[merge] Merge master into feature/setup-refactor

2026-04-26 22:47:49 +02:00 · 2020-04-28 01:15:02 -04:00
parent 5c5a97ca75
commit 3bfaa6f8de
254 changed files with 26274 additions and 112 deletions
@@ -0,0 +1,23 @@
+input {
+  beats {
+    port => "5044"
+    ssl => false
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    tags => [ "beat" ]
+  }
+}
+filter {
+    if [type] == "osquery" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_tag => ["osquery"]
+        	}
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
@@ -0,0 +1,203 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+  file {
+	  path => "/suricata/eve.json"
+		type => "ids"
+                add_field => { "engine" => "suricata" }
+	}
+	file {
+		path => "/nsm/bro/logs/current/conn*.log"
+		type => "bro_conn"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dce_rpc*.log"
+		type => "bro_dce_rpc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dhcp*.log"
+		type => "bro_dhcp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dnp3*.log"
+		type => "bro_dnp3"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dns*.log"
+		type => "bro_dns"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dpd*.log"
+		type => "bro_dpd"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/files*.log"
+		type => "bro_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ftp*.log"
+		type => "bro_ftp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/http*.log"
+		type => "bro_http"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/intel*.log"
+		type => "bro_intel"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/irc*.log"
+		type => "bro_irc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/kerberos*.log"
+		type => "bro_kerberos"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/modbus*.log"
+		type => "bro_modbus"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/mysql*.log"
+		type => "bro_mysql"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/notice*.log"
+		type => "bro_notice"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ntlm*.log"
+		type => "bro_ntlm"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/pe*.log"
+		type => "bro_pe"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/radius*.log"
+		type => "bro_radius"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/rdp*.log"
+		type => "bro_rdp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/rfb*.log"
+		type => "bro_rfb"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/signatures*.log"
+		type => "bro_signatures"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/sip*.log"
+		type => "bro_sip"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smb_files*.log"
+		type => "bro_smb_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smb_mapping*.log"
+		type => "bro_smb_mapping"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smtp*.log"
+		type => "bro_smtp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/snmp*.log"
+		type => "bro_snmp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/socks*.log"
+		type => "bro_socks"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/software*.log"
+		type => "bro_software"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ssh*.log"
+		type => "bro_ssh"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ssl*.log"
+		type => "bro_ssl"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/syslog*.log"
+		type => "bro_syslog"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/tunnel*.log"
+		type => "bro_tunnels"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/weird*.log"
+		type => "bro_weird"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/x509*.log"
+		type => "bro_x509"
+	    	tags => ["bro"]
+	}
+  file {
+    path => "/wazuh/alerts/alerts.json"
+    type => "ossec"
+  }
+  file {
+    path => "/wazuh/archives/archive.json"
+    type => "ossec_archive"
+  }
+  file {
+    path => "/osquery/logs/result.log"
+    type => "osquery"
+  }
+  file {
+    path => "/strelka/strelka.log"
+    type => "strelka"
+  }
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0007"]
+	}
+  }
+}
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+        mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+        json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+        mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+        }
+
+  }
+}
@@ -0,0 +1,31 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9000"]
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      pipeline => "%{event_type}"
+      hosts => "{{ ES }}"
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template_name => "logstash-*"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "ids" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "ids" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+  if "osquery" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-osquery-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9400"]
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9500"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template_name => "logstash-beats"
+      template => "/beats-template.json"
+      template_overwrite => true
+    }
+  }
+}
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+  if [event_type] =~ "ossec" {
+    mutate {
+          ##add_tag => [ "conf_file_9600"]
+        }
+  }
+}
+
+output {
