move templates from logstash to elasticsearch

2025-12-27 19:33:14 +01:00 · 2020-07-14 16:07:46 -04:00
parent 7a36803e2c
commit 57bf23d83c
30 changed files with 70 additions and 87 deletions
--- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-zeek-%{+YYYY.MM.dd}"
      template_name => "so-zeek"
-      template => "/so-zeek-template.json"
+      template => "/templates/so-zeek-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-import-%{+YYYY.MM.dd}"
      template_name => "so-import"
-      template => "/so-import-template.json"
+      template => "/templates/so-import-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -9,7 +9,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-flow-%{+YYYY.MM.dd}"
      template_name => "so-flow"
-      template => "/so-flow-template.json"
+      template => "/templates/so-flow-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -9,7 +9,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-ids-%{+YYYY.MM.dd}"
      template_name => "so-ids"
-      template => "/so-ids-template.json"
+      template => "/templates/so-ids-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-syslog-%{+YYYY.MM.dd}"
      template_name => "so-syslog"
-      template => "/so-syslog-template.json"
+      template => "/templates/so-syslog-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-osquery-%{+YYYY.MM.dd}"
      template_name => "so-osquery"
-      template => "/so-osquery-template.json"
+      template => "/templates/so-osquery-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -9,7 +9,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-firewall-%{+YYYY.MM.dd}"
      template_name => "so-firewall"
-      template => "/so-firewall-template.json"
+      template => "/templates/so-firewall-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-ids-%{+YYYY.MM.dd}"
      template_name => "so-ids" 
-      template => "/so-ids-template.json"
+      template => "/templates/so-ids-template.json"
    }
  }
 }
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-beats-%{+YYYY.MM.dd}"
      template_name => "so-beats"
-      template => "/so-beats-template.json"
+      template => "/templates/so-beats-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-ossec-%{+YYYY.MM.dd}"
      template_name => "so-ossec"
-      template => "/so-ossec-template.json"
+      template => "/templates/so-ossec-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -10,7 +10,7 @@ output {
      hosts => "{{ ES }}"
      index => "so-strelka-%{+YYYY.MM.dd}"
      template_name => "so-strelka"
-      template => "/so-strelka-template.json"
+      template => "/templates/so-strelka-template.json"
      template_overwrite => true
    }
  }
--- a/salt/logstash/pipelines/templates/custom/place_custom_template_in_local
+++ b/salt/logstash/pipelines/templates/custom/place_custom_template_in_local
@@ -1,2 +0,0 @@
-# Reference /usr/share/logstash/pipeline.custom/templates/YOURTEMPLATE.json
-# For custom logstash templates, they should be placed in /opt/so/saltstack/local/salt/logstash/pipelines/templates/custom/
--- a/salt/logstash/pipelines/templates/so/so-beats-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-beats-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
-{
-  "index_patterns": ["so-beats-*"],
-  "version": 50001,
-  "order": 11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-common-template.json
+++ b/salt/logstash/pipelines/templates/so/so-common-template.json
@@ -1,394 +0,0 @@
-{
-  "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"],
-  "version":50001,
-  "order":10,
-  "settings":{
-    "number_of_replicas":0,
-    "number_of_shards":1,
-    "index.refresh_interval":"30s",
-    "index.routing.allocation.require.box_type":"hot"
-  },
-  "mappings":{
-       "dynamic":false,
-       "date_detection":false,
-       "properties":{
-        "@timestamp":{
-          "type":"date"
-        },
-        "@version":{
-          "type":"keyword"
-        },
-  "osquery":{
-          "type":"object",
-          "dynamic":true
-        },
-        "geoip":{
-          "dynamic":true,
-          "properties":{
-            "ip":{
-              "type":"ip"
-            },
-            "location":{
-              "type":"geo_point"
-            },
-            "latitude":{
-              "type":"half_float"
-            },
-            "longitude":{
-              "type":"half_float"
-            }
-          }
-        },
-        "destination_geo":{
-          "dynamic":true,
-          "properties":{
-            "ip":{
-              "type":"ip"
-            },
-            "location":{
-              "type":"geo_point"
-            },
-            "latitude":{
-              "type":"half_float"
-            },
-            "longitude":{
-              "type":"half_float"
-            }
-          }
-        },
-        "source_geo":{
