Revert to SO taxonomy for zeek and suricata

2025-12-07 01:32:47 +01:00 · 2021-06-08 09:52:05 -04:00
parent cba719b3a0
commit 56eb220ed6
2 changed files with 78 additions and 19 deletions
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -111,7 +111,84 @@ filebeat.inputs:
  fields_under_root: true

 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
+  {%- if ZEEKVER != 'SURICATA' %}
+    {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
+- type: log
+  paths:
+    - /nsm/zeek/logs/current/{{ LOGNAME }}.log
+  fields:
+      module: zeek 
+      dataset: {{ LOGNAME }}
+      category: network
+  processors:
+  - drop_fields:
+      fields: ["source", "prospector", "input", "offset", "beat"]
 
+  fields_under_root: true
+  clean_removed: true
+  close_removed: false
+
+- type: log
+  paths:
+    - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log
+  fields:
+      module: zeek 
+      dataset: {{ LOGNAME }}
+      category: network
+      imported: true
+  processors:
+  - add_tags:
+      tags: ["import"]
+  - dissect:
+      tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
+      field: "log.file.path"
+      target_prefix: ""
+  - drop_fields:
+      fields: ["source", "prospector", "input", "offset", "beat"]
+ 
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+    {%- endfor %}
+  {%- endif %}
+
+- type: log
+  paths:
+    - /nsm/suricata/eve*.json
+  fields:
+    module: suricata
+    dataset: common
+    category: network
+
+  processors:
+  - drop_fields:
+      fields: ["source", "prospector", "input", "offset", "beat"]
+
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+
+- type: log
+  paths:
+    - /nsm/import/*/suricata/eve*.json
+  fields:
+    module: suricata
+    dataset: common
+    category: network
+    imported: true 
+  processors:
+  - add_tags:
+      tags: ["import"]
+  - dissect:
+      tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
+      field: "log.file.path"
+      target_prefix: ""
+  - drop_fields:
+      fields: ["source", "prospector", "input", "offset", "beat"]
+
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
  {%- if STRELKAENABLED == 1 %}
 - type: log
  paths:
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -23,22 +23,4 @@ securityonion_filebeat:
        var.paths: ["/logs/redis.log"]
      slowlog:
        enabled: false
-    suricata:
-      eve:
-        enabled: true
-        var.paths: ["/nsm/suricata/eve*.json"]
-    {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
-      {%- if ZEEKVER != 'SURICATA' %}
-    zeek:
-        {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
-          {% if LOGNAME in ZEEKLOGLOOKUP.keys() %}
-            {% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %}
-          {% else %}
-            {% set FILESET = LOGNAME %}
-          {% endif %}
-      {{ FILESET }}:
-        enabled: true
-        var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
-        {%- endfor %}
-      {%- endif %}
-    {%- endif %}
+