CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

move templates from logstash to elasticsearch

Browse Source
This commit is contained in:
m0duspwnens
2020-07-14 16:07:46 -04:00
parent 7a36803e2c
commit 57bf23d83c
30 changed files with 70 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pillar/elasticsearch/search.sls Normal file
View File

@@ -0,0 +1,13 @@
elasticsearch:
templates:
- so/so-beats-template.json.jinja
- so/so-common-template.json
- so/so-firewall-template.json.jinja
- so/so-flow-template.json.jinja
- so/so-ids-template.json.jinja
- so/so-import-template.json.jinja
- so/so-osquery-template.json.jinja
- so/so-ossec-template.json.jinja
- so/so-strelka-template.json.jinja
- so/so-syslog-template.json.jinja
- so/so-zeek-template.json.jinja

29
pillar/logstash/eval.sls
View File

@@ -1,29 +0,0 @@
logstash:
pipelines:
eval:
config:
- so/0800_input_eval.conf
- so/1002_preprocess_json.conf
- so/1033_preprocess_snort.conf
- so/7100_osquery_wel.conf
- so/8999_postprocess_rename_type.conf
- so/9000_output_bro.conf.jinja
- so/9002_output_import.conf.jinja
- so/9033_output_snort.conf.jinja
- so/9100_output_osquery.conf.jinja
- so/9400_output_suricata.conf.jinja
- so/9500_output_beats.conf.jinja
- so/9600_output_ossec.conf.jinja
- so/9700_output_strelka.conf.jinja
templates:
- so/so-beats-template.json.jinja
- so/so-common-template.json
- so/so-firewall-template.json.jinja
- so/so-flow-template.json.jinja
- so/so-ids-template.json.jinja
- so/so-import-template.json.jinja
- so/so-osquery-template.json.jinja
- so/so-ossec-template.json.jinja
- so/so-strelka-template.json.jinja
- so/so-syslog-template.json.jinja
- so/so-zeek-template.json.jinja

12
pillar/logstash/search.sls
View File

@@ -11,15 +11,3 @@ logstash:
- so/9500_output_beats.conf.jinja - so/9500_output_beats.conf.jinja
- so/9600_output_ossec.conf.jinja - so/9600_output_ossec.conf.jinja
- so/9700_output_strelka.conf.jinja - so/9700_output_strelka.conf.jinja
templates:
- so/so-beats-template.json.jinja
- so/so-common-template.json
- so/so-firewall-template.json.jinja
- so/so-flow-template.json.jinja
- so/so-ids-template.json.jinja
- so/so-import-template.json.jinja
- so/so-osquery-template.json.jinja
- so/so-ossec-template.json.jinja
- so/so-strelka-template.json.jinja
- so/so-syslog-template.json.jinja
- so/so-zeek-template.json.jinja

3
pillar/top.sls
View File

@@ -11,6 +11,7 @@ base:
- logstash - logstash
- logstash.manager - logstash.manager
- logstash.search - logstash.search
- elasticsearch.search
'*_sensor': '*_sensor':
- static - static
@@ -41,6 +42,7 @@ base:
- logstash - logstash
- logstash.manager - logstash.manager
- logstash.search - logstash.search
- elasticsearch.search
- data.* - data.*
- brologs - brologs
- secrets - secrets
@@ -75,4 +77,5 @@ base:
- static - static
- logstash - logstash
- logstash.search - logstash.search
- elasticsearch.search
- minions.{{ grains.id }} - minions.{{ grains.id }}

4
salt/common/tools/sbin/so-elasticsearch-templates
View File

@@ -15,13 +15,13 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
default_salt_dir=/opt/so/saltstack/default default_conf_dir=/opt/so/conf
ELASTICSEARCH_HOST="{{ MANAGERIP}}" ELASTICSEARCH_HOST="{{ MANAGERIP}}"
ELASTICSEARCH_PORT=9200 ELASTICSEARCH_PORT=9200
#ELASTICSEARCH_AUTH="" #ELASTICSEARCH_AUTH=""
# Define a default directory to load pipelines from # Define a default directory to load pipelines from
ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/" ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/"
# Wait for ElasticSearch to initialize # Wait for ElasticSearch to initialize
echo -n "Waiting for ElasticSearch..." echo -n "Waiting for ElasticSearch..."

