid", "integer" ]
+ # remove_field => [ "message"]
+ }
+ # This will translate the priority field into a severity field of either High, Medium, or Low
+ if [priority] == 1 {
+ mutate {
+ add_field => { "severity" => "High" }
+ }
+ }
+ if [priority] == 2 {
+ mutate {
+ add_field => { "severity" => "Medium" }
+ }
+ }
+ if [priority] == 3 {
+ mutate {
+ add_field => { "severity" => "Low" }
+ }
+ }
+ # This section adds URLs to lookup information about a rule online
+ if [sid] and [sid] > 0 and [sid] < 1000000 {
+ mutate {
+ add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+ }
+ }
+ if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+ mutate {
+ add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+ }
+ }
+# mutate {
+ #add_tag => [ "conf_file_1033"]
+# }
+ }
+}
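Review bot: The sixth grok alternative ends with `\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})`, so the address after the arrow is captured into `source_ip` instead of `destination_ip`; it looks like a copy of the fourth alternative with the destination capture left unchanged, and should read `(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})`. The `mutate { convert => ... }` block converts `source_port`, `destination_port`, `gid` and `sid` but not `priority`, so for grok-parsed events `[priority] == 1` may compare a string against a number; adding `convert => [ "priority", "integer" ]` makes the High/Medium/Low mapping apply to both code paths. The checks `[alert] =~ "GPL "` and `[alert] =~ "ET "` are unanchored, so any alert text containing `ET ` mid-string is re-grokked as Emerging Threats; `=~ "^ET "` and `=~ "^GPL "` are safer.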
diff --git a/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+ if [type] == "syslog" {
+ # This drops syslog messages regarding license messages. You may want to comment it out.
+ #if [message] =~ "license" {
+ # drop { }
+ #}
+ mutate {
+ #convert => [ "status_code", "integer" ]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/2000_network_flow.conf b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "sflow" {
+ if [message] =~ /CNTR/ {
+ drop { }
+ }
+
+ grok {
+ match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+ }
+
+ if "_grokparsefailure" in [tags] {
+ drop { }
+ }
+
+ mutate {
+ add_field => {
+ "[source_hostname]" => "%{source_ip}"
+ "[destination_hostname]" => "%{destination_ip}"
+ "[sflow_source_hostname]" => "%{sflow_source_ip}"
+ }
+ }
+
+ translate {
+ field => "[source_port]"
+ destination => "[source_service]"
+ dictionary_path => "/lib/dictionaries/iana_services.yaml"
+ }
+
+ translate {
+ field => "[destination_port]"
+ destination => "[destination_service]"
+ dictionary_path => "/lib/dictionaries/iana_services.yaml"
+ }
+
+ translate {
+ field => "[protocol]"
+ destination => "[protocol_name]"
+ dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+ }
+
+ translate {
+ field => "[tcp_flags]"
+ destination => "[tcp_flag]"
+ dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+ }
+
+ mutate {
+ add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+ }
+ mutate {
+ #add_tag => [ "conf_file_2000"]
+ }
+ }
+}
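Review bot: The `if "_grokparsefailure" in [tags] { drop { } }` block silently discards every sflow record that does not match the single grok pattern, so an exporter format change or a malformed sample produces no signal at all — the feed just thins out. Prefer keeping the event with its failure tag (and routing it to a parse-failure index or a metric) so lost visibility is detectable; at minimum a comment such as `# Unparsed sflow samples are intentionally discarded` should state the choice. The four `translate` filters read absolute `/lib/dictionaries/*.yaml` paths, so whatever state ships this config must also provision those files or the pipeline will not behave as intended.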
diff --git a/salt/logstash/conf/pipelines/eval/6002_syslog.conf b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+ if "syslog" in [tags] {
+ mutate {
+ #convert => [ "status_code", "integer" ]
+ #add_tag => [ "conf_file_6002"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "brocade" {
+ grok {
+ match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+ }
+ grok {
+ match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+ add_field => [ "received_at", "%{@timestamp}" ]
+ }
+ if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+ grok {
+ match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+ }
+ mutate {
+ add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+ }
+ }
+ date {
+ match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+ timezone => "America/Chicago"
+ remove_field => "syslog_timestamp"
+ remove_field => "received_at"
+ }
+ mutate {
+ #add_tag => [ "conf_file_6101"]
+ }
+ }
+}
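Review bot: `timezone => "America/Chicago"` in the date filter hard-codes the author's zone, so timestamps from switches running in any other zone (or UTC) are shifted by hours before indexing and break timeline correlation; the same hard-coded zone appears in the date block of 6200_firewall_fortinet.conf. Since these files ship under salt/, the zone should be templated from pillar or left unset so the collector's configured zone applies. The first grok discards the syslog PRI with `<%{DATA}>`; capturing it (`<%{NONNEGINT:syslog_pri}>`) would keep facility/severity available for triage.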
diff --git a/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "fortinet" {
+ mutate {
+ gsub => [ "message", "= ", "=NA " ]
+ }
+
+ grok {
+ match => ["message", "type=%{DATA:event_type}\s+"]
+ tag_on_failure => []
+ }
+ grok {
+ match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+ tag_on_failure => []
+ }
+ kv {
+ source => "kv"
+ exclude_keys => [ "type" ]
+ }
+ mutate {
+ gsub => [ "log", "= ", "=NA " ]
+ }
+ kv {
+ source => "log"
+ target => "SubLog"
+ }
+ grok {
+ match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+ tag_on_failure => [ "" ]
+ }
+ mutate {
+ rename => { "action" => "action" }
+ rename => { "addr" => "addr_ip" }
+ rename => { "age" => "age" }
+ rename => { "assigned" => "assigned_ip" }
+ rename => { "assignip" => "assign_ip" }
+ rename => { "ap" => "access_point" }
+ rename => { "app" => "application" }
+ rename => { "appcat" => "application_category" }
+ rename => { "applist" => "application_list" }
+ rename => { "apprisk" => "application_risk" }
+ rename => { "approfile" => "accessPoint_profile" }
+ rename => { "apscan" => "access_point_scan" }
+ rename => { "apstatus" => "acces_point_status" }
+ rename => { "aptype" => "access_point_type" }
+ rename => { "authproto" => "authentication_protocol" }
+ rename => { "bandwidth" => "bandwidth" }
+ rename => { "banned_src" => "banned_source" }
+ rename => { "cat" => "category" }
+ rename => { "catdesc" => "category_description" }
+ rename => { "cfgattr" => "configuration_attribute" }
+ rename => { "cfgobj" => "configuration_object" }
+ rename => { "cfgpath" => "configuration_path" }
+ rename => { "cfgtid" => "configuration_transaction_id" }
+ rename => { "channel" => "channel" }
+ rename => { "community" => "community" }
+ rename => { "cookies" => "cookies" }
+ rename => { "craction" => "cr_action" }
+ rename => { "crlevel" => "cr_level" }
+ rename => { "crscore" => "cr_score" }
+ rename => { "datarange" => "data_range" }
+ rename => { "desc" => "description" }
+ rename => { "detectionmethod" => "detection_method" }
+ rename => { "devid" => "device_id" }
+ rename => { "devname" => "device_name" }
+ rename => { "devtype" => "device_type" }
+ rename => { "dhcp_msg" => "dhcp_message" }
+ rename => { "disklograte" => "disk_lograte" }
+ rename => { "dstcountry" => "destination_country" }
+ rename => { "dstintf" => "destination_interface" }
+ rename => { "dstip" => "destination_ip" }
+ rename => { "dstport" => "destination_port" }
+ rename => { "duration" => "elapsed_time" }
+ rename => { "error_num" => "error_number" }
+ rename => { "espauth" => "esp_authentication" }
+ rename => { "esptransform" => "esp_transform" }
+ rename => { "eventid" => "event_id" }
+ rename => { "eventtype" => "event_type" }
+ rename => { "fazlograte" => "faz_lograte" }
+ rename => { "filename" => "file_name" }
+ rename => { "filesize" => "file_size" }
+ rename => { "filetype" => "file_type" }
+ rename => { "hostname" => "hostname" }
+ rename => { "ip" => "source_ip" }
+ rename => { "localip" => "source_ip" }
+ rename => { "locip" => "local_ip" }
+ rename => { "locport" => "source_port" }
+ rename => { "logid" => "log_id" }
+ rename => { "logver" => "log_version" }
+ rename => { "manuf" => "manufacturer" }
+ rename => { "mem" => "memory" }
+ rename => { "meshmode" => "mesh_mode" }
+ rename => { "msg" => "message" }
+ rename => { "nextstat" => "next_stat" }
+ rename => { "onwire" => "on_wire" }
+ rename => { "osname" => "os_name" }
+ rename => { "osversion" => "unauthenticated_user" }
+ rename => { "outintf" => "outbound_interface" }
+ rename => { "peer_notif" => "peer_notification" }
+ rename => { "phase2_name" => "phase2_name" }
+ rename => { "policyid" => "policy_id" }
+ rename => { "policytype" => "policy_type" }
+ rename => { "port" => "port" }
+ rename => { "probeproto" => "probe_protocol" }
+ rename => { "proto" => "protocol_number" }
+ rename => { "radioband" => "radio_band" }
+ rename => { "radioidclosest" => "radio_id_closest" }
+ rename => { "radioiddetected" => "radio_id_detected" }
+ rename => { "rcvd" => "bytes_received" }
+ rename => { "rcvdbyte" => "bytes_received" }
+ rename => { "rcvdpkt" => "packets_received" }
+ rename => { "remip" => "destination_ip" }
+ rename => { "remport" => "remote_port" }
+ rename => { "reqtype" => "request_type" }
+ rename => { "scantime" => "scan_time" }
+ rename => { "securitymode" => "security_mode" }
+ rename => { "sent" => "bytes_sent" }
+ rename => { "sentbyte" => "bytes_sent" }
+ rename => { "sentpkt" => "packets_sent" }
+ rename => { "session_id" => "session_id" }
+ rename => { "setuprate" => "setup_rate" }
+ rename => { "sn" => "serial" }
+ rename => { "snclosest" => "serial_closest_access_point" }
+ rename => { "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+ rename => { "snmeshparent" => "serial_mesh_parent" }
+ rename => { "srccountry" => "source_country" }
+ rename => { "srcip" => "source_ip" }
+ rename => { "srcmac" => "source_mac" }
+ rename => { "srcname" => "source_name" }
+ rename => { "srcintf" => "source_interface" }
+ rename => { "srcport" => "source_port" }
+ rename => { "stacount" => "station_count" }
+ rename => { "stamac" => "static_mac" }
+ rename => { "srccountry" => "source_country" }
+ rename => { "srcip" => "source_ip" }
+ rename => { "srcmac" => "source_mac" }
+ rename => { "srcname" => "source_name" }
+ rename => { "sn" => "serial" }
+ rename => { "srcintf" => "source_interface" }
+ rename => { "srcport" => "source_port" }
+ rename => { "total" => "total_bytes" }
+ rename => { "totalsession" => "total_sessions" }
+ rename => { "trandisp" => "nat_translation_type" }
+ rename => { "tranip" => "nat_destination_ip" }
+ rename => { "tranport" => "nat_destination_port" }
+ rename => { "transip" => "nat_source_ip" }
+ rename => { "transport" => "nat_source_port" }
+ rename => { "tunnelid" => "tunnel_id" }
+ rename => { "tunnelip" => "tunnel_ip" }
+ rename => { "tunneltype" => "tunnel_type" }
+ rename => { "unauthuser" => "unauthenticated_user_source" }
+ rename => { "unauthusersource" => "os_version" }
+ rename => { "vendorurl" => "vendor_url" }
+ rename => { "vpntunnel" => "vpn_tunnel" }
+ rename => { "vulncat" => "vulnerability_category" }
+ rename => { "vulncmt" => "vulnerability_count" }
+ rename => { "vulnid" => "vulnerability_id" }
+ rename => { "vulnname" => "vulnerability_name" }
+ rename => { "vulnref" => "vulnerability_reference" }
+ rename => { "vulnscore" => "vulnerability_score" }
+ rename => { "xauthgroup" => "x_authentication_group" }
+ rename => { "xauthuser" => "x_authentication_user" }
+ rename => { "[SubLog][appid]" => "sub_application_id" }
+ rename => { "[SubLog][devid]" => "sub_device_id" }
+ rename => { "[SubLog][dstip]" => "sub_destination_ip" }
+ rename => { "[SubLog][srcip]" => "sub_source_ip" }
+ rename => { "[SubLog][dstport]" => "sub_destination_port" }
+ rename => { "[SubLog][eventtype]" => "sub_event_type" }
+ rename => { "[SubLog][proto]" => "sub_protocol_number" }
+ rename => { "[SubLog][date]" => "sub_date" }
+ rename => { "[SubLog][time]" => "sub_time" }
+ rename => { "[SubLog][srcport]" => "sub_source_port" }
+ rename => { "[SubLog][subtype]" => "sub_subtype" }
+ rename => { "[SubLog][devname]" => "sub_device_name" }
+ rename => { "[SubLog][itime]" => "sub_itime" }
+ rename => { "[SubLog][level]" => "sub_level" }
+ rename => { "[SubLog][logid]" => "sub_log_id" }
+ rename => { "[SubLog][logver]" => "sub_log_version" }
+ rename => { "[SubLog][type]" => "sub_event_type" }
+ rename => { "[SubLog][vd]" => "sub_vd" }
+ rename => { "[SubLog][action]" => "sub_action" }
+ rename => { "[SubLog][logdesc]" => "sub_destination_ip" }
+ rename => { "[SubLog][policyid]" => "sub_olicy_id" }
+ rename => { "[SubLog][reason]" => "sub_reason" }
+ rename => { "[SubLog][service]" => "sub_service" }
+ rename => { "[SubLog][sessionid]" => "sub_session_id" }
+ rename => { "[SubLog][src]" => "sub_source_ip" }
+ rename => { "[SubLog][status]" => "sub_status" }
+ rename => { "[SubLog][ui]" => "sub_ui" }
+ rename => { "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+ strip => [ "bytes_sent", "bytes_received" ]
+ convert => [ "bytes_sent", "integer" ]
+ convert => [ "bytes_received", "integer" ]
+ convert => [ "cr_score", "integer" ]
+ convert => [ "cr_action", "integer" ]
+ convert => [ "elapsed_time", "integer" ]
+ convert => [ "destination_port", "integer" ]
+ convert => [ "source_port", "integer" ]
+ convert => [ "local_port", "integer" ]
+ convert => [ "remote_port", "integer" ]
+ convert => [ "packets_sent", "integer" ]
+ convert => [ "packets_received", "integer" ]
+ convert => [ "port", "integer" ]
+ convert => [ "ProtocolNumber", "integer" ]
+ convert => [ "XAuthUser", "string" ]
+ remove_field => [ "kv", "log" ]
+ }
+ if [tunnel_ip] == "N/A" {
+ mutate {
+ remove_field => [ "tunnel_ip" ]
+ }
+ }
+ if [nat_destination_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+ add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+ }
+ }
+ if [sub_destination_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+ add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+ }
+ }
+ if [nat_source_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{nat_source_ip}" ] }
+ add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+ }
+ }
+ if [sub_source_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{sub_source_ip}" ] }
+ add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+ }
+ }
+ if [addr_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{addr_ip}" ] }
+ }
+ }
+ if [assign_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{assign_ip}" ] }
+ }
+ }
+ if [assigned_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{assigned_ip}" ] }
+ }
+ }
+ grok {
+ match => ["message", "type=%{DATA:event_type}\s+"]
+ }
+ if [date] and [time] {
+ mutate {
+ add_field => { "receive_time" => "%{date} %{time}" }
+ remove_field => [ "date", "time" ]
+ }
+ date {
+ timezone => "America/Chicago"
+ match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+ target => "receive_time"
+ }
+ mutate {
+ rename => { "receive_time" => "@timestamp" }
+ }
+ } else {
+ mutate {
+ add_tag => [ "missing_date" ]
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_6200"]
+ }
+ }
+}
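Review bot: `rename => { "[SubLog][logdesc]" => "sub_destination_ip" }` sends a free-text log description into the same field that `[SubLog][dstip]` is renamed to, and the later `if [sub_destination_ip]` block then copies that text into `ips` and `destination_ips`; a description string in an IP-typed field is likely to be rejected by the index mapping or to pollute IP pivots, so this should be `rename => { "[SubLog][logdesc]" => "sub_log_description" }`. Three renames are rotated — `osversion` → `unauthenticated_user`, `unauthuser` → `unauthenticated_user_source`, `unauthusersource` → `os_version` — where the intended mapping is plainly `osversion` → `os_version`, `unauthuser` → `unauthenticated_user`, `unauthusersource` → `unauthenticated_user_source`. The converts on `ProtocolNumber` and `XAuthUser` name fields that no rename produces (the renames yield `protocol_number` and `x_authentication_user`), so the protocol number stays a string, and `sub_olicy_id` looks like a typo for `sub_policy_id`.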
diff --git a/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..acd08eba0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
@@ -0,0 +1,56 @@
+# Author: Wes Lambert
+# Updated by: Doug Burks
+
+filter {
+ if [type] == "filterlog" {
+ dissect {
+ mapping => {
+ "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
+ }
+ }
+ if [ip_version] == "4" {
+ dissect {
+ mapping => {
+ "sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+ }
+ }
+ }
+ if [ip_version] == "6" {
+ dissect {
+ mapping => {
+ "sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+ }
+ }
+ }
+ if [protocol] == "tcp" {
+ dissect {
+ mapping => {
+ "ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
+ }
+ }
+ }
+ if [protocol] == "udp" {
+ dissect {
+ mapping => {
+ "ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
+ }
+ }
+ }
+ if [protocol] == "Options" {
+ mutate {
+ copy => { "ip_sub_msg" => "options" }
+ }
+ mutate {
+ split => { "options" => "," }
+ }
+ }
+ mutate {
+ convert => [ "destination_port", "integer" ]
+ convert => [ "source_port", "integer" ]
+ convert => [ "ip_version", "integer" ]
+ replace => { "type" => "firewall" }
+ add_tag => [ "pfsense","firewall" ]
+ remove_field => [ "sub_msg", "ip_sub_msg" ]
+ }
+ }
+}
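Review bot: None of the dissect filters guard against a parse failure: when the first mapping does not match, the event is tagged `_dissectfailure`, `ip_version` and `protocol` are absent so the conditional blocks are skipped, and the final mutate still rewrites `type` to `firewall` and tags the event `pfsense`, making malformed or unexpected filterlog lines indistinguishable from parsed firewall events. Wrap the per-protocol dissects and the final mutate in `if "_dissectfailure" not in [tags] { ... }`, or keep the original `type` on failure so unparsed lines can be found in search. The tcp mapping `"%{source_port},%{destination_port},%{data_length},%{tcp_flags},"` ends with a trailing comma, so it presumably requires further comma-separated fields after the flags and discards them; confirm against the actual filterlog tcp field list.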
diff --git a/salt/logstash/conf/pipelines/eval/6300_windows.conf b/salt/logstash/conf/pipelines/eval/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "windows" {
+# json {
+# source => "message"
+# }
+ date {
+ match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+ remove_field => [ "EventTime" ]
+ }
+ if [EventID] == 4634 {
+ mutate {
+ add_tag => [ "logoff" ]
+ }
+ }
+ if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+ mutate {
+ add_tag => [ "logon" ]
+ add_tag => [ "alert_data" ]
+ }
+ }
+ if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+ mutate {
+ add_tag => [ "logon_failure" ]
+ add_tag => [ "alert_data" ]
+ }
+ }
+ # Critical event IDs to monitor
+ if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+ mutate {
+ add_tag => [ "alert_data" ]
+ }
+ }
+ # Critical event IDs to monitor
+ if [EventID] == 5152 { drop {} }
+ if [EventID] == 4688 { drop {} }
+ if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+ if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+ if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+ if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+ # Whitelist/Blacklist check
+ if [EventID] == 7045 {
+ translate {
+ field => "ServiceName"
+ destination => "ServiceCheck"
+ dictionary_path => "/lib/dictionaries/services.yaml"
+ }
+ }
+ if [EventID] == 7045 and !([ServiceCheck]) {
+ mutate {
+ add_tag => [ "alert_data","new_service" ]
+ }
+ }
+ if [ServiceCheck] == 'whitelist' {
+ mutate {
+ remove_field => [ "ServiceCheck" ]
+ add_tag => [ "whitelist" ]
+ }
+ }
+ if [ServiceCheck] == 'blacklist' {
+ mutate {
+ remove_field => [ "ServiceCheck" ]
+ add_tag => [ "blacklist" ]
+ }
+ }
+ if [EventID] == 5158 {
+ if [Application] == "System" { drop {} }
+ if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+ if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+ if [Application] =~ "mcafee" { drop {} }
+ if [Application] =~ "carestream" { drop {} }
+ if [Application] =~ "Softdent" { drop {} }
+ }
+ if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+ if [EventID] == 4690 { drop {} }
+ if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+ if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+ if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+ if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+ if [EventID] == 5447 { drop {} }
+
+ mutate {
+ rename => [ "AccountName", "user" ]
+ rename => [ "AccountType", "account_type" ]
+ rename => [ "ActivityID", "activity_id" ]
+ rename => [ "Category", "category" ]
+ rename => [ "ClientAddress", "client_ip" ]
+ rename => [ "Channel", "channel" ]
+ rename => [ "DCIPAddress", "domain_controller_ip" ]
+ rename => [ "DCName", "domain_controller_name" ]
+ rename => [ "EventID", "event_id" ]
+ rename => [ "EventReceivedTime", "event_received_time" ]
+ rename => [ "EventType", "event_type" ]
+ rename => [ "GatewayIPAddress", "gateway_ip" ]
+ rename => [ "IPAddress", "client_ip" ]
+ rename => [ "Ipaddress", "client_ip" ]
+ rename => [ "IpAddress", "client_ip" ]
+ rename => [ "IPPort", "source_port" ]
+ rename => [ "OpcodeValue", "opcode_value" ]
+ rename => [ "PreAuthType", "preauthentication_type" ]
+ rename => [ "PrincipleSAMName", "user" ]
+ rename => [ "ProcessID", "process_id" ]
+ rename => [ "ProviderGUID", "providerguid" ]
+ rename => [ "RecordNumber", "record_number" ]
+ rename => [ "RemoteAddress", "destination_ip" ]
+ rename => [ "ServiceName", "service_name" ]
+ rename => [ "ServiceID", "service_id" ]
+ rename => [ "SeverityValue", "severity_value" ]
+ rename => [ "SourceAddress", "client_ip" ]
+ rename => [ "SourceModuleName", "source_module_name" ]
+ rename => [ "SourceModuleType", "source_module_type" ]
+ rename => [ "SourceName", "source_name" ]
+ rename => [ "SubjectUserName", "user" ]
+ rename => [ "TaskName", "task_name" ]
+ rename => [ "TargetDomainName", "target_domain_name" ]
+ rename => [ "TargetUserName", "user" ]
+ rename => [ "ThreadID", "thread_id" ]
+ rename => [ "User_ID", "user" ]
+ rename => [ "UserID", "user" ]
+ rename => [ "username", "user" ]
+ }
+ # For any accounts that are service accounts or special accounts add the tag of service_account
+ # This example applies the tag to any username that starts with SVC_. If you use a different
+ # standard change this.
+ if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+ mutate {
+ add_tag => [ "service_account" ]
+ }
+ }
+ # This looks for events that are typically noisy but may be of use for deep dive investigations
+ # A tag of noise is added to quickly filter out noise
+ if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+ mutate {
+ add_tag => [ "noise" ]
+ }
+ }
+ #Identify machine accounts
+ if [user] =~ /\$/ {
+ mutate {
+ add_tag => [ "machine", "noise" ]
+ }
+ }
+ # Lower case all field names
+ ruby {
+ code => "
+ event_hash = event.to_hash
+ new_event = {}
+ event_hash.keys.each do |key|
+ new_event[key.downcase] = event[key]
+ end
+ event.instance_variable_set(:@data, new_event)"
+ }
+ mutate {
+ #add_tag => [ "conf_file_6300"]
+ }
+ }
+}
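Review bot: The ruby filter at the end of the hunk uses the pre-5.0 event API (`event[key]` and `event.instance_variable_set(:@data, ...)`), which on Logstash 5+ raises and tags every Windows event `_rubyexception` instead of lowercasing field names; `event.get`/`event.set`/`event.remove` are the supported calls, rewritten below. The same removed accessors (`event['event_type']`, `event['fileinfo']['type']=`) are used in the ruby filter of 6400_suricata.conf. Separately, `[ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe"` is a string equality against a regex-escaped literal and can never match; use `=~` there as the neighbouring rules do. The drops keyed on `SolarwindsHO`, `mcafee`, `carestream` and `Softdent` are site-specific exclusions in a config that ships to every deployment and should be documented as such or moved to a local override.
```logstash
    # Lower case all top-level field names (Logstash 5+ event API)
    ruby {
      code => "
        event.to_hash.each do |key, value|
          next if key.start_with?('@')
          lower = key.downcase
          next if lower == key
          event.remove(key)
          event.set(lower, value)
        end"
    }
    # … unchanged: trailing conf_file_6300 mutate …
```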
diff --git a/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "dns" and "bro" not in [tags] {
+ json {
+ source => "message"
+ }
+ # strip whitespace from message field
+ mutate {
+ strip => "message"
+ }
+ # If the message is blank, drop the log
+ if [Message] =~ /^$/ {
+ drop { }
+ } else {
+ if [type] == "dns" {
+ # This section is lookup for a match against the log and parsing out the fields
+ grok {
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ remove_field => [ "Message" ]
+ }
+ # This section attempts to convert the dns_domain into the traditional domain.com format
+ mutate {
+ gsub => [ "dns_domain", "(\(\d+\))", "." ]
+ }
+ grok {
+ match => { "dns_domain" => "\.%{DATA:query}\.$" }
+ remove_field => [ "dns_domain" ]
+ }
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_6301"]
+ }
+ }
+}
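Review bot: Every grok pattern in this hunk opens with `(?%{DATE_US} ...)` or `(?%{YEAR}...)`, which is not a valid group construct — the named-group label (something like `(?<timestamp>`) appears to have been lost, and if the committed file really reads this way the regex engine rejects the pattern and the pipeline fails to load; confirm against the file itself. The blank-message check tests `[Message]` while the preceding `mutate { strip => "message" }` strips `message`, so the `Message` field produced by the json filter is never trimmed and a whitespace-only `Message` is not dropped; change it to `strip => "Message"` (or strip both). The inner `if [type] == "dns"` repeats the enclosing condition and can be removed.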
diff --git a/salt/logstash/conf/pipelines/eval/6400_suricata.conf b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+ if [type] == "suricata" {
+ if "test_data" not in [tags] {
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ } else {
+ mutate {
+ remove_field => [ "netflow.start","netflow.end","timestamp" ]
+ }
+ }
+ if [event_type] == "fileinfo" {
+ ruby {
+ code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
+ }
+ }
+ # I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
+ mutate {
+ rename => [ "src_ip", "source_ip" ]
+ rename => [ "dest_ip", "destination_ip" ]
+ rename => [ "src_port", "source_port" ]
+ rename => [ "dest_port", "destination_port" ]
+ }
+ # This will translate the alert.severity field into a severity field of either High, Medium, or Low
+ if [event_type] == "alert" {
+ if [alert][severity] == 1 {
+ mutate {
+ add_field => { "severity" => "High" }
+ }
+ }
+ if [alert][severity] == 2 {
+ mutate {
+ add_field => { "severity" => "Medium" }
+ }
+ }
+ if [alert][severity] == 3 {
+ mutate {
+ add_field => { "severity" => "Low" }
+ }
+ }
+ # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+ if [alert][signature] =~ "GPL " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Snort GPL" }
+ lowercase => [ "category" ]
+ }
+ }
+ # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+ if [alert][signature] =~ "ET " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Emerging Threats" }
+ lowercase => [ "category" ]
+ }
+ }
+ # This section adds URLs to lookup information about a rule online
+ if [rule_type] == "Snort GPL" {
+ mutate {
+ add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+ }
+ }
+ if [rule_type] == "Emerging Threats" {
+ mutate {
+ add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+ }
+ }
+ }
+ if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+ # mutate {
+ # remove_field => [ "message" ]
+ # }
+ }
+ mutate {
+ #add_tag => [ "conf_file_6400"]
+ }
+ }
+}
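Review bot: `remove_field => [ "netflow.start","netflow.end","timestamp" ]` in the test_data branch uses dotted names, which Logstash treats as literal top-level field names rather than nested references, so the Suricata EVE `netflow` sub-fields are never removed; write them as `[netflow][start]` and `[netflow][end]`. The `if "_grokparsefailure" not in [tags] and ... { }` block guards only commented-out code and is dead; either restore the `remove_field` or delete the block so the intent is not ambiguous.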
diff --git a/salt/logstash/conf/pipelines/eval/6500_ossec.conf b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
new file mode 100644
index 000000000..292fea49b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
@@ -0,0 +1,160 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/19/2018
+#
+# This conf file is based on accepting logs from OSSEC
+
+filter {
+ # OSSEC Alerts
+ if [type] == "ossec" {
+
+ # Sysmon/Autoruns logs transported by OSSEC
+ if [message] =~ "Microsoft-Windows-Sysmon" {
+ mutate {
+ replace => { "type" => "sysmon" }
+ add_tag => [ "ossec" ]
+ }
+ }
+ if [message] =~ "AR-LOG" {
+ mutate {
+ replace => { "type" => "autoruns" }
+ add_tag => [ "ossec" ]
+ }
+ }
+
+ # If message looks like json, try to parse it as such. Otherwise, grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+ mutate {
+ rename => { "rule" => "wazuh-rule" }
+ rename => { "[wazuh-rule][level]" => "alert_level" }
+ rename => { "[wazuh-rule][description]" => "description" }
+ rename => { "[data][srcuser]" => "username" }
+ rename => { "[data][dstuser]" => "escalated_user" }
+ rename => { "[data][command]" => "command" }
+ rename => { "[predecoder][program_name]" => "process" }
+
+ }
+ # Wazuh 3.8.2
+ if [data][EventChannel] {
+ mutate {
+ rename => { "[data][EventChannel][EventData][User]" => "username" }
+ rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+ rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+ rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+ rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+ rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+ rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+ rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+ }
+ }
+ # Wazuh 3.9.2
+ if [data][win] {
+ mutate {
+ rename => { "[data][win][eventdata][user]" => "username" }
+ rename => { "[data][win][system][eventID]" => "event_id" }
+ rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+ rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+ rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+ rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+ rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+ rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+ }
+ }
+ } else {
+ grok {
+ match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
+ "message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+ }
+ }
+
+ # Add tag for OSSEC alerts
+ if [alert_level] {
+ mutate {
+ add_tag => [ "alert" ]
+ }
+ }
+
+ translate {
+ field => "alert_level"
+
+ destination => "classification"
+
+ dictionary => [
+ "1", "None",
+ "2", "System low priority notification",
+ "3", "Successful/authorized event",
+ "4", "System low priority error",
+ "5", "User generated error",
+ "6", "Low relevance attack",
+ "7", '"Bad word" matching',
+ "8", "First time seen",
+ "9", "Error from invalid source",
+ "10", "Multiple user generated errors",
+ "11", "Integrity checking warning",
+ "12", "High importance event",
+ "13", "Unusal error (high importance)",
+ "14", "High importance security event",
+ "15", "Severe attack"
+ ]
+ }
+ }
+
+ # OSSEC Archive Logs
+ if [type] == "ossec_archive" {
+
+ # Sysmon/Autoruns logs transported by OSSEC
+ if [message] =~ "Microsoft-Windows-Sysmon" {
+ mutate {
+ replace => { "type" => "sysmon" }
+ add_tag => [ "ossec" ]
+ }
+ }
+ if [message] =~ "AR-LOG" {
+ mutate {
+ replace => { "type" => "autoruns" }
+ add_tag => [ "ossec" ]
+ }
+ }
+
+ # If message looks like json, try to parse it as such. Otherwise, grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+ mutate {
+ rename => [ "rule", "wazuh-rule" ]
+ rename => [ "[wazuh-rule][level]", "alert_level" ]
+ rename => [ "[wazuh-rule][description]", "description" ]
+ rename => [ "[data][srcuser]", "username" ]
+ rename => [ "[data][dstuser]", "escalated_user" ]
+ rename => [ "[data][command]", "command" ]
+ rename => [ "[predecoder][program_name]", "process" ]
+ }
+ } else {
+ grok {
+ match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+ "message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
+ "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+ "message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
+ "message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+ remove_field => [ "ossec_timestamp" ]
+ }
+ mutate {
+ convert => [ "status_code", "integer" ]
+ }
+ }
+ }
+}
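Review bot: The first `message` pattern in the alerts grok reads `%{NONNEGINT;alert_level}` with a semicolon where the `%{SYNTAX:SEMANTIC}` separator needs a colon, so that branch can never capture `alert_level` and most likely never matches at all; the later pattern that captures `alert_Level`, `Rule` and `Description` uses different casing from the `alert_level`/`rule`/`description` fields every other pattern produces. Events that hit either pattern then miss the `if [alert_level]` alert tag and the `translate` classification that follow. Change the first to `%{NONNEGINT:alert_level}` and the other to `%{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description};`. The dictionary value `Unusal error (high importance)` also carries a typo into the stored `classification` field.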
diff --git a/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..6ebf10487
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
@@ -0,0 +1,118 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+ # OSSEC Logs and Alerts
+ if [type] == "sysmon" or "sysmon" in [tags] {
+ if [message] !~ /^{.*}$/ {
+ #mutate { replace => { "type" => "sysmon" } }
+ grok {
+ # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+ match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+ }
+ mutate {
+ convert => ["event_id", "integer"]
+ remove_field => ["timestamp"]
+ remove_field => ["year"]
+ }
+ if [event_id] == 1 {
+ grok {
+ match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+ "rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+ "rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ add_tag => ["process_creation"]
+ }
+ }
+ if [event_id] == 3 {
+ mutate {
+ remove_field => ["source_ip"]
+ }
+ grok {
+ match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ convert => ["source_port", "integer"]
+ convert => ["destination_port", "integer"]
+ add_tag => ["network_connection"]
+ }
+ }
+ if [event_id] == 5 {
+ grok {
+ match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ add_tag => ["process_termination"]
+ }
+ }
+ if [event_id] == 11 {
+ grok {
+ match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ add_tag => ["file_created"]
+ }
+ }
+ mutate {
+ remove_field => ["rest_of_msg"]
+ }
+ } else {
+ mutate {
+ rename => { "[data][srcuser]" => "username" }
+ rename => { "[data][id]" => "event_id" }
+ rename => { "[data][dstport]" => "destination_port" }
+ rename => { "[data][dstip]" => "destination_ip" }
+ rename => { "[data][srcip]" => "source_ip" }
+ rename => { "[data][sysmon][image]" => "image_path" }
+ rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
+ rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+ rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
+ rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
+ }
+ # Wazuh 3.8.2
+ if [data][EventChannel] {
+ mutate {
+ rename => { "[data][EventChannel][EventData][User]" => "username" }
+ rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+ rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+ rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+ rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+ rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+ rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
+ rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
+ rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
+ rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+ rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+ }
+ }
+ # Wazuh 3.9.2
+ if [data][win] {
+ mutate {
+ rename => { "[data][win][eventdata][user]" => "username" }
+ rename => { "[data][win][system][eventID]" => "event_id" }
+ rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+ rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+ rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+ rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+ rename => { "[data][win][eventdata][image]" => "image_path" }
+ rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
+ rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
+ rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+ rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+ }
+ }
+ }
+ }
+}
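Review bot: The `convert => ["process_guid", "integer"]` entries in the event 1, 3, 5 and 11 mutate blocks act on a value the preceding grok captured from inside `\{...\}` as `%{DATA:process_guid}`, i.e. a GUID string, so the integer conversion cannot preserve it (depending on the mutate version it is zeroed or mangled) and the field becomes useless for relating a process-creation event to its network and file events. Drop those four lines and keep only the `process_id`/port conversions. The third event-1 pattern also leaves the parentheses and braces around `INFORMATION(%{INT:event_id})` and the GUIDs unescaped, unlike its siblings, which looks unintended.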
diff --git a/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..5d7207891
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
@@ -0,0 +1,43 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Updated by: Dustin Lee
+# Last Update: 06/13/2019
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+ if [type] == "autoruns" or "autoruns" in [tags] {
+ if [message] !~ /^{.*}$/ {
+ grok {
+ match => [
+ "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+ "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+ ]
+ }
+ #csv {
+# columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+# separator => "|"
+# }
+ mutate {
+ remove_field => [ "year" ]
+ remove_field => [ "timestamp" ]
+ }
+ } else {
+ grok {
+ match => [
+ "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+ "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+ ]
+ }
+ mutate {
+ # Rename fields
+ }
+ }
+ date {
+ match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
+ target => "image_timestamp"
+ }
+ }
+}
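Review bot: The two `message` patterns in the first grok are byte-identical, so the second entry can never match anything the first rejected; since the `full_log` branch below has a second pattern that omits `%{DATA:image_timestamp}\|`, the second `message` pattern was presumably meant to be that shorter variant. The mutate that follows removes `timestamp`, but this grok only captures `ossec_timestamp`, so either the field name or the removal is off. The empty `mutate { # Rename fields }` block in the else branch is dead configuration and can be deleted until it does something.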
diff --git a/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
new file mode 100644
index 000000000..200b58497
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/24/2018
+#
+# This conf file is based on accepting Sysmon logs from winlogbeat
+
+filter {
+ if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
+ mutate {
+ replace => { "type" => "sysmon" }
+ rename => { "[event_data][User]" => "username" }
+ rename => { "[event_data][DestinationPort]" => "destination_port" }
+ rename => { "[event_data][DestinationIp]" => "destination_ip" }
+ rename => { "[event_data][SourceIp]" => "source_ip" }
+ rename => { "[event_data][Image]" => "image_path" }
+ rename => { "[event_data][ParentImage]" => "parent_image_path" }
+ rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+ rename => { "[event_data][SourceHostname]" => "source_hostname" }
+ rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
+ rename => { "[event_data][TargetFilename]" => "target_filename" }
+ }
+ }
+}
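Review bot: `rename => { "[data][sysmon][targetfilename]" => "target_filename" }` in the middle of the block is a Wazuh-style `[data][sysmon]` path that winlogbeat events do not carry (their fields live under `[event_data]`), and `[event_data][TargetFilename]` is already renamed to `target_filename` two lines later; remove the stray line. `[event_data][SourcePort]` is not renamed although `DestinationPort` is, so `source_port` is never populated for winlogbeat-delivered Sysmon network events; add `rename => { "[event_data][SourcePort]" => "source_port" }` alongside the other renames.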
diff --git a/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
new file mode 100644
index 000000000..222757956
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
@@ -0,0 +1,17 @@
+# Author: Doug Burks
+#
+# Last Update: 09/24/2018
+#
+# This conf file is for beat data
+
+filter {
+ if "beat" in [tags] {
+ mutate {
+ # As of beats 6.3.0, host is now an object:
+ # https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
+ # This creates a conflict with our existing host string.
+ # So let's rename the host object to beat_host.
+ rename => { "host" => "beat_host" }
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+ if "osquery" in [tags] and [osquery][columns][eventid] {
+
+ mutate {
+ gsub => ["[osquery][columns][data]", "\\x0A", ""]
+ }
+
+ json {
+ source => "[osquery][columns][data]"
+ target => "[osquery][columns][data]"
+ }
+
+ mutate {
+ merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+ remove_field => ["[osquery][columns][data]"]
+ }
+
+ }
+}
\ No newline at end of file
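Review bot: The `merge`/`remove_field` mutate runs unconditionally after the `json` filter, so when `[osquery][columns][data]` is not valid JSON the event is tagged `_jsonparsefailure`, the merge then tries to fold a plain string into the `[osquery][columns]` hash, and the raw value is deleted, leaving nothing to debug with. Guard the last mutate with `if "_jsonparsefailure" not in [tags] { ... }` so a failed parse keeps the original `data`. The `gsub` pattern `"\\x0A"` matches the literal text sequence backslash-x0A rather than a newline byte (config escape processing is off by default); if that is the intent a one-line comment saying so would save the next reader from "fixing" it.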
diff --git a/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+ if [source_ip] {
+ if [source_ip] == "-" {
+ mutate {
+ replace => { "source_ip" => "0.0.0.0" }
+ }
+ }
+ if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+ mutate {
+ }
+ } else {
+ geoip {
+ source => "[source_ip]"
+ target => "source_geo"
+ }
+ }
+ if [source_ip] {
+ mutate {
+ add_field => { "ips" => "%{source_ip}" }
+ add_field => { "source_ips" => [ "%{source_ip}" ] }
+ }
+ }
+ }
+ if [destination_ip] {
+ if [destination_ip] == "-" {
+ mutate {
+ replace => { "destination_ip" => "0.0.0.0" }
+ }
+ }
+ if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+ mutate {
+ }
+ }
+ else {
+ geoip {
+ source => "[destination_ip]"
+ target => "destination_geo"
+ }
+ }
+ }
+ if [destination_ip] {
+ mutate {
+ add_field => { "ips" => "%{destination_ip}" }
+ add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+ }
+ }
+}
+ #if [source_ip] or [destination_ip] {
+ # mutate {
+ #add_tag => [ "conf_file_8001"]
+ # }
+ #}
+
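Review bot: The private-range tests `[source_ip] =~ "10\."`, `"192\.168\."`, `"172\.(1[6-9]|2[0-9]|3[0-1])\."` and `"::1"` are unanchored regexes, so any address that merely contains those substrings (`210.x.x.x`, `3.10.x.x`, `8.192.168.x`, any IPv6 containing `::1`) is treated as internal and skipped by `geoip`; the `destination_ip` branch has the same issue and additionally leaves the dots unescaped in `"239.255.255.250"` and `"255.255.255.255"`. Anchor them (`"^10\."`, `"^192\.168\."`, `"^172\.(1[6-9]|2[0-9]|3[0-1])\."`, `"^::1$"`) and escape the literal dots, or use the `cidr` filter, which expresses the intent directly. The same unanchored patterns recur in `8200_postprocess_tagging.conf` for both `internal_destination` and `internal_source`. The hard-coded `fe80::20c:29ff:fe19:f7d` looks like one specific host's link-local address rather than a range; `"^fe80:"` would cover the whole link-local prefix.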
diff --git a/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+ if [type] == "bro_http" {
+ if [uri] {
+ ruby {
+ code => "event.set('uri_length', event.get('uri').length)"
+ }
+ }
+ if [virtual_host] {
+ ruby {
+ code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+ }
+ }
+ if [useragent] {
+ ruby {
+ code => "event.set('useragent_length', event.get('useragent').length)"
+ }
+ }
+ mutate {
+ ##add_tag => [ "conf_file_8007"]
+ }
+ }
+}
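Review bot: The three `ruby` blocks call `.length` on whatever `event.get` returns, so if `uri`, `virtual_host` or `useragent` were ever multi-valued the stored `*_length` would be the element count rather than the string length, and the `if [uri]` guards do not distinguish the two cases; if single-string fields are assumed, a one-line comment saying so would make that explicit. The trailing `mutate { ##add_tag ... }` block is dead configuration and can be dropped.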
diff --git a/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..e698b3ce3
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
@@ -0,0 +1,63 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [destination_ip] {
+ if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+ mutate {
+ add_tag => [ "internal_destination" ]
+ }
+ } else {
+ mutate {
+ add_tag => [ "external_destination" ]
+ }
+ }
+ if "internal_destination" not in [tags] {
+ if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+ mutate {
+ add_tag => [ "root_dns_server" ]
+ }
+ }
+ }
+ # Customize this section to your environment
+ if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+ mutate {
+ add_tag => [ "authorized_dns_server" ]
+ }
+ }
+ }
+ if [source_ip] {
+ if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+ mutate {
+ add_tag => [ "internal_source" ]
+ }
+ } else {
+ mutate {
+ add_tag => [ "external_source" ]
+ }
+ }
+ if "internal_source" not in [tags] {
+ if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+ mutate {
+ add_tag => [ "root_dns_server" ]
+ }
+ }
+ }
+ # Customize this section to your environment
+ if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+ mutate {
+ add_tag => [ "authorized_dns_server" ]
+ }
+ }
+ mutate {
+ ##add_tag => [ "conf_file_8200"]
+ }
+ }
+ if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
+ mutate {
+ remove_tag => [ "syslog" ]
+ }
+ }
+}
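Review bot: The `authorized_dns_server` check inside the `if [source_ip]` block still tests `[destination_ip]` (copied from the destination block above), so traffic *from* one of the listed resolvers is never tagged and the destination case is merely re-evaluated with an extra `not in [tags]` guard; it should read `if [source_ip] == "74.40.74.40" or [source_ip] == "74.40.74.41" {` with the same mutate. That condition also mixes `and`/`or` without parentheses, which is worth making explicit even if the evaluation order happens to be right. The root-server address list is duplicated verbatim for source and destination; a single comment stating what the list is and when it was last verified would help whoever maintains it.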
diff --git a/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ ruby {
+ code => "event.set('task_end', Time.now.to_f)"
+ }
+ ruby {
+ code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+ }
+ mutate {
+ remove_field => [ 'task_start', 'task_end' ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_8998"]
+ }
+}
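Review bot: `event.get('task_end') - event.get('task_start')` assumes `task_start` was set by an earlier pipeline stage that is not in this file; for any event where it is absent a `nil` is subtracted from a Float, the ruby filter raises, and the event is tagged `_rubyexception` instead of getting `logstash_time`. Wrap the second ruby block in `if [task_start] { ... }` and add a comment naming where `task_start` is expected to come from.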
diff --git a/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+ mutate {
+ rename => [ "type", "event_type" ]
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
new file mode 100644
index 000000000..2beafc8be
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
@@ -0,0 +1,32 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ mutate {
+ add_field => { "sensor_name" => "{{ NAME }}" }
+ }
+ }
+}
+output {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ pipeline => "%{event_type}"
+ hosts => "{{ ES }}"
+ index => "logstash-bro-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
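Review bot: `NAME` is only assigned inside the `so-eval` branch of the Jinja header, so on every other role `{{ NAME }}` is undefined when `sensor_name` is rendered; depending on the Salt Jinja undefined setting that either renders as an empty `sensor_name` for all Bro events or fails the state. Move `{%- set NAME = grains.host -%}` above the `if`. The `ES` pillar lookups also default to `''`, which yields `hosts => ""` and an output that cannot start; a non-empty default or an explicit check would fail more visibly.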
diff --git a/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9001"]
+ }
+ }
+}
+output {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-switch-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
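Review bot: This elasticsearch output installs `/logstash-template.json` with no `template_name` and no `template_overwrite`, whereas `9000_output_bro.conf` registers the same file as `logstash` with `template_overwrite => true` and `9002_output_import.conf` registers it as `logstash-*`; if the plugin default name is `logstash` (as I recall), this output and 9000 contend over one template name while 9002 creates a second template with an identical body. `9004_output_flow.conf` has the same omission. Pick one `template_name`/`template_overwrite` pair and use it in every output, or install the template once outside Logstash.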
diff --git a/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+ if "import" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9002"]
+ }
+ }
+}
+output {
+ if "import" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-import-%{+YYYY.MM.dd}"
+ template_name => "logstash-*"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9004"]
+ }
+ }
+}
+output {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-flow-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9026"]
+ }
+ }
+}
+output {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
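Review bot: The elasticsearch output for dhcp sets no `index`, so events land in the plugin's default `logstash-%{+YYYY.MM.dd}` index instead of a per-source index like the `logstash-switch-…` / `logstash-flow-…` names used by 9001 and 9004; 9029, 9030, 9031 and 9032 omit `index` the same way, and 9301 sets the bare `logstash-%{+YYYY.MM.dd}` explicitly. Mixing event types into one daily index makes retention and field-mapping conflicts harder to manage, so I'd add `index => "logstash-dhcp-%{+YYYY.MM.dd}"` here and the matching name in each sibling, or note in a comment that the shared index is intentional.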
diff --git a/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9029"]
+ }
+ }
+}
+output {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9030"]
+ }
+ }
+}
+output {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9031"]
+ }
+ }
+}
+output {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9032"]
+ }
+ }
+}
+output {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "ids" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9033"]
+ }
+ }
+}
+output {
+ if [event_type] == "ids" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9034"]
+ }
+ }
+}
+output {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-syslog-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
new file mode 100644
index 000000000..132f0eb66
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
@@ -0,0 +1,32 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Security Onion Solutions
+# Last Update: 2/3/2020
+# Output to ES for osquery tagged logs - EVAL install
+
+
+filter {
+ if "osquery" in [tags] {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ }
+ json {
+ source => "message"
+ target => "osquery"
+ }
+ }
+}
+
+output {
+ if "osquery" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-osquery-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9200"]
+ }
+ }
+}
+output {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-firewall-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9300"]
+ }
+ }
+}
+output {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-windows-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9301"]
+ }
+ }
+}
+output {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
new file mode 100644
index 000000000..1de235444
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ mutate {
+ add_field => { "sensor_name" => "{{ NAME }}" }
+ }
+ }
+}
+output {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
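Review bot: `NAME` is assigned only inside the `so-eval` branch of the Jinja prologue, but the filter's `add_field => { "sensor_name" => "{{ NAME }}" }` is rendered for every role; on a non-eval node the variable is undefined and, as far as I recall, Salt's renderer substitutes an empty string, so `sensor_name` is set to "" rather than the host name. Moving `{%- set NAME = grains.host -%}` out of the conditional (before the `if`) gives both branches a value. If the field is genuinely wanted only on eval, wrap the `add_field` in the same Jinja condition instead.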
diff --git a/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+ if "beat" in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9500"]
+ }
+ }
+}
+output {
+ if "beat" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-beats-%{+YYYY.MM.dd}"
+ template_name => "logstash-beats"
+ template => "/beats-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+ if [event_type] =~ "ossec" {
+ mutate {
+ ##add_tag => [ "conf_file_9600"]
+ }
+ }
+}
+
+output {
+ if [event_type] =~ "ossec" or "ossec" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ossec-%{+YYYY.MM.dd}"
+ template_name => "logstash-ossec"
+ template => "/logstash-ossec-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/0010_input_hhbeats.conf b/salt/logstash/conf/pipelines/helix/0010_input_hhbeats.conf
new file mode 100644
index 000000000..6b7667f5c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/0010_input_hhbeats.conf
@@ -0,0 +1,40 @@
+input {
+ beats {
+ port => "5644"
+ ssl => true
+ ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+ ssl_certificate => "/usr/share/logstash/filebeat.crt"
+ ssl_key => "/usr/share/logstash/filebeat.key"
+ tags => [ "beat" ]
+ }
+}
+filter {
+ if [type] == "ids" or [type] =~ "bro" {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ add_field => { "sensor_name" => "%{[beat][name]}" }
+ add_field => { "syslog-host_from" => "%{[beat][name]}" }
+ remove_field => [ "beat", "prospector", "input", "offset" ]
+ }
+ }
+ if [type] =~ "ossec" {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ add_field => { "syslog-host_from" => "%{[beat][name]}" }
+ remove_field => [ "beat", "prospector", "input", "offset" ]
+ }
+ }
+ if [type] == "osquery" {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ add_tag => ["osquery"]
+ }
+ json {
+ source => "message"
+ target => "osquery"
+ }
+ }
+}
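Review bot: The beats input enables TLS and lists `ssl_certificate_authorities`, but without `ssl_verify_mode` the plugin's default is `none`, so client certificates are never requested and the CA file plays no part in authentication; any host that can reach port 5644 can submit events to the pipeline, which matters for a security-monitoring collector. Adding `ssl_verify_mode => "force_peer"` requires the shipper to present a certificate signed by that CA. Also worth confirming: the CA is read from `/usr/share/filebeat/ca.crt` while the server certificate and key live under `/usr/share/logstash/`, so the CA path looks like a container-mount assumption that should be checked or explained in a comment.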
diff --git a/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+ if [type] == "ids" {
+ # This is the initial parsing of the log
+ if [engine] == "suricata" {
+ json {
+ source => "message"
+ }
+ mutate {
+ rename => { "alert" => "orig_alert" }
+ rename => { "[orig_alert][gid]" => "gid" }
+ rename => { "[orig_alert][signature_id]" => "sid" }
+ rename => { "[orig_alert][rev]" => "rev" }
+ rename => { "[orig_alert][signature]" => "alert" }
+ rename => { "[orig_alert][category]" => "classification" }
+ rename => { "[orig_alert][severity]" => "priority" }
+ rename => { "[orig_alert][rule]" => "rule_signature" }
+ rename => { "app_proto" => "application_protocol" }
+ rename => { "dest_ip" => "destination_ip" }
+ rename => { "dest_port" => "destination_port" }
+ rename => { "in_iface" => "interface" }
+ rename => { "proto" => "protocol" }
+ rename => { "src_ip" => "source_ip" }
+ rename => { "src_port" => "source_port" }
+ #rename => { "[fileinfo][filename]" => "filename" }
+ #rename => { "[fileinfo][gaps]" => "gaps" }
+ #rename => { "[fileinfo][size]" => "size" }
+ #rename => { "[fileinfo][state]" => "state" }
+ #rename => { "[fileinfo][stored]" => "stored" }
+ #rename => { "[fileinfo][tx_id]" => "tx_id" }
+ #rename => { "[flow][age]" => "duration" }
+ #rename => { "[flow][alerted]" => "flow_alerted" }
+ #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+ #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+ #rename => { "[flow][end]" => "flow_end" }
+ #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+ #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+ #rename => { "[flow][reason]" => "reason" }
+ #rename => { "[flow][start]" => "flow_start" }
+ #rename => { "[flow][state]" => "state" }
+ #rename => { "[netflow][age]" => "duration" }
+ #rename => { "[netflow][bytes]" => "bytes" }
+ #rename => { "[netflow][end]" => "netflow_end" }
+ #rename => { "[netflow][start]" => "netflow_start" }
+ #rename => { "[netflow][pkts]" => "packets" }
+ rename => { "[alert][action]" => "action" }
+ rename => { "[alert][category]" => "category" }
+ rename => { "[alert][gid]" => "gid" }
+ rename => { "[alert][rev]" => "rev" }
+ rename => { "[alert][severity]" => "severity" }
+ rename => { "[alert][signature]" => "signature" }
+ rename => { "[alert][signature_id]" => "sid" }
+ #rename => { "[dns][aa]" => "aa" }
+ #rename => { "[dns][flags]" => "flags" }
+ #rename => { "[dns][id]" => "id" }
+ #rename => { "[dns][qr]" => "qr" }
+ #rename => { "[dns][rcode]" => "rcode_name" }
+ #rename => { "[dns][rrname]" => "rrname" }
+ #rename => { "[dns][rrtype]" => "rrtype" }
+ #rename => { "[dns][tx_id]" => "tx_id" }
+ #rename => { "[dns][type]" => "record_type" }
+ #rename => { "[dns][version]" => "version" }
+ rename => { "[http][hostname]" => "virtual_host" }
+ rename => { "[http][http_content_type]" => "content_type" }
+ rename => { "[http][http_port]" => "http_port" }
+ rename => { "[http][http_method]" => "method" }
+ rename => { "[http][http_user_agent]" => "useragent" }
+ #rename => { "[http][length]" => "payload_length" }
+ #rename => { "[http][protocol]" => "http_version" }
+ rename => { "[http][status]" => "status_message" }
+ rename => { "[http][url]" => "url" }
+ #rename => { "[metadata][flowbits]" => "flowbits" }
+ rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+ rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+ rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+ rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+ rename => { "[tls][subject]" => "certificate_common_name" }
+ rename => { "[tls][version]" => "tls_version" }
+ rename => { "event_type" => "ids_event_type" }
+ remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+ remove_tag => [ "beats_input_codec_plain_applied" ]
+ add_tag => [ "eve" ]
+
+ }
+ } else {
+ grok {
+ match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+ "message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+ "message", "%{GREEDYDATA:alert}"]
+ }
+ }
+ if [timestamp] {
+ mutate {
+ add_field => { "logstash_timestamp" => "%{@timestamp}" }
+ }
+ mutate {
+ convert => { "logstash_timestamp" => "string" }
+ }
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ mutate {
+ rename => { "logstash_timestamp" => "timestamp" }
+ }
+ }
+
+ # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+ if [alert] =~ "GPL " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "alert" => "GPL\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Snort GPL" }
+ lowercase => [ "category"]
+ }
+ }
+ # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+ if [alert] =~ "ET " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "alert" => "ET\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Emerging Threats" }
+ lowercase => [ "category"]
+ }
+ }
+ # I recommend changing the field types below to integer so searches can do greater than or less than
+ # and also so math functions can be ran against them
+ mutate {
+ convert => [ "source_port", "integer" ]
+ convert => [ "destination_port", "integer" ]
+ convert => [ "gid", "integer" ]
+ convert => [ "sid", "integer" ]
+ # remove_field => [ "message"]
+ }
+ # This will translate the priority field into a severity field of either High, Medium, or Low
+ if [priority] == 1 {
+ mutate {
+ add_field => { "severity" => "High" }
+ }
+ }
+ if [priority] == 2 {
+ mutate {
+ add_field => { "severity" => "Medium" }
+ }
+ }
+ if [priority] == 3 {
+ mutate {
+ add_field => { "severity" => "Low" }
+ }
+ }
+ # This section adds URLs to lookup information about a rule online
+ if [sid] and [sid] > 0 and [sid] < 1000000 {
+ mutate {
+ add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+ }
+ }
+ if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+ mutate {
+ add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+ }
+ }
+# mutate {
+ #add_tag => [ "conf_file_1033"]
+# }
+ }
+}
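Review bot: `priority` is never converted to an integer — the `convert` list covers `source_port`, `destination_port`, `gid` and `sid` only — yet the severity mapping compares `[priority] == 1` / `== 2` / `== 3` numerically; on the grok-parsed (non-Suricata) path `%{INT:priority}` yields a string, and I would not expect the string "1" to satisfy an integer comparison, leaving `severity` unset for Snort alerts. Adding `convert => [ "priority", "integer" ]` to that mutate resolves it. A second, detection-relevant point: the final grok pattern `"message", "%{GREEDYDATA:alert}"` always matches, so a line that none of the real patterns fit never receives `_grokparsefailure` and the breakage stays invisible; consider dropping that catch-all so unparsed alerts can be spotted and alerted on. The `signature_info` ranges also leave SIDs 1000000–1999999 and the exact values 1999999 and 2999999 without a link, which may be intended but is worth a comment.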
diff --git a/salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf b/salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf
new file mode 100644
index 000000000..b64b56bbe
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf
@@ -0,0 +1,77 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for conn.log from Bro systems
+filter {
+ if [type] == "bro_conn" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "proto" => "protocol" }
+ #service
+ #duration
+ rename => { "orig_bytes" => "original_bytes" }
+ rename => { "resp_bytes" => "respond_bytes" }
+ rename => { "conn_state" => "connection_state" }
+ #local_orig
+ rename => { "local_resp" => "local_respond" }
+ #missed_bytes
+ #history
+ rename => { "orig_pkts" => "original_packets" }
+ rename => { "orig_ip_bytes" => "original_ip_bytes" }
+ rename => { "resp_pkts" => "respond_packets" }
+ rename => { "resp_ip_bytes" => "respond_ip_bytes" }
+ #tunnel_parents
+ rename => { "orig_cc" => "original_country_code" }
+ rename => { "resp_cc" => "respond_country_code" }
+ rename => { "sensorname" => "sensor_name" }
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","service","duration","original_bytes","respond_bytes","connection_state","local_orig","local_respond","missed_bytes","history","original_packets","original_ip_bytes","respond_packets","respond_ip_bytes","tunnel_parents","sensor_name"]
+
+ # If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
+ separator => " "
+ }
+ }
+
+ translate {
+ field => "connection_state"
+
+ destination => "connection_state_description"
+
+ dictionary => [
+ "S0", "Connection attempt seen, no reply",
+ "S1", "Connection established, not terminated",
+ "S2", "Connection established and close attempt by originator seen (but no reply from responder)",
+ "S3", "Connection established and close attempt by responder seen (but no reply from originator)",
+ "SF", "Normal SYN/FIN completion",
+ "REJ", "Connection attempt rejected",
+ "RSTO", "Connection established, originator aborted (sent a RST)",
+ "RSTR", "Established, responder aborted",
+ "RSTOS0", "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
+ "RSTRH", "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
+ "SH", "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
+ "SHR", "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
+ "OTH", "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
+ ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_1100"]
+ }
+ }
+}
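Review bot: `separator => " "` in the csv filter appears in the diff as a single space, while the comment directly above says a literal tab must be inserted; if the committed file really holds a space, tab-separated Bro conn logs will not split into the listed columns (the same applies to the csv blocks in 1101, 1102 and 1103). The diff may simply be rendering a tab as a space, so I'd verify the byte in the repository and, since a literal tab is invisible in review, consider the escaped form `separator => "\t"` if the pinned plugin and Logstash's escape setting accept it — hedging there because by default Logstash config strings take backslashes literally. The `dictionary` given as a flat array of key/value pairs is the legacy form of the translate filter; newer releases expect a hash (`dictionary => { "S0" => "Connection attempt seen, no reply" … }`), so this is worth checking against the installed plugin version.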
diff --git a/salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf b/salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf
new file mode 100644
index 000000000..e7e7f12c0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf
@@ -0,0 +1,56 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 1/3/2019
+#
+# This conf file is based on accepting logs for dhcp.log from Bro systems
+filter {
+ if [type] == "bro_dhcp" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #mac
+ #assigned_ip
+ #lease_time
+ rename => { "trans_id" => "transaction_id" }
+ # new dhcp log format
+ rename => { "assigned_addr" => "assigned_ip" }
+ rename => { "client_addr" => "source_ip" }
+ rename => { "server_addr" => "destination_ip" }
+ rename => { "requested_addr" => "requested_ip" }
+ rename => { "domain" => "domain_name" }
+ rename => { "host_name" => "hostname" }
+ rename => { "msg_types" => "message_types" }
+ rename => { "uids" => "uid" }
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ # Bro logs in TSV format
+ csv {
+ columns => [ "timestamp", "uid", "source_ip", "destination_ip", "mac", "hostname", "client_fqdn", "domain_name", "requested_ip", "assigned_ip", "lease_time","client_message", "server_message", "message_types", "duration" ]
+ separator => " "
+ }
+ # Remove fields with empty values (-) to prevent field data type conflict
+ ruby {
+ code =>"
+ hash = event.to_hash.each do |key,value|
+ if value == '-'
+ event.remove(key)
+ end
+ end"
+ }
+ }
+ }
+}
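Review bot: In the ruby filter, `hash = event.to_hash.each do |key,value|` assigns a value that is never read; the intent is only the iteration, so `event.to_hash.each do |key, value|` reads more honestly. The `-` removal also runs only on the csv branch; that is fine if JSON-format Bro logs omit unset fields rather than emitting `-`, but a one-line comment saying so would save the next reader from wondering why the json branch is exempt.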
diff --git a/salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf b/salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf
new file mode 100644
index 000000000..340cdafbc
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf
@@ -0,0 +1,74 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dns.log from Bro systems
+filter {
+ if [type] == "bro_dns" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "proto" => "protocol" }
+ rename => { "trans_id" => "transaction_id" }
+ #rtt field
+ #query field
+ rename => { "qclass" => "query_class" }
+ rename => { "qclass_name" => "query_class_name" }
+ rename => { "qtype" => "query_type" }
+ rename => { "qtype_name" => "query_type_name" }
+ #rcode
+ #rcode_name
+ rename => { "AA" => "aa" }
+ rename => { "TC" => "tc" }
+ rename => { "RD" => "rd" }
+ rename => { "RA" => "ra" }
+ rename => { "Z" => "z" }
+ #answers
+ rename => { "TTLs" => "ttls" }
+ #rejected
+ }
+ } else {
+
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","transaction_id","rtt","query","query_class","query_class_name","query_type","query_type_name","rcode","rcode_name","aa","tc","rd","ra","z","answers","ttls","rejected"]
+
+ #If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
+ separator => " "
+ }
+ }
+
+ mutate {
+ add_tag => [ "dns" ]
+ }
+ if [ttls] == "-" {
+ mutate {
+ remove_field => [ "ttls" ]
+ }
+ }
+ if [rtt] == "-" {
+ mutate {
+ remove_field => [ "rtt" ]
+ }
+ }
+ #mutate {
+ #convert => [ "rtt", "float" ]
+ #}
+ mutate {
+ #add_tag => [ "conf_file_1102"]
+ }
+ }
+}
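Review bot: The placeholder cleanup here removes only `ttls` and `rtt` when they equal `-`, whereas 1101_preprocess_bro_dhcp strips every `-` valued field with a generic ruby block; the remaining dns columns (`answers`, `query_class`, `rcode`, …) presumably carry the same `-` placeholder on the TSV path and would then be indexed as the literal string, which is the mapping-conflict problem the dhcp file's comment describes. I'd either reuse the same generic removal or document why only these two fields matter for dns.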
diff --git a/salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf b/salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf
new file mode 100644
index 000000000..cc3b6ad39
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf
@@ -0,0 +1,42 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dpd.log from Bro systems
+filter {
+ if [type] == "bro_dpd" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "proto" => "protocol" }
+ #analyzer
+ #failure_reason
+ }
+ } else {
+
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","analyzer","failure_reason"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1103"]
+ }
+
+ }
+}
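Review bot: The csv filter's `separator => " "` is printed here as a single space, but Bro's non-JSON logs are tab-delimited; if the committed byte is a space rather than a literal tab, every non-JSON dpd.log line will be left unparsed in `timestamp` and the remaining columns never populated. The 1102 conf's own comment warns that editors convert tabs to spaces, so this is worth confirming on the committed file (e.g. with `cat -A`) rather than by eye. The same `separator` line appears in every csv-based conf in this series, so one check covers them all.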
diff --git a/salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf b/salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf
new file mode 100644
index 000000000..88c524ea5
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf
@@ -0,0 +1,64 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for files.log from Bro systems
+filter {
+ if [type] == "bro_files" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #fuid
+ rename => { "tx_hosts" => "file_ip" }
+ rename => { "rx_hosts" => "destination_ip" }
+ rename => { "conn_uids" => "connection_uids" }
+ #source field
+ #depth field
+ rename => { "analyzers" => "analyzer" }
+ rename => { "mime_type" => "mimetype" }
+ rename => { "filename" => "file_name" }
+ #duration
+ #local_orig
+ #is_orig
+ #seen_bytes
+ #total_bytes
+ #missing_bytes
+ #overflow_bytes
+ rename => { "timedout" => "timed_out" }
+ #parent_fuid
+ #md5
+ #sha1
+ #sha256
+ #extracted
+ #extracted_cutoff
+ #extracted_size
+ }
+ } else {
+
+ csv {
+ columns => ["timestamp","fuid","file_ip","destination_ip","connection_uids","source","depth","analyzer","mimetype","file_name","duration","local_orig","is_orig","seen_bytes","total_bytes","missing_bytes","overflow_bytes","timed_out","parent_fuid","md5","sha1","sha256","extracted","extracted_cutoff","extracted_size"]
+ separator => " "
+ }
+ if [destination_ip] =~ /,/ {
+ mutate {
+ split => { "destination_ip" => "," }
+ }
+ }
+ if [file_ip] =~ /,/ {
+ mutate {
+ split => { "file_ip" => "," }
+ }
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1104"]
+ }
+ }
+}
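Review bot: The csv branch here is the only one in this series that does not strip quote characters from `message` before the csv filter (the sibling confs run `mutate { gsub => [ "message", "[\"']", "" ] }` first); a `file_name` or `source` value containing a `"` will be treated as a csv quote character and can shift every later column, including the `md5`/`sha1`/`sha256` values analysts pivot on. If keeping quotes is deliberate because file names may legitimately contain them, a one-line comment such as `# quotes intentionally kept: file names may contain them` would stop the next reader from "fixing" it; otherwise add the same gsub before the csv block or set the csv filter's `quote_char` to a character that cannot appear in the data.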
diff --git a/salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf b/salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf
new file mode 100644
index 000000000..c37ac71a0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf
@@ -0,0 +1,56 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for ftp.log from Bro systems
+filter {
+ if [type] == "bro_ftp" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "user" => "username" }
+ #password
+ rename => { "command" => "ftp_command" }
+ rename => { "arg" => "ftp_argument" }
+ rename => { "mime_type" => "mimetype" }
+ #file_size
+ #reply_code
+ rename => { "reply_msg" => "reply_message" }
+ rename => { "data_channel.passive" => "data_channel_passive" }
+ rename => { "data_channel.orig_h" => "data_channel_source_ip" }
+ rename => { "data_channel.resp_h" => "data_channel_destination_ip" }
+ rename => { "data_channel.resp_p" => "data_channel_destination_port" }
+ #fuid
+ }
+
+ mutate {
+ convert => { "reply" => "string" }
+ }
+
+ } else {
+
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","username","password","ftp_command","ftp_argument","mimetype","file_size","reply_code","reply_message","data_channel_passive","data_channel_source_ip","data_channel_destination_ip","data_channel_destination_port","fuid"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1105"]
+ }
+ }
+}
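Review bot: `convert => { "reply" => "string" }` in the second mutate of the JSON branch targets a field neither branch produces — the JSON branch leaves `reply_code` untouched and renames `reply_msg` to `reply_message` — so it is a no-op; `reply_code` is presumably what was intended. Separately, the `password` column (csv) and `#password` key (JSON) are indexed verbatim, and Bro records the cleartext FTP password for non-anonymous logins, so whether this conf intentionally retains credentials or should `remove_field` / redact them for non-anonymous users is a decision that belongs here, stated in a comment, rather than being left to downstream consumers.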
diff --git a/salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf b/salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf
new file mode 100644
index 000000000..3cff8faa7
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf
@@ -0,0 +1,77 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for http.log from Bro systems
+filter {
+ if [type] == "bro_http" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+
+ # Rename logstash tags field to avoid being overwritten by Bro's http tags field
+ mutate {
+ rename => { "tags" => "tags-orig" }
+ }
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #trans_depth
+ #method
+ rename => { "host" => "virtual_host" }
+ #uri
+ #referrer
+ #version
+ #convert => { "version" => "string" }
+ rename => { "user_agent" => "useragent" }
+ #origin
+ rename => { "request_body_len" => "request_body_length" }
+ rename => { "response_body_len" => "response_body_length" }
+ #status_code
+ #status_message
+ rename => { "status_msg" => "status_message" }
+ #info_code
+ rename => { "info_msg" => "info_message" }
+ #tags
+ # Rename http tags field to http-tags
+ rename => { "tags" => "http-tags" }
+ # Rename logstash tags field to tags
+ rename => { "tags-orig" => "tags" }
+ #username
+ #password
+ #proxied
+ #orig_fuids
+ #orig_filenames
+ #orig_mime_types
+ #resp_fuids
+ #resp_filenames
+ #resp_mime_types
+ }
+ if [http-tags] {
+ mutate {
+ remove_field => [ "http-tags" ]
+ }
+ }
+ } else {
+ grok {
+ match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*?))\t(?(.*))\t(?(.*))\t(?(.*?))\t(?(.*))" ]
+ }
+ }
+
+ if [useragent] == "-" {
+ mutate {
+ remove_field => [ "useragent" ]
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_1106"]
+ }
+ }
+}
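Review bot: The grok `match` pattern in the non-JSON branch consists of 30 `(?(.*?))` groups with no capture names; as printed, `(?(` is regex conditional-group syntax and the pattern would not compile, which would stop the pipeline on startup. This most likely reflects the `<name>` part of each `(?<name>...)` named capture being stripped when the page was rendered, but it should be verified in the committed file; the same pattern form appears in the 1112_preprocess_bro_smtp.conf hunk. If the file is correct, a comment listing the http.log column order the 30 groups correspond to (as the csv-based confs document via `columns`) would make the pattern reviewable, and note that unlike the JSON branch the grok branch performs no `tags` save/restore, so the http `tags` column cannot collide there.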
diff --git a/salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf b/salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf
new file mode 100644
index 000000000..841c4aa44
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf
@@ -0,0 +1,46 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for irc.log from Bro systems
+filter {
+ if [type] == "bro_irc" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #nick
+ rename => { "user" => "irc_username" }
+ rename => { "command" => "irc_command" }
+ #value
+ rename => { "addl" => "additional_info" }
+ #dcc_file_name
+ #dcc_file_size
+ #dcc_mime_type
+ #fuid
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","nick","irc_username","irc_command","value","additional_info","dcc_file_name","dcc_file_size","dcc_mime_type","fuid"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1107"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf b/salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf
new file mode 100644
index 000000000..89754126a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf
@@ -0,0 +1,56 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for kerberos.log from Bro systems
+filter {
+ if [type] == "bro_kerberos" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #request_type
+ #client
+ #service
+ rename => { "success" => "kerberos_success" }
+ rename => { "error_msg" => "error_message" }
+ rename => { "from" => "valid_from" }
+ rename => { "till" => "valid_till" }
+ #cipher
+ #forwardable
+ #renewable
+ rename => { "client_cert_subject" => "client_certificate_subject" }
+ rename => { "client_cert_fuid" => "client_certificate_fuid" }
+ rename => { "server_cert_subject" => "server_certificate_subject" }
+ rename => { "server_cert_fuid" => "server_certificate_fuid" }
+ }
+
+ mutate {
+ convert => { "kerberos_success" => "string" }
+ convert => { "renewable" => "string" }
+ }
+
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","request_type","client","service","kerberos_success","error_message","valid_from","valid_till","cipher","forwardable","renewable","client_certificate_subject","client_certificate_fuid","server_certificate_subject","server_certificate_fuid"]
+ separator => " "
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_1108"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf b/salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf
new file mode 100644
index 000000000..2c22896d8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf
@@ -0,0 +1,56 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for notice.log from Bro systems
+filter {
+ if [type] == "bro_notice" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #fuid
+ rename => { "mime" => "file_mime_type" }
+ rename => { "desc" => "file_description" }
+ rename => { "proto" => "protocol" }
+ rename => { "note" => "note" }
+ rename => { "msg" => "msg" }
+ rename => { "sub" => "sub_msg" }
+ rename => { "src" => "source_ip" }
+ rename => { "dst" => "destination_ip" }
+ #p
+ #n
+ rename => { "peer_descr" => "peer_description" }
+ rename => { "actions" => "action" }
+ #suppress_for
+ #destination_country_code
+ #destination_region
+ #destination_city
+ #destination_latitude
+ #destination_longitude
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","file_mime_type","file_description","protocol","note","msg","sub_msg","source_ip","destination_ip","p","n","peer_description","action","suppress_for","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1109"]
+ }
+ }
+}
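Review bot: The csv `columns` list names `source_ip` and `destination_ip` twice (for `id.orig_h`/`id.resp_h` and again for `src`/`dst`), and the JSON branch renames both `id.orig_h` and `src` to `source_ip`; in both branches the later value silently overwrites the earlier one, so for notices where `src` differs from `id.orig_h` the connection endpoint is lost. Give the second pair distinct names, e.g. `rename => { "src" => "notice_source_ip" }` / `rename => { "dst" => "notice_destination_ip" }`, and use the same names at those positions in `columns`. The self-renames `rename => { "note" => "note" }` and `rename => { "msg" => "msg" }` are no-ops and can be dropped.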
diff --git a/salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf b/salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf
new file mode 100644
index 000000000..435a2ca3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf
@@ -0,0 +1,52 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for rdp.log from Bro systems
+filter {
+ if [type] == "bro_rdp" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #cookie
+ #result
+ #security_protocol
+ #client_channels
+ #keyboard_layout
+ #client_build
+ #client_name
+ rename => { "client_dig_product_id" => "client_digital_product_id" }
+ #desktop_width
+ #desktop_height
+ #requested_color_depth
+ rename => { "cert_type" => "certificate_type" }
+ rename => { "cert_count" => "certificate_count" }
+ rename => { "cert_permanent" => "certificate_permanent" }
+ #encryption_level
+ #encryption_method
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","cookie","result","security_protocol","client_channels","keyboard_layout","client_build","client_name","client_digital_product_id","desktop_width","desktop_height","requested_color_depth","certificate_type","certificate_count","certificate_permanent","encryption_level","encryption_method"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1110"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf b/salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf
new file mode 100644
index 000000000..0d3c1dc57
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf
@@ -0,0 +1,43 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for signatures.log from Bro systems
+filter {
+ if [type] == "bro_signatures" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #note
+ rename => { "sig_id" => "signature_id" }
+ rename => { "event_msg" => "event_message" }
+ rename => { "sub_msg" => "sub_message" }
+ rename => { "sig_count" => "signature_count" }
+ #host_count
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","note","signature_id","event_message","sub_message","signature_count","host_count"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1111"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf b/salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf
new file mode 100644
index 000000000..743bd5716
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf
@@ -0,0 +1,65 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for smtp.log from Bro systems
+filter {
+ if [type] == "bro_smtp" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #trans_depth
+ #helo
+ rename => { "mailfrom" => "mail_from" }
+ rename => { "rcptto" => "recipient_to" }
+ rename => { "date" => "mail_date" }
+ #from
+ #to
+ #cc
+ #reply_to
+ rename => { "msg_id" => "message_id" }
+ #in_reply_to
+ #subject
+ #x_originating_ip
+ #first_received
+ #second_received
+ #last_reply
+ #path
+ rename => { "user_agent" => "useragent" }
+ #tls
+ #fuids
+ #is_webmail
+ }
+
+ mutate {
+ convert => { "tls" => "string" }
+ convert => { "is_webmail" => "string" }
+ }
+
+ } else {
+ grok {
+ match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))" ]
+ }
+ }
+
+ if [useragent] == "-" {
+ mutate {
+ remove_field => [ "useragent" ]
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_1112"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf b/salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf
new file mode 100644
index 000000000..6a00a5244
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf
@@ -0,0 +1,47 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for snmp.log from Bro systems
+filter {
+ if [type] == "bro_snmp" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #duration
+ #version
+ #convert => { "version" => "string" }
+ #community
+ #get_requests
+ #get_bulk_requests
+ #get_responses
+ #set_requests
+ #display_string
+ #up_since
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","duration","version","community","get_requests","get_bulk_requests","get_responses","set_requests","display_string","up_since"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1113"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf b/salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf
new file mode 100644
index 000000000..ef7eded01
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for software.log from Bro systems
+filter {
+ if [type] == "bro_software" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "host" => "source_ip" }
+ rename => { "host_p" => "source_port" }
+ #software_type
+ #name
+ rename => { "version.major" => "version_major" }
+ rename => { "version.minor" => "version_minor" }
+ rename => { "version.minor2" => "version_minor2" }
+ rename => { "version.minor3" => "version_minor3" }
+ rename => { "version.addl" => "version_additional_info" }
+ #unparsed_version
+ }
+
+ mutate {
+ convert => { "version_major" => "string" }
+ convert => { "version_minor" => "string" }
+ }
+
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","source_ip","source_port","software_type","name","version_major","version_minor","version_minor2","version_minor3","version_additional_info","unparsed_version"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1114"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf b/salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf
new file mode 100644
index 000000000..a08d11e66
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf
@@ -0,0 +1,66 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+#
+# This conf file is based on accepting logs for ssh.log from Bro systems
+filter {
+ if [type] == "bro_ssh" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #version
+ #convert => { "version" => "string" }
+ rename => { "auth_success" => "authentication_success" }
+ rename => { "auth_attempts" => "authentication_attempts" }
+ #direction
+ #client
+ #server
+ rename => { "cipher_alg" => "cipher_algorithm" }
+ rename => { "compression_alg" => "compression_algorithm" }
+ rename => { "cshka" => "client_host_key_algorithms" }
+ rename => { "host_key_alg" => "host_key_algorithm" }
+ rename => { "hasshAlgorithms" => "hassh_algorithms" }
+ rename => { "hasshServer" => "hassh_server" }
+ rename => { "hasshServerAlgorithms" => "hassh_server_algorithms" }
+ rename => { "hasshVersion" => "hassh_version" }
+ rename => { "kex_alg" => "kex_algorithm" }
+ rename => { "mac_alg" => "mac_algorithm" }
+ rename => { "sshka" => "server_host_key_algorithms" }
+ #host_key
+ #destination_country_code
+ #destination_region
+ #destination_city
+ #destination_latitude
+ #destination_longitude
+ }
+
+ mutate {
+ convert => { "authentication_success" => "string" }
+ }
+
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","authentication_success","authentication_attempts","direction","client","server","cipher_algorithm","mac_algorithm","compression_algorithm","kex_algorithm","host_key_algorithm","host_key","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude","hassh_version","hassh","hassh_server","client_host_key_algorithms","hassh_algorithms","server_host_key_algorithms","hassh_server_algorithms"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1115"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf b/salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf
new file mode 100644
index 000000000..930a670e9
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf
@@ -0,0 +1,186 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 10/30/2018
+#
+# This conf file is based on accepting logs for ssl.log from Bro systems
+filter {
+ if [type] == "bro_ssl" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #version
+ #convert => { "version" => "string" }
+ #cipher
+ #curve
+ #server_name
+ #resumed
+ #last_alert
+ #next_protocol
+ #established
+ rename => { "cert_chain_fuids" => "certificate_chain_fuids" }
+ rename => { "client_cert_chain_fuids" => "client_certificate_chain_fuids" }
+ rename => { "subject" => "certificate_subject" }
+ rename => { "issuer" => "certificate_issuer" }
+ #client_subject
+ #client_issuer
+ #validation_status
+ #ja3
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","certificate_chain_fuids","client_certificate_chain_fuids","certificate_subject","certificate_issuer","client_subject","client_issuer","validation_status","ja3","ja3s"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ gsub => [ "subject", "\\\\,", "|" ]
+ }
+ kv {
+ include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+ field_split => ","
+ source => "certificate_issuer"
+ }
+ mutate {
+ rename => { "CN" => "issuer_common_name"}
+ rename => { "C" => "issuer_country_code"}
+ rename => { "O" => "issuer_organization"}
+ rename => { "OU" => "issuer_organization_unit"}
+ rename => { "ST" => "issuer_state"}
+ rename => { "SN" => "issuer_surname"}
+ rename => { "L" => "issuer_locality"}
+ rename => { "DC" => "issuer_distinguished_name"}
+ rename => { "GN" => "issuer_given_name"}
+ rename => { "pseudonym" => "issuer_pseudonym"}
+ rename => { "serialNumber" => "issuer_serial_number"}
+ rename => { "title" => "issuer_title"}
+ rename => { "initials" => "issuer_initials"}
+ }
+ kv {
+ include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+ field_split => ","
+ source => "certificate_subject"
+ }
+ mutate {
+ rename => { "CN" => "certificate_common_name"}
+ rename => { "C" => "certificate_country_code"}
+ rename => { "O" => "certificate_organization"}
+ rename => { "OU" => "certificate_organization_unit"}
+ rename => { "ST" => "certificate_state"}
+ rename => { "SN" => "certificate_surname"}
+ rename => { "L" => "certificate_locality"}
+ rename => { "GN" => "certificate_given_name"}
+ rename => { "pseudonym" => "certificate_pseudonym"}
+ rename => { "serialNumber" => "certificate_serial_number"}
+ rename => { "title" => "certificate_title"}
+ rename => { "initials" => "certificate_initials"}
+ }
+ if [certificate_subject] == "-" {
+ mutate {
+ remove_field => [ "certificate_subject" ]
+ }
+ }
+ if [certificate_issuer] == "-" {
+ mutate {
+ remove_field => [ "certificate_issuer" ]
+ }
+ }
+ if [certificate_common_name] {
+ ruby {
+ code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
+ }
+ }
+ if [issuer_common_name] {
+ ruby {
+ code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
+ }
+ }
+ if [server_name] {
+ if [server_name] == "-" {
+ mutate {
+ remove_field => [ "server_name" ]
+ }
+ } else {
+ ruby {
+ code => "event.set('server_name_length', event.get('server_name').length)"
+ }
+ }
+ }
+ if [certificate_chain_fuids] {
+ if [certificate_chain_fuids] == "-" {
+ mutate {
+ remove_field => [ "certificate_chain_fuids" ]
+ }
+ } else {
+ ruby {
+ code => "event.set('certificate_chain_count', event.get('certificate_chain_fuids').count(',') + 1)"
+ }
+ mutate {
+ convert => [ "certificate_chain_length", "integer" ]
+ }
+ }
+ }
+ if [client_certificate_chain_fuids] == "-" {
+ mutate {
+ remove_field => [ "client_certificate_chain_fuids" ]
+ }
+ }
+ if [client_issuer] == "-" {
+ mutate {
+ remove_field => [ "client_issuer" ]
+ }
+ }
+ if [client_subject] == "-" {
+ mutate {
+ remove_field => [ "client_subject" ]
+ }
+ }
+ if [curve] == "-" {
+ mutate {
+ remove_field => [ "curve" ]
+ }
+ }
+ if [issuer] == "-" {
+ mutate {
+ remove_field => [ "issuer" ]
+ }
+ }
+ if [query] == "-" {
+ mutate {
+ remove_field => [ "query" ]
+ }
+ }
+ if [subject] == "-" {
+ mutate {
+ remove_field => [ "subject" ]
+ }
+ }
+ if [validation_status] == "-" {
+ mutate {
+ remove_field => [ "validation_status" ]
+ }
+ }
+ if [ja3] == "-" {
+ mutate {
+ remove_field => [ "ja3" ]
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_1116"]
+ }
+ }
+}
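Review bot: `gsub => [ "subject", "\\\\,", "|" ]` at the top of the post-processing section runs after `subject` has been renamed to `certificate_subject` in the JSON branch and is never created in the csv branch, so escaped commas inside a DN are not protected and the following `kv { field_split => "," }` splits values such as `O=Foo\, Inc.` into bogus keys; the gsub should target `certificate_subject` and `certificate_issuer`. Likewise `if [issuer] == "-"`, `if [subject] == "-"` and `if [query] == "-"` test fields this conf never produces, and `convert => [ "certificate_chain_length", "integer" ]` names a field the ruby block does not set (it sets `certificate_chain_count`, already an integer). In the JSON branch `cert_chain_fuids` is presumably an array, in which case `event.get(...).count(',')` counts elements equal to "," and `certificate_chain_count` is always 1 — worth confirming and using `.size` when the value is an Array.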
diff --git a/salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf b/salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf
new file mode 100644
index 000000000..c9e52df0f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf
@@ -0,0 +1,41 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for syslog.log from Bro systems
+filter {
+ if [type] == "bro_syslog" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "proto" => "protocol" }
+ #facility
+ #severity
+ #message
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","facility","severity","message"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1117"]
+ }
+ }
+}
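Review bot: The csv `columns` list ends with `message`, so the csv filter overwrites the event's own `[message]` (the raw syslog.log line) with the tenth column; the JSON branch has the same effect whenever the parsed document contains a `message` key. If the raw line matters for troubleshooting or replay, name the column `syslog_message` (or set the csv filter's `target`) and add a matching `rename => { "message" => "syslog_message" }` in the JSON branch before the json filter runs; otherwise a comment stating that the overwrite is intended would help the next reader.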
diff --git a/salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf b/salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf
new file mode 100644
index 000000000..5ae07508c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf
@@ -0,0 +1,40 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for tunnel.log from Bro systems
+# Security Onion syslog-ng.conf sets type to "bro_tunnels"
+filter {
+ if [type] == "bro_tunnels" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #tunnel_type
+ #action
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","tunnel_type","action"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1118"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf b/salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf
new file mode 100644
index 000000000..156a25786
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf
@@ -0,0 +1,42 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for weird.log from Bro systems
+filter {
+ if [type] == "bro_weird" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #name
+ rename => { "addl" => "additional_info" }
+ #notice
+ #peer
+ }
+
+ mutate {
+ convert => { "notice" => "string" }
+ }
+
+ } else {
+ grok {
+ match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*))" ]
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1119"]
+ }
+ }
+}
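Review bot: The grok fallback on L14175 reads as `(?(.*?))\t(?(.*?))…` with no capture names, so if that is the file's real content the text path may match but assigns nothing to named fields. If the `<name>` tokens were only stripped in rendering this can be ignored, but it is worth checking the committed file, since the same shape appears in 1121 (L14226), 1123 (L14361) and 1126 (L14636). A short comment above the grok listing the expected column order would make the pattern reviewable against the rename list on L14157–L14166, e.g. `# columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer`.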
diff --git a/salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf b/salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf
new file mode 100644
index 000000000..97f0d6e28
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf
@@ -0,0 +1,57 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for mysql.log from Bro systems
+#
+# Parse using grok
+filter {
+ if [type] == "bro_mysql" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "cmd" => "mysql_command" }
+ rename => { "arg" => "mysql_argument" }
+ rename => { "success" => "mysql_success" }
+ #rows
+ #response
+ }
+
+ mutate {
+ convert => { "mysql_success" => "string" }
+ }
+
+ } else {
+ grok {
+ match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*))" ]
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1121"]
+ }
+ }
+}
+
+# Reverting to grok for now, due to double-quoted values in log file
+# Parse using csv filter
+#filter {
+# if [type] == "bro_mysql" {
+# csv {
+# columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","mysql_command","mysql_argument","mysql_success","rows","response"]
+# separator => " "
+# quote_char=
+# }
+# }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf b/salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf
new file mode 100644
index 000000000..1b2876eb4
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf
@@ -0,0 +1,62 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for socks.log from Bro systems
+
+# Parse using csv
+filter {
+ if [type] == "bro_socks" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #version
+ #convert => { "version" => "string" }
+ rename => { "user" => "username" }
+ #password
+ rename => { "status" => "server_status" }
+ rename => { "request.host" => "request_host" }
+ rename => { "request.name" => "request_name" }
+ rename => { "request_p" => "request_port" }
+ rename => { "bound.host" => "bound_host" }
+ rename => { "bound.name" => "bound_name" }
+ rename => { "bound_p" => "bound_port" }
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","username","password","server_status","request_host","request_name","request_port","bound_host","bound_name","bound_port"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1122"]
+ }
+ }
+}
+# Parse using grok
+#filter {
+# if [type] == "bro_socks" {
+# # This is the initial parsing of the log
+# grok {
+# match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))" ]
+# }
+# mutate {
+# #add_tag => [ "conf_file_1122"]
+# }
+# }
+#}
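Review bot: The csv branch on L14293 indexes the `password` column verbatim and the json branch (L14279) passes it through untouched, so SOCKS credentials observed on the wire land in the search index in clear text. Decide explicitly whether that field is retained, hashed or dropped for this deployment and record the decision above the `mutate` on L14269, e.g. `# password is kept as observed on the wire; review against data-retention policy`. If it is to be dropped, a `remove_field => [ "password" ]` in the same `mutate` covers both branches.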
diff --git a/salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf b/salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf
new file mode 100644
index 000000000..37d4393e7
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf
@@ -0,0 +1,154 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for x509.log from Bro systems
+
+filter {
+ if [type] == "bro_x509" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #id
+ rename => { "certificate.version" => "certificate_version" }
+ rename => { "certificate.serial" => "certificate_serial" }
+ rename => { "certificate.subject" => "certificate_subject" }
+ rename => { "certificate.issuer" => "certificate_issuer" }
+ rename => { "certificate.not_valid_before" => "certificate_not_valid_before" }
+ rename => { "certificate.not_valid_after" => "certificate_not_valid_after" }
+ rename => { "certificate.key_alg" => "certificate_key_algorithm" }
+ rename => { "certificate.sig_alg" => "certificate_signing_algorithm" }
+ rename => { "certificate.key_type" => "certificate_key_type" }
+ rename => { "certificate.key_length" => "certificate_key_length" }
+ rename => { "certificate.exponent" => "certificate_exponent" }
+ rename => { "certificate.curve" => "certificate_curve" }
+ rename => { "id" => "fuid" }
+ rename => { "san.dns" => "san_dns" }
+ rename => { "san.uri" => "san_uri" }
+ rename => { "san.email" => "san_email" }
+ rename => { "san.ip" => "san_ip" }
+ rename => { "basic_constraints.ca" => "basic_constraints_ca" }
+ rename => { "basic_constraints.path_length" => "basic_constraints_path_length" }
+ }
+ } else {
+ grok {
+ match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))\t(?(.*))" ]
+ }
+ }
+
+ mutate {
+ gsub => [ "certificate_issuer", "\\\\,", "|" ]
+ gsub => [ "certificate_subject", "\\\\,", "|" ]
+ }
+
+ kv {
+ include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+ field_split => ","
+ source => "certificate_issuer"
+ }
+ mutate {
+ rename => { "CN" => "issuer_common_name"}
+ rename => { "C" => "issuer_country_code"}
+ rename => { "O" => "issuer_organization"}
+ rename => { "OU" => "issuer_organization_unit"}
+ rename => { "ST" => "issuer_state"}
+ rename => { "SN" => "issuer_surname"}
+ rename => { "L" => "issuer_locality"}
+ rename => { "DC" => "issuer_distinguished_name"}
+ rename => { "GN" => "issuer_given_name"}
+ rename => { "pseudonym" => "issuer_pseudonym"}
+ rename => { "serialNumber" => "issuer_serial_number"}
+ rename => { "title" => "issuer_title"}
+ rename => { "initials" => "issuer_initials"}
+ }
+ kv {
+ include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+ field_split => ","
+ source => "certificate_subject"
+ }
+ mutate {
+ rename => { "CN" => "certificate_common_name"}
+ rename => { "C" => "certificate_country_code"}
+ rename => { "O" => "certificate_organization"}
+ rename => { "OU" => "certificate_organization_unit"}
+ rename => { "ST" => "certificate_state"}
+ rename => { "SN" => "certificate_surname"}
+ rename => { "L" => "certificate_locality"}
+ rename => { "GN" => "certificate_given_name"}
+ rename => { "pseudonym" => "certificate_pseudonym"}
+ rename => { "serialNumber" => "certificate_serial_number"}
+ rename => { "title" => "certificate_title"}
+ rename => { "initials" => "certificate_initials"}
+ convert => [ "certificate_key_length", "integer" ]
+ convert => [ "certificate_not_valid_after", "integer" ]
+ convert => [ "certificate_not_valid_before", "integer" ]
+ }
+ if [query] == "-" {
+ mutate {
+ remove_field => [ "query" ]
+ }
+ }
+ if [san_dns] == "-" {
+ mutate {
+ remove_field => [ "san_dns" ]
+ }
+ }
+ if [san_email] == "-" {
+ mutate {
+ remove_field => [ "san_email" ]
+ }
+ }
+ if [san_uri] == "-" {
+ mutate {
+ remove_field => [ "san_uri" ]
+ }
+ }
+ if [san_ip] == "-" {
+ mutate {
+ remove_field => [ "san_ip" ]
+ }
+ }
+ if [certificate_common_name] {
+ ruby {
+ code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
+ }
+ }
+ if [issuer_common_name] {
+ ruby {
+ code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
+ }
+ }
+ if [certificate_not_valid_after] == "-" {
+ mutate {
+ remove_field => [ "certificate_not_valid_after" ]
+ }
+ }
+ if [certificate_not_valid_before] == "-" {
+ mutate {
+ remove_field => [ "certificate_not_valid_before" ]
+ }
+ }
+ if [certificate_not_valid_after] and [certificate_not_valid_before] {
+ ruby {
+ code => "event.set('certificate_number_days_valid', ((event.get('certificate_not_valid_after') - event.get('certificate_not_valid_before')) / 86400).ceil)"
+ }
+ date {
+ match => [ "certificate_not_valid_after", "UNIX" ]
+ target => "certificate_not_valid_after"
+ }
+ date {
+ match => [ "certificate_not_valid_before", "UNIX" ]
+ target => "certificate_not_valid_before"
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_1123"]
+ }
+ }
+}
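Review bot: The `== "-"` checks for `certificate_not_valid_after` and `certificate_not_valid_before` on L14447–L14456 run after the `convert => [ ..., "integer" ]` calls on L14409–L14410, so a `-` placeholder has already been through integer conversion by the time the string comparison executes and is unlikely to match; the dash checks belong before the `mutate` on L14395 so the `and` guard on L14457 then sees real epoch values. The `if [query] == "-"` block on L14412 refers to a field that no x509 column or rename in this file produces and looks carried over from the dns filter. Separately, `DC` on L14383 is mapped to `issuer_distinguished_name`, but in an RDN `DC` is the domainComponent attribute, so `issuer_domain_component` would be the accurate name.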
diff --git a/salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf b/salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf
new file mode 100644
index 000000000..0f1c53134
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf
@@ -0,0 +1,46 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for intel.log from Bro systems
+filter {
+ if [type] == "bro_intel" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "seen.indicator" => "indicator" }
+ rename => { "seen.indicator_type" => "indicator_type" }
+ rename => { "seen.where" => "seen_where" }
+ rename => { "seen.node" => "seen_node" }
+ #matched
+ #sources
+ #fuid
+ rename => { "file_mime_type" => "mimetype" }
+ rename => { "file_desc" => "file_description" }
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","indicator","indicator_type","seen_where","seen_node","matched","sources","fuid","mimetype","file_description"]
+ separator => " "
+ }
+ }
+
+ mutate {
+ #add_tag => [ "conf_file_1124"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf b/salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf
new file mode 100644
index 000000000..6d6d48ad2
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf
@@ -0,0 +1,49 @@
+# Author: Wes Lambert
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for modbus.log from Bro systems
+#
+filter {
+ if [type] == "bro_modbus" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ rename => { "func" => "function" }
+ #exception
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","function","exception"]
+ separator => " "
+ }
+ }
+ }
+}
+
+# Parse using grok
+#filter {
+# if [type] == "bro_modbus" {
+# grok {
+# match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))$" ]
+# }
+ #mutate {
+ #add_tag => [ "conf_file_1125"]
+ #}
+# }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf b/salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf
new file mode 100644
index 000000000..0f1cf4c46
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf
@@ -0,0 +1,66 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for sip.log from Bro systems
+#
+filter {
+ if [type] == "bro_sip" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #trans_depth
+ #method
+ #uri
+ #date
+ #request_from
+ #request_to
+ #response_from
+ #response_to
+ #reply_to
+ #call_id
+ #seq
+ #subject
+ #request_path
+ #response_path
+ #user_agent
+ #status_code
+ #status_msg
+ #warning
+ rename => { "request_body_len" => "request_body_length" }
+ rename => { "response_body_len" => "response_body_length" }
+ #content_type
+ }
+ } else {
+ grok {
+ match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))$" ]
+ }
+ }
+
+ mutate {
+ add_tag => [ "conf_file_1126"]
+ }
+ }
+}
+# Parse using csv filter
+#filter {
+# if [type] == "bro_sip" {
+# csv {
+# columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","trans_depth","method","uri","date","request_from","request_to","response_from","response_to","reply_to","call_id","seq","subject","request_path","response_path","user_agent","status_code","status_msg","warning","request_body_len","response_body_len","content_type"]
+# separator => " "
+# }
+# }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf b/salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf
new file mode 100644
index 000000000..732efb23c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf
@@ -0,0 +1,73 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for radius.log from Bro systems
+#
+filter {
+ if [type] == "bro_radius" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #username
+ #mac
+ #framed_addr
+ #tunnel_client
+ #connect_info
+ rename => { "reply_msg" => "reply_message" }
+ #result
+ #ttl
+ #logged
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","username","mac","framed_addr","tunnel_client","connect_info","reply_message","result","ttl","logged"]
+ separator => " "
+ }
+ if [tunnel_client] == "-" {
+ mutate {
+ remove_field => [ "tunnel_client" ]
+ }
+ }
+
+ }
+ # Remove the ttl and framed_addr fields
+ if [ttl] {
+ mutate {
+ remove_field => [ "ttl" ]
+ }
+ }
+ if [framed_addr] {
+ mutate {
+ remove_field => [ "framed_addr" ]
+ }
+ }
+ }
+}
+
+# Parse using grok
+#filter {
+# if [type] == "bro_radius" {
+# grok {
+# match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))$" ]
+# }
+# mutate {
+# #add_tag => [ "conf_file_1127"]
+# }
+# }
+#}
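Review bot: The comment on L14708 says the `ttl` and `framed_addr` fields are removed but not why; `framed_addr` is the address the RADIUS server assigns to the client, a common pivot when tracing a device, so a reader cannot tell whether dropping it is deliberate. Expand the comment to state the reason, e.g. `# Drop ttl and framed_addr: <reason>` (placeholder), or keep `framed_addr` if nothing downstream depends on its absence. The header on L14660–L14667 also lacks the `# Last Update:` line the sibling files carry.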
diff --git a/salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf b/salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf
new file mode 100644
index 000000000..7770de12d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf
@@ -0,0 +1,46 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for pe.log from Bro systems
+#
+filter {
+ if [type] == "bro_pe" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ rename => { "id" => "fuid" }
+ #machine
+ #compile_ts
+ #os
+ #subsystem
+ #is_exe
+ #is_64bit
+ #uses_aslr
+ #uses_dep
+ #uses_code_integrity
+ #uses_seh
+ #has_import_table
+ #has_export_table
+ #has_cert_table
+ #has_debug_data
+ #section_names
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","fuid","machine","compile_ts","os","subsystem","is_exe","is_64bit","uses_aslr","uses_dep","uses_code_integrity","uses_seh","has_import_table","has_export_table","has_cert_table","has_debug_data","section_names"]
+ separator => " "
+ }
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf b/salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf
new file mode 100644
index 000000000..21ecac78f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf
@@ -0,0 +1,65 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for rfb.log from Bro systems
+#
+# Parse using csv filter
+filter {
+ if [type] == "bro_rfb" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #client_major_version
+ #client_minor_version
+ #server_major_version
+ #server_minor_version
+ #authentication_method
+ #auth
+ #share_flag
+ #desktop_name
+ #width
+ #height
+ }
+
+ mutate {
+ convert => { "auth" => "string" }
+ convert => { "share_flag" => "string" }
+ }
+
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","client_major_version","client_minor_version","server_major_version","server_minor_version","authentication_method","auth","share_flag","desktop_name","width","height"]
+ separator => " "
+ }
+ }
+ }
+}
+
+# Parse using grok
+#filter {
+# if [type] == "bro_rfb" {
+# grok {
+# match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))$" ]
+# }
+# mutate {
+# #add_tag => [ "conf_file_1129"]
+# }
+# }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf b/salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf
new file mode 100644
index 000000000..a2c10babf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf
@@ -0,0 +1,51 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dnp3.log from Bro systems
+#
+filter {
+ if [type] == "bro_dnp3" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #fc_request
+ #fc_reply
+ #iin
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fc_request","fc_reply","iin"]
+ separator => " "
+ }
+ }
+ }
+}
+
+# Parse using grok
+#filter {
+# if [type] == "bro_dnp3" {
+# grok {
+# match => [ "message", "(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))\t(?(.*?))$" ]
+# }
+# mutate {
+# #add_tag => [ "conf_file_1130"]
+# }
+# }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf b/salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf
new file mode 100644
index 000000000..ca6cfe8db
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf
@@ -0,0 +1,46 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for smb_files.log from Bro systems
+#
+filter {
+ if [type] == "bro_smb_files" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #fuid
+ #action
+ #path
+ #name
+ #size
+ #prev_name
+ rename => { "times.modified" => "times_modified" }
+ rename => { "times.accessed" => "times_accessed" }
+ rename => { "times.created" => "times_created" }
+ rename => { "times.changed" => "times_changed" }
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","action","path","name","size","prev_name","times_modified","times_accessed","times_created","times_changed"]
+ separator => " "
+ }
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf b/salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf
new file mode 100644
index 000000000..84256ed0e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf
@@ -0,0 +1,40 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for smb_mapping.log from Bro systems
+#
+filter {
+ if [type] == "bro_smb_mapping" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #path
+ #service
+ #native_file_system
+ #share_type
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","path","service","native_file_system","share_type"]
+ separator => " "
+ }
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf b/salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf
new file mode 100644
index 000000000..3b5fd6384
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf
@@ -0,0 +1,50 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 1/2/2019
+#
+# This conf file is based on accepting logs for ntlm.log from Bro systems
+#
+filter {
+ if [type] == "bro_ntlm" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #hostname
+ rename => { "domainname" => "domain_name" }
+ rename => { "success" => "ntlm_success" }
+ #status
+ }
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => [ "timestamp", "uid", "source_ip", "source_port", "destination_ip", "destination_port", "username", "hostname", "domain_name", "server_nb_computer_name", "server_dns_computer_name", "server_tree_name", "ntlm_success"]
+ separator => " "
+ }
+ ruby {
+ code =>"
+ hash = event.to_hash.each do |key,value|
+ if value == '-'
+ event.remove(key)
+ end
+ end"
+ }
+
+
+ }
+ }
+}
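Review bot: In the ruby block on L15054–L15061 the `hash =` assignment is never used, so `hash = event.to_hash.each do |key,value|` can simply be `event.to_hash.each do |key, value|`. Since this file is the only one in the commit that sweeps `-` generically where the others use per-field `if [x] == "-"` blocks, a one-line comment above the ruby filter would help, e.g. `# drop every field whose value is the Zeek unset marker '-' (csv path only)`. The double blank line at L15062–L15063 is stray whitespace.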
diff --git a/salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf b/salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf
new file mode 100644
index 000000000..1b0e56a67
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf
@@ -0,0 +1,54 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dce_rpc.log from Bro systems
+#
+filter {
+ if [type] == "bro_dce_rpc" {
+ # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+
+ mutate {
+ rename => { "ts" => "timestamp" }
+ #uid
+ rename => { "id.orig_h" => "source_ip" }
+ rename => { "id.orig_p" => "source_port" }
+ rename => { "id.resp_h" => "destination_ip" }
+ rename => { "id.resp_p" => "destination_port" }
+ #rtt
+ #named_pipe
+ #endpoint
+ #operation
+ }
+
+ #mutate {
+ #convert => { "rtt" => "float" }
+ #}
+ } else {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
+ columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","rtt","named_pipe","endpoint","operation"]
+ separator => " "
+ }
+
+ if [rtt] == "-" {
+ mutate {
+ remove_field => [ "rtt" ]
+ }
+ }
+
+ #mutate {
+ #convert => [ "rtt", "float" ]
+ #}
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+ if [source_ip] {
+ if [source_ip] == "-" {
+ mutate {
+ replace => { "source_ip" => "0.0.0.0" }
+ }
+ }
+ if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+ mutate {
+ }
+ } else {
+ geoip {
+ source => "[source_ip]"
+ target => "source_geo"
+ }
+ }
+ if [source_ip] {
+ mutate {
+ add_field => { "ips" => "%{source_ip}" }
+ add_field => { "source_ips" => [ "%{source_ip}" ] }
+ }
+ }
+ }
+ if [destination_ip] {
+ if [destination_ip] == "-" {
+ mutate {
+ replace => { "destination_ip" => "0.0.0.0" }
+ }
+ }
+ if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+ mutate {
+ }
+ }
+ else {
+ geoip {
+ source => "[destination_ip]"
+ target => "destination_geo"
+ }
+ }
+ }
+ if [destination_ip] {
+ mutate {
+ add_field => { "ips" => "%{destination_ip}" }
+ add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+ }
+ }
+}
+ #if [source_ip] or [destination_ip] {
+ # mutate {
+ #add_tag => [ "conf_file_8001"]
+ # }
+ #}
+
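Review bot: The private-range tests on L15145 and L15167 are unanchored substring regexes, so `"10\."` also matches public addresses such as 110.x.x.x or 1.10.x.x and `"::1"` matches any IPv6 address containing that substring, which silently skips geoip for those events; conversely `"239.255.255.250"` and `"255.255.255.255"` use unescaped dots. Anchor each pattern, e.g. `if [source_ip] =~ "^10\." or [source_ip] =~ "^192\.168\." or [source_ip] =~ "^172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "^fe80:" or [source_ip] == "::1" {` and the same for the destination line. `fe80::20c:29ff:fe19:f7d` looks like one host's link-local address rather than the `fe80::/10` range, so confirm that is intended before widening it as shown. The empty `mutate { }` bodies on L15146 and L15168 could be dropped by negating the condition so only the geoip branch remains.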
diff --git a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
new file mode 100644
index 000000000..aa586d3b6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
@@ -0,0 +1,160 @@
+{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
+{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
+{% set CBNAME = grains.host %}
+
+filter {
+ if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
+ grok {
+ match => [
+ "source_ip", "^%{IPV4:srcipv4}$",
+ "source_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)"
+ ]
+ }
+ grok {
+ match => [
+ "destination_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)",
+ "destination_ip", "^%{IPV4:dstipv4}$"
+ ]
+ }
+
+ #geoip {
+ # source => "[source_ip]"
+ # target => "source_geo"
+ #}
+ #geoip {
+ # source => "[destination_ip]"
+ # target => "destination_geo"
+ #}
+ mutate {
+ rename => { "[beat_host][name]" => "sensor" }
+ copy => { "sensor" => "rawmsghostname" }
+ rename => { "message" => "rawmsg" }
+ copy => { "type" => "class" }
+ copy => { "class" => "program"}
+ rename => { "source_port" => "srcport" }
+ rename => { "destination_port" => "dstport" }
+ rename => { "[log][file][path]" => "filepath" }
+ add_field => { "meta_cbid" => "{{ UNIQUEID }}" }
+ add_field => { "meta_cbname" => "{{ CBNAME }}" }
+ remove_field => ["source_ip", "destination_ip", "syslog-host_from"]
+ remove_field => ["beat_host", "timestamp", "type", "log", "@version", "@timestamp"]
+ remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
+ remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
+ }
+ if "bro_conn" in [class] {
+ mutate {
+ #add_field => { "metaclass" => "connection" }
+ rename => { "original_bytes" => "sentbytes" }
+ rename => { "respond_bytes" => "rcvdbytes" }
+ rename => { "connection_state" => "connstate" }
+ rename => { "uid" => "connectionid" }
+ rename => { "respond_packets" => "rcvdpackets" }
+ rename => { "original_packets" => "sentpackets" }
+ rename => { "respond_ip_bytes" => "rcvdipbytes" }
+ rename => { "original_ip_bytes" => "sentipbytes" }
+ rename => { "local_respond" => "local_resp" }
+ rename => { "local_orig" => "localorig" }
+ rename => { "missed_bytes" => "missingbytes" }
+ rename => { "connection_state_description" => "description" }
+ }
+ }
+ if "bro_dns" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "answers" => "answer" }
+ rename => { "query" => "domain" }
+ rename => { "query_class" => "queryclass" }
+ rename => { "query_class_name" => "queryclassname" }
+ rename => { "query_type" => "querytype" }
+ rename => { "query_type_name" => "querytypename" }
+ rename => { "ra" => "recursionavailable" }
+ rename => { "rd" => "recursiondesired" }
+ rename => { "uid" => "connectionid" }
+ rename => { "ttls" => "ttl" }
+ rename => { "transaction_id" => "transactionid" }
+ }
+ }
+ if "bro_dhcp" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dhcp"}
+ rename => { "message_types" => "direction" }
+ rename => { "uid" => "connectionid" }
+ rename => { "lease_time" => "duration" }
+ }
+ }
+ if "bro_files" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "missing_bytes" => "missingbytes" }
+ rename => { "seen_bytes" => "seenbytes" }
+ rename => { "overflow_bytes" => "overflowbytes" }
+ rename => { "fuid" => "fileid" }
+ rename => { "conn_uids" => "connectionid" }
+ rename => { "is_orig" => "isorig" }
+ rename => { "timed_out" => "timedout" }
+ rename => { "local_orig" => "localorig" }
+ rename => { "file_ip" => "tx_host" }
+ }
+ }
+ if "bro_http" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "virtual_host" => "hostname" }
+ rename => { "status_code" => "statuscode" }
+ rename => { "status_message" => "statusmsg" }
+ rename => { "resp_mime_types" => "rcvdmimetype" }
+ rename => { "resp_fuids" => "rcvdfileid" }
+ rename => { "response_body_len" => "rcvdbodybytes" }
+ rename => { "request_body_len" => "sentbodybytes" }
+ rename => { "uid" => "connectionid" }
+ rename => { "ts"=> "eventtime" }
+ rename => { "@timestamp"=> "eventtime" }
+ rename => { "trans_depth" => "depth" }
+ rename => { "request_body_length" => "sentbodybytes" }
+ rename => { "response_body_length" => "rcvdbodybytes" }
+ }
+ }
+ if "bro_ssl" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "status_code" => "statuscode" }
+ rename => { "status_message" => "statusmsg" }
+ rename => { "resp_mime_types" => "rcvdmimetype" }
+ rename => { "resp_fuids" => "rcvdfileid" }
+ rename => { "response_body_len" => "rcvdbodybytes" }
+ rename => { "request_body_len" => "sentbodybytes" }
+ rename => { "uid" => "connectionid" }
+ }
+ }
+ if "bro_weird" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "name" => "eventname" }
+ }
+ }
+ if "bro_x509" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "certificate_common_name" => "certname" }
+ rename => { "certificate_subject" => "certsubject" }
+ rename => { "issuer_common_name" => "issuer" }
+ rename => { "certificate_issuer" => "issuersubject" }
+ rename => { "certificate_not_valid_before" => "issuetime" }
+ rename => { "certificate_key_type" => "cert_type" }
+ }
+ }
+ }
+}
+
+output {
+ if [class] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
+ http {
+ url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
+ http_method => post
+ http_compression => true
+ socket_timeout => 60
+ headers => ["Authorization","{{ HELIX_API_KEY }}"]
+ format => json_batch
+ }
+ }
+}
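Review bot: The output block on L15345-L15355 is emitted unconditionally, but `HELIX_API_KEY` defaults to `''` on L15197, so a node without the `fireeye:helix:api_key` pillar value will still POST every bro/suricata event to the external FireEye endpoint with an empty Authorization header. Wrap the output (and the filter) in `{% if HELIX_API_KEY %}` … `{% endif %}` so nothing leaves the sensor unless the integration is actually configured. Separately, the alternation on L15202 and L15346 binds `^` only to `bro_conn` and `$` only to `suricata`, so a type such as `bro_dns_extra` or `xbro_http` also matches; group it as `/^(bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata)$/`. The IPv6 grok patterns on L15206 and L15211 read `(?^(...` here, which looks like a named capture whose `<name>` was lost in rendering — worth confirming the checked-in file still has it, since the pattern as shown would not compile.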
diff --git a/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf b/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
new file mode 100644
index 000000000..6b7667f5c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
@@ -0,0 +1,40 @@
+input {
+ beats {
+ port => "5644"
+ ssl => true
+ ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+ ssl_certificate => "/usr/share/logstash/filebeat.crt"
+ ssl_key => "/usr/share/logstash/filebeat.key"
+ tags => [ "beat" ]
+ }
+}
+filter {
+ if [type] == "ids" or [type] =~ "bro" {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ add_field => { "sensor_name" => "%{[beat][name]}" }
+ add_field => { "syslog-host_from" => "%{[beat][name]}" }
+ remove_field => [ "beat", "prospector", "input", "offset" ]
+ }
+ }
+ if [type] =~ "ossec" {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ add_field => { "syslog-host_from" => "%{[beat][name]}" }
+ remove_field => [ "beat", "prospector", "input", "offset" ]
+ }
+ }
+ if [type] == "osquery" {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ add_tag => ["osquery"]
+ }
+ json {
+ source => "message"
+ target => "osquery"
+ }
+ }
+}
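Review bot: The beats input on L15364-L15371 sets `ssl_certificate_authorities` but not `ssl_verify_mode`, and the beats input's default verify mode is `none`, so the CA list is never consulted and any host that can reach TCP/5644 can push arbitrary events into the pipeline over TLS without presenting a client certificate. Add `ssl_verify_mode => "force_peer"` next to the CA setting so only filebeat instances holding a certificate signed by `/usr/share/filebeat/ca.crt` are accepted (this assumes the sensors are issued client certificates by that CA — confirm against the filebeat state). The `[type] =~ "bro"` test on L15374 is also unanchored; `[type] =~ "^bro"` avoids matching unrelated types that merely contain the substring.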
diff --git a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
new file mode 100644
index 000000000..f176e0b94
--- /dev/null
+++ b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
@@ -0,0 +1,26 @@
+{%- if salt['grains.get']('role') == 'so-master' %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
+{%- else %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- endif %}
+
+
+output {
+ redis {
+ host => '{{ master }}'
+ data_type => 'list'
+ {%- if nodetype == 'parser' %}
+ key => 'logstash:parsed'
+ {%- else %}
+ key => 'logstash:unparsed'
+ {%- endif %}
+ congestion_interval => 1
+ congestion_threshold => 50000000
+ # batch_events => 500
+ }
+}
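Review bot: Every branch on L15409-L15418 falls back to `''` when the master IP pillar is missing, which renders `host => ''` on L15423 and fails the pipeline at startup with an unhelpful error; a template-time guard such as `{% if not master %}{{ raise('master IP pillar is not set') }}{% endif %}` (Salt exposes a `raise()` Jinja global in recent releases) makes the misconfiguration obvious. The redis output also sets no `password` or `ssl` option, so event data crosses the network to the master in the clear and relies entirely on network-level isolation of the redis port. If that is the intended design, a comment above the output block stating that assumption would help the next reader; if not, the redis auth/TLS settings belong here.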
diff --git a/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ ruby {
+ code => "event.set('task_start', Time.now.to_f)"
+ }
+ mutate {
+ #add_tag => [ "conf_file_1000"]
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..84bce8802
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
@@ -0,0 +1,33 @@
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+
+filter {
+ if "syslogng" in [tags] {
+ mutate {
+ rename => { "MESSAGE" => "message" }
+ rename => { "PROGRAM" => "type" }
+ rename => { "FACILITY" => "syslog-facility" }
+ rename => { "FILE_NAME" => "syslog-file_name" }
+ rename => { "HOST" => "syslog-host" }
+ rename => { "HOST_FROM" => "syslog-host_from" }
+ rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+ rename => { "PID" => "syslog-pid" }
+ rename => { "PRIORITY" => "syslog-priority" }
+ rename => { "SOURCEIP" => "syslog-sourceip" }
+ rename => { "TAGS" => "syslog-tags" }
+ lowercase => [ "syslog-host_from" ]
+ remove_field => [ "ISODATE" ]
+ remove_field => [ "SEQNUM" ]
+ #add_tag => [ "conf_file_1001"]
+ }
+ if "bro_" in [type] {
+ mutate {
+ add_tag => [ "bro" ]
+ }
+ } else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
+ mutate {
+ add_tag => [ "syslog" ]
+ }
+ }
+ }
+}
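Review bot: `rename => { "PROGRAM" => "type" }` on L15467 makes the event type — which every later stage uses to choose a parser, and which the helix output uses to decide what leaves the box — come straight from the sender-controlled syslog PROGRAM header. Any host that can reach the syslog listener can therefore set PROGRAM to `bro_conn` or `ids` and have its text processed by those branches; if the syslog sources are not all trusted, gate the rename on `syslog-host_from`/`syslog-sourceip` or allow-list the program names that may become a type. The `"bro_" in [type]` substring test on L15482 matches any type that merely contains `bro_`; `[type] =~ /^bro_/` is more precise.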
diff --git a/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
new file mode 100644
index 000000000..ea7c677da
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "json" in [tags]{
+ json {
+ source => "message"
+ }
+ mutate {
+ remove_tag => [ "json" ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_1002"]
+ }
+ }
+}
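Review bot: The json filter on L15506-L15508 has no `target`, so every key in the sender's JSON is merged into the event root and can overwrite routing fields such as `type`, `tags` or `@timestamp` before any later stage sees them. If the producers of `json`-tagged events are not fully trusted, parse into a `target` and lift only the expected fields, or at least record the assumption with `# NOTE: untargeted parse — sender-supplied keys can clobber type/tags` above the filter. A failed parse only adds `_jsonparsefailure`, which nothing in this hunk acts on; that is fine provided a later stage or the index is expected to surface it.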
diff --git a/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..243abcc15
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+ if "syslog" in [tags] {
+ if [host] == "172.16.1.1" {
+ mutate {
+ add_field => { "type" => "fortinet" }
+ add_tag => [ "firewall" ]
+ }
+ }
+ if [host] == "10.0.0.101" {
+ mutate {
+ add_field => { "type" => "brocade" }
+ add_tag => [ "switch" ]
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_1004"]
+ }
+ }
+}
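Review bot: `add_field => { "type" => "fortinet" }` on L15527 (and `brocade` on L15533) appends when `type` already exists, and for events that came through 1001 `type` has already been populated from the syslog PROGRAM header, so the field becomes an array like `["kernel", "fortinet"]` and the downstream `[type] == "fortinet"` test in 6200 never matches. Use `replace => { "type" => "fortinet" }` (as 1029 already does for esxi) so the classification overrides the header value. The literal addresses `172.16.1.1` and `10.0.0.101` are also site-specific examples that will silently relabel whatever happens to sit at those IPs in another deployment; if they are meant as templates, say so in a comment or move them to pillar.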
diff --git a/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..2f893cf7a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
@@ -0,0 +1,140 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/9/2016
+# This conf file is based on accepting logs for DHCP. It is currently based on Windows DHCP only.
+filter {
+ if [type] == "dhcp" {
+ mutate {
+ add_field => { "Hostname" => "%{host}" }
+ }
+ mutate {
+ strip => "message"
+ }
+ # This is the initial parsing of the log
+ grok {
+ # Server 2008+
+ match => { "message" => "%{DATA:id},%{DATE_US:date},(?%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+ # Server 2003
+ match => { "message" => "%{DATA:id},%{DATE_US:date},(?%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+ match => { "message" => "%{DATA:id},%{DATA:date},(?%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+ }
+ # This section below translates the message ID into something humans can understand.
+ if [id] == "00" {
+ mutate {
+ add_field => [ "event", "The log was started"]
+ }
+ }
+ if [id] == "01" {
+ mutate {
+ add_field => [ "event", "The log was stopped"]
+ }
+ }
+ if [id] == "02" {
+ mutate {
+ add_field => [ "event", "The log was temporarily paused due to low disk space"]
+ }
+ }
+ if [id] == "10" {
+ mutate {
+ add_field => [ "event", "A new IP address was leased to a client"]
+ }
+ }
+ if [id] == "11" {
+ mutate {
+ add_field => [ "event", "A lease was renewed by a client"]
+ }
+ }
+ if [id] == "12" {
+ mutate {
+ add_field => [ "event", "A lease was released by a client"]
+ }
+ }
+ if [id] == "13" {
+ mutate {
+ add_field => [ "event", "An IP address was found to be in use on the network"]
+ }
+ }
+ if [id] == "14" {
+ mutate {
+ add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+ }
+ }
+ if [id] == "15" {
+ mutate {
+ add_field => [ "event", "A lease was denied"]
+ }
+ }
+ if [id] == "16" {
+ mutate {
+ add_field => [ "event", "A lease was deleted"]
+ }
+ }
+ if [id] == "17" {
+ mutate {
+ add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+ }
+ }
+ if [id] == "18" {
+ mutate {
+ add_field => [ "event", "A lease was expired and DNS records were deleted"]
+ }
+ }
+ if [id] == "20" {
+ mutate {
+ add_field => [ "event", "A BOOTP address was leased to a client"]
+ }
+ }
+ if [id] == "21" {
+ mutate {
+ add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+ }
+ }
+ if [id] == "22" {
+ mutate {
+ add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+ }
+ }
+ if [id] == "23" {
+ mutate {
+ add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+ }
+ }
+ if [id] == "24" {
+ mutate {
+ add_field => [ "event", "IP address cleanup operation has began"]
+ }
+ }
+ if [id] == "25" {
+ mutate {
+ add_field => [ "event", "IP address cleanup statistics"]
+ }
+ }
+ if [id] == "30" {
+ mutate {
+ add_field => [ "event", "DNS update request to the named DNS server"]
+ }
+ }
+ if [id] == "31" {
+ mutate {
+ add_field => [ "event", "DNS update failed"]
+ }
+ }
+ if [id] == "32" {
+ mutate {
+ add_field => [ "event", "DNS update successful"]
+ }
+ }
+ if [id] == "33" {
+ mutate {
+ add_field => [ "event", "Packet dropped due to NAP policy"]
+ }
+ }
+ # If the message failed to parse correctly keep the message for debugging. Otherwise, drop it.
+ #if "_grokparsefailure" not in [tags] {
+ # mutate {
+ # remove_field => [ "message"]
+ # }
+ #}
+ }
+}
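Review bot: `add_field => { "Hostname" => "%{host}" }` on L15556 sets `Hostname` to the DHCP server before the grok on L15564-L15567 also captures `%{DATA:Hostname}` (the client's name); grok appends to an existing field rather than replacing it, so `Hostname` ends up as a two-element array that mixes server and client. Store the server under a distinct name, e.g. `add_field => { "dhcp_server" => "%{host}" }`, or add `overwrite => [ "Hostname" ]` to the grok if the client name is what should win. The `(?%{HOUR}:%{MINUTE}:%{SECOND})` groups look like named captures whose `<name>` was lost in rendering — the checked-in file should be confirmed, since `(?%{...})` is not valid as shown. The captured `date` column is never fed to a `date` filter, so `@timestamp` remains the ingest time rather than the lease event time.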
diff --git a/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them. There is no input as the logs would have came in via syslog
+filter {
+ # This is an example of using an IP address range to classify a syslog message to a specific type of log
+ # This is helpful as so many devices only send logs via syslog
+ if [host] =~ "10\.[0-1]\.9\." {
+ mutate {
+ replace => ["type", "esxi"]
+ }
+ }
+ if [host] =~ "\.234$" {
+ mutate {
+ replace => ["type", "esxi"]
+ }
+ }
+ if [type] == "esxi" {
+ grok {
+ match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?(?:\[(?[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+# pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?(?:\[(?[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+ }
+ mutate {
+ #add_tag => [ "conf_file_1029"]
+ }
+ }
+}
+
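Review bot: The classifier on L15708, `[host] =~ "\.234$"`, retypes every event from any host whose last octet is 234 as `esxi` via `replace`, discarding whatever type 1001/1004 assigned, and the unanchored `10\.[0-1]\.9\.` test on L15703 also matches hosts like `110.0.9.5`; both are site-specific examples that will misclassify traffic in other deployments. Anchor the subnet test as `[host] =~ "^10\.[0-1]\.9\."`, and either drop the `.234` rule or move both into pillar with a comment marking them as examples. As in the other hunks, `(?(?:\[(?[0-9A-Z]{8,8})` on L15715 appears to be a named capture whose name was lost in rendering — worth checking the committed file.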
diff --git a/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "greensql" {
+ # This section is parsing out the fields for GreenSQL syslog data
+ grok {
+ match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+ match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+ }
+ # Remove the message field as it is unnecessary
+ #mutate {
+ # remove_field => [ "message"]
+ #}
+ mutate {
+ #add_tag => [ "conf_file_1030"]
+ }
+ }
+}
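Review bot: Both grok patterns on L15740-L15741 capture `%{INT:Transcation}` — a misspelling of `Transaction` that will become a permanent field name in the index and in any saved searches built on it; rename it to `%{INT:TransactionID}` before this ships, since changing it later means a mapping migration. `Target IP=?%{IPV4:DstIp}` also makes the `=` optional, which looks like a typo for `Target IP=%{IPV4:DstIp}` rather than intent — worth confirming against a sample GreenSQL line. Neither pattern has a fallback, so a line in any other GreenSQL format only gets `_grokparsefailure`, which is fine as long as that tag is monitored.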
diff --git a/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "iis" {
+ # The log is expected to have come from NXLog and in JSON format. This allows for automatic parsing of fields
+ json {
+ source => "message"
+ }
+ # This removes the message field as it is unneccesary and tags the packet as web
+ mutate {
+ # remove_field => [ "message"]
+ add_tag => [ "web" ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_1031"]
+ }
+ }
+}
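Review bot: The comment on L15769 says the mutate removes the message field, but `remove_field` on L15771 is commented out, so the comment and the code disagree; either re-enable the removal or change the comment to `# The raw message is kept for debugging; this only tags the event as web`. The json filter on L15766 merges sender-supplied keys into the event root with no `target`, so an NXLog source can overwrite `type` or `tags`; that is acceptable if the IIS hosts are trusted, but it is worth stating in the comment above it.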
diff --git a/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+ if [type] == "mcafee" {
+ # NXLog should be sending the logs in JSON format so they auto parse
+ json {
+ source => "message"
+ }
+ # This section converts the UTC fields to the proper time format
+ date {
+ match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+ target => [ "ReceivedUTC" ]
+ }
+ date {
+ match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+ target => [ "DetectedUTC" ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_1032"]
+ }
+ }
+}
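Review bot: The two `date` filters on L15798-L15805 parse `ReceivedUTC` and `DetectedUTC` without a `timezone` option, so Logstash interprets the timestamps in the host's default zone even though the field names say UTC, shifting every event by the local offset on a non-UTC host. Add `timezone => "UTC"` to both filters. Matching only `YYYY-MM-dd HH:mm:ss` will tag `_dateparsefailure` on any record carrying fractional seconds; if EPO emits them, add a second pattern such as `"YYYY-MM-dd HH:mm:ss.SSS"` to each match list.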
diff --git a/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+ if [type] == "ids" {
+ # This is the initial parsing of the log
+ if [engine] == "suricata" {
+ json {
+ source => "message"
+ }
+ mutate {
+ rename => { "alert" => "orig_alert" }
+ rename => { "[orig_alert][gid]" => "gid" }
+ rename => { "[orig_alert][signature_id]" => "sid" }
+ rename => { "[orig_alert][rev]" => "rev" }
+ rename => { "[orig_alert][signature]" => "alert" }
+ rename => { "[orig_alert][category]" => "classification" }
+ rename => { "[orig_alert][severity]" => "priority" }
+ rename => { "[orig_alert][rule]" => "rule_signature" }
+ rename => { "app_proto" => "application_protocol" }
+ rename => { "dest_ip" => "destination_ip" }
+ rename => { "dest_port" => "destination_port" }
+ rename => { "in_iface" => "interface" }
+ rename => { "proto" => "protocol" }
+ rename => { "src_ip" => "source_ip" }
+ rename => { "src_port" => "source_port" }
+ #rename => { "[fileinfo][filename]" => "filename" }
+ #rename => { "[fileinfo][gaps]" => "gaps" }
+ #rename => { "[fileinfo][size]" => "size" }
+ #rename => { "[fileinfo][state]" => "state" }
+ #rename => { "[fileinfo][stored]" => "stored" }
+ #rename => { "[fileinfo][tx_id]" => "tx_id" }
+ #rename => { "[flow][age]" => "duration" }
+ #rename => { "[flow][alerted]" => "flow_alerted" }
+ #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+ #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+ #rename => { "[flow][end]" => "flow_end" }
+ #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+ #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+ #rename => { "[flow][reason]" => "reason" }
+ #rename => { "[flow][start]" => "flow_start" }
+ #rename => { "[flow][state]" => "state" }
+ #rename => { "[netflow][age]" => "duration" }
+ #rename => { "[netflow][bytes]" => "bytes" }
+ #rename => { "[netflow][end]" => "netflow_end" }
+ #rename => { "[netflow][start]" => "netflow_start" }
+ #rename => { "[netflow][pkts]" => "packets" }
+ rename => { "[alert][action]" => "action" }
+ rename => { "[alert][category]" => "category" }
+ rename => { "[alert][gid]" => "gid" }
+ rename => { "[alert][rev]" => "rev" }
+ rename => { "[alert][severity]" => "severity" }
+ rename => { "[alert][signature]" => "signature" }
+ rename => { "[alert][signature_id]" => "sid" }
+ #rename => { "[dns][aa]" => "aa" }
+ #rename => { "[dns][flags]" => "flags" }
+ #rename => { "[dns][id]" => "id" }
+ #rename => { "[dns][qr]" => "qr" }
+ #rename => { "[dns][rcode]" => "rcode_name" }
+ #rename => { "[dns][rrname]" => "rrname" }
+ #rename => { "[dns][rrtype]" => "rrtype" }
+ #rename => { "[dns][tx_id]" => "tx_id" }
+ #rename => { "[dns][type]" => "record_type" }
+ #rename => { "[dns][version]" => "version" }
+ rename => { "[http][hostname]" => "virtual_host" }
+ rename => { "[http][http_content_type]" => "content_type" }
+ rename => { "[http][http_port]" => "http_port" }
+ rename => { "[http][http_method]" => "method" }
+ rename => { "[http][http_user_agent]" => "useragent" }
+ #rename => { "[http][length]" => "payload_length" }
+ #rename => { "[http][protocol]" => "http_version" }
+ rename => { "[http][status]" => "status_message" }
+ rename => { "[http][url]" => "url" }
+ #rename => { "[metadata][flowbits]" => "flowbits" }
+ rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+ rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+ rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+ rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+ rename => { "[tls][subject]" => "certificate_common_name" }
+ rename => { "[tls][version]" => "tls_version" }
+ rename => { "event_type" => "ids_event_type" }
+ remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+ remove_tag => [ "beats_input_codec_plain_applied" ]
+ add_tag => [ "eve" ]
+
+ }
+ } else {
+ grok {
+ match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+ "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+ "message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+ "message", "%{GREEDYDATA:alert}"]
+ }
+ }
+ if [timestamp] {
+ mutate {
+ add_field => { "logstash_timestamp" => "%{@timestamp}" }
+ }
+ mutate {
+ convert => { "logstash_timestamp" => "string" }
+ }
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ mutate {
+ rename => { "logstash_timestamp" => "timestamp" }
+ }
+ }
+
+ # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+ if [alert] =~ "GPL " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "alert" => "GPL\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Snort GPL" }
+ lowercase => [ "category"]
+ }
+ }
+ # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+ if [alert] =~ "ET " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "alert" => "ET\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Emerging Threats" }
+ lowercase => [ "category"]
+ }
+ }
+ # I recommend changing the field types below to integer so searches can do greater than or less than
+ # and also so math functions can be ran against them
+ mutate {
+ convert => [ "source_port", "integer" ]
+ convert => [ "destination_port", "integer" ]
+ convert => [ "gid", "integer" ]
+ convert => [ "sid", "integer" ]
+ # remove_field => [ "message"]
+ }
+ # This will translate the priority field into a severity field of either High, Medium, or Low
+ if [priority] == 1 {
+ mutate {
+ add_field => { "severity" => "High" }
+ }
+ }
+ if [priority] == 2 {
+ mutate {
+ add_field => { "severity" => "Medium" }
+ }
+ }
+ if [priority] == 3 {
+ mutate {
+ add_field => { "severity" => "Low" }
+ }
+ }
+ # This section adds URLs to lookup information about a rule online
+ if [sid] and [sid] > 0 and [sid] < 1000000 {
+ mutate {
+ add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+ }
+ }
+ if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+ mutate {
+ add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+ }
+ }
+# mutate {
+ #add_tag => [ "conf_file_1033"]
+# }
+ }
+}
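Review bot: The rule-family tests `[alert] =~ "GPL "` (L15934) and `[alert] =~ "ET "` (L15946) are unanchored substrings, so a signature such as `GPL TELNET login incorrect` matches both, runs both groks, and turns `rule_type` and `category` into arrays; anchor them as `[alert] =~ "^GPL "` and `[alert] =~ "^ET "`. The final fallback pattern `%{GREEDYDATA:alert}` on L15915 always matches, so an unparsable Snort line never gets `_grokparsefailure` and silently becomes an alert whose text is the whole message — consider dropping that fallback or tagging the event when only it matched. Also, `priority` is captured as a string by the grok on the non-suricata path and is not in the `convert` list on L15959-L15965, so `[priority] == 1` on L15967 may never be true for those events; adding `convert => [ "priority", "integer" ]` and checking a sample alert would settle it.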
diff --git a/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+ if [type] == "syslog" {
+ # This drops syslog messages regarding license messages. You may want to comment it out.
+ #if [message] =~ "license" {
+ # drop { }
+ #}
+ mutate {
+ #convert => [ "status_code", "integer" ]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/2000_network_flow.conf b/salt/logstash/conf/pipelines/search/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "sflow" {
+ if [message] =~ /CNTR/ {
+ drop { }
+ }
+
+ grok {
+ match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+ }
+
+ if "_grokparsefailure" in [tags] {
+ drop { }
+ }
+
+ mutate {
+ add_field => {
+ "[source_hostname]" => "%{source_ip}"
+ "[destination_hostname]" => "%{destination_ip}"
+ "[sflow_source_hostname]" => "%{sflow_source_ip}"
+ }
+ }
+
+ translate {
+ field => "[source_port]"
+ destination => "[source_service]"
+ dictionary_path => "/lib/dictionaries/iana_services.yaml"
+ }
+
+ translate {
+ field => "[destination_port]"
+ destination => "[destination_service]"
+ dictionary_path => "/lib/dictionaries/iana_services.yaml"
+ }
+
+ translate {
+ field => "[protocol]"
+ destination => "[protocol_name]"
+ dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+ }
+
+ translate {
+ field => "[tcp_flags]"
+ destination => "[tcp_flag]"
+ dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+ }
+
+ mutate {
+ add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+ }
+ mutate {
+ #add_tag => [ "conf_file_2000"]
+ }
+ }
+}
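Review bot: `if "_grokparsefailure" in [tags] { drop { } }` on L16041-L16043 silently discards every sflow record the single grok on L16038 cannot parse, so a format change at the collector produces no error, no tagged event and no evidence — just a gap in the data. Keeping the event (the tag already marks it) or routing it to a dead-letter index preserves the signal that parsing broke. The four `translate` filters on L16053-L16075 point at absolute `dictionary_path` files under `/lib/dictionaries/` that this hunk does not ship, and a missing dictionary fails the whole search pipeline at startup; if another state in this commit installs them, a comment naming that state here would save the next reader a search.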
diff --git a/salt/logstash/conf/pipelines/search/6002_syslog.conf b/salt/logstash/conf/pipelines/search/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+ if "syslog" in [tags] {
+ mutate {
+ #convert => [ "status_code", "integer" ]
+ #add_tag => [ "conf_file_6002"]
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "brocade" {
+ grok {
+ match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+ }
+ grok {
+ match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+ add_field => [ "received_at", "%{@timestamp}" ]
+ }
+ if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+ grok {
+ match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+ }
+ mutate {
+ add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+ }
+ }
+ date {
+ match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+ timezone => "America/Chicago"
+ remove_field => "syslog_timestamp"
+ remove_field => "received_at"
+ }
+ mutate {
+ #add_tag => [ "conf_file_6101"]
+ }
+ }
+}
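Review bot: The `date` filter at the end hardcodes `timezone => "America/Chicago"` for every brocade device, so a switch logging in any other zone gets its `@timestamp` shifted by hours, which breaks time-based correlation with the other sources in this pipeline; make it pillar-driven or at minimum state the assumption with `# NOTE: assumes every brocade device logs in America/Chicago local time`. `SYSLOGTIMESTAMP` carries no year, so the filter has to infer one; around the year boundary a December timestamp received in January can be assigned the wrong year, which is worth a comment. The first `grok` (`<%{DATA}>%{GREEDYDATA:sys_message}`) has no `tag_on_failure` override, so a message without a PRI header leaves `sys_message` unset and the second grok fails as well; guarding the second grok with `if [sys_message]` keeps the failure attributable to one stage.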
diff --git a/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "fortinet" {
+ mutate {
+ gsub => [ "message", "= ", "=NA " ]
+ }
+
+ grok {
+ match => ["message", "type=%{DATA:event_type}\s+"]
+ tag_on_failure => []
+ }
+ grok {
+ match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+ tag_on_failure => []
+ }
+ kv {
+ source => "kv"
+ exclude_keys => [ "type" ]
+ }
+ mutate {
+ gsub => [ "log", "= ", "=NA " ]
+ }
+ kv {
+ source => "log"
+ target => "SubLog"
+ }
+ grok {
+ match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+ tag_on_failure => [ "" ]
+ }
+ mutate {
+ rename => { "action" => "action" }
+ rename => { "addr" => "addr_ip" }
+ rename => { "age" => "age" }
+ rename => { "assigned" => "assigned_ip" }
+ rename => { "assignip" => "assign_ip" }
+ rename => { "ap" => "access_point" }
+ rename => { "app" => "application" }
+ rename => { "appcat" => "application_category" }
+ rename => { "applist" => "application_list" }
+ rename => { "apprisk" => "application_risk" }
+ rename => { "approfile" => "accessPoint_profile" }
+ rename => { "apscan" => "access_point_scan" }
+ rename => { "apstatus" => "acces_point_status" }
+ rename => { "aptype" => "access_point_type" }
+ rename => { "authproto" => "authentication_protocol" }
+ rename => { "bandwidth" => "bandwidth" }
+ rename => { "banned_src" => "banned_source" }
+ rename => { "cat" => "category" }
+ rename => { "catdesc" => "category_description" }
+ rename => { "cfgattr" => "configuration_attribute" }
+ rename => { "cfgobj" => "configuration_object" }
+ rename => { "cfgpath" => "configuration_path" }
+ rename => { "cfgtid" => "configuration_transaction_id" }
+ rename => { "channel" => "channel" }
+ rename => { "community" => "community" }
+ rename => { "cookies" => "cookies" }
+ rename => { "craction" => "cr_action" }
+ rename => { "crlevel" => "cr_level" }
+ rename => { "crscore" => "cr_score" }
+ rename => { "datarange" => "data_range" }
+ rename => { "desc" => "description" }
+ rename => { "detectionmethod" => "detection_method" }
+ rename => { "devid" => "device_id" }
+ rename => { "devname" => "device_name" }
+ rename => { "devtype" => "device_type" }
+ rename => { "dhcp_msg" => "dhcp_message" }
+ rename => { "disklograte" => "disk_lograte" }
+ rename => { "dstcountry" => "destination_country" }
+ rename => { "dstintf" => "destination_interface" }
+ rename => { "dstip" => "destination_ip" }
+ rename => { "dstport" => "destination_port" }
+ rename => { "duration" => "elapsed_time" }
+ rename => { "error_num" => "error_number" }
+ rename => { "espauth" => "esp_authentication" }
+ rename => { "esptransform" => "esp_transform" }
+ rename => { "eventid" => "event_id" }
+ rename => { "eventtype" => "event_type" }
+ rename => { "fazlograte" => "faz_lograte" }
+ rename => { "filename" => "file_name" }
+ rename => { "filesize" => "file_size" }
+ rename => { "filetype" => "file_type" }
+ rename => { "hostname" => "hostname" }
+ rename => { "ip" => "source_ip" }
+ rename => { "localip" => "source_ip" }
+ rename => { "locip" => "local_ip" }
+ rename => { "locport" => "source_port" }
+ rename => { "logid" => "log_id" }
+ rename => { "logver" => "log_version" }
+ rename => { "manuf" => "manufacturer" }
+ rename => { "mem" => "memory" }
+ rename => { "meshmode" => "mesh_mode" }
+ rename => { "msg" => "message" }
+ rename => { "nextstat" => "next_stat" }
+ rename => { "onwire" => "on_wire" }
+ rename => { "osname" => "os_name" }
+ rename => { "osversion" => "unauthenticated_user" }
+ rename => { "outintf" => "outbound_interface" }
+ rename => { "peer_notif" => "peer_notification" }
+ rename => { "phase2_name" => "phase2_name" }
+ rename => { "policyid" => "policy_id" }
+ rename => { "policytype" => "policy_type" }
+ rename => { "port" => "port" }
+ rename => { "probeproto" => "probe_protocol" }
+ rename => { "proto" => "protocol_number" }
+ rename => { "radioband" => "radio_band" }
+ rename => { "radioidclosest" => "radio_id_closest" }
+ rename => { "radioiddetected" => "radio_id_detected" }
+ rename => { "rcvd" => "bytes_received" }
+ rename => { "rcvdbyte" => "bytes_received" }
+ rename => { "rcvdpkt" => "packets_received" }
+ rename => { "remip" => "destination_ip" }
+ rename => { "remport" => "remote_port" }
+ rename => { "reqtype" => "request_type" }
+ rename => { "scantime" => "scan_time" }
+ rename => { "securitymode" => "security_mode" }
+ rename => { "sent" => "bytes_sent" }
+ rename => { "sentbyte" => "bytes_sent" }
+ rename => { "sentpkt" => "packets_sent" }
+ rename => { "session_id" => "session_id" }
+ rename => { "setuprate" => "setup_rate" }
+ rename => { "sn" => "serial" }
+ rename => { "snclosest" => "serial_closest_access_point" }
+ rename => { "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+ rename => { "snmeshparent" => "serial_mesh_parent" }
+ rename => { "srccountry" => "source_country" }
+ rename => { "srcip" => "source_ip" }
+ rename => { "srcmac" => "source_mac" }
+ rename => { "srcname" => "source_name" }
+ rename => { "srcintf" => "source_interface" }
+ rename => { "srcport" => "source_port" }
+ rename => { "stacount" => "station_count" }
+ rename => { "stamac" => "static_mac" }
+ rename => { "srccountry" => "source_country" }
+ rename => { "srcip" => "source_ip" }
+ rename => { "srcmac" => "source_mac" }
+ rename => { "srcname" => "source_name" }
+ rename => { "sn" => "serial" }
+ rename => { "srcintf" => "source_interface" }
+ rename => { "srcport" => "source_port" }
+ rename => { "total" => "total_bytes" }
+ rename => { "totalsession" => "total_sessions" }
+ rename => { "trandisp" => "nat_translation_type" }
+ rename => { "tranip" => "nat_destination_ip" }
+ rename => { "tranport" => "nat_destination_port" }
+ rename => { "transip" => "nat_source_ip" }
+ rename => { "transport" => "nat_source_port" }
+ rename => { "tunnelid" => "tunnel_id" }
+ rename => { "tunnelip" => "tunnel_ip" }
+ rename => { "tunneltype" => "tunnel_type" }
+ rename => { "unauthuser" => "unauthenticated_user_source" }
+ rename => { "unauthusersource" => "os_version" }
+ rename => { "vendorurl" => "vendor_url" }
+ rename => { "vpntunnel" => "vpn_tunnel" }
+ rename => { "vulncat" => "vulnerability_category" }
+ rename => { "vulncmt" => "vulnerability_count" }
+ rename => { "vulnid" => "vulnerability_id" }
+ rename => { "vulnname" => "vulnerability_name" }
+ rename => { "vulnref" => "vulnerability_reference" }
+ rename => { "vulnscore" => "vulnerability_score" }
+ rename => { "xauthgroup" => "x_authentication_group" }
+ rename => { "xauthuser" => "x_authentication_user" }
+ rename => { "[SubLog][appid]" => "sub_application_id" }
+ rename => { "[SubLog][devid]" => "sub_device_id" }
+ rename => { "[SubLog][dstip]" => "sub_destination_ip" }
+ rename => { "[SubLog][srcip]" => "sub_source_ip" }
+ rename => { "[SubLog][dstport]" => "sub_destination_port" }
+ rename => { "[SubLog][eventtype]" => "sub_event_type" }
+ rename => { "[SubLog][proto]" => "sub_protocol_number" }
+ rename => { "[SubLog][date]" => "sub_date" }
+ rename => { "[SubLog][time]" => "sub_time" }
+ rename => { "[SubLog][srcport]" => "sub_source_port" }
+ rename => { "[SubLog][subtype]" => "sub_subtype" }
+ rename => { "[SubLog][devname]" => "sub_device_name" }
+ rename => { "[SubLog][itime]" => "sub_itime" }
+ rename => { "[SubLog][level]" => "sub_level" }
+ rename => { "[SubLog][logid]" => "sub_log_id" }
+ rename => { "[SubLog][logver]" => "sub_log_version" }
+ rename => { "[SubLog][type]" => "sub_event_type" }
+ rename => { "[SubLog][vd]" => "sub_vd" }
+ rename => { "[SubLog][action]" => "sub_action" }
+ rename => { "[SubLog][logdesc]" => "sub_destination_ip" }
+ rename => { "[SubLog][policyid]" => "sub_olicy_id" }
+ rename => { "[SubLog][reason]" => "sub_reason" }
+ rename => { "[SubLog][service]" => "sub_service" }
+ rename => { "[SubLog][sessionid]" => "sub_session_id" }
+ rename => { "[SubLog][src]" => "sub_source_ip" }
+ rename => { "[SubLog][status]" => "sub_status" }
+ rename => { "[SubLog][ui]" => "sub_ui" }
+ rename => { "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+ strip => [ "bytes_sent", "bytes_received" ]
+ convert => [ "bytes_sent", "integer" ]
+ convert => [ "bytes_received", "integer" ]
+ convert => [ "cr_score", "integer" ]
+ convert => [ "cr_action", "integer" ]
+ convert => [ "elapsed_time", "integer" ]
+ convert => [ "destination_port", "integer" ]
+ convert => [ "source_port", "integer" ]
+ convert => [ "local_port", "integer" ]
+ convert => [ "remote_port", "integer" ]
+ convert => [ "packets_sent", "integer" ]
+ convert => [ "packets_received", "integer" ]
+ convert => [ "port", "integer" ]
+ convert => [ "ProtocolNumber", "integer" ]
+ convert => [ "XAuthUser", "string" ]
+ remove_field => [ "kv", "log" ]
+ }
+ if [tunnel_ip] == "N/A" {
+ mutate {
+ remove_field => [ "tunnel_ip" ]
+ }
+ }
+ if [nat_destination_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+ add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+ }
+ }
+ if [sub_destination_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+ add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+ }
+ }
+ if [nat_source_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{nat_source_ip}" ] }
+ add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+ }
+ }
+ if [sub_source_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{sub_source_ip}" ] }
+ add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+ }
+ }
+ if [addr_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{addr_ip}" ] }
+ }
+ }
+ if [assign_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{assign_ip}" ] }
+ }
+ }
+ if [assigned_ip] {
+ mutate {
+ add_field => { "ips" => [ "%{assigned_ip}" ] }
+ }
+ }
+ grok {
+ match => ["message", "type=%{DATA:event_type}\s+"]
+ }
+ if [date] and [time] {
+ mutate {
+ add_field => { "receive_time" => "%{date} %{time}" }
+ remove_field => [ "date", "time" ]
+ }
+ date {
+ timezone => "America/Chicago"
+ match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+ target => "receive_time"
+ }
+ mutate {
+ rename => { "receive_time" => "@timestamp" }
+ }
+ } else {
+ mutate {
+ add_tag => [ "missing_date" ]
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_6200"]
+ }
+ }
+}
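Review bot: Several entries in the large `rename` block put data into the wrong field: `osversion` is renamed to `unauthenticated_user`, `unauthuser` to `unauthenticated_user_source`, `unauthusersource` to `os_version`, and `[SubLog][logdesc]` (a free-text description) lands in `sub_destination_ip`, so an analyst pivoting on destination IP or user name is searching polluted fields. The `convert` entries for `ProtocolNumber` and `XAuthUser` reference names that no longer exist after the renames (`protocol_number`, `x_authentication_user`), so they are silent no-ops, and `local_port` is converted although `locport` is renamed to `source_port`, not `local_port`. Renaming `msg` to `message` appears to overwrite the raw log line before the second `type=` grok near the end runs against `message`, so events carrying a `msg` key may lose the original line and fail that grok; a distinct target such as `event_message` avoids the clobber. The duplicated `srccountry`/`srcip`/`srcmac`/`srcname`/`sn`/`srcintf`/`srcport` renames and the `sub_olicy_id` typo are harmless but should be cleaned up in the same pass.
```logstash
      rename => { "msg" => "event_message" }
      # … unchanged: other rename entries …
      rename => { "osversion" => "os_version" }
      # … unchanged …
      rename => { "unauthuser" => "unauthenticated_user" }
      rename => { "unauthusersource" => "unauthenticated_user_source" }
      # … unchanged: SubLog renames …
      rename => { "[SubLog][logdesc]" => "sub_log_description" }
      rename => { "[SubLog][policyid]" => "sub_policy_id" }
      # … unchanged: strip / other converts …
      convert => [ "protocol_number", "integer" ]
      convert => [ "x_authentication_user", "string" ]
```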
diff --git a/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..acd08eba0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
@@ -0,0 +1,56 @@
+# Author: Wes Lambert
+# Updated by: Doug Burks
+
+filter {
+ if [type] == "filterlog" {
+ dissect {
+ mapping => {
+ "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
+ }
+ }
+ if [ip_version] == "4" {
+ dissect {
+ mapping => {
+ "sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+ }
+ }
+ }
+ if [ip_version] == "6" {
+ dissect {
+ mapping => {
+ "sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+ }
+ }
+ }
+ if [protocol] == "tcp" {
+ dissect {
+ mapping => {
+ "ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
+ }
+ }
+ }
+ if [protocol] == "udp" {
+ dissect {
+ mapping => {
+ "ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
+ }
+ }
+ }
+ if [protocol] == "Options" {
+ mutate {
+ copy => { "ip_sub_msg" => "options" }
+ }
+ mutate {
+ split => { "options" => "," }
+ }
+ }
+ mutate {
+ convert => [ "destination_port", "integer" ]
+ convert => [ "source_port", "integer" ]
+ convert => [ "ip_version", "integer" ]
+ replace => { "type" => "firewall" }
+ add_tag => [ "pfsense","firewall" ]
+ remove_field => [ "sub_msg", "ip_sub_msg" ]
+ }
+ }
+}
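Review bot: None of the `dissect` stages handle `_dissectfailure`, yet the final `mutate` unconditionally rewrites `type` to `firewall` and adds the `pfsense`/`firewall` tags, so a malformed or truncated filterlog line is indexed as a firewall event with no `source_ip`/`action` fields and nothing marking it as unparsed. Wrapping that mutate in `if "_dissectfailure" not in [tags] { ... }`, with an `else` branch that adds a tag such as `pfsense_parse_failure`, keeps broken lines visible to a hunter instead of blending them into the firewall index. The tcp mapping ends with a literal `,` after `%{tcp_flags}`; I believe dissect then discards the remainder of `ip_sub_msg` (sequence, ack, window, urg, options in the filterlog format), which is fine if intentional but deserves a comment like `# remaining TCP fields (seq, ack, window, urg, options) intentionally not parsed`.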
diff --git a/salt/logstash/conf/pipelines/search/6300_windows.conf b/salt/logstash/conf/pipelines/search/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "windows" {
+# json {
+# source => "message"
+# }
+ date {
+ match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+ remove_field => [ "EventTime" ]
+ }
+ if [EventID] == 4634 {
+ mutate {
+ add_tag => [ "logoff" ]
+ }
+ }
+ if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+ mutate {
+ add_tag => [ "logon" ]
+ add_tag => [ "alert_data" ]
+ }
+ }
+ if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+ mutate {
+ add_tag => [ "logon_failure" ]
+ add_tag => [ "alert_data" ]
+ }
+ }
+ # Critical event IDs to monitor
+ if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+ mutate {
+ add_tag => [ "alert_data" ]
+ }
+ }
+ # Critical event IDs to monitor
+ if [EventID] == 5152 { drop {} }
+ if [EventID] == 4688 { drop {} }
+ if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+ if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+ if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+ if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+ # Whitelist/Blacklist check
+ if [EventID] == 7045 {
+ translate {
+ field => "ServiceName"
+ destination => "ServiceCheck"
+ dictionary_path => "/lib/dictionaries/services.yaml"
+ }
+ }
+ if [EventID] == 7045 and !([ServiceCheck]) {
+ mutate {
+ add_tag => [ "alert_data","new_service" ]
+ }
+ }
+ if [ServiceCheck] == 'whitelist' {
+ mutate {
+ remove_field => [ "ServiceCheck" ]
+ add_tag => [ "whitelist" ]
+ }
+ }
+ if [ServiceCheck] == 'blacklist' {
+ mutate {
+ remove_field => [ "ServiceCheck" ]
+ add_tag => [ "blacklist" ]
+ }
+ }
+ if [EventID] == 5158 {
+ if [Application] == "System" { drop {} }
+ if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+ if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+ if [Application] =~ "mcafee" { drop {} }
+ if [Application] =~ "carestream" { drop {} }
+ if [Application] =~ "Softdent" { drop {} }
+ }
+ if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+ if [EventID] == 4690 { drop {} }
+ if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+ if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+ if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+ if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+ if [EventID] == 5447 { drop {} }
+
+ mutate {
+ rename => [ "AccountName", "user" ]
+ rename => [ "AccountType", "account_type" ]
+ rename => [ "ActivityID", "activity_id" ]
+ rename => [ "Category", "category" ]
+ rename => [ "ClientAddress", "client_ip" ]
+ rename => [ "Channel", "channel" ]
+ rename => [ "DCIPAddress", "domain_controller_ip" ]
+ rename => [ "DCName", "domain_controller_name" ]
+ rename => [ "EventID", "event_id" ]
+ rename => [ "EventReceivedTime", "event_received_time" ]
+ rename => [ "EventType", "event_type" ]
+ rename => [ "GatewayIPAddress", "gateway_ip" ]
+ rename => [ "IPAddress", "client_ip" ]
+ rename => [ "Ipaddress", "client_ip" ]
+ rename => [ "IpAddress", "client_ip" ]
+ rename => [ "IPPort", "source_port" ]
+ rename => [ "OpcodeValue", "opcode_value" ]
+ rename => [ "PreAuthType", "preauthentication_type" ]
+ rename => [ "PrincipleSAMName", "user" ]
+ rename => [ "ProcessID", "process_id" ]
+ rename => [ "ProviderGUID", "providerguid" ]
+ rename => [ "RecordNumber", "record_number" ]
+ rename => [ "RemoteAddress", "destination_ip" ]
+ rename => [ "ServiceName", "service_name" ]
+ rename => [ "ServiceID", "service_id" ]
+ rename => [ "SeverityValue", "severity_value" ]
+ rename => [ "SourceAddress", "client_ip" ]
+ rename => [ "SourceModuleName", "source_module_name" ]
+ rename => [ "SourceModuleType", "source_module_type" ]
+ rename => [ "SourceName", "source_name" ]
+ rename => [ "SubjectUserName", "user" ]
+ rename => [ "TaskName", "task_name" ]
+ rename => [ "TargetDomainName", "target_domain_name" ]
+ rename => [ "TargetUserName", "user" ]
+ rename => [ "ThreadID", "thread_id" ]
+ rename => [ "User_ID", "user" ]
+ rename => [ "UserID", "user" ]
+ rename => [ "username", "user" ]
+ }
+ # For any accounts that are service accounts or special accounts add the tag of service_account
+ # This example applies the tag to any username that starts with SVC_. If you use a different
+ # standard change this.
+ if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+ mutate {
+ add_tag => [ "service_account" ]
+ }
+ }
+ # This looks for events that are typically noisy but may be of use for deep dive investigations
+ # A tag of noise is added to quickly filter out noise
+ if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+ mutate {
+ add_tag => [ "noise" ]
+ }
+ }
+ #Identify machine accounts
+ if [user] =~ /\$/ {
+ mutate {
+ add_tag => [ "machine", "noise" ]
+ }
+ }
+ # Lower case all field names
+ ruby {
+ code => "
+ event_hash = event.to_hash
+ new_event = {}
+ event_hash.keys.each do |key|
+ new_event[key.downcase] = event[key]
+ end
+ event.instance_variable_set(:@data, new_event)"
+ }
+ mutate {
+ #add_tag => [ "conf_file_6300"]
+ }
+ }
+}
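Review bot: The unconditional `if [EventID] == 4688 { drop {} }` discards Windows process-creation events for every host on the assumption that Sysmon covers them; any endpoint without Sysmon loses process telemetry entirely, so this should be gated on a pillar flag or at least documented as `# 4688 dropped: assumes Sysmon Event ID 1 is deployed on every endpoint`. The `5158` drop list and the `SolarwindsHO`/`carestream`/`Softdent`/`mcafee` matches look like allowlists from the original author's environment; shipping them as defaults silently suppresses events in deployments that never reviewed them, and they belong in a per-site dictionary or pillar value. The regexes `^DWM-*` and `^SVC_*` match zero or more trailing `-`/`_` with no end anchor, so any user beginning with `DWM` or `SVC` is tagged `service_account`; `^DWM-` and `^SVC_` are presumably what was meant. The final `ruby` block uses `event[key]` and `event.instance_variable_set(:@data, ...)`, which is the legacy Event API; on Logstash releases that removed it this raises and tags every windows event `_rubyexception`, so the lowercase step should be rewritten with `event.get`/`event.set`/`event.remove` — worth confirming against the Logstash version in the image.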
diff --git a/salt/logstash/conf/pipelines/search/6301_dns_windows.conf b/salt/logstash/conf/pipelines/search/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [type] == "dns" and "bro" not in [tags] {
+ json {
+ source => "message"
+ }
+ # strip whitespace from message field
+ mutate {
+ strip => "message"
+ }
+ # If the message is blank, drop the log
+ if [Message] =~ /^$/ {
+ drop { }
+ } else {
+ if [type] == "dns" {
+ # This section is lookup for a match against the log and parsing out the fields
+ grok {
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+ remove_field => [ "Message" ]
+ }
+ # This section attempts to convert the dns_domain into the traditional domain.com format
+ mutate {
+ gsub => [ "dns_domain", "(\(\d+\))", "." ]
+ }
+ grok {
+ match => { "dns_domain" => "\.%{DATA:query}\.$" }
+ remove_field => [ "dns_domain" ]
+ }
+ }
+ }
+ mutate {
+ #add_tag => [ "conf_file_6301"]
+ }
+ }
+}
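Review bot: Every `grok` pattern opens with `(?%{DATE_US} ...` or `(?%{YEAR}...`, a named group with no name, which is not valid regex syntax and would prevent the filter from compiling and the pipeline from starting; if the committed file actually reads `(?<timestamp>%{DATE_US} ...)` and the `<timestamp>` was lost in rendering this is a non-issue, but it should be confirmed, and even then the captured timestamp is never passed to a `date` filter so `@timestamp` remains ingest time. The `mutate { strip => "message" }` and the `if [Message] =~ /^$/` test act on differently-cased fields (`message` vs `Message`), so the strip does not affect the emptiness check it appears to support. Nine patterns that all end in `%{GREEDYDATA:dns_domain}` are tried in order for every DNS line; a comment such as `# patterns ordered most-common format first; Server 2003 (no AM/PM) last` would make the list maintainable and explain the ordering to the next editor.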
diff --git a/salt/logstash/conf/pipelines/search/6400_suricata.conf b/salt/logstash/conf/pipelines/search/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+ if [type] == "suricata" {
+ if "test_data" not in [tags] {
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ } else {
+ mutate {
+ remove_field => [ "netflow.start","netflow.end","timestamp" ]
+ }
+ }
+ if [event_type] == "fileinfo" {
+ ruby {
+ code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
+ }
+ }
+ # I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
+ mutate {
+ rename => [ "src_ip", "source_ip" ]
+ rename => [ "dest_ip", "destination_ip" ]
+ rename => [ "src_port", "source_port" ]
+ rename => [ "dest_port", "destination_port" ]
+ }
+ # This will translate the alert.severity field into a severity field of either High, Medium, or Low
+ if [event_type] == "alert" {
+ if [alert][severity] == 1 {
+ mutate {
+ add_field => { "severity" => "High" }
+ }
+ }
+ if [alert][severity] == 2 {
+ mutate {
+ add_field => { "severity" => "Medium" }
+ }
+ }
+ if [alert][severity] == 3 {
+ mutate {
+ add_field => { "severity" => "Low" }
+ }
+ }
+ # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+ if [alert][signature] =~ "GPL " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Snort GPL" }
+ lowercase => [ "category" ]
+ }
+ }
+ # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+ if [alert][signature] =~ "ET " {
+ # This will parse out the category type from the alert
+ grok {
+ match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+ }
+ # This will store the category
+ mutate {
+ add_field => { "rule_type" => "Emerging Threats" }
+ lowercase => [ "category" ]
+ }
+ }
+ # This section adds URLs to lookup information about a rule online
+ if [rule_type] == "Snort GPL" {
+ mutate {
+ add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+ }
+ }
+ if [rule_type] == "Emerging Threats" {
+ mutate {
+ add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+ }
+ }
+ }
+ if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+ # mutate {
+ # remove_field => [ "message" ]
+ # }
+ }
+ mutate {
+ #add_tag => [ "conf_file_6400"]
+ }
+ }
+}
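Review bot: The classifiers `[alert][signature] =~ "GPL "` and `=~ "ET "` are unanchored substring matches, so a signature containing `ET ` mid-string (for example the word `TARGET ` followed by a space) is classified as Emerging Threats, and if both patterns match the second `add_field` turns `rule_type` into an array; anchoring with `=~ /^GPL /` and `=~ /^ET /` fixes both. The Emerging Threats `signature_info` link uses plain `http://`; `https://doc.emergingthreats.net/%{[alert][signature_id]}` avoids sending the signature ID in cleartext when an analyst clicks through. The fileinfo `ruby` block uses the legacy `event['...']` accessor, which newer Logstash releases removed and which would then tag every fileinfo event `_rubyexception`; `event.set('[fileinfo][type]', event.get('[fileinfo][magic]').to_s.split(',')[0])` is the supported form — confirm against the Logstash version in use.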
diff --git a/salt/logstash/conf/pipelines/search/6500_ossec.conf b/salt/logstash/conf/pipelines/search/6500_ossec.conf
new file mode 100644
index 000000000..292fea49b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6500_ossec.conf
@@ -0,0 +1,160 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/19/2018
+#
+# This conf file is based on accepting logs from OSSEC
+
+filter {
+ # OSSEC Alerts
+ if [type] == "ossec" {
+
+ # Sysmon/Autoruns logs transported by OSSEC
+ if [message] =~ "Microsoft-Windows-Sysmon" {
+ mutate {
+ replace => { "type" => "sysmon" }
+ add_tag => [ "ossec" ]
+ }
+ }
+ if [message] =~ "AR-LOG" {
+ mutate {
+ replace => { "type" => "autoruns" }
+ add_tag => [ "ossec" ]
+ }
+ }
+
+ # If message looks like json, try to parse it as such. Otherwise, grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+ mutate {
+ rename => { "rule" => "wazuh-rule" }
+ rename => { "[wazuh-rule][level]" => "alert_level" }
+ rename => { "[wazuh-rule][description]" => "description" }
+ rename => { "[data][srcuser]" => "username" }
+ rename => { "[data][dstuser]" => "escalated_user" }
+ rename => { "[data][command]" => "command" }
+ rename => { "[predecoder][program_name]" => "process" }
+
+ }
+ # Wazuh 3.8.2
+ if [data][EventChannel] {
+ mutate {
+ rename => { "[data][EventChannel][EventData][User]" => "username" }
+ rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+ rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+ rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+ rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+ rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+ rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+ rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+ }
+ }
+ # Wazuh 3.9.2
+ if [data][win] {
+ mutate {
+ rename => { "[data][win][eventdata][user]" => "username" }
+ rename => { "[data][win][system][eventID]" => "event_id" }
+ rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+ rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+ rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+ rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+ rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+ rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+ }
+ }
+ } else {
+ grok {
+ match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
+ "message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+ "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+ }
+ }
+
+ # Add tag for OSSEC alerts
+ if [alert_level] {
+ mutate {
+ add_tag => [ "alert" ]
+ }
+ }
+
+ translate {
+ field => "alert_level"
+
+ destination => "classification"
+
+ dictionary => [
+ "1", "None",
+ "2", "System low priority notification",
+ "3", "Successful/authorized event",
+ "4", "System low priority error",
+ "5", "User generated error",
+ "6", "Low relevance attack",
+ "7", '"Bad word" matching',
+ "8", "First time seen",
+ "9", "Error from invalid source",
+ "10", "Multiple user generated errors",
+ "11", "Integrity checking warning",
+ "12", "High importance event",
+ "13", "Unusal error (high importance)",
+ "14", "High importance security event",
+ "15", "Severe attack"
+ ]
+ }
+ }
+
+ # OSSEC Archive Logs
+ if [type] == "ossec_archive" {
+
+ # Sysmon/Autoruns logs transported by OSSEC
+ if [message] =~ "Microsoft-Windows-Sysmon" {
+ mutate {
+ replace => { "type" => "sysmon" }
+ add_tag => [ "ossec" ]
+ }
+ }
+ if [message] =~ "AR-LOG" {
+ mutate {
+ replace => { "type" => "autoruns" }
+ add_tag => [ "ossec" ]
+ }
+ }
+
+ # If message looks like json, try to parse it as such. Otherwise, grok.
+ if [message] =~ /^{.*}$/ {
+ json {
+ source => "message"
+ }
+ mutate {
+ rename => [ "rule", "wazuh-rule" ]
+ rename => [ "[wazuh-rule][level]", "alert_level" ]
+ rename => [ "[wazuh-rule][description]", "description" ]
+ rename => [ "[data][srcuser]", "username" ]
+ rename => [ "[data][dstuser]", "escalated_user" ]
+ rename => [ "[data][command]", "command" ]
+ rename => [ "[predecoder][program_name]", "process" ]
+ }
+ } else {
+ grok {
+ match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+ "message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
+ "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+ "message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
+ "message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+ remove_field => [ "ossec_timestamp" ]
+ }
+ mutate {
+ convert => [ "status_code", "integer" ]
+ }
+ }
+ }
+}
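Review bot: The first grok pattern at L16883 uses `%{NONNEGINT;alert_level}` (semicolon instead of colon), so that pattern is very likely not compiled as a capture and the `user: +%{DATA:username};` form it alone covers falls through to the catch-all `%{GREEDYDATA:details}` pattern at L16894, losing `username`; change it to `%{NONNEGINT:alert_level}`. The pattern at L16892 names its captures `alert_Level`, `Rule` and `Description`, unlike every other pattern, so those events get differently-cased fields and never satisfy the `if [alert_level]` tag at L16899 or the `translate` on `alert_level` at L16905; align the names with the others. The dictionary value at L16923 misspells "Unusual" ("Unusal"), which will surface verbatim in the `classification` field. The `json` filter at L16842 parses agent-supplied content with no `_jsonparsefailure` handling, so a malformed message still reaches the rename chain at L16845 with the original string in place; guarding the renames with `if "_jsonparsefailure" not in [tags]` keeps the failure visible rather than half-processed.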
diff --git a/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..6ebf10487
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
@@ -0,0 +1,118 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+ # OSSEC Logs and Alerts
+ if [type] == "sysmon" or "sysmon" in [tags] {
+ if [message] !~ /^{.*}$/ {
+ #mutate { replace => { "type" => "sysmon" } }
+ grok {
+ # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+ match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+ }
+ mutate {
+ convert => ["event_id", "integer"]
+ remove_field => ["timestamp"]
+ remove_field => ["year"]
+ }
+ if [event_id] == 1 {
+ grok {
+ match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+ "rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+ "rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ add_tag => ["process_creation"]
+ }
+ }
+ if [event_id] == 3 {
+ mutate {
+ remove_field => ["source_ip"]
+ }
+ grok {
+ match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ convert => ["source_port", "integer"]
+ convert => ["destination_port", "integer"]
+ add_tag => ["network_connection"]
+ }
+ }
+ if [event_id] == 5 {
+ grok {
+ match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ add_tag => ["process_termination"]
+ }
+ }
+ if [event_id] == 11 {
+ grok {
+ match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+ }
+ mutate {
+ convert => ["process_guid", "integer"]
+ convert => ["process_id", "integer"]
+ add_tag => ["file_created"]
+ }
+ }
+ mutate {
+ remove_field => ["rest_of_msg"]
+ }
+ } else {
+ mutate {
+ rename => { "[data][srcuser]" => "username" }
+ rename => { "[data][id]" => "event_id" }
+ rename => { "[data][dstport]" => "destination_port" }
+ rename => { "[data][dstip]" => "destination_ip" }
+ rename => { "[data][srcip]" => "source_ip" }
+ rename => { "[data][sysmon][image]" => "image_path" }
+ rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
+ rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+ rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
+ rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
+ }
+ # Wazuh 3.8.2
+ if [data][EventChannel] {
+ mutate {
+ rename => { "[data][EventChannel][EventData][User]" => "username" }
+ rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+ rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+ rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+ rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+ rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+ rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
+ rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
+ rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
+ rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+ rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+ }
+ }
+ # Wazuh 3.9.2
+ if [data][win] {
+ mutate {
+ rename => { "[data][win][eventdata][user]" => "username" }
+ rename => { "[data][win][system][eventID]" => "event_id" }
+ rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+ rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+ rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+ rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+ rename => { "[data][win][eventdata][image]" => "image_path" }
+ rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
+ rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
+ rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+ rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+ }
+ }
+ }
+ }
+}
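Review bot: `convert => ["process_guid", "integer"]` at L17009 (and again at L17022, L17034 and L17044) is applied to a value the grok at L17004 captures from a `{...}` GUID, which is not numeric; depending on the mutate plugin version this either zeroes the field or logs a conversion warning per event, so the line should be removed while the `process_id` conversions stay. The third pattern at L17006 re-captures `%{INT:event_id}` although `event_id` was already extracted and converted at L16995/L16998, which can turn `event_id` into a two-element array and break the `== 1` comparison at L17002; drop that capture or use a different field name. The JSON branch at L17052 renames `[data][id]` to `event_id` but, unlike the non-JSON branch, never converts it to integer, so the comparisons are presumably string-vs-integer there; a `convert => ["event_id", "integer"]` after the renames would make both paths consistent.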
diff --git a/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..5d7207891
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
@@ -0,0 +1,43 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Updated by: Dustin Lee
+# Last Update: 06/13/2019
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+ if [type] == "autoruns" or "autoruns" in [tags] {
+ if [message] !~ /^{.*}$/ {
+ grok {
+ match => [
+ "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+ "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+ ]
+ }
+ #csv {
+# columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+# separator => "|"
+# }
+ mutate {
+ remove_field => [ "year" ]
+ remove_field => [ "timestamp" ]
+ }
+ } else {
+ grok {
+ match => [
+ "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+ "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+ ]
+ }
+ mutate {
+ # Rename fields
+ }
+ }
+ date {
+ match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
+ target => "image_timestamp"
+ }
+ }
+}
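Review bot: The two grok patterns at L17120 and L17121 are byte-identical, so the second adds nothing; by analogy with the `full_log` pair at L17135/L17136, the second was presumably meant to omit the `%{DATA:image_timestamp}\|` segment for records without an image timestamp, and as written those records produce `_grokparsefailure`. The `date` filter at L17143 runs on every event in the block, so any event without `image_timestamp` (including all the `full_log` matches of L17136) is tagged `_dateparsefailure`; wrap it in `if [image_timestamp] { ... }`. The `mutate` at L17139 contains only a comment and is a no-op; remove it or fill in the renames it refers to. Because the parsed fields (`md5`, `sha1`, `sha256`, `imphash`, `image_path`) feed detection content downstream, losing whole records to a grok failure is a gap worth a test fixture for both line shapes.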
diff --git a/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
new file mode 100644
index 000000000..200b58497
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/24/2018
+#
+# This conf file is based on accepting Sysmon logs from winlogbeat
+
+filter {
+ if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
+ mutate {
+ replace => { "type" => "sysmon" }
+ rename => { "[event_data][User]" => "username" }
+ rename => { "[event_data][DestinationPort]" => "destination_port" }
+ rename => { "[event_data][DestinationIp]" => "destination_ip" }
+ rename => { "[event_data][SourceIp]" => "source_ip" }
+ rename => { "[event_data][Image]" => "image_path" }
+ rename => { "[event_data][ParentImage]" => "parent_image_path" }
+ rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+ rename => { "[event_data][SourceHostname]" => "source_hostname" }
+ rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
+ rename => { "[event_data][TargetFilename]" => "target_filename" }
+ }
+ }
+}
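Review bot: The rename at L17171 targets `[data][sysmon][targetfilename]`, which is the OSSEC/Wazuh JSON field layout seen in 6501_ossec_sysmon.conf, not winlogbeat's `event_data` layout used by every other rename in this block; L17174 already renames `[event_data][TargetFilename]` to the same `target_filename`, so L17171 looks like a copy-paste leftover and should be removed. If it is intentionally kept for some mixed source, a comment such as `# fallback for events relayed through Wazuh` would stop the next reader from deleting it.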
diff --git a/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
new file mode 100644
index 000000000..222757956
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
@@ -0,0 +1,17 @@
+# Author: Doug Burks
+#
+# Last Update: 09/24/2018
+#
+# This conf file is for beat data
+
+filter {
+ if "beat" in [tags] {
+ mutate {
+ # As of beats 6.3.0, host is now an object:
+ # https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
+ # This creates a conflict with our existing host string.
+ # So let's rename the host object to beat_host.
+ rename => { "host" => "beat_host" }
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+ if "osquery" in [tags] and [osquery][columns][eventid] {
+
+ mutate {
+ gsub => ["[osquery][columns][data]", "\\x0A", ""]
+ }
+
+ json {
+ source => "[osquery][columns][data]"
+ target => "[osquery][columns][data]"
+ }
+
+ mutate {
+ merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+ remove_field => ["[osquery][columns][data]"]
+ }
+
+ }
+}
\ No newline at end of file
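Review bot: The `merge` at L17224 runs even when the `json` filter at L17218 failed, in which case `[osquery][columns][data]` is still the original endpoint-supplied string and the event carries `_jsonparsefailure`; merging a string into the `[osquery][columns]` hash is not a meaningful operation and at best silently drops the data. Guard the second mutate with `if "_jsonparsefailure" not in [tags] { ... }` so a malformed payload stays intact and visibly tagged for triage instead of being removed by `remove_field`. The `gsub` at L17215 is written as `"\\x0A"`, which inside a double-quoted Logstash string becomes the regex `\x0A` (a real newline); if the intent was to strip the literal four-character sequence `\x0A` that osquery emits in escaped event data, the pattern needs a further level of escaping — worth confirming against a sample event and documenting in a comment either way.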
diff --git a/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+ if [source_ip] {
+ if [source_ip] == "-" {
+ mutate {
+ replace => { "source_ip" => "0.0.0.0" }
+ }
+ }
+ if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+ mutate {
+ }
+ } else {
+ geoip {
+ source => "[source_ip]"
+ target => "source_geo"
+ }
+ }
+ if [source_ip] {
+ mutate {
+ add_field => { "ips" => "%{source_ip}" }
+ add_field => { "source_ips" => [ "%{source_ip}" ] }
+ }
+ }
+ }
+ if [destination_ip] {
+ if [destination_ip] == "-" {
+ mutate {
+ replace => { "destination_ip" => "0.0.0.0" }
+ }
+ }
+ if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+ mutate {
+ }
+ }
+ else {
+ geoip {
+ source => "[destination_ip]"
+ target => "destination_geo"
+ }
+ }
+ }
+ if [destination_ip] {
+ mutate {
+ add_field => { "ips" => "%{destination_ip}" }
+ add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+ }
+ }
+}
+ #if [source_ip] or [destination_ip] {
+ # mutate {
+ #add_tag => [ "conf_file_8001"]
+ # }
+ #}
+
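Review bot: The private-range tests at L17249 and L17271 are unanchored regexes, so `"10\."` also matches `110.2.3.4` or `5.10.1.1`, `"::1"` matches any IPv6 address containing `::1`, and `"239.255.255.250"`/`"255.255.255.255"` have unescaped dots; as a result geoip enrichment is skipped for many public addresses, which weakens every downstream geo-based detection. Anchor the patterns, e.g. `[source_ip] =~ "^10\."`, `[source_ip] =~ "^192\.168\."`, `[source_ip] =~ "^172\.(1[6-9]|2[0-9]|3[01])\."`, and use `==` for the single literal addresses. The same unanchored patterns drive the `internal_*`/`external_*` tags at L17341 and L17365 of 8200_postprocess_tagging.conf, where misclassifying a public address as internal also suppresses the `root_dns_server` check. `fe80::20c:29ff:fe19:f7d` at L17249/L17271 is a single host's link-local address rather than a range and looks like an environment-specific leftover; either generalise it to `^fe80:` or drop it. The empty `mutate { }` blocks at L17250 and L17272 are no-ops; inverting the condition (`if !( ... ) { geoip { ... } }`) removes them.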
diff --git a/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+ if [type] == "bro_http" {
+ if [uri] {
+ ruby {
+ code => "event.set('uri_length', event.get('uri').length)"
+ }
+ }
+ if [virtual_host] {
+ ruby {
+ code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+ }
+ }
+ if [useragent] {
+ ruby {
+ code => "event.set('useragent_length', event.get('useragent').length)"
+ }
+ }
+ mutate {
+ ##add_tag => [ "conf_file_8007"]
+ }
+ }
+}
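Review bot: The `mutate` at L17323 contains only a commented-out `add_tag` and is a no-op that still costs a filter invocation per event; the same placeholder pattern appears at L17387, L17415, L17475, L17511, L17542 and L17577, and all of them can be deleted. The three `ruby` filters at L17309–L17322 call `.length` on whatever `event.get` returns; if any of `uri`, `virtual_host` or `useragent` arrives as an array (repeated header values), the result is an element count rather than a character count, which would skew length-based anomaly detection — worth a comment stating the scalar assumption, e.g. `# assumes uri is a single string; arrays yield element count`.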
diff --git a/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..e698b3ce3
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
@@ -0,0 +1,63 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [destination_ip] {
+ if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+ mutate {
+ add_tag => [ "internal_destination" ]
+ }
+ } else {
+ mutate {
+ add_tag => [ "external_destination" ]
+ }
+ }
+ if "internal_destination" not in [tags] {
+ if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+ mutate {
+ add_tag => [ "root_dns_server" ]
+ }
+ }
+ }
+ # Customize this section to your environment
+ if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+ mutate {
+ add_tag => [ "authorized_dns_server" ]
+ }
+ }
+ }
+ if [source_ip] {
+ if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+ mutate {
+ add_tag => [ "internal_source" ]
+ }
+ } else {
+ mutate {
+ add_tag => [ "external_source" ]
+ }
+ }
+ if "internal_source" not in [tags] {
+ if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+ mutate {
+ add_tag => [ "root_dns_server" ]
+ }
+ }
+ }
+ # Customize this section to your environment
+ if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+ mutate {
+ add_tag => [ "authorized_dns_server" ]
+ }
+ }
+ mutate {
+ ##add_tag => [ "conf_file_8200"]
+ }
+ }
+ if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
+ mutate {
+ remove_tag => [ "syslog" ]
+ }
+ }
+}
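Review bot: The "authorized_dns_server" block at L17382 sits inside `if [source_ip]` but tests `[destination_ip]`, duplicating L17358 rather than mirroring it; by symmetry with the `root_dns_server` check at L17375 it presumably should read `if [source_ip] == "74.40.74.40" or [source_ip] == "74.40.74.41" {`, and the redundant `and "authorized_dns_server" not in [tags]` clauses can go since `add_tag` does not duplicate an existing tag. As written, that line also mixes `and`/`or` without parentheses, and Logstash's conditional grammar does not document operator precedence, so the current expression should at minimum be parenthesised. The root-server list at L17351/L17375 is hard-coded; I believe B-root (`192.228.79.201`) was renumbered in 2017, so a comment with the source and date of the list would help keep it maintainable.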
diff --git a/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ ruby {
+ code => "event.set('task_end', Time.now.to_f)"
+ }
+ ruby {
+ code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+ }
+ mutate {
+ remove_field => [ 'task_start', 'task_end' ]
+ }
+ mutate {
+ #add_tag => [ "conf_file_8998"]
+ }
+}
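Review bot: The subtraction at L17413 assumes `task_start` is present; where it is set is outside this file, and for any event that bypassed that filter `event.get('task_start')` is nil, the Ruby code raises, and the event is tagged `_rubyexception` while `logstash_time` is never set. Wrap the second ruby filter in `if [task_start] { ... }` (or compute both timestamps in one ruby block with a nil check) so missing timing data degrades to a missing field rather than an exception per event.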
diff --git a/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+ mutate {
+ rename => [ "type", "event_type" ]
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
new file mode 100644
index 000000000..ede940367
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
@@ -0,0 +1,14 @@
+{%- if grains.role == 'so-heavynode' %}
+{%- set master = salt['pillar.get']('node:mainip', '') %}
+{%- else %}
+{%- set master = salt['pillar.get']('static:masterip', '') %}
+{% endif -%}
+input {
+ redis {
+ host => '{{ master }}'
+ data_type => 'list'
+ key => 'logstash:unparsed'
+ type => 'redis-input'
+ # threads => 1
+ }
+}
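Review bot: The `redis` input at L17448 connects with neither `password` nor `ssl`, so the `logstash:unparsed` queue is reachable by anything that can reach the Redis port, and the raw event stream crosses the network unencrypted; if the Redis service is not bound to a host-local or firewalled interface, at least a pillar-sourced `password =>` should be added here and the trust assumption stated in a comment such as `# Redis is expected to listen only on the management network`. The `master` lookups at L17443 and L17445 default to `''`, which renders `host => ''` and fails at startup with an unhelpful error; a comment noting that the pillar key is required, or a Jinja check that raises when it is empty, would make the misconfiguration obvious.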
diff --git a/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
new file mode 100644
index 000000000..553500281
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
@@ -0,0 +1,31 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9000"]
+ }
+ }
+}
+output {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ pipeline => "%{event_type}"
+ hosts => "{{ ES }}"
+ index => "logstash-bro-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
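Review bot: `template_name => "logstash"` with `template_overwrite => true` at L17487–L17489 and `template_name => "logstash-*"` with the same file and overwrite at L17553–L17555 of 9002_output_import.conf install the same `/logstash-template.json` under two different template names, while 9001 and 9004 load it without `template_name` or overwrite; pick one name and use it consistently so the outputs do not race to overwrite each other on startup. `pipeline => "%{event_type}"` at L17484 sends the literal string `%{event_type}` as the ingest pipeline name when the field is absent, which Elasticsearch rejects; guard it with `if [event_type]` or give the sprintf a fallback. The `ES` lookup at L17463/L17465 defaults to `''`, rendering an empty `hosts`; and the output carries no `user`/`password` or `ssl`, so the trust assumption that Elasticsearch is only reachable on a protected interface should be stated in a comment.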
diff --git a/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9001"]
+ }
+ }
+}
+output {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-switch-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+ if "import" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9002"]
+ }
+ }
+}
+output {
+ if "import" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-import-%{+YYYY.MM.dd}"
+ template_name => "logstash-*"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
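Review bot: `template_name => "logstash-*"` names the Elasticsearch index template itself, not an index pattern, so this output installs a second template called `logstash-*` loaded from the same `/logstash-template.json` that the bro, ids, syslog and firewall outputs install under the name `logstash` with `template_overwrite => true`. Two templates with the same body (and therefore, presumably, the same `index_patterns` and `order`) both match every `logstash-*` index and are merged in an order Elasticsearch does not guarantee, which makes mapping changes hard to reason about and leaves a stale copy behind whenever only one of them is refreshed. Use the same name as the siblings: `template_name => "logstash"`.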
diff --git a/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9004"]
+ }
+ }
+}
+output {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-flow-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9026"]
+ }
+ }
+}
+output {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
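Review bot: This output sets no `index =>`, so DHCP events land in Logstash's default `logstash-%{+YYYY.MM.dd}` index instead of a per-source index like the other outputs in this commit (`logstash-switch-*`, `logstash-flow-*`, `logstash-ids-*`); the esxi, greensql, iis and mcafee outputs have the same omission, and the dns_windows output spells the default name out explicitly. Mixing sources in the catch-all index defeats per-source retention (curator/ILM) and any index-pattern-scoped access control, and makes it hard to tell a mis-tagged event from an intentionally routed one. If the grouping is not deliberate, add `index => "logstash-dhcp-%{+YYYY.MM.dd}"` here and the corresponding line in each sibling.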
diff --git a/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9029"]
+ }
+ }
+}
+output {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9030"]
+ }
+ }
+}
+output {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9031"]
+ }
+ }
+}
+output {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9032"]
+ }
+ }
+}
+output {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "ids" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9033"]
+ }
+ }
+}
+output {
+ if [event_type] == "ids" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9034"]
+ }
+ }
+}
+output {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-syslog-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
new file mode 100644
index 000000000..e95119562
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+ if "osquery" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-osquery-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
\ No newline at end of file
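Review bot: The `if "osquery" in [tags]` condition lacks the `"test_data" not in [tags]` exclusion every other output in this commit applies, so any synthetic or replayed events tagged `test_data` would be indexed into `logstash-osquery-*` alongside production host telemetry, where they can fire alerts or pollute baselines; the beats output has the same gap. Unless osquery test data is meant to be kept, change the condition to `if "osquery" in [tags] and "test_data" not in [tags] {`. The file also has no trailing newline, which can matter when pipeline fragments are concatenated; add one.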
diff --git a/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9200"]
+ }
+ }
+}
+output {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-firewall-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9300"]
+ }
+ }
+}
+output {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-windows-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9301"]
+ }
+ }
+}
+output {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
new file mode 100644
index 000000000..4bffd7f0a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9400"]
+ }
+ }
+}
+output {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+ if "beat" in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9500"]
+ }
+ }
+}
+output {
+ if "beat" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-beats-%{+YYYY.MM.dd}"
+ template_name => "logstash-beats"
+ template => "/beats-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+ if [event_type] =~ "ossec" {
+ mutate {
+ ##add_tag => [ "conf_file_9600"]
+ }
+ }
+}
+
+output {
+ if [event_type] =~ "ossec" or "ossec" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ossec-%{+YYYY.MM.dd}"
+ template_name => "logstash-ossec"
+ template => "/logstash-ossec-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/defaults.yml b/salt/logstash/defaults.yml
new file mode 100644
index 000000000..ba6d19534
--- /dev/null
+++ b/salt/logstash/defaults.yml
@@ -0,0 +1,6 @@
+logstash:
+ pipelines:
+ master:
+ config: "/usr/share/logstash/pipelines/master/*.conf"
+ search:
+ config: "/usr/share/logstash/pipelines/search/*.conf"
diff --git a/salt/logstash/etc/beats-template.json b/salt/logstash/etc/beats-template.json
new file mode 100644
index 000000000..0e831aa52
--- /dev/null
+++ b/salt/logstash/etc/beats-template.json
@@ -0,0 +1,1292 @@
+{
+ "index_patterns": [
+ "logstash-beats-*"
+ ],
+ "mappings": {
+ "doc": {
+ "_meta": {
+ "version": "6.1.3"
+ },
+ "date_detection": false,
+ "dynamic_templates": [
+ {
+ "fields": {
+ "mapping": {
+ "type": "keyword"
+ },
+ "match_mapping_type": "string",
+ "path_match": "fields.*"
+ }
+ },
+ {
+ "docker.container.labels": {
+ "mapping": {
+ "type": "keyword"
+ },
+ "match_mapping_type": "string",
+ "path_match": "docker.container.labels.*"
+ }
+ },
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "event_data": {
+ "type":"object",
+ "dynamic": true
+ },
+ "beat_host": {
+ "type":"object",
+ "dynamic": true
+ },
+ "activity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "beat": {
+ "properties": {
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "username":{
+ "type":"text",
+ "fields": {
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "computer_name": {
+ "type": "text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "docker": {
+ "properties": {
+ "container": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "image": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "labels": {
+ "type": "object"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "error": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "event_id": {
+ "type": "long"
+ },
+ "fields": {
+ "type": "object"
+ },
+ "keywords": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kubernetes": {
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "container": {
+ "properties": {
+ "image": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "labels": {
+ "type": "object"
+ },
+ "namespace": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pod": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "message_error": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "meta": {
+ "properties": {
+ "cloud": {
+ "properties": {
+ "availability_zone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "instance_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "instance_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "machine_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "provider": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "region": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "opcode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "process_id": {
+ "type": "long"
+ },
+ "provider_guid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "record_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "related_activity_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "task": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "thread_id": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "properties": {
+ "domain": {
+ "type": "keyword"
+ },
+ "identifier": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword"
+ }
+ }
+ },
+ "user_data": {
+ "type": "object",
+ "dynamic": "true"
+ },
+ "version": {
+ "type": "keyword"
+ },
+ "xml": {
+ "norms": false,
+ "type": "text"
+ },
+ "apache2": {
+ "properties": {
+ "access": {
+ "properties": {
+ "agent": {
+ "norms": false,
+ "type": "text"
+ },
+ "body_sent": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ },
+ "geoip": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "http_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "response_code": {
+ "type": "long"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_agent": {
+ "properties": {
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_major": {
+ "type": "long"
+ },
+ "os_minor": {
+ "type": "long"
+ },
+ "os_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "patch": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "error": {
+ "properties": {
+ "client": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "code": {
+ "type": "long"
+ },
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "tid": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "auditd": {
+ "properties": {
+ "log": {
+ "properties": {
+ "a0": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "acct": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geoip": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "item": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "items": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "new_auid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "new_ses": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old_auid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "old_ses": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ppid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "record_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "res": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sequence": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "fileset": {
+ "properties": {
+ "module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "icinga": {
+ "properties": {
+ "debug": {
+ "properties": {
+ "facility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "main": {
+ "properties": {
+ "facility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "startup": {
+ "properties": {
+ "facility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "kafka": {
+ "properties": {
+ "log": {
+ "properties": {
+ "class": {
+ "norms": false,
+ "type": "text"
+ },
+ "component": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "timestamp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trace": {
+ "properties": {
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "norms": false,
+ "type": "text"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "logstash": {
+ "properties": {
+ "log": {
+ "properties": {
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_event": {
+ "type": "object"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "thread": {
+ "norms": false,
+ "type": "text"
+ }
+ }
+ },
+ "slowlog": {
+ "properties": {
+ "event": {
+ "norms": false,
+ "type": "text"
+ },
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "module": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "plugin_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "plugin_params": {
+ "norms": false,
+ "type": "text"
+ },
+ "plugin_params_object": {
+ "type": "object"
+ },
+ "plugin_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "thread": {
+ "norms": false,
+ "type": "text"
+ },
+ "took_in_millis": {
+ "type": "long"
+ },
+ "took_in_nanos": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "mysql": {
+ "properties": {
+ "error": {
+ "properties": {
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "thread_id": {
+ "type": "long"
+ },
+ "timestamp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "slowlog": {
+ "properties": {
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "type": "long"
+ },
+ "ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "lock_time": {
+ "properties": {
+ "sec": {
+ "type": "float"
+ }
+ }
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query_time": {
+ "properties": {
+ "sec": {
+ "type": "float"
+ }
+ }
+ },
+ "rows_examined": {
+ "type": "long"
+ },
+ "rows_sent": {
+ "type": "long"
+ },
+ "timestamp": {
+ "type": "long"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "nginx": {
+ "properties": {
+ "access": {
+ "properties": {
+ "agent": {
+ "norms": false,
+ "type": "text"
+ },
+ "body_sent": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ },
+ "geoip": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "http_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "response_code": {
+ "type": "long"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_agent": {
+ "properties": {
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_major": {
+ "type": "long"
+ },
+ "os_minor": {
+ "type": "long"
+ },
+ "os_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "patch": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "error": {
+ "properties": {
+ "connection_id": {
+ "type": "long"
+ },
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "tid": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "offset": {
+ "type": "long"
+ },
+ "postgresql": {
+ "properties": {
+ "log": {
+ "properties": {
+ "database": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "type": "float"
+ },
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "thread_id": {
+ "type": "long"
+ },
+ "timestamp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timezone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "prospector": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "read_timestamp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "redis": {
+ "properties": {
+ "log": {
+ "properties": {
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "norms": false,
+ "type": "text"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "role": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "slowlog": {
+ "properties": {
+ "args": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cmd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "properties": {
+ "us": {
+ "type": "long"
+ }
+ }
+ },
+ "id": {
+ "type": "long"
+ },
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "stream": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "system": {
+ "properties": {
+ "auth": {
+ "properties": {
+ "groupadd": {
+ "properties": {
+ "gid": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "type": "long"
+ },
+ "program": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssh": {
+ "properties": {
+ "dropped_ip": {
+ "type": "ip"
+ },
+ "event": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "geoip": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "type": "long"
+ },
+ "signature": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "sudo": {
+ "properties": {
+ "command": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pwd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tty": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "timestamp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "useradd": {
+ "properties": {
+ "gid": {
+ "type": "long"
+ },
+ "home": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "shell": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "syslog": {
+ "properties": {
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "program": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timestamp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "traefik": {
+ "properties": {
+ "access": {
+ "properties": {
+ "agent": {
+ "norms": false,
+ "type": "text"
+ },
+ "backend_url": {
+ "norms": false,
+ "type": "text"
+ },
+ "body_sent": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ }
+ }
+ },
+ "frontend_name": {
+ "norms": false,
+ "type": "text"
+ },
+ "geoip": {
+ "properties": {
+ "city_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "continent_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "country_iso_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "location": {
+ "type": "geo_point"
+ },
+ "region_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "http_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request_count": {
+ "type": "long"
+ },
+ "response_code": {
+ "type": "long"
+ },
+ "url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_agent": {
+ "properties": {
+ "device": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "major": {
+ "type": "long"
+ },
+ "minor": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_major": {
+ "type": "long"
+ },
+ "os_minor": {
+ "type": "long"
+ },
+ "os_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "patch": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "order": 1,
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": 10000
+ }
+ },
+ "number_of_replicas": 0,
+ "number_of_shards": 1,
+ "refresh_interval": "30s"
+ }
+ }
+}
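Review bot: `"number_of_replicas": 0` in the `settings` block gives every `logstash-beats-*` index a single shard copy, so losing one data node or disk permanently loses that day's endpoint logs, which for a security data store is evidence loss rather than a mere availability hit. This is reasonable for the single-node eval role, but the value should be driven from pillar (as `mainip` already is in the output files) so multi-node deployments get at least one replica. Separately, `event_data`, `user_data` and `beat_host` are mapped `"dynamic": true`, so each day's field set and types are fixed by the first event that carries them; a later event with a different JSON type for the same `event_data.*` field would be rejected by Elasticsearch and dropped unless a dead-letter queue is configured, so it is worth confirming that winlogbeat emits these values with consistent types. The `total_fields.limit` of 10000 bounds mapping growth but does not cover that type-conflict case.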
diff --git a/salt/logstash/etc/logstash-ossec-template.json b/salt/logstash/etc/logstash-ossec-template.json
new file mode 100644
index 000000000..ab3a14a93
--- /dev/null
+++ b/salt/logstash/etc/logstash-ossec-template.json
@@ -0,0 +1,3494 @@
+{
+ "index_patterns": ["logstash-ossec*"],
+ "version":50001,
+ "order" : 1,
+ "settings":{
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": 10000
+ }
+ }
+ },
+ "number_of_replicas":0,
+ "number_of_shards":1,
+ "index.refresh_interval":"30s"
+ },
+ "mappings":{
+ "doc":{
+ "dynamic": false,
+ "date_detection": false,
+ "properties":{
+ "@timestamp":{
+ "type":"date"
+ },
+ "@version":{
+ "type":"keyword"
+ },
+ "geoip":{
+ "dynamic":true,
+ "properties":{
+ "ip":{
+ "type":"ip"
+ },
+ "location":{
+ "type":"geo_point"
+ },
+ "latitude":{
+ "type":"half_float"
+ },
+ "longitude":{
+ "type":"half_float"
+ }
+ }
+ },
+ "destination_geo":{
+ "dynamic":true,
+ "properties":{
+ "ip":{
+ "type":"ip"
+ },
+ "location":{
+ "type":"geo_point"
+ },
+ "latitude":{
+ "type":"half_float"
+ },
+ "longitude":{
+ "type":"half_float"
+ }
+ }
+ },
+ "source_geo":{
+ "dynamic":true,
+ "properties":{
+ "ip":{
+ "type":"ip"
+ },
+ "location":{
+ "type":"geo_point"
+ },
+ "latitude":{
+ "type":"half_float"
+ },
+ "longitude":{
+ "type":"half_float"
+ }
+ }
+ },
+ "signature_info":{
+ "type":"keyword"
+ },
+ "aa":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ack":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "action":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "additional_info":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "age":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "agent":{
+ "type":"object",
+ "dynamic": true
+ },
+ "alert":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "alert_level":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "analyzer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "answers":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "assigned_ip":{
+ "type":"ip",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "auth":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "authentication_attempts":{
+ "type":"long"
+ },
+ "authentication_method":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "authentication_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "basic_constraints":{
+ "type":"object",
+ "properties":{
+ "path_len": {
+ "type": "text"
+ }
+ }
+ },
+ "basic_constraints_ca":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "basic_constraints_path_length":{
+ "type":"long"
+ },
+ "bound_port":{
+ "type":"long"
+ },
+ "call_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "category":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cc":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_chain_count":{
+ "type":"long"
+ },
+ "certificate_chain_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_common_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_common_name_frequency_score":{
+ "type":"long"
+ },
+ "certificate_common_name_length":{
+ "type":"long"
+ },
+ "certificate_count":{
+ "type":"long"
+ },
+ "certificate_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_curve":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_exponent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_issuer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_key_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_key_length":{
+ "type":"long"
+ },
+ "certificate_key_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_locality":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_not_valid_after":{
+ "type":"date"
+ },
+ "certificate_not_valid_before":{
+ "type":"date"
+ },
+ "certificate_number_days_valid":{
+ "type":"long"
+ },
+ "certificate_organization":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_organization_unit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_permanent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_serial":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_serial_number":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_signing_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_state":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "checksum":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cipher":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cipher_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "class":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "classification":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_build":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_certificate_chain_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_certificate_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_certificate_fuid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_digital_product_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_issuer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_major_version":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_minor_version":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "community":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "company":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "compile_ts":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "compression_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "connect_info":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "connection_state":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "connection_state_description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "content_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cookie":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "creation_date":{
+ "type":"date"
+ },
+ "creation_time":{
+ "type":"date"
+ },
+ "current_directory":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "curve":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "data":{
+ "type":"object",
+ "dynamic": true
+ },
+ "data_channel_destination_ip":{
+ "type":"ip"
+ },
+ "data_channel_destination_port":{
+ "type":"long"
+ },
+ "data_channel_passive":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "data_channel_source_ip":{
+ "type":"ip"
+ },
+ "data_length":{
+ "type":"long"
+ },
+ "date":{
+ "type":"text"
+ },
+ "dcc_file_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "dcc_file_size":{
+ "type":"long"
+ },
+ "dcc_mime_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "decoder":{
+ "type":"object",
+ "dynamic": true
+ },
+ "depth":{
+ "type":"long"
+ },
+ "description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "desktop_height":{
+ "type":"long"
+ },
+ "desktop_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "desktop_width":{
+ "type":"long"
+ },
+ "dest_is_ipv6":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_city":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.city_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.continent_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.dma_code":{
+ "type":"long"
+ },
+ "destination_geo.ip":{
+ "type":"ip"
+ },
+ "destination_geo.latitude":{
+ "type":"long"
+ },
+ "destination_geo.location":{
+ "type":"geo_point"
+ },
+ "destination_geo.longitude":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.postal_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.region_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.country_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.region_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.timezone":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_hostname":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_ip":{
+ "type":"ip"
+ },
+ "destination_ips":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_latitude":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_longitude":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_port":{
+ "type":"long"
+ },
+ "destination_port_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_region":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "details":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "dir":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "direction":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "display_string":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "domain_age":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "domain_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "dropped":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "duration":{
+ "type":"long"
+ },
+ "valid_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "enabled":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "encryption_level":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "encryption_method":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "endpoint":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "entry":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "entry_location":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "error_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "escalated_user":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "established":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "event_id":{
+ "type":"long"
+ },
+ "event_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "event_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "exception":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "extracted":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "extracted_cutoff":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "facility":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fc_reply":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fc_request":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_ip":{
+ "type":"ip",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_mime_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_size":{
+ "type":"long"
+ },
+ "first_received":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "flow_label":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "forwardable":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "framed_addr":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "freq_virtual_host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "frequency_scores":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ftp_argument":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ftp_command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fuid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "full_log":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "function":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "geoip.ip":{
+ "type":"ip"
+ },
+ "geoip.latitude":{
+ "type":"long"
+ },
+ "geoip.location":{
+ "type":"geo_point"
+ },
+ "geoip.longitude":{
+ "type":"long"
+ },
+ "get_bulk_requests":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "get_requests":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "get_responses":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "gid":{
+ "type":"long"
+ },
+ "has_cert_table":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "has_debug_data":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "has_export_table":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "has_import_table":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "height":{
+ "type":"long"
+ },
+ "helo":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "highest_registered_domain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "highest_registered_domain_frequency_score":{
+ "type":"long"
+ },
+ "history":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hop_limit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "host_key":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "host_key_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hostname":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "iin":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "image_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "in_reply_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "indicator":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "indicator_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "info_code":{
+ "type":"long"
+ },
+ "info_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "initiated":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "integrity_level":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "interface":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ip_version":{
+ "type":"long"
+ },
+ "ipv4_ecn":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ips":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_flags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_offset":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_protocol_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_protocol_length":{
+ "type":"long"
+ },
+ "ipv4_tos":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_ttl":{
+ "type":"long"
+ },
+ "irc_command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "irc_username":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_64bit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_exe":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_orig":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_source_ipv6":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_webmail":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_common_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_common_name_frequency_score":{
+ "type":"long"
+ },
+ "issuer_common_name_length":{
+ "type":"long"
+ },
+ "issuer_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_distinguished_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_locality":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_organization":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_organization_frequency_score":{
+ "type":"long"
+ },
+ "issuer_organization_unit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_serial_number":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_state":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "kerberos_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "kex_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "keyboard_layout":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "last_alert":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "last_reply":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "launch_string":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "lease_time":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "length":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "local_orig":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "local_respond":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "location":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "log_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "log_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logged":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logon_guid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logon_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logstash_time":{
+ "type":"long"
+ },
+ "mac":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mac_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "machine":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mail_date":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mail_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "manager":{
+ "type":"object",
+ "dynamic": true
+ },
+ "matched":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "md5":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "message_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "method":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mimetype":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "missed_bytes":{
+ "type":"long"
+ },
+ "missing_bytes":{
+ "type":"long"
+ },
+ "msg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mysql_argument":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mysql_command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mysql_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "n":{
+ "type":"long"
+ },
+ "name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "named_pipe":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "native_file_system":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "next_protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "nick":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "note":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "notice":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ntlm_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "num_packets":{
+ "type":"long"
+ },
+ "object_size":{
+ "type":"long"
+ },
+ "operation":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "options":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "orig_filenames":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "orig_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "orig_mime_types":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "original_bytes":{
+ "type":"long"
+ },
+ "original_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "original_ip_bytes":{
+ "type":"long"
+ },
+ "original_packets":{
+ "type":"long"
+ },
+ "os":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ossec_agent_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ossec_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "overflow_bytes":{
+ "type":"long"
+ },
+ "p":{
+ "type":"long"
+ },
+ "parent_domain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_domain_frequency_score":{
+ "type":"long"
+ },
+ "parent_domain_length":{
+ "type":"long"
+ },
+ "parent_image_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_process_guid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_process_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_process_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "password":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "peer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "peer_description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "pesha1":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "pesha256":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "pid":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "port":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "predecoder":{
+ "type":"object",
+ "dynamic": true
+ },
+ "prev_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "priority":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process_arguments":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process_guid":{
+ "type":"long"
+ },
+ "process_id":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "profile":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "program":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "protocol_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "protocol_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "proxied":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "query":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "query_class":{
+ "type":"long"
+ },
+ "query_class_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "query_length":{
+ "type":"long"
+ },
+ "query_type":{
+ "type":"long"
+ },
+ "query_type_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ra":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rcode":{
+ "type":"long"
+ },
+ "rcode_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rd":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reason":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "recipient_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "referrer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rejected":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "remote_ip":{
+ "type":"ip"
+ },
+ "remote_location":{
+ "type":"object",
+ "properties":{
+ "country_code": {
+ "type": "text"
+ }
+ }
+ },
+ "renewable":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reply_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reply_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reply_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_body_len":{
+ "type":"long"
+ },
+ "request_body_length":{
+ "type":"long"
+ },
+ "request_from":{
+ "type":"text"
+ },
+ "request_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_port":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "requested_color_depth":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "requested_resource":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resp_filenames":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resp_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resp_mime_types":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "respond_bytes":{
+ "type":"long"
+ },
+ "respond_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "respond_ip_bytes":{
+ "type":"long"
+ },
+ "respond_packets":{
+ "type":"long"
+ },
+ "response":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "response_body_len":{
+ "type":"long"
+ },
+ "response_body_length":{
+ "type":"long"
+ },
+ "response_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "response_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "response_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "result":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resumed":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rev":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rig":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rows":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rtt":{
+ "type":"float",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "wazuh-rule":{
+ "type":"object",
+ "dynamic": true
+ },
+ "rule_number":{
+ "type":"long"
+ },
+ "rule_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "san_dns":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "second_received":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "section_names":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "security_protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "seen_bytes":{
+ "type":"long"
+ },
+ "seen_node":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "seen_where":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sensor_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "seq":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sequence_number":{
+ "type":"long"
+ },
+ "server":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_certificate_fuid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_certificate_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_major_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_minor_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_name_frequency_score":{
+ "type":"long"
+ },
+ "server_name_length":{
+ "type":"long"
+ },
+ "service":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "set_requests":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "severity":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sha1":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sha256":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "share_flag":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "share_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sid":{
+ "type":"long"
+ },
+ "signer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "site":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "size":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "software_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.city_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.continent_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.dma_code":{
+ "type":"long"
+ },
+ "source_geo.ip":{
+ "type":"ip"
+ },
+ "source_geo.latitude":{
+ "type":"long"
+ },
+ "source_geo.location":{
+ "type":"geo_point"
+ },
+ "source_geo.longitude":{
+ "type":"long"
+ },
+ "source_geo.postal_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.region_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.region_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.timezone":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_hostname":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_ip":{
+ "type":"ip"
+ },
+ "source_ips":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_port":{
+ "type":"long"
+ },
+ "source_port_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sources":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "status":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "status_code":{
+ "type":"long"
+ },
+ "status_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "status_msg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sub_msg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sub_rule_number":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "subdomain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "subdomain_frequency_score":{
+ "type":"long"
+ },
+ "subdomain_length":{
+ "type":"long"
+ },
+ "subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "subsystem":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "suppress_for":{
+ "type":"long"
+ },
+ "syscheck":{
+ "type":"object",
+ "dynamic": true
+ },
+ "syslog-facility":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-file_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-host_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-legacy_msghdr":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-pid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-priority":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-sourceip":{
+ "type":"ip"
+ },
+ "syslog-tags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sysmon_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "target_filename":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tc":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tcp_flags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "terminal_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "valid_till":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+
+ "timed_out":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_accessed":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_changed":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_created":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_modified":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tld.subdomain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tls":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "top_level_domain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "total_bytes":{
+ "type":"long"
+ },
+ "tracker_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "trans_depth":{
+ "type":"long"
+ },
+ "transaction_id":{
+ "type":"long"
+ },
+ "ttls":{
+ "type":"text"
+ },
+ "tty":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tunnel_parents":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tunnel_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "unparsed_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "up_since":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "urg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uri":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uri_length":{
+ "type":"long"
+ },
+ "username":{
+ "type":"text",
+ "fields": {
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "user_agent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "useragent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "useragent_length":{
+ "type":"long"
+ },
+ "uses_aslr":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uses_code_integrity":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uses_dep":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uses_seh":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "validation_status":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "value":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_additional_info":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_major":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_minor":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_minor2":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_minor3":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "virtual_host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "virtual_host_frequency_score":{
+ "type":"long"
+ },
+ "virtual_host_length":{
+ "type":"long"
+ },
+ "warning":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "width":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "window":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "x_originating_ip":{
+ "type":"ip"
+ },
+ "year":{
+ "type":"long"
+ },
+ "z":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/logstash/etc/logstash-template.json b/salt/logstash/etc/logstash-template.json
new file mode 100644
index 000000000..44e519842
--- /dev/null
+++ b/salt/logstash/etc/logstash-template.json
@@ -0,0 +1,3619 @@
+{
+ "index_patterns": ["logstash-ids-*", "logstash-firewall-*", "logstash-syslog-*", "logstash-bro-*", "logstash-import-*", "logstash-beats-*"],
+ "version":50001,
+ "order" : 0,
+ "settings":{
+ "number_of_replicas":0,
+ "number_of_shards":1,
+ "index.refresh_interval":"30s"
+ },
+ "mappings":{
+ "doc":{
+ "dynamic": false,
+ "date_detection": false,
+ "properties":{
+ "@timestamp":{
+ "type":"date"
+ },
+ "@version":{
+ "type":"keyword"
+ },
+ "geoip":{
+ "dynamic":true,
+ "properties":{
+ "ip":{
+ "type":"ip"
+ },
+ "location":{
+ "type":"geo_point"
+ },
+ "latitude":{
+ "type":"half_float"
+ },
+ "longitude":{
+ "type":"half_float"
+ }
+ }
+ },
+ "destination_geo":{
+ "dynamic":true,
+ "properties":{
+ "ip":{
+ "type":"ip"
+ },
+ "location":{
+ "type":"geo_point"
+ },
+ "latitude":{
+ "type":"half_float"
+ },
+ "longitude":{
+ "type":"half_float"
+ }
+ }
+ },
+ "source_geo":{
+ "dynamic":true,
+ "properties":{
+ "ip":{
+ "type":"ip"
+ },
+ "location":{
+ "type":"geo_point"
+ },
+ "latitude":{
+ "type":"half_float"
+ },
+ "longitude":{
+ "type":"half_float"
+ }
+ }
+ },
+ "signature_info":{
+ "type":"keyword"
+ },
+ "aa":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ack":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "action":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "additional_info":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "age":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "alert":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "alert_level":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "analyzer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "answers":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "assigned_ip":{
+ "type":"ip",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "auth":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "authentication_attempts":{
+ "type":"long"
+ },
+ "authentication_method":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "authentication_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "basic_constraints":{
+ "type":"object",
+ "properties":{
+ "path_len": {
+ "type": "text"
+ }
+ }
+ },
+ "basic_constraints_ca":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "basic_constraints_path_length":{
+ "type":"long"
+ },
+ "bound_port":{
+ "type":"long"
+ },
+ "call_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "category":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cc":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_chain_count":{
+ "type":"long"
+ },
+ "certificate_chain_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_common_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_common_name_frequency_score":{
+ "type":"long"
+ },
+ "certificate_common_name_length":{
+ "type":"long"
+ },
+ "certificate_count":{
+ "type":"long"
+ },
+ "certificate_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_curve":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_exponent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_issuer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_key_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_key_length":{
+ "type":"long"
+ },
+ "certificate_key_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_locality":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_not_valid_after":{
+ "type":"date"
+ },
+ "certificate_not_valid_before":{
+ "type":"date"
+ },
+ "certificate_number_days_valid":{
+ "type":"long"
+ },
+ "certificate_organization":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_organization_unit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_permanent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_serial":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_serial_number":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_signing_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_state":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "certificate_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "checksum":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cipher":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cipher_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "class":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "classification":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_build":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_certificate_chain_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_certificate_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_certificate_fuid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_digital_product_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_fqdn":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_issuer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_ip": {
+ "type":"ip",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_major_version":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_minor_version":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "client_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "community":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "company":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "compile_ts":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "compression_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "connect_info":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "connection_state":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "connection_state_description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "content_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "cookie":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "creation_date":{
+ "type":"date"
+ },
+ "creation_time":{
+ "type":"date"
+ },
+ "client_host_key_algorithms":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "current_directory":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "curve":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "data_channel_destination_ip":{
+ "type":"ip"
+ },
+ "data_channel_destination_port":{
+ "type":"long"
+ },
+ "data_channel_passive":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "data_channel_source_ip":{
+ "type":"ip"
+ },
+ "data_length":{
+ "type":"long"
+ },
+ "date":{
+ "type":"text"
+ },
+ "dcc_file_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "dcc_file_size":{
+ "type":"long"
+ },
+ "dcc_mime_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "depth":{
+ "type":"long"
+ },
+ "description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "desktop_height":{
+ "type":"long"
+ },
+ "desktop_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "desktop_width":{
+ "type":"long"
+ },
+ "dest_is_ipv6":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_city":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.city_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.continent_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.dma_code":{
+ "type":"long"
+ },
+ "destination_geo.ip":{
+ "type":"ip"
+ },
+ "destination_geo.latitude":{
+ "type":"long"
+ },
+ "destination_geo.location":{
+ "type":"geo_point"
+ },
+ "destination_geo.longitude":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.postal_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.region_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.country_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.region_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_geo.timezone":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_hostname":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_ip":{
+ "type":"ip"
+ },
+ "destination_ips":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_latitude":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_longitude":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_port":{
+ "type":"long"
+ },
+ "destination_port_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "destination_region":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "details":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "dir":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "direction":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "display_string":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "domain_age":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "domain_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "dropped":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "duration":{
+ "type":"long"
+ },
+ "valid_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "enabled":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "encryption_level":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "encryption_method":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "endpoint":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "entry":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "entry_location":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "error_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "escalated_user":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "established":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "event_id":{
+ "type":"long"
+ },
+ "event_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "event_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "exception":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "extracted":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "extracted_cutoff":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "facility":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fc_reply":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fc_request":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_ip":{
+ "type":"ip",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_mime_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "file_size":{
+ "type":"long"
+ },
+ "first_received":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "flow_label":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "forwardable":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "framed_addr":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "freq_virtual_host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "frequency_scores":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ftp_argument":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ftp_command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fuid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "function":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "geoip.ip":{
+ "type":"ip"
+ },
+ "geoip.latitude":{
+ "type":"long"
+ },
+ "geoip.location":{
+ "type":"geo_point"
+ },
+ "geoip.longitude":{
+ "type":"long"
+ },
+ "get_bulk_requests":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "get_requests":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "get_responses":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "gid":{
+ "type":"long"
+ },
+ "has_cert_table":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "has_debug_data":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "has_export_table":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "has_import_table":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hassh":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hassh_algorithms":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hassh_server":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hassh_server_algorithms":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hassh_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "height":{
+ "type":"long"
+ },
+ "helo":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "highest_registered_domain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "highest_registered_domain_frequency_score":{
+ "type":"long"
+ },
+ "history":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hop_limit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "host_key":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "host_key_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "hostname":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "iin":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "image_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "in_reply_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "indicator":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "indicator_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "info_code":{
+ "type":"long"
+ },
+ "info_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "initiated":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "integrity_level":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "interface":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ip_version":{
+ "type":"long"
+ },
+ "ipv4_ecn":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ips":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_flags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_offset":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_protocol_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_protocol_length":{
+ "type":"long"
+ },
+ "ipv4_tos":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ipv4_ttl":{
+ "type":"long"
+ },
+ "irc_command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "irc_username":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_64bit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_exe":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_orig":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_source_ipv6":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "is_webmail":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_common_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_common_name_frequency_score":{
+ "type":"long"
+ },
+ "issuer_common_name_length":{
+ "type":"long"
+ },
+ "issuer_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_distinguished_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_locality":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_organization":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_organization_frequency_score":{
+ "type":"long"
+ },
+ "issuer_organization_unit":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_serial_number":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "issuer_state":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ja3":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ja3s":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "kerberos_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "kex_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "keyboard_layout":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "last_alert":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "last_reply":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "launch_string":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "lease_time":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "length":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "local_orig":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "local_respond":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "location":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "log_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "log_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logged":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logon_guid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logon_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "logstash_time":{
+ "type":"long"
+ },
+ "mac":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mac_algorithm":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "machine":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mail_date":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mail_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "matched":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "md5":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "message_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "message_types":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "method":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mimetype":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "missed_bytes":{
+ "type":"long"
+ },
+ "missing_bytes":{
+ "type":"long"
+ },
+ "msg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mysql_argument":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mysql_command":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "mysql_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "n":{
+ "type":"long"
+ },
+ "name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "named_pipe":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "native_file_system":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "next_protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "nick":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "note":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "notice":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ntlm_success":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "num_packets":{
+ "type":"long"
+ },
+ "object_size":{
+ "type":"long"
+ },
+ "operation":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "options":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "orig_filenames":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "orig_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "orig_mime_types":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "original_bytes":{
+ "type":"long"
+ },
+ "original_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "original_ip_bytes":{
+ "type":"long"
+ },
+ "original_packets":{
+ "type":"long"
+ },
+ "os":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ossec_agent_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ossec_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "overflow_bytes":{
+ "type":"long"
+ },
+ "p":{
+ "type":"long"
+ },
+ "parent_domain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_domain_frequency_score":{
+ "type":"long"
+ },
+ "parent_domain_length":{
+ "type":"long"
+ },
+ "parent_image_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_process_guid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_process_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "parent_process_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "password":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "peer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "peer_description":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "pesha1":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "pesha256":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "pid":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "port":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "prev_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "priority":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process_arguments":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process_guid":{
+ "type":"long"
+ },
+ "process_id":{
+ "type":"long",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "process_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "profile":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "program":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "protocol_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "protocol_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "proxied":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "query":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "query_class":{
+ "type":"long"
+ },
+ "query_class_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "query_length":{
+ "type":"long"
+ },
+ "query_type":{
+ "type":"long"
+ },
+ "query_type_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "ra":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rcode":{
+ "type":"long"
+ },
+ "rcode_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rd":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reason":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "recipient_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "referrer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rejected":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "remote_ip":{
+ "type":"ip"
+ },
+ "remote_location":{
+ "type":"object",
+ "properties":{
+ "country_code": {
+ "type": "text"
+ }
+ }
+ },
+ "renewable":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reply_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reply_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "reply_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_body_len":{
+ "type":"long"
+ },
+ "request_body_length":{
+ "type":"long"
+ },
+ "request_from":{
+ "type":"text"
+ },
+ "request_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_port":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "request_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "requested_color_depth":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "requested_resource":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "requested_ip": {
+ "type":"ip",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resp_filenames":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resp_fuids":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resp_mime_types":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "respond_bytes":{
+ "type":"long"
+ },
+ "respond_country_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "respond_ip_bytes":{
+ "type":"long"
+ },
+ "respond_packets":{
+ "type":"long"
+ },
+ "response":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "response_body_len":{
+ "type":"long"
+ },
+ "response_body_length":{
+ "type":"long"
+ },
+ "response_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "response_path":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "response_to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "result":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "resumed":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rev":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rig":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rows":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rtt":{
+ "type":"float",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rule":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rule_number":{
+ "type":"long"
+ },
+ "rule_signature":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "rule_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "san_dns":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "second_received":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "section_names":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "security_protocol":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "seen_bytes":{
+ "type":"long"
+ },
+ "seen_node":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "seen_where":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sensor_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "seq":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sequence_number":{
+ "type":"long"
+ },
+ "server":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_certificate_fuid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_certificate_subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_dns_computer_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_ip": {
+ "type":"ip",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_major_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_minor_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_name_frequency_score":{
+ "type":"long"
+ },
+ "server_name_length":{
+ "type":"long"
+ },
+ "server_nb_computer_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_tree_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "service":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "set_requests":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "severity":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sha1":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sha256":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "share_flag":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "share_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sid":{
+ "type":"long"
+ },
+ "signer":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "site":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "size":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "software_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.city_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.continent_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.dma_code":{
+ "type":"long"
+ },
+ "source_geo.ip":{
+ "type":"ip"
+ },
+ "source_geo.latitude":{
+ "type":"long"
+ },
+ "source_geo.location":{
+ "type":"geo_point"
+ },
+ "source_geo.longitude":{
+ "type":"long"
+ },
+ "source_geo.postal_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.region_code":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.region_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_geo.timezone":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_hostname":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_ip":{
+ "type":"ip"
+ },
+ "source_ips":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "source_port":{
+ "type":"long"
+ },
+ "source_port_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sources":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "server_host_key_algorithms":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "status":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "status_code":{
+ "type":"long"
+ },
+ "status_message":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "status_msg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sub_msg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sub_rule_number":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "subdomain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "subdomain_frequency_score":{
+ "type":"long"
+ },
+ "subdomain_length":{
+ "type":"long"
+ },
+ "subject":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "subsystem":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "suppress_for":{
+ "type":"long"
+ },
+ "syslog-facility":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-file_name":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-host_from":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-legacy_msghdr":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-pid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-priority":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "syslog-sourceip":{
+ "type":"ip"
+ },
+ "syslog-tags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "sysmon_timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "target_filename":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tc":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tcp_flags":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "terminal_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "valid_till":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+
+ "timed_out":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_accessed":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_changed":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_created":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "times_modified":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "timestamp":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tld.subdomain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tls":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "to":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "top_level_domain":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "total_bytes":{
+ "type":"long"
+ },
+ "tracker_id":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "trans_depth":{
+ "type":"long"
+ },
+ "transaction_id":{
+ "type":"long"
+ },
+ "ttls":{
+ "type":"text"
+ },
+ "tty":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tunnel_parents":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "tunnel_type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "type":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uid":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "unparsed_version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "up_since":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "urg":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uri":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uri_length":{
+ "type":"long"
+ },
+ "username":{
+ "type":"text",
+ "fields": {
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "user_agent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "useragent":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "useragent_length":{
+ "type":"long"
+ },
+ "uses_aslr":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uses_code_integrity":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uses_dep":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "uses_seh":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "validation_status":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "value":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_additional_info":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_major":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_minor":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_minor2":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "version_minor3":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "virtual_host":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "virtual_host_frequency_score":{
+ "type":"long"
+ },
+ "virtual_host_length":{
+ "type":"long"
+ },
+ "warning":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "width":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "window":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "x_originating_ip":{
+ "type":"ip"
+ },
+ "year":{
+ "type":"long"
+ },
+ "z":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/logstash/files/custom/parsers/Drop.Your.Custom.Parsers.Here.conf b/salt/logstash/files/custom/parsers/Drop.Your.Custom.Parsers.Here.conf
new file mode 100644
index 000000000..6e9bbe36f
--- /dev/null
+++ b/salt/logstash/files/custom/parsers/Drop.Your.Custom.Parsers.Here.conf
@@ -0,0 +1,2 @@
+#
+#
diff --git a/salt/logstash/files/custom/templates/Drop.Your.Custom.Templates.Here.conf b/salt/logstash/files/custom/templates/Drop.Your.Custom.Templates.Here.conf
new file mode 100644
index 000000000..9ee9e27b5
--- /dev/null
+++ b/salt/logstash/files/custom/templates/Drop.Your.Custom.Templates.Here.conf
@@ -0,0 +1,2 @@
+# Reference /usr/share/logstash/pipeline.custom/templates/YOURTEMPLATE.json
+#
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
new file mode 100644
index 000000000..a7140f859
--- /dev/null
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -0,0 +1,23 @@
+input {
+ beats {
+ port => "5044"
+ ssl => false
+ ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+ ssl_certificate => "/usr/share/logstash/filebeat.crt"
+ ssl_key => "/usr/share/logstash/filebeat.key"
+ tags => [ "beat" ]
+ }
+}
+filter {
+ if [type] == "osquery" {
+ mutate {
+ rename => { "host" => "beat_host" }
+ remove_tag => ["beat"]
+ add_tag => ["osquery"]
+ }
+ json {
+ source => "message"
+ target => "osquery"
+ }
+ }
+}
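Review bot: The beats listener on port 5044 is started with `ssl => false`, so the `ssl_certificate_authorities`, `ssl_certificate` and `ssl_key` lines directly below it are dead configuration and every shipper connects in cleartext with no peer authentication. If this is meant for an eval/single-box deployment, a comment saying so would stop the next reader from assuming the CA pin is in effect; otherwise the fix is `ssl => true` together with `ssl_verify_mode => "force_peer"` so that only hosts holding a certificate signed by `/usr/share/filebeat/ca.crt` can submit events. The `port => "5044"` value is quoted where the sibling inputs in this commit use bare values; either is accepted, but one convention per directory reads better.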
diff --git a/salt/logstash/files/dynamic/0008_input_eval.conf b/salt/logstash/files/dynamic/0008_input_eval.conf
new file mode 100644
index 000000000..b02f9d516
--- /dev/null
+++ b/salt/logstash/files/dynamic/0008_input_eval.conf
@@ -0,0 +1,203 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+ file {
+ path => "/suricata/eve.json"
+ type => "ids"
+ add_field => { "engine" => "suricata" }
+ }
+ file {
+ path => "/nsm/bro/logs/current/conn*.log"
+ type => "bro_conn"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/dce_rpc*.log"
+ type => "bro_dce_rpc"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/dhcp*.log"
+ type => "bro_dhcp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/dnp3*.log"
+ type => "bro_dnp3"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/dns*.log"
+ type => "bro_dns"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/dpd*.log"
+ type => "bro_dpd"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/files*.log"
+ type => "bro_files"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/ftp*.log"
+ type => "bro_ftp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/http*.log"
+ type => "bro_http"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/intel*.log"
+ type => "bro_intel"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/irc*.log"
+ type => "bro_irc"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/kerberos*.log"
+ type => "bro_kerberos"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/modbus*.log"
+ type => "bro_modbus"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/mysql*.log"
+ type => "bro_mysql"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/notice*.log"
+ type => "bro_notice"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/ntlm*.log"
+ type => "bro_ntlm"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/pe*.log"
+ type => "bro_pe"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/radius*.log"
+ type => "bro_radius"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/rdp*.log"
+ type => "bro_rdp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/rfb*.log"
+ type => "bro_rfb"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/signatures*.log"
+ type => "bro_signatures"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/sip*.log"
+ type => "bro_sip"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/smb_files*.log"
+ type => "bro_smb_files"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/smb_mapping*.log"
+ type => "bro_smb_mapping"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/smtp*.log"
+ type => "bro_smtp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/snmp*.log"
+ type => "bro_snmp"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/socks*.log"
+ type => "bro_socks"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/software*.log"
+ type => "bro_software"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/ssh*.log"
+ type => "bro_ssh"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/ssl*.log"
+ type => "bro_ssl"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/syslog*.log"
+ type => "bro_syslog"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/tunnel*.log"
+ type => "bro_tunnels"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/weird*.log"
+ type => "bro_weird"
+ tags => ["bro"]
+ }
+ file {
+ path => "/nsm/bro/logs/current/x509*.log"
+ type => "bro_x509"
+ tags => ["bro"]
+ }
+ file {
+ path => "/wazuh/alerts/alerts.json"
+ type => "ossec"
+ }
+ file {
+ path => "/wazuh/archives/archive.json"
+ type => "ossec_archive"
+ }
+ file {
+ path => "/osquery/logs/result.log"
+ type => "osquery"
+ }
+ file {
+ path => "/strelka/strelka.log"
+ type => "strelka"
+ }
+}
+filter {
+ if "import" in [tags] {
+ mutate {
+ #add_tag => [ "conf_file_0007"]
+ }
+ }
+}
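Review bot: The trailing `filter` block is a no-op: the only option of its `mutate` is the commented-out `add_tag`, so the `"import" in [tags]` branch does nothing for every event. Either restore the tag (`add_tag => [ "conf_file_0008" ]`, note the comment still says 0007) or drop the block so readers do not search for a side effect that is not there. One naming inconsistency worth a look: the `tunnel*.log` input sets `type => "bro_tunnels"` while every other Bro input uses the singular log name (`bro_x509`, `bro_weird`); if a downstream pipeline is selected from this value, as the `pipeline => "%{event_type}"` line in 9000_output_bro.conf suggests, the plural form needs a matching pipeline.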
diff --git a/salt/logstash/files/dynamic/7100_osquery_wel.conf b/salt/logstash/files/dynamic/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/files/dynamic/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+ if "osquery" in [tags] and [osquery][columns][eventid] {
+
+ mutate {
+ gsub => ["[osquery][columns][data]", "\\x0A", ""]
+ }
+
+ json {
+ source => "[osquery][columns][data]"
+ target => "[osquery][columns][data]"
+ }
+
+ mutate {
+ merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+ remove_field => ["[osquery][columns][data]"]
+ }
+
+ }
+}
\ No newline at end of file
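Review bot: The header comment says the filter parses out the `EventData` column, but the code operates on `[osquery][columns][data]`; suggest rewording it to `# If the event is tagged osquery and has an eventid column, strip escaped newlines from the data column, decode it as JSON and merge the result into columns`. The `data` column is endpoint-supplied text: when it is not valid JSON the `json` filter tags the event `_jsonparsefailure` and leaves the field as a string, and the following `merge` then runs against that string rather than a hash — guarding the merge with `if "_jsonparsefailure" not in [tags]` (or setting `skip_on_invalid_json => true` and checking the field type) keeps malformed input from producing odd documents. I also believe a decoded key that collides with an existing column name (for example `eventid`) will silently overwrite one side during the merge; worth confirming and documenting which wins. The file is missing its trailing newline.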
diff --git a/salt/logstash/files/dynamic/9000_output_bro.conf b/salt/logstash/files/dynamic/9000_output_bro.conf
new file mode 100644
index 000000000..553500281
--- /dev/null
+++ b/salt/logstash/files/dynamic/9000_output_bro.conf
@@ -0,0 +1,31 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9000"]
+ }
+ }
+}
+output {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ pipeline => "%{event_type}"
+ hosts => "{{ ES }}"
+ index => "logstash-bro-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
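Review bot: Both `pillar.get` calls default to `''`, so on a minion where `master:mainip` / `node:mainip` is not set the template renders `hosts => ""` and the output silently points at nothing; the same preamble is repeated in 9001_output_switch.conf, 9002_output_import.conf, 9004_output_flow.conf and 9026_output_dhcp.conf. Failing the render is safer than an empty string, e.g. `{%- if not ES %}{{ raise('node:mainip (or master:mainip on so-eval) pillar is required') }}{%- endif %}` after the `endif` (Salt's Jinja exposes `raise()`; confirm for the Salt version in use). `pipeline => "%{event_type}"` has the same shape of problem: an event without `event_type` is sent to a pipeline literally named `%{event_type}`, which should be guarded or given a default. Note also that this file uses `template_name => "logstash"` while 9002_output_import.conf uses `template_name => "logstash-*"` for the same template file; `template_name` is the name the template is stored under, not an index pattern, so the two files register the same body twice under different names.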
diff --git a/salt/logstash/files/dynamic/9001_output_switch.conf b/salt/logstash/files/dynamic/9001_output_switch.conf
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/files/dynamic/9001_output_switch.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9001"]
+ }
+ }
+}
+output {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-switch-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
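Review bot: The five-line Jinja preamble that selects `ES` from the role is copy-pasted verbatim into this file and into 9000_output_bro.conf, 9002_output_import.conf, 9004_output_flow.conf and 9026_output_dhcp.conf; a change to the lookup (for example a different pillar key for a new role) now has to be made in every output file. Factoring it into one shared Jinja file that each output pulls in with `{% from 'logstash/es.jinja' import ES %}` (placeholder path) keeps the lookup in one place. Separately, this output sets `template =>` but no `template_name` or `template_overwrite`, unlike 9000/9002, so it relies on the output's default template name and will not refresh an existing template; if that is intentional because 9000 already installs the same file with overwrite, a one-line comment saying so would help.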
diff --git a/salt/logstash/files/dynamic/9002_output_import.conf b/salt/logstash/files/dynamic/9002_output_import.conf
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/files/dynamic/9002_output_import.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+ if "import" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9002"]
+ }
+ }
+}
+output {
+ if "import" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-import-%{+YYYY.MM.dd}"
+ template_name => "logstash-*"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9004_output_flow.conf b/salt/logstash/files/dynamic/9004_output_flow.conf
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/files/dynamic/9004_output_flow.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9004"]
+ }
+ }
+}
+output {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-flow-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9026_output_dhcp.conf b/salt/logstash/files/dynamic/9026_output_dhcp.conf
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/files/dynamic/9026_output_dhcp.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9026"]
+ }
+ }
+}
+output {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9029_output_esxi.conf b/salt/logstash/files/dynamic/9029_output_esxi.conf
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/files/dynamic/9029_output_esxi.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9029"]
+ }
+ }
+}
+output {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9030_output_greensql.conf b/salt/logstash/files/dynamic/9030_output_greensql.conf
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/files/dynamic/9030_output_greensql.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9030"]
+ }
+ }
+}
+output {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9031_output_iis.conf b/salt/logstash/files/dynamic/9031_output_iis.conf
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/files/dynamic/9031_output_iis.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9031"]
+ }
+ }
+}
+output {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9032_output_mcafee.conf b/salt/logstash/files/dynamic/9032_output_mcafee.conf
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/files/dynamic/9032_output_mcafee.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9032"]
+ }
+ }
+}
+output {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9033_output_snort.conf b/salt/logstash/files/dynamic/9033_output_snort.conf
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/files/dynamic/9033_output_snort.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "ids" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9033"]
+ }
+ }
+}
+output {
+ if [event_type] == "ids" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9034_output_syslog.conf b/salt/logstash/files/dynamic/9034_output_syslog.conf
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/files/dynamic/9034_output_syslog.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9034"]
+ }
+ }
+}
+output {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-syslog-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9100_output_osquery.conf b/salt/logstash/files/dynamic/9100_output_osquery.conf
new file mode 100644
index 000000000..e95119562
--- /dev/null
+++ b/salt/logstash/files/dynamic/9100_output_osquery.conf
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+ if "osquery" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-osquery-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
\ No newline at end of file
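Review bot: The guard `if "osquery" in [tags]` omits the `and "test_data" not in [tags]` exclusion that the other outputs in this directory carry, so an event tagged both `osquery` and `test_data` is written to `logstash-osquery-*` here and again to `logstash-test-*` by 9998; 9500 (beats) and 9600 (ossec) have the same gap. If that is intended, say so in the file, e.g. `# no test_data exclusion: osquery test events are indexed alongside production data`; otherwise add the exclusion. The file is also missing its trailing newline.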
diff --git a/salt/logstash/files/dynamic/9200_output_firewall.conf b/salt/logstash/files/dynamic/9200_output_firewall.conf
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/files/dynamic/9200_output_firewall.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9200"]
+ }
+ }
+}
+output {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-firewall-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9300_output_windows.conf b/salt/logstash/files/dynamic/9300_output_windows.conf
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/files/dynamic/9300_output_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9300"]
+ }
+ }
+}
+output {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-windows-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9301_output_dns_windows.conf b/salt/logstash/files/dynamic/9301_output_dns_windows.conf
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/files/dynamic/9301_output_dns_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9301"]
+ }
+ }
+}
+output {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9400_output_suricata.conf b/salt/logstash/files/dynamic/9400_output_suricata.conf
new file mode 100644
index 000000000..4bffd7f0a
--- /dev/null
+++ b/salt/logstash/files/dynamic/9400_output_suricata.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9400"]
+ }
+ }
+}
+output {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9500_output_beats.conf b/salt/logstash/files/dynamic/9500_output_beats.conf
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/files/dynamic/9500_output_beats.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+ if "beat" in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9500"]
+ }
+ }
+}
+output {
+ if "beat" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-beats-%{+YYYY.MM.dd}"
+ template_name => "logstash-beats"
+ template => "/beats-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9600_output_ossec.conf b/salt/logstash/files/dynamic/9600_output_ossec.conf
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/files/dynamic/9600_output_ossec.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+ if [event_type] =~ "ossec" {
+ mutate {
+ ##add_tag => [ "conf_file_9600"]
+ }
+ }
+}
+
+output {
+ if [event_type] =~ "ossec" or "ossec" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-ossec-%{+YYYY.MM.dd}"
+ template_name => "logstash-ossec"
+ template => "/logstash-ossec-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9997_output_helix.conf b/salt/logstash/files/dynamic/9997_output_helix.conf
new file mode 100644
index 000000000..5dd0036fe
--- /dev/null
+++ b/salt/logstash/files/dynamic/9997_output_helix.conf
@@ -0,0 +1,142 @@
+{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
+
+filter {
+ if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+ grok {
+ match => [
+ "source_ip", "^%{IPV4:srcipv4}$",
+ "source_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)"
+ ]
+ }
+ grok {
+ match => [
+ "destination_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)",
+ "destination_ip", "^%{IPV4:dstipv4}$"
+ ]
+ }
+
+ geoip {
+ source => "[source_ip]"
+ target => "source_geo"
+ }
+ geoip {
+ source => "[destination_ip]"
+ target => "destination_geo"
+ }
+ mutate {
+ #rename => { "%{[source_geo][country_code]}" => "srccountrycode" }
+ #rename => { "%{[destination_geo][country_code]}" => "dstcountrycode" }
+ rename => { "[beat_host][name]" => "sensor" }
+ copy => { "sensor" => "rawmsghostname" }
+ rename => { "message" => "rawmsg" }
+ #rename => { "event_type" => "program" }
+ copy => { "type" => "class" }
+ copy => { "class" => "program"}
+ rename => { "source_port" => "srcport" }
+ rename => { "destination_port" => "dstport" }
+ remove_field => ["source_ip", "destination_ip"]
+ remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
+ remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
+ }
+ if "bro_conn" in [class] {
+ mutate {
+ #add_field => { "metaclass" => "connection" }
+ rename => { "original_bytes" => "sentbytes" }
+ rename => { "respond_bytes" => "rcvdbytes" }
+ rename => { "connection_state" => "connstate" }
+ rename => { "uid" => "connectionid" }
+ rename => { "respond_packets" => "rcvdpackets" }
+ rename => { "original_packets" => "sentpackets" }
+ rename => { "respond_ip_bytes" => "rcvdipbytes" }
+ rename => { "original_ip_bytes" => "sentipbytes" }
+ rename => { "local_respond" => "local_resp" }
+ rename => { "local_orig" => "localorig" }
+ rename => { "missed_bytes" => "missingbytes" }
+ }
+ }
+ if "bro_dns" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "answers" => "answer" }
+ rename => { "query" => "domain" }
+ rename => { "query_class" => "queryclass" }
+ rename => { "query_class_name" => "queryclassname" }
+ rename => { "query_type" => "querytype" }
+ rename => { "query_type_name" => "querytypename" }
+ rename => { "ra" => "recursionavailable" }
+ rename => { "rd" => "recursiondesired" }
+ }
+ }
+ if "bro_dhcp" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dhcp"}
+ rename => { "message_types" => "direction" }
+ rename => { "lease_time" => "duration" }
+ }
+ }
+ if "bro_files" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "missing_bytes" => "missingbytes" }
+ rename => { "fuid" => "fileid" }
+ rename => { "uid" => "connectionid" }
+ }
+ }
+ if "bro_http" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "virtual_host" => "hostname" }
+ rename => { "status_code" => "statuscode" }
+ rename => { "status_message" => "statusmsg" }
+ rename => { "resp_mime_types" => "rcvdmimetype" }
+ rename => { "resp_fuids" => "rcvdfileid" }
+ rename => { "response_body_len" => "rcvdbodybytes" }
+ rename => { "request_body_len" => "sentbodybytes" }
+ rename => { "uid" => "connectionid" }
+ rename => { "ts"=> "eventtime" }
+ rename => { "@timestamp"=> "eventtime" }
+ }
+ }
+ if "bro_ssl" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "status_code" => "statuscode" }
+ rename => { "status_message" => "statusmsg" }
+ rename => { "resp_mime_types" => "rcvdmimetype" }
+ rename => { "resp_fuids" => "rcvdfileid" }
+ rename => { "response_body_len" => "rcvdbodybytes" }
+ rename => { "request_body_len" => "sentbodybytes" }
+ }
+ }
+ if "bro_weird" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "name" => "eventname" }
+ }
+ }
+ if "bro_x509" in [class] {
+ mutate{
+ #add_field = { "metaclass" => "dns"}
+ rename => { "certificate_common_name" => "certname" }
+ rename => { "certificate_subject" => "certsubject" }
+ rename => { "issuer_common_name" => "issuer" }
+ rename => { "certificate_issuer" => "issuersubject" }
+ rename => { "certificate_not_valid_before" => "issuetime" }
+ rename => { "certificate_key_type" => "cert_type" }
+ }
+ }
+ }
+}
+
+output {
+ if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+ http {
+ url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
+ http_method => post
+ http_compression => true
+ socket_timeout => 60
+ headers => ["Authorization","{{ HELIX_API_KEY }}"]
+ format => json_batch
+ }
+ }
+}
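Review bot: The type guard `if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/` (used in both the filter and the output section) is mis-anchored: `^` binds only to `bro_conn` and `$` only to `bro_x509`, so any type merely containing `bro_dns` or `bro_http` is forwarded to the external endpoint; group the alternation as `/^(bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509)$/` in both places. The `if "bro_weird" in [class]` branch is unreachable under either guard because that type is not in the list. The `source_ip` / `destination_ip` grok patterns begin with `(?^(`, which does not look like a valid group opener — it reads as if a named-capture tag such as `(?<NAME>...)` was lost; confirm against the file as committed. `HELIX_API_KEY` defaults to `''`, so a missing `fireeye:helix:api_key` pillar renders an empty `Authorization` header and every upload is presumably rejected rather than the state failing at render time; consider failing the render when the key is empty.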
diff --git a/salt/logstash/files/dynamic/9998_output_test_data.conf b/salt/logstash/files/dynamic/9998_output_test_data.conf
new file mode 100644
index 000000000..4e83aa185
--- /dev/null
+++ b/salt/logstash/files/dynamic/9998_output_test_data.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "test_data" in [tags] {
+ mutate {
+ #add_tag => [ "conf_file_9998"]
+ }
+ }
+}
+output {
+ if "test_data" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-test-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index 8d25a4247..a8e47ca5b 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -85,9 +85,4 @@ so-mysql:
- /opt/so/log/mysql:/var/log/mysql:rw
- watch:
- /opt/so/conf/mysql/etc
- cmd.run:
- - name: until nc -z localhost 3306; do sleep 1; done
- - timeout: 10
- - onchanges:
- - docker_container: so-mysql
{% endif %}
\ No newline at end of file
diff --git a/salt/registry/etc/config.yml b/salt/registry/etc/config.yml
index d25a034b0..ccd64aa25 100644
--- a/salt/registry/etc/config.yml
+++ b/salt/registry/etc/config.yml
@@ -19,5 +19,4 @@ health:
enabled: true
interval: 10s
threshold: 3
-proxy:
- remoteurl: https://registry-1.docker.io
+
diff --git a/setup/so-functions b/setup/so-functions
index 88d4ccdf1..eb3a34a97 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -21,14 +21,9 @@ source ./so-common-functions
so_version=1.2.1
-accept_salt_key_local() {
- echo "Accept the key locally on the master" >> "$setup_log" 2>&1
- # Accept the key locally on the master
- salt-key -ya "$MINION_ID"
-
-}
-
accept_salt_key_remote() {
+ systemctl restart salt-minion
+
echo "Accept the key remotely on the master" >> "$setup_log" 2>&1
# Delete the key just in case.
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y
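Review bot: The new `systemctl restart salt-minion` at the top of accept_salt_key_remote neither checks its exit status nor sends its output to `$setup_log` the way the neighbouring lines do, so a failed restart is silent and the function still goes on to delete and re-accept the key on the master; `systemctl restart salt-minion >> "$setup_log" 2>&1 || return 1` keeps the logging consistent and surfaces the failure. The function continues past the end of this hunk. The existing comment `# Delete the key just in case.` could be extended to explain why the minion is restarted first (presumably so it re-submits its key after the delete), since the ordering is not obvious.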
@@ -185,6 +180,9 @@ bro_logs_enabled() {
" - socks"\
" - x509" >> "$brologs_pillar"
fi
+
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$brologs_pillar" >> "$setup_log" 2>&1
}
check_admin_pass() {
@@ -351,12 +349,15 @@ configure_minion() {
echo "Enabling checkin at boot" >> "$setup_log" 2>&1
echo "startup_states: highstate" >> "$minion_config"
+
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$minion_config" >> "$setup_log" 2>&1
}
copy_master_config() {
# Copy the master config template to the proper directory
- if [ "$INSTALLMETHOD" = 'iso' ]; then
+ if [ "$setup_type" = 'iso' ]; then
cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1
else
cp "../files/master" /etc/salt/master >> "$setup_log" 2>&1
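Review bot: The `$INSTALLMETHOD` → `$setup_type` switch makes copy_master_config (and setup_salt_master_dirs in the later hunk) depend on `setup_type` being exported by so-setup; if either function is ever sourced from another entry point the variable is empty and both silently take the non-iso branch. A guard such as `[ -n "$setup_type" ] || { echo "setup_type is unset" >> "$setup_log"; return 1; }` at the top of each function would make that failure visible. The function body continues beyond this hunk.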
@@ -625,11 +626,11 @@ docker_seed_registry() {
"so-strelka-filestream:$VERSION"
)
fi
- local initial_percent=30
+ local percent=25
for i in "${TRUSTED_CONTAINERS[@]}"; do
- if [ "$install_type" != 'HELIXSENSOR' ]; then ((intial_percent++)); else ((initial_percent+=6)); fi
+ if [ "$install_type" != 'HELIXSENSOR' ]; then ((percent=percent+1)); else ((percent=percent+6)); fi
# Pull down the trusted docker image
- set_progress_str "$initial_percent" "Downloading $i"
+ set_progress_str "$percent" "Downloading $i"
{
docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i"
# Tag it with the new registry destination
@@ -800,7 +801,8 @@ master_pillar() {
" redirect: $REDIRECTIT"\
"" >> "$pillar_file"
-
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$pillar_file" >> "$setup_log" 2>&1
}
master_static() {
@@ -892,6 +894,8 @@ node_pillar() {
" cur_close_days: $CURCLOSEDAYS"\
"" >> "$pillar_file"
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$pillar_file" >> "$setup_log" 2>&1
}
patch_pillar() {
@@ -899,7 +903,6 @@ patch_pillar() {
local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
printf '%s\n'\
- ""\
"patch:"\
" os:"\
" schedule_name: $PATCHSCHEDULENAME"\
@@ -907,6 +910,9 @@ patch_pillar() {
" splay: 300"\
"" >> "$pillar_file"
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$pillar_file" >> "$setup_log" 2>&1
+
}
patch_schedule_os_new() {
@@ -929,6 +935,8 @@ patch_schedule_os_new() {
done
done
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$OSPATCHSCHEDULE" >> "$setup_log" 2>&1
}
print_salt_state_apply() {
@@ -980,10 +988,10 @@ saltify() {
if [ "$MASTERUPDATES" = '1' ]; then
{
# Create the GPG Public Key for the Salt Repo
- cp "./public_keys/salt.pem" /etc/pki/rpm-gpg/saltstack-signing-key;
+ cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key;
# Add the Wazuh Key
- cp "./public_keys/wazuh.pem" /etc/pki/rpm-gpg/GPG-KEY-WAZUH;
+ cp ./public_keys/wazuh.pem /etc/pki/rpm-gpg/GPG-KEY-WAZUH;
# Copy repo files over
cp "./yum_repos/salt-latest.repo" /etc/yum.repos.d/salt-latest.repo;
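Review bot: Dropping the quotes around `./public_keys/salt.pem` and `./public_keys/wazuh.pem` is inconsistent with the `cp "./yum_repos/salt-latest.repo"` line two lines below, which keeps them; none of these paths contain spaces so either form works, but mixed quoting in one block invites a lint warning and a later unquoted copy-paste of a `$`-expanded path. Keep the quoted form. The function continues beyond this hunk.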
@@ -1099,9 +1107,9 @@ salt_checkin() {
echo "Building Certificate Authority";
salt-call state.apply ca;
echo " *** Restarting Salt to fix any SSL errors. ***";
- service salt-master restart;
+ systemctl restart salt-master;
sleep 5;
- service salt-minion restart;
+ systemctl restart salt-minion;
sleep 15;
echo " Applyng a mine hack";
salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
@@ -1129,7 +1137,7 @@ setup_salt_master_dirs() {
mkdir -p /opt/so/saltstack/pillar
# Copy over the salt code and templates
- if [ "$INSTALLMETHOD" = 'iso' ]; then
+ if [ "$setup_type" = 'iso' ]; then
rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* /opt/so/saltstack/pillar/ >> "$setup_log" 2>&1
rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* /opt/so/saltstack/salt/ >> "$setup_log" 2>&1
else
@@ -1152,7 +1160,11 @@ set_progress_str() {
fi
percentage_str="XXX\n${percentage}\n${progress_bar_text}\nXXX"
+
echo -e "$percentage_str"
+
+ printf '%s\n' '----' "${progress_bar_text^^}" "----" >> "$setup_log" 2>&1
+
sleep 5
}
@@ -1162,19 +1174,19 @@ sensor_pillar() {
# Create the sensor pillar
printf '%s\n'\
- "sensor"\
+ "sensor:"\
" interface: bond0"\
" mainip: $MAINIP"\
- " mainint: $MNIC" > "$pillar_file"
+ " mainint: $MNIC" >> "$pillar_file"
if [ "$NSMSETUP" = 'ADVANCED' ]; then
echo " bro_pins:" >> "$pillar_file"
- for PIN in $BROPINS; do
+ for PIN in "${BROPINS[@]}"; do
PIN=$(echo "$PIN" | cut -d\" -f2)
echo " - $PIN" >> "$pillar_file"
done
echo " suripins:" >> "$pillar_file"
- for SPIN in $SURIPINS; do
+ for SPIN in "${SURIPINS[@]}"; do
SPIN=$(echo "$SPIN" | cut -d\" -f2)
echo " - $SPIN" >> "$pillar_file"
done
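Review bot: Changing the first `printf` from `>` to `>>` means sensor_pillar no longer truncates `$pillar_file`; the start of the function is outside this hunk, so if nothing above this point creates the file fresh, a second run of setup appends a second `sensor:` mapping and YAML loaders either take the last one silently or reject the duplicate key. The `"sensor"` → `"sensor:"` fix itself is correct — without the colon the pillar was never a mapping. If the append is deliberate because an earlier function writes other keys into the same file, say so: `# append: $pillar_file already holds keys written by <EARLIER_FUNCTION>`; otherwise truncate once at the top of the function.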
@@ -1199,6 +1211,9 @@ sensor_pillar() {
" access_key: $ACCESS_KEY"\
" access_secret: $ACCESS_SECRET"\
"" >> "$pillar_file"
+
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$pillar_file" >> "$setup_log" 2>&1
}
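Review bot: The added `cat "$pillar_file" >> "$setup_log"` copies the whole sensor pillar into the setup log, and the context lines directly above show that pillar carrying `access_key` and `access_secret`, so the S3 credentials now also sit in plaintext in `$setup_log`. The same dump was added to master_pillar, node_pillar, patch_pillar, configure_minion, bro_logs_enabled and patch_schedule_os_new; those files may not hold secrets but should be checked. Either skip the dump when secrets are present or redact before logging, e.g. `sed -E 's/(access_(key|secret):).*/\1 [REDACTED]/' "$pillar_file" >> "$setup_log" 2>&1`, and document the log's sensitivity where it is created.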
set_hostname() {
@@ -1223,22 +1238,20 @@ set_hostname_iso() {
echo "::1 $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
echo "$HOSTNAME" > /etc/hostname
+
}
set_initial_firewall_policy() {
set_main_ip
- mkdir -p /opt/so/saltstack/pillar/firewall
- mkdir -p /opt/so/saltstack/pillar/data
-
case "$install_type" in
'MASTER')
- printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls
+ printf " - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls
/opt/so/saltstack/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$FSROOT" "$FSNSM"
;;
'EVAL' | 'MASTERSEARCH')
- printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\
+ printf " - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\
/opt/so/saltstack/pillar/firewall/masterfw.sls\
/opt/so/saltstack/pillar/firewall/forward_nodes.sls\
/opt/so/saltstack/pillar/firewall/search_nodes.sls
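Review bot: Switching `tee` to `tee -a` makes the `$MAINIP` entry accumulate in minions.sls / masterfw.sls / forward_nodes.sls / search_nodes.sls on every run instead of replacing it, and the HELIXSENSOR case in the next hunk does the same; unless something upstream truncates those files, re-running setup leaves duplicate list entries in the firewall pillar. Removing the two `mkdir -p` lines also means `tee` now fails with "No such file or directory" if the pillar/firewall and pillar/data directories were not created earlier (presumably by setup_salt_master_dirs — confirm). `tee` still writes the IP lines to stdout, which the caller in so-setup no longer captures since it redirects only stderr, so they go wherever stdout points during setup.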
@@ -1252,7 +1265,7 @@ set_initial_firewall_policy() {
esac
;;
'HELIXSENSOR')
- printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\
+ printf " - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\
/opt/so/saltstack/pillar/firewall/masterfw.sls\
/opt/so/saltstack/pillar/firewall/forward_nodes.sls
;;
diff --git a/setup/so-setup b/setup/so-setup
index ec4ca82b3..288d046f0 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -22,6 +22,7 @@ source ./so-whiptail
source ./so-variables
setup_type=$1
+export setup_type
case "$setup_type" in
iso | network) # Accepted values
@@ -232,27 +233,27 @@ if [[ $is_node && ! $is_eval ]]; then
fi
whiptail_make_changes
-set_hostname
-set_version
-clear_master
+set_hostname 2>> "$setup_log"
+set_version 2>> "$setup_log"
+clear_master 2>> "$setup_log"
if [[ $is_master ]]; then
- generate_passwords
- secrets_pillar
- add_socore_user_master
+ generate_passwords 2>> "$setup_log"
+ secrets_pillar 2>> "$setup_log"
+ add_socore_user_master 2>> "$setup_log"
fi
if [[ $is_master && ! $is_eval ]]; then
- add_soremote_user_master
+ add_soremote_user_master 2>> "$setup_log"
fi
if [[ $is_helix || $is_master ]]; then
- set_main_ip
+ set_main_ip 2>> "$setup_log"
fi
if [[ $is_minion ]]; then
- set_updates
- copy_ssh_key
+ set_updates 2>> "$setup_log"
+ copy_ssh_key 2>> "$setup_log"
fi
# Begin install
@@ -262,92 +263,97 @@ fi
set_progress_str 1 'Creating bond interface'
create_sensor_bond >> "$setup_log" 2>&1
- set_progress_str 2 'Generating the sensor pillar'
+ set_progress_str 2 'Generating sensor pillar'
sensor_pillar >> "$setup_log" 2>&1
fi
set_progress_str 3 'Installing Salt and dependencies'
- saltify
+ saltify 2>> "$setup_log"
+
+ set_progress_str 7 'Installing Docker and dependencies'
+ docker_install 2>> "$setup_log"
- set_progress_str 8 'Installing Docker and dependencies'
- docker_install
+ set_progress_str 8 'Generating patch pillar'
+ patch_pillar 2>> "$setup_log"
- set_progress_str 9 'Configuring firewall'
- set_initial_firewall_policy
+ set_progress_str 9 'Initializing Salt minion'
+ configure_minion "$minion_type" 2>> "$setup_log"
- set_progress_str 10 "$(print_salt_state_apply 'firewall')"
- salt-call state.apply -l info firewall >> $setup_log 2>&1
-
- set_progress_str 11 'Initializing Salt minion'
- configure_minion "$minion_type"
-
- set_progress_str 12 'Generating CA'
- gen_ca
if [[ $is_master || $is_helix ]]; then
- set_progress_str 13 'Configuring Salt master'
- copy_master_config
- setup_salt_master_dirs
+ set_progress_str 10 'Configuring Salt master'
+ copy_master_config 2>> "$setup_log"
+ setup_salt_master_dirs 2>> "$setup_log"
- set_progress_str 15 'Updating sudoers file for soremote user'
- update_sudoers
+ set_progress_str 11 'Updating sudoers file for soremote user'
+ update_sudoers 2>> "$setup_log"
- set_progress_str 16 'Generating master static pillar'
- master_static
+ set_progress_str 12 'Generating master static pillar'
+ master_static 2>> "$setup_log"
- set_progress_str 17 'Generating master pillar'
- master_pillar
-
- set_progress_str 18 'Accepting Salt key'
- salt-key -ya "$MINION_ID" >> "$setup_log" 2>&1
+ set_progress_str 13 'Generating master pillar'
+ master_pillar 2>> "$setup_log"
fi
if [[ $is_helix ]]; then
- set_progress_str 19 'Generating the FireEye pillar'
- fireeye_pillar
+ set_progress_str 15 'Generating the FireEye pillar'
+ fireeye_pillar 2>> "$setup_log"
fi
+ set_progress_str 16 'Copying minion pillars to master'
+ copy_minion_tmp_files 2>> "$setup_log"
+
if [[ $is_minion ]]; then
- set_progress_str 20 'Accepting salt key on master'
- accept_salt_key_remote
+ set_progress_str 17 'Accepting Salt key on master'
+ accept_salt_key_remote 2>> "$setup_log"
fi
- set_progress_str 20 'Copying minion pillars to master'
- copy_minion_tmp_files
-
- set_progress_str 21 'Running intial Salt highstate'
- salt-call state.highstate -l info >> "$setup_log" 2>&1
+ if [[ $is_master ]]; then
+ set_progress_str 17 'Accepting Salt key'
+ salt-key -ya "$MINION_ID" >> "$setup_log" 2>&1
+ fi
if [[ $is_node ]]; then
- set_progress_str 25 'Setting node type'
- set_node_type
+ set_progress_str 18 'Setting node type'
+ set_node_type 2>> "$setup_log"
- set_progress_str 26 'Generating search node pillar'
- node_pillar
-
- set_progress_str 27 "$(print_salt_state_apply 'curator')"
- salt-call state.apply -l info curator >> $setup_log 2>&1
+ set_progress_str 19 'Generating search node pillar'
+ node_pillar 2>> "$setup_log"
fi
- if [[ $is_sensor ]]; then
- set_progress_str 28 "$(print_salt_state_apply 'pcap')"
+ set_progress_str 20 'Generating CA'
+ gen_ca 2>> "$setup_log"
+
+ if [[ $is_master || $is_helix ]]; then
+ set_progress_str 25 'Downloading containers from the internet'
+ salt-call state.apply -l info registry >> "$setup_log" 2>&1
+ docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
+ fi
+
+ set_progress_str 59 'Configuring firewall'
+ set_initial_firewall_policy 2>> "$setup_log"
+
+ set_progress_str 60 "$(print_salt_state_apply 'firewall')"
+ salt-call state.apply -l info firewall >> $setup_log 2>&1
+
+ set_progress_str 61 "$(print_salt_state_apply 'common')"
+ salt-call state.apply -l info common >> $setup_log 2>&1
+
+ if [[ $is_sensor ]]; then
+ set_progress_str 62 "$(print_salt_state_apply 'pcap')"
salt-call state.apply -l info pcap >> $setup_log 2>&1
- set_progress_str 29 "$(print_salt_state_apply 'suricata')"
+ set_progress_str 63 "$(print_salt_state_apply 'suricata')"
salt-call state.apply -l info suricata >> $setup_log 2>&1
- set_progress_str 30 "$(print_salt_state_apply 'zeek')"
+ set_progress_str 64 "$(print_salt_state_apply 'zeek')"
salt-call state.apply -l info zeek >> $setup_log 2>&1
fi
- if [[ $is_master || $is_helix ]]; then
- set_progress_str 30 'Downloading containers from the internet'
- salt-call state.apply -l info registry >> "$setup_log" 2>&1
- docker_seed_registry # ~ 65% when finished
+ if [[ $is_node ]]; then
+ set_progress_str 65 "$(print_salt_state_apply 'curator')"
+ salt-call state.apply -l info curator >> $setup_log 2>&1
fi
-
- set_progress_str 65 "$(print_salt_state_apply 'common')"
- salt-call state.apply -l info common >> $setup_log 2>&1
if [[ "$OSQUERY" = 1 ]]; then
set_progress_str 66 "$(print_salt_state_apply 'fleet')"
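Review bot: The firewall policy now lands at steps 59/60 (`set_initial_firewall_policy` and `state.apply firewall`), whereas before this change it was applied at step 9, before the Salt master, minion, CA, registry and container downloads were brought up. On a master/helix install that means the Salt master and registry run for the whole `docker_seed_registry` download window under whatever host firewall policy exists before Security Onion's own `firewall` state — I cannot tell from this hunk what that default is, so either confirm it denies inbound by default or move the two firewall steps back ahead of `configure_minion`. Separately, `docker_seed_registry` starts `percent` at 25 and its comment says `# ~ 60% when finished` while the next fixed step is 59, so the gauge can run backwards if the container list grows; and `>> $setup_log` is left unquoted on the `salt-call` lines while the surrounding lines quote it.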
@@ -419,8 +425,8 @@ fi
salt-call state.apply -l info schedule >> $setup_log 2>&1
set_progress_str 90 'Applying finishing touches'
- filter_unused_nics
- network_setup
+ filter_unused_nics 2>> "$setup_log"
+ network_setup 2>> "$setup_log"
set_progress_str 91 'Verifying setup'
salt-call -l info state.highstate >> $setup_log 2>&1
@@ -430,7 +436,7 @@ fi
success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
if [[ "$success" = 0 ]]; then
whiptail_setup_complete
- if [[ $THEHIVE == '1' ]]; then
+ if [[ $THEHIVE == 1 ]]; then
check_hive_init_then_reboot
else
shutdown -r now
diff --git a/test.log b/test.log
new file mode 100644
index 000000000..a2e5d9148
--- /dev/null
+++ b/test.log
@@ -0,0 +1,2 @@
+Configuring minion type as eval
+Enabling checkin at boot
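Review bot: `test.log` looks like a stray setup-log artifact rather than something the repository should carry — its second line is the exact string the configure_minion hunk echoes to `$setup_log`. It should be dropped from the commit and `*.log` added to `.gitignore` so later test runs do not re-add it. If it is intentionally a fixture, the commit message or a README beside it should say what consumes it.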