diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog
index b4e09e9df..6d28aa705 100644
--- a/salt/elasticsearch/files/ingest/syslog
+++ b/salt/elasticsearch/files/ingest/syslog
@@ -13,7 +13,7 @@
 }
 },
 { "grok": { "field": "message", "patterns": ["<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}: %{GREEDYDATA:real_message}"], "ignore_failure": false } },
- { "set": { "if": "ctx.source.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
+ { "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", "value": "firewall" } },
 { "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog" } },
 { "pipeline": { "name": "common" } }
 ]
diff --git a/salt/top.sls b/salt/top.sls
index 0c7bde183..d707af003 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -6,6 +6,13 @@
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
 {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
+{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
+{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
+{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
+{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
+{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
+{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
+{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
@@ -51,8 +58,12 @@ base:
 - suricata
 - zeek
 - redis
+ {%- if LOGSTASH %}
 - logstash
+ {%- endif %}
+ {%- if FILEBEAT %}
 - filebeat
+ {%- endif %}
 - schedule
 
 '*_sensor and G@saltversion:{{saltversion}}':
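Review bot: The null-safe `ctx.source?.application` on the new `set` line only guards the case where `ctx.source` is absent, yet the preceding `grok` runs with `"ignore_failure": false` and captures `%{WORD:source.application}` unconditionally on a match, so a document with no `source` map can only reach this processor through a path not visible here (an `on_failure` handler, or this pipeline being invoked on already-parsed events); that reason belongs in the pipeline's `description` or the commit message. If `source` exists but is not an object (a plain string from another shipper, for instance), the access still throws, and `"if": "ctx.source instanceof Map && ctx.source.application == 'filterlog'"` is the stricter form if that input is possible. The adjacent `ctx.dataset == 'firewall'` condition needs no change, because a missing top-level key on the `ctx` map yields null and the comparison is simply false. The enclosing processors array begins and ends outside this hunk.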
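Review bot: The seven new flags are consumed further down with bare truthiness tests of the form `{%- if LOGSTASH %}`, so a pillar value written as a string such as `enabled: 'False'` or `'0'` (the same convention the neighbouring `global:airgap` default `'False'` already relies on) is truthy and the component stays enabled despite the operator's intent. Normalising at the `set` line avoids that, e.g. `{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) | to_bool %}`, applied to all seven new lines. The existing `STRELKA` default of `'0'` has the same weakness but is not part of this change.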
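Review bot: In the sensor section the `- redis` entry (the context line directly above the new `{%- if LOGSTASH %}`) stays unconditional, while the later hunks of this file (-158, -207, -332, -370) wrap `- redis` in `{%- if REDIS %}`. If sensors are meant to get redis regardless of the flag, a one-line Jinja comment above it, `{#- redis is intentionally unconditional on sensors -#}`, would keep the next reader from "fixing" it; otherwise it should be gated like the others. The `base:` mapping this hunk belongs to starts and ends outside the hunk.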
@@ -101,8 +112,12 @@ base:
 {%- if WAZUH != 0 %}
 - wazuh
 {%- endif %}
+ {%- if ELASTICSEARCH %}
 - elasticsearch
+ {%- endif %}
+ {%- if KIBANA %}
 - kibana
+ {%- endif %}
 - pcap
 - suricata
 {%- if ZEEKVER != 'SURICATA' %}
@@ -111,9 +126,15 @@ base:
 {%- if STRELKA %}
 - strelka
 {%- endif %}
+ {%- if FILEBEAT %}
 - filebeat
+ {%- endif %}
+ {%- if CURATOR %}
 - curator
+ {%- endif %}
+ {%- if ELASTALERT %}
 - elastalert
+ {%- endif %}
 {%- if FLEETMANAGER or FLEETNODE %}
 - fleet
 - redis
@@ -158,12 +179,24 @@ base:
 {%- if WAZUH != 0 %}
 - wazuh
 {%- endif %}
+ {%- if ELASTICSEARCH %}
 - elasticsearch
+ {%- endif %}
+ {%- if LOGSTASH %}
 - logstash
+ {%- endif %}
+ {%- if REDIS %}
 - redis
+ {%- endif %}
+ {%- if KIBANA %}
 - kibana
+ {%- endif %}
+ {%- if ELASTALERT %}
 - elastalert
+ {%- endif %}
+ {%- if FILEBEAT %}
 - filebeat
+ {%- endif %}
 - utility
 - schedule
 {%- if FLEETMANAGER or FLEETNODE %}
@@ -207,10 +240,18 @@ base:
 {%- if WAZUH != 0 %}
 - wazuh
 {%- endif %}
+ {%- if ELASTICSEARCH %}
 - elasticsearch
+ {%- endif %}
+ {%- if LOGSTASH %}
 - logstash
+ {%- endif %}
+ {%- if REDIS %}
 - redis
+ {%- endif %}
+ {%- if KIBANA %}
 - kibana
+ {%- endif %}
 - pcap
 - suricata
 {%- if ZEEKVER != 'SURICATA' %}
@@ -219,9 +260,15 @@ base:
 {%- if STRELKA %}
 - strelka
 {%- endif %}
+ {%- if FILEBEAT %}
 - filebeat
+ {%- endif %}
+ {%- if CURATOR %}
 - curator
+ {%- endif %}
+ {%- if ELASTALERT %}
 - elastalert
+ {%- endif %}
 {%- if FLEETMANAGER or FLEETNODE %}
 - fleet
 - fleet.install_package
@@ -248,7 +295,9 @@ base:
 '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}':
 - match: compound
 - firewall
+ {%- if LOGSTASH %}
 - logstash
+ {%- endif %}
 {%- if FLEETMANAGER or FLEETNODE %}
 - fleet.install_package
 {%- endif %}
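Review bot: `- kibana` here is gated only on KIBANA while `- elasticsearch` immediately above it is gated on ELASTICSEARCH, so the pillar can render a role that applies kibana, curator or elastalert with no elasticsearch state; the same independent pairs appear in the -111, -158, -207 and -219 hunks of this file. If those SLS files carry `require` requisites on the elasticsearch state (not visible here), highstate then fails on an unsatisfied requisite rather than cleanly skipping; if they are meant to target a remote cluster, that is fine but the valid flag combinations should be documented next to the `<component>:enabled` pillar keys. Where the local-only case is intended, a guard such as `{%- if KIBANA and ELASTICSEARCH %}` makes the dependency explicit in one line. The `base:` mapping these hunks belong to starts and ends outside them.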
@@ -258,8 +307,12 @@ base: '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -269,7 +322,9 @@ base: '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -286,10 +341,18 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -332,13 +395,28 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} + - utility - schedule {%- if FLEETMANAGER or FLEETNODE %} @@ -370,11 +448,21 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} {%- if STRELKA %} - strelka {%- endif %} @@ -386,7 +474,9 @@ base: {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - schedule - docker_clean 
@@ -417,9 +507,15 @@ base:
 - idstools
 - suricata.manager
 - pcap
+ {%- if ELASTICSEARCH %}
 - elasticsearch
+ {%- endif %}
+ {%- if KIBANA %}
 - kibana
+ {%- endif %}
+ {%- if FILEBEAT %}
 - filebeat
+ {%- endif %}
 - utility
 - suricata
 - zeek
diff --git a/sigs/images/so-acng.sig b/sigs/images/so-acng.sig
new file mode 100644
index 000000000..ef0728b1c
Binary files /dev/null and b/sigs/images/so-acng.sig differ