-          "dynamic":true,
-          "properties":{
-            "ip":{
-              "type":"ip"
-            },
-            "location":{
-              "type":"geo_point"
-            },
-            "latitude":{
-              "type":"half_float"
-            },
-            "longitude":{
-              "type":"half_float"
-            }
-          }
-        },
-        "agent":{
-          "type":"object",
-          "dynamic": true
-        },
-        "as":{
-          "type":"object",
-          "dynamic": true
-        },
-        "alert":{
-          "type":"object",
-          "dynamic": true
-        },
-	"client":{
-          "type":"object",
-          "dynamic": true
-        },
-        "cloud":{
-          "type":"object",
-          "dynamic": true
-        },
-        "code_signature":{
-          "type":"object",
-          "dynamic": true
-        },
-        "connection":{
-          "type":"object",
-          "dynamic": true
-        },
-        "container":{
-          "type":"object",
-          "dynamic": true
-        },
-        "data":{
-          "type":"object",
-          "dynamic": true
-        },
-        "dce_rpc":{
-          "type":"object",
-          "dynamic": true
-        },
-        "destination":{
-          "type":"object",
-          "dynamic": true
-        },
-        "dhcp":{
-          "type":"object",
-          "dynamic": true
-        },
-        "dnp3":{
-          "type":"object",
-          "dynamic": true
-        },
-        "dns":{
-          "type":"object",
-          "dynamic": true
-        },
-        "dll":{
-          "type":"object",
-          "dynamic": true
-        },
-        "ecs":{
-          "type":"object",
-          "dynamic": true
-        },
-        "error":{
-          "type":"object",
-          "dynamic": true
-        },
-        "event":{
-          "type":"object",
-          "dynamic": true
-        }, 
-        "file":{
-          "type":"object",
-          "dynamic": true
-        },
-        "flow":{
-          "type":"object",
-          "dynamic": true
-        },
-        "ftp":{
-          "type":"object",
-          "dynamic": true
-        },
-        "geo":{
-          "type":"object",
-          "dynamic": true
-        },
-        "group":{
-          "type":"object",
-          "dynamic": true
-        },
-        "hash":{
-          "type":"object",
-          "dynamic": true
-        },
-        "host":{
-          "type":"object",
-          "dynamic": true
-        },
-        "http":{
-          "type":"object",
-          "dynamic": true
-        },
-        "ingest":{
-          "type":"object",
-          "dynamic": true
-        },
-        "interface":{
-          "type":"object",
-          "dynamic": true
-        },
-	"irc":{
-          "type":"object",
-          "dynamic": true
-        },
-        "kerberos":{
-          "type":"object",
-          "dynamic": true
-        },
-        "log":{
-          "type":"object",
-          "dynamic": true
-        },
-        "manager":{
-          "type":"object",
-          "dynamic": true
-        },
-	"message":{  
-          "type":"text",
-          "fields":{  
-            "keyword":{  
-              "type":"keyword"
-            }
-          }
-        },
-        "modbus":{
-          "type":"object",
-          "dynamic": true
-        },
-	"mysql":{
-          "type":"object",
-          "dynamic": true
-        },
-        "network":{
-          "type":"object",
-          "dynamic": true
-        },
-	"notice":{
-          "type":"object",
-          "dynamic": true
-        },
-        "ntlm":{
-          "type":"object",
-          "dynamic": true
-        },
-        "observer":{
-          "type":"object",
-          "dynamic": true
-        },
-        "organization":{
-          "type":"object",
-          "dynamic": true
-        },
-        "os":{
-          "type":"object",
-          "dynamic": true
-        },
-        "package":{
-          "type":"object",
-          "dynamic": true
-        },
-        "pe":{
-          "type":"object",
-          "dynamic": true
-        },
-        "process":{
-          "type":"object",
-          "dynamic": true
-        },
-        "radius":{
-          "type":"object",
-          "dynamic": true
-        },
-        "rdp":{
-          "type":"object",
-          "dynamic": true
-        },
-        "registry":{
-          "type":"object",
-          "dynamic": true
-        },
-        "related":{
-          "type":"object",
-          "dynamic": true
-        },
-	"request":{
-          "type":"object",
-          "dynamic": true
-        },
-        "rfb":{
-          "type":"object",
-          "dynamic": true
-        },
-        "rule":{
-          "type":"object",
-          "dynamic": true
-        },
-	"scan":{