39
salt/elasticsearch/init.sls
View File

@@ -31,6 +31,8 @@
{% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %} {% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %}
{% endif %} {% endif %}
{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
vm.max_map_count: vm.max_map_count:
sysctl.present: sysctl.present:
- value: 262144 - value: 262144
@@ -63,6 +65,13 @@ esingestdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
estemplatedir:
file.directory:
- name: /opt/so/conf/elasticsearch/templates
- user: 930
- group: 939
- makedirs: True
esingestconf: esingestconf:
file.recurse: file.recurse:
- name: /opt/so/conf/elasticsearch/ingest - name: /opt/so/conf/elasticsearch/ingest
@@ -86,6 +95,36 @@ esyml:
- group: 939 - group: 939
- template: jinja - template: jinja
#sync templates to /opt/so/conf/elasticsearch/templates
{% for TEMPLATE in TEMPLATES %}
es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
file.managed:
- source: salt://elasticsearch/templates/{{TEMPLATE}}
{% if 'jinja' in TEMPLATE.split('.')[-1] %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- template: jinja
{% else %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}}
{% endif %}
- user: 930
- group: 939
{% endfor %}
es_templates:
file.recurse:
- name: /opt/so/conf/elasticsearch/templates
- source: salt://elasticsearch/templates
- user: 930
- group: 939
- template: jinja
- clean: True
{% if TEMPLATES %}
- require:
{% for TEMPLATE in TEMPLATES %}
- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
{% endfor %}
{% endif %}
nsmesdir: nsmesdir:
file.directory: file.directory:
- name: /nsm/elasticsearch - name: /nsm/elasticsearch

0
salt/logstash/pipelines/templates/custom/place_custom_template_in_local → salt/elasticsearch/templates/custom/place_custom_template_in_local
View File

0
salt/logstash/pipelines/templates/so/so-beats-template.json.jinja → salt/elasticsearch/templates/so/so-beats-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-common-template.json → salt/elasticsearch/templates/so/so-common-template.json
View File

0
salt/logstash/pipelines/templates/so/so-firewall-template.json.jinja → salt/elasticsearch/templates/so/so-firewall-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-flow-template.json.jinja → salt/elasticsearch/templates/so/so-flow-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-ids-template.json.jinja → salt/elasticsearch/templates/so/so-ids-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-import-template.json.jinja → salt/elasticsearch/templates/so/so-import-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-osquery-template.json.jinja → salt/elasticsearch/templates/so/so-osquery-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-ossec-template.json.jinja → salt/elasticsearch/templates/so/so-ossec-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-strelka-template.json.jinja → salt/elasticsearch/templates/so/so-strelka-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-syslog-template.json.jinja → salt/elasticsearch/templates/so/so-syslog-template.json.jinja
View File

0
salt/logstash/pipelines/templates/so/so-zeek-template.json.jinja → salt/elasticsearch/templates/so/so-zeek-template.json.jinja
View File

