CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Show correct dates and Kibana URL for already processed EVTX files

Browse Source
This commit is contained in:
Wes
2023-09-18 21:31:15 +00:00
parent ad025b9683
commit 5bac1e4d15
1 changed files with 26 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
salt/common/tools/sbin_jinja/so-import-evtx
View File

@@ -80,8 +80,8 @@ function evtx2es() {
-e "SHIFTTS=$SHIFTDATE" \ -e "SHIFTTS=$SHIFTDATE" \
-v "$EVTX:/tmp/data.evtx" \ -v "$EVTX:/tmp/data.evtx" \
-v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-v "/nsm/import/evtx-end_newest:/tmp/newest" \ -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
-v "/nsm/import/evtx-start_oldest:/tmp/oldest" \ -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
--entrypoint "/evtx_calc_timestamps.sh" \ --entrypoint "/evtx_calc_timestamps.sh" \
{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1 {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
} }
@@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0
VALID_EVTXS_COUNT=0 VALID_EVTXS_COUNT=0
SKIPPED_EVTXS_COUNT=0 SKIPPED_EVTXS_COUNT=0
touch /nsm/import/evtx-start_oldest
touch /nsm/import/evtx-end_newest
echo $START_OLDEST > /nsm/import/evtx-start_oldest
echo $END_NEWEST > /nsm/import/evtx-end_newest
# paths must be quoted in case they include spaces # paths must be quoted in case they include spaces
for EVTX in $INPUT_FILES; do for EVTX in $INPUT_FILES; do
EVTX=$(/usr/bin/realpath "$EVTX") EVTX=$(/usr/bin/realpath "$EVTX")
@@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do
status "- this EVTX has already been imported; skipping" status "- this EVTX has already been imported; skipping"
SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1)) SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
else else
# create EVTX directory
EVTX_DIR=$HASH_DIR/evtx EVTX_DIR=$HASH_DIR/evtx
mkdir -p $EVTX_DIR mkdir -p $EVTX_DIR
# create import timestamp files
for i in evtx-start_oldest evtx-end_newest; do
if ! [ -f "$i" ]; then
touch /nsm/import/$HASH/$i
fi
done
# import evtx and write them to import ingest pipeline # import evtx and write them to import ingest pipeline
status "- importing logs to Elasticsearch..." status "- importing logs to Elasticsearch..."
@@ -154,28 +155,28 @@ for EVTX in $INPUT_FILES; do
VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1)) VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
fi fi
# compare $START to $START_OLDEST
START=$(cat /nsm/import/evtx-start_oldest)
START_COMPARE=$(date -d $START +%s)
START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
START_OLDEST=$START
fi
# compare $ENDNEXT to $END_NEWEST
END=$(cat /nsm/import/evtx-end_newest)
ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
END_NEWEST=$ENDNEXT
fi
cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
chmod 644 "${EVTX_DIR}"/data.evtx chmod 644 "${EVTX_DIR}"/data.evtx
fi # end of valid evtx fi # end of valid evtx
# compare $START to $START_OLDEST
START=$(cat /nsm/import/$HASH/evtx-start_oldest)
START_COMPARE=$(date -d $START +%s)
START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
START_OLDEST=$START
fi
# compare $ENDNEXT to $END_NEWEST
END=$(cat /nsm/import/$HASH/evtx-end_newest)
ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
END_NEWEST=$ENDNEXT
fi
status status
done # end of for-loop processing evtx files done # end of for-loop processing evtx files