From 59d6b7cb8a42e01fbf48adc299e8588e0c5d30e5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jan 2020 16:00:57 -0500 Subject: [PATCH] Add log paths --- .../files/dynamic/0008_input_eval.conf | 187 ++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 salt/logstash/files/dynamic/0008_input_eval.conf diff --git a/salt/logstash/files/dynamic/0008_input_eval.conf b/salt/logstash/files/dynamic/0008_input_eval.conf new file mode 100644 index 000000000..b2850a984 --- /dev/null +++ b/salt/logstash/files/dynamic/0008_input_eval.conf @@ -0,0 +1,187 @@ +# Updated by: Mike Reeves +# Last Update: 11/1/2018 + +input { + file { + path => "/suricata/eve.json" + type => "ids" + add_field => { "engine" => "suricata" } + } + file { + path => "/nsm/bro/logs/current/conn*.log" + type => "bro_conn" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dce_rpc*.log" + type => "bro_dce_rpc" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dhcp*.log" + type => "bro_dhcp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dnp3*.log" + type => "bro_dnp3" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dns*.log" + type => "bro_dns" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dpd*.log" + type => "bro_dpd" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/files*.log" + type => "bro_files" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ftp*.log" + type => "bro_ftp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/http*.log" + type => "bro_http" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/intel*.log" + type => "bro_intel" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/irc*.log" + type => "bro_irc" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/kerberos*.log" + type => "bro_kerberos" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/modbus*.log" + type => "bro_modbus" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/mysql*.log" + type => "bro_mysql" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/notice*.log" + type => "bro_notice" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ntlm*.log" + type => "bro_ntlm" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/pe*.log" + type => "bro_pe" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/radius*.log" + type => "bro_radius" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/rdp*.log" + type => "bro_rdp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/rfb*.log" + type => "bro_rfb" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/signatures*.log" + type => "bro_signatures" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/sip*.log" + type => "bro_sip" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/smb_files*.log" + type => "bro_smb_files" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/smb_mapping*.log" + type => "bro_smb_mapping" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/smtp*.log" + type => "bro_smtp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/snmp*.log" + type => "bro_snmp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/socks*.log" + type => "bro_socks" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/software*.log" + type => "bro_software" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ssh*.log" + type => "bro_ssh" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ssl*.log" + type => "bro_ssl" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/syslog*.log" + type => "bro_syslog" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/tunnel*.log" + type => "bro_tunnels" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/weird*.log" + type => "bro_weird" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/x509*.log" + type => "bro_x509" + tags => ["bro"] + } +} +filter { + if "import" in [tags] { + mutate { + #add_tag => [ "conf_file_0007"] + } + } +}