35
salt/logstash/init.sls
View File

@@ -36,7 +36,6 @@
{% endif %} {% endif %}
{% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %}
{% set TEMPLATES = salt['pillar.get']('logstash:templates', {}) %}
{% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
# Create the logstash group # Create the logstash group
@@ -94,21 +93,6 @@ ls_pipeline_{{PL}}:
{% endfor %} {% endfor %}
#sync templates to /opt/so/conf/logstash/etc
{% for TEMPLATE in TEMPLATES %}
ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
file.managed:
- source: salt://logstash/pipelines/templates/{{TEMPLATE}}
{% if 'jinja' in TEMPLATE.split('.')[-1] %}
- name: /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- template: jinja
{% else %}
- name: /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1]}}
{% endif %}
- user: 931
- group: 939
{% endfor %}
lspipelinesyml: lspipelinesyml:
file.managed: file.managed:
- name: /opt/so/conf/logstash/etc/pipelines.yml - name: /opt/so/conf/logstash/etc/pipelines.yml
@@ -126,12 +110,6 @@ lsetcsync:
- group: 939 - group: 939
- template: jinja - template: jinja
- clean: True - clean: True
{% if TEMPLATES %}
- require:
{% for TEMPLATE in TEMPLATES %}
- file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
{% endfor %}
{% endif %}
- exclude_pat: pipelines* - exclude_pat: pipelines*
# Create the import directory # Create the import directory
@@ -171,13 +149,7 @@ so-logstash:
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
{% for TEMPLATE in TEMPLATES %} - /opt/so/conf/elasticsearch/templates/:/templates/:ro
{% if 'jinja' in TEMPLATE.split('.')[-1] %}
- /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:ro
{% else %}
- /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1]}}:/{{TEMPLATE.split('/')[1]}}:ro
{% endif %}
{% endfor %}
- /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro
- /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
- /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml
@@ -206,7 +178,4 @@ so-logstash:
- file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} - file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% for TEMPLATE in TEMPLATES %} - file: /opt/so/conf/elasticsearch/templates/*
- file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
{% endfor %}
# - file: /opt/so/conf/logstash/rulesets

2
salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-zeek-%{+YYYY.MM.dd}" index => "so-zeek-%{+YYYY.MM.dd}"
template_name => "so-zeek" template_name => "so-zeek"
template => "/so-zeek-template.json" template => "/templates/so-zeek-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-import-%{+YYYY.MM.dd}" index => "so-import-%{+YYYY.MM.dd}"
template_name => "so-import" template_name => "so-import"
template => "/so-import-template.json" template => "/templates/so-import-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
View File

@@ -9,7 +9,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-flow-%{+YYYY.MM.dd}" index => "so-flow-%{+YYYY.MM.dd}"
template_name => "so-flow" template_name => "so-flow"
template => "/so-flow-template.json" template => "/templates/so-flow-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
View File

@@ -9,7 +9,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-ids-%{+YYYY.MM.dd}" index => "so-ids-%{+YYYY.MM.dd}"
template_name => "so-ids" template_name => "so-ids"
template => "/so-ids-template.json" template => "/templates/so-ids-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-syslog-%{+YYYY.MM.dd}" index => "so-syslog-%{+YYYY.MM.dd}"
template_name => "so-syslog" template_name => "so-syslog"
template => "/so-syslog-template.json" template => "/templates/so-syslog-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-osquery-%{+YYYY.MM.dd}" index => "so-osquery-%{+YYYY.MM.dd}"
template_name => "so-osquery" template_name => "so-osquery"
template => "/so-osquery-template.json" template => "/templates/so-osquery-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
View File

@@ -9,7 +9,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-firewall-%{+YYYY.MM.dd}" index => "so-firewall-%{+YYYY.MM.dd}"
template_name => "so-firewall" template_name => "so-firewall"
template => "/so-firewall-template.json" template => "/templates/so-firewall-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-ids-%{+YYYY.MM.dd}" index => "so-ids-%{+YYYY.MM.dd}"
template_name => "so-ids" template_name => "so-ids"
template => "/so-ids-template.json" template => "/templates/so-ids-template.json"
} }
} }
} }

2
salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-beats-%{+YYYY.MM.dd}" index => "so-beats-%{+YYYY.MM.dd}"
template_name => "so-beats" template_name => "so-beats"
template => "/so-beats-template.json" template => "/templates/so-beats-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-ossec-%{+YYYY.MM.dd}" index => "so-ossec-%{+YYYY.MM.dd}"
template_name => "so-ossec" template_name => "so-ossec"
template => "/so-ossec-template.json" template => "/templates/so-ossec-template.json"
template_overwrite => true template_overwrite => true
} }
} }

2
salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
View File

@@ -10,7 +10,7 @@ output {
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-strelka-%{+YYYY.MM.dd}" index => "so-strelka-%{+YYYY.MM.dd}"
template_name => "so-strelka" template_name => "so-strelka"
template => "/so-strelka-template.json" template => "/templates/so-strelka-template.json"
template_overwrite => true template_overwrite => true
} }
} }