+  if [event_type] =~ "ossec" or "ossec" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ossec-%{+YYYY.MM.dd}"
+      template_name => "logstash-ossec"
+      template => "/logstash-ossec-template.json"
+      template_overwrite => true
+    }
+  }
+}
@@ -0,0 +1,142 @@
+{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
+
+filter {
+  if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+    grok {
+      match => [
+        "source_ip", "^%{IPV4:srcipv4}$",
+        "source_ip",  "(?<srcipv6>^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)"
+        ]
+    }
+    grok {
+      match => [
+        "destination_ip",  "(?<dstipv6>^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)",
+        "destination_ip", "^%{IPV4:dstipv4}$"
+       ]
+    }
+
+    geoip {
+      source => "[source_ip]"
+      target => "source_geo"
+    }
+    geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+    }
+    mutate {
+      #rename => { "%{[source_geo][country_code]}" => "srccountrycode" }
+      #rename => { "%{[destination_geo][country_code]}" => "dstcountrycode" }
+      rename => { "[beat_host][name]" => "sensor" }
+      copy => { "sensor" => "rawmsghostname" }
+      rename => { "message" => "rawmsg" }
+      #rename => { "event_type" => "program" }
+      copy => { "type" => "class" }
+      copy => { "class" => "program"}
+      rename => { "source_port" => "srcport" }
+      rename => { "destination_port" => "dstport" }
+      remove_field => ["source_ip", "destination_ip"]
+      remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
+      remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
+    }
+    if "bro_conn" in [class] {
+      mutate {
+        #add_field => { "metaclass" => "connection" }
+        rename => { "original_bytes" => "sentbytes" }
+        rename => { "respond_bytes" => "rcvdbytes" }
+        rename => { "connection_state" => "connstate" }
+        rename => { "uid" => "connectionid" }
+        rename => { "respond_packets" => "rcvdpackets" }
+        rename => { "original_packets" => "sentpackets" }
+        rename => { "respond_ip_bytes" => "rcvdipbytes" }
+        rename => { "original_ip_bytes" => "sentipbytes" }
+        rename => { "local_respond" => "local_resp" }
+        rename => { "local_orig" => "localorig" }
+        rename => { "missed_bytes" => "missingbytes" }
+      }
+    }
+    if "bro_dns" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "answers" => "answer" }
+        rename => { "query" => "domain" }
+        rename => { "query_class" => "queryclass" }
+        rename => { "query_class_name" => "queryclassname" }
+        rename => { "query_type" => "querytype" }
+        rename => { "query_type_name" => "querytypename" }
+        rename => { "ra" => "recursionavailable" }
+        rename => { "rd" => "recursiondesired" }
+      }
+    }
+    if "bro_dhcp" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dhcp"}
+        rename => { "message_types" => "direction" }
+				rename => { "lease_time" => "duration" }
+      }
+    }
+    if "bro_files" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "missing_bytes" => "missingbytes" }
+        rename => { "fuid" => "fileid" }
+        rename => { "uid" => "connectionid" }
+      }
+    }
+    if "bro_http" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "virtual_host" => "hostname" }
+        rename => { "status_code" => "statuscode" }
+        rename => { "status_message" => "statusmsg" }
+        rename => { "resp_mime_types" => "rcvdmimetype" }
+        rename => { "resp_fuids" => "rcvdfileid" }
+        rename => { "response_body_len" => "rcvdbodybytes" }
+        rename => { "request_body_len" => "sentbodybytes" }
+        rename => { "uid" => "connectionid" }
+        rename => { "ts"=> "eventtime" }
+	      rename => { "@timestamp"=> "eventtime" }
+      }
+    }
+    if "bro_ssl" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "status_code" => "statuscode" }
+        rename => { "status_message" => "statusmsg" }
+        rename => { "resp_mime_types" => "rcvdmimetype" }
+        rename => { "resp_fuids" => "rcvdfileid" }
+        rename => { "response_body_len" => "rcvdbodybytes" }
+        rename => { "request_body_len" => "sentbodybytes" }
+      }
+    }
+		if "bro_weird" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "name" => "eventname" }
+      }
+    }
+		if "bro_x509" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+				rename => { "certificate_common_name" => "certname" }
+        rename => { "certificate_subject" => "certsubject" }
+				rename => { "issuer_common_name" => "issuer" }
+				rename => { "certificate_issuer" => "issuersubject" }
+				rename => { "certificate_not_valid_before" => "issuetime" }
+				rename => { "certificate_key_type" => "cert_type" }
+      }
+    }
+  }
+}
+
+output {
+  if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+    http {
+      url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
+      http_method => post
+      http_compression => true
+      socket_timeout => 60
+      headers => ["Authorization","{{ HELIX_API_KEY }}"]
+      format => json_batch
+    }
+  }
+}
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "test_data" in [tags] {
+    mutate {
+	  #add_tag => [ "conf_file_9998"]
+	}
+  }
+}
+output {
+  if "test_data" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-test-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}