-          "type":"object",
-          "dynamic": true
-        },
-        "server":{
-          "type":"object",
-          "dynamic": true
-        },
-        "service":{
-          "type":"object",
-          "dynamic": true
-        },
-        "sip":{
-          "type":"object",
-          "dynamic": true
-        },
-        "smb":{
-          "type":"object",
-          "dynamic": true
-        },
-        "smtp":{
-          "type":"object",
-          "dynamic": true
-        },
-        "snmp":{
-          "type":"object",
-          "dynamic": true
-        },
-        "socks":{
-          "type":"object",
-          "dynamic": true
-        },
-        "software":{
-          "type":"object",
-          "dynamic": true
-        },
-	"source":{
-          "type":"object",
-          "dynamic": true
-        },
-        "ssh":{
-          "type":"object",
-          "dynamic": true
-        },
-        "ssl":{
-          "type":"object",
-          "dynamic": true
-        },
-	"syslog":{
-          "type":"object",
-          "dynamic": true
-        },
-        "tags":{
-          "type":"text",
-          "fields":{
-            "keyword":{
-              "type":"keyword"
-            }
-          }
-        },
-        "threat":{
-          "type":"object",
-          "dynamic": true
-        },
-        "tls":{
-          "type":"object",
-          "dynamic": true
-        },
-        "trace":{
-          "type":"object",
-          "dynamic": true
-        },
-        "tunnel":{
-          "type":"object",
-          "dynamic": true
-        },
-        "user":{
-          "type":"object",
-          "dynamic": true
-        },
-        "user_agent":{
-          "type":"object",
-          "dynamic": true
-        },
-        "version":{
-          "type":"object",
-          "dynamic": true
-        },
-        "vlan":{
-          "type":"object",
-          "dynamic": true
-        },
-        "vulnerability":{
-          "type":"object",
-          "dynamic": true
-        },
-        "weird":{
-          "type":"object",
-          "dynamic": true
-        },
-        "winlog":{
-          "type":"object",
-          "dynamic": true
-        },
-        "x509":{
-          "type":"object",
-          "dynamic": true
-        }
-     }
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-firewall-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-firewall-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
-{
-  "index_patterns": ["so-firewall-*"],
-  "version":50001,
-  "order":11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-flow-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-flow-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
-{
-  "index_patterns": ["so-flow-*"],
-  "version": 50001,
-  "order": 11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-ids-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-ids-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
-{
-  "index_patterns": ["so-ids-*"],
-  "version":50001,
-  "order":11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-import-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-import-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
-{
-  "index_patterns": ["so-import-*"],
-  "version":50001,
-  "order": 11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-osquery-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-osquery-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
-{
-  "index_patterns": ["so-osquery-*"],
-  "version":50001,
-  "order":11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-ossec-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-ossec-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
-{
-  "index_patterns": ["so-ossec-*"],
-  "version":50001,
-  "order":11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-strelka-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-strelka-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
-{
-  "index_patterns": ["so-strelka-*"],
-  "version":50001,
-  "order":11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
--- a/salt/logstash/pipelines/templates/so/so-syslog-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-syslog-template.json.jinja
@@ -1,14 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
-{
-  "index_patterns": ["so-syslog-*"],
-  "version":50001,
-  "order":11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}
-
--- a/salt/logstash/pipelines/templates/so/so-zeek-template.json.jinja
+++ b/salt/logstash/pipelines/templates/so/so-zeek-template.json.jinja
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
-  "index_patterns": ["so-zeek-*"],
-  "version":50001,
-  "order":11,
-  "settings":{
-    "number_of_replicas":{{ REPLICAS }},
-    "number_of_shards":{{ SHARDS }},
-    "index.refresh_interval":"{{ REFRESH }}"
-  }
-}