Merge pull request #358 from Security-Onion-Solutions/fix/strelka_config

Fix/strelka config

salt/logstash/conf/conf.enabled.txt.search

@@ -104,3 +104,4 @@
 /usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
 /usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
 /usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
+/usr/share/logstash/pipeline.dynamic/9700_output_strelka.conf

salt/logstash/conf/conf.enabled.txt.so-eval

@@ -111,3 +111,4 @@
 #/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
 /usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
 /usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
+/usr/share/logstash/pipeline.dynamic/9700_output_strelka.conf

salt/logstash/conf/pipelines/eval/templates/9700_ouptut_strelka.conf

@@ -0,0 +1,30 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if [event_type] =~ "strelka" {
+    mutate {
+          ##add_tag => [ "conf_file_9000"]
+        }
+  }
+}
+output {
+  if [event_type] =~ "strelka" {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-strelka-%{+YYYY.MM.dd}"
+      template_name => "logstash-strelka"
+      template => "/logstash-strelka-template.json"
+      template_overwrite => true
+    }
+  }
+}
+

salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf

@@ -0,0 +1,30 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if [event_type] =~ "strelka" {
+    mutate {
+          ##add_tag => [ "conf_file_9000"]
+        }
+  }
+}
+output {
+  if [event_type] =~ "strelka" {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-strelka-%{+YYYY.MM.dd}"
+      template_name => "logstash-strelka"
+      template => "/logstash-strelka-template.json"
+      template_overwrite => true
+    }
+  }
+}
+

salt/logstash/etc/logstash-strelka-template.json

@@ -0,0 +1,24 @@
+{
+  "index_patterns": ["logstash-strelka-*"],
+  "version":50001,
+  "order" : 0,
+  "settings":{
+    "number_of_replicas":0,
+    "number_of_shards":1,
+    "index.refresh_interval":"30s"
+  },
+  "mappings":{
+    "doc":{
+      "dynamic": false,
+      "date_detection": false,
+      "properties":{
+        "@timestamp":{
+         "type":"date"
+        },
+        "@version":{
+          "type":"keyword"
+        }
+      }
+    }
+  }
+}

salt/logstash/init.sls

@@ -227,6 +227,7 @@ so-logstash:
       - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
       - /opt/so/conf/logstash/etc/logstash-template.json:/logstash-template.json:ro
       - /opt/so/conf/logstash/etc/logstash-ossec-template.json:/logstash-ossec-template.json:ro
+      - /opt/so/conf/logstash/etc/logstash-strelka-template.json:/logstash-strelka-template.json:ro
       - /opt/so/conf/logstash/etc/beats-template.json:/beats-template.json:ro
       - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml
       - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro