From bccb83fae92447f16649dbaf1a3886cc900645ff Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 7 Dec 2018 03:57:31 +0000 Subject: [PATCH 1/7] Setup - Install Wazuh agent --- so-setup-network.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 2ca925137..9c6eeda09 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -75,6 +75,22 @@ add_socore_user_notmaster() { } +add_wazuh_users() { + + if [ $OS == 'centos' ]; then + local ADDUSER=adduser + else + local ADDUSER=useradd + fi + + groupadd --gid 945 ossec + $ADDUSER --uid 943 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecm + $ADDUSER --uid 944 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecr + $ADDUSER --uid 945 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossec + +} + + # Enable Bro Logs bro_logs_enabled() { @@ -875,6 +891,22 @@ update_sudoers() { } +wazuh_agent_install() { + + # Get key + curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + # Add repo + echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list + apt-get update -y + # Install + apt-get install -y wazuh-agent + # Prevent automatic updates + sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list + # Set package state to "hold" + echo "wazuh-agent hold" | sudo dpkg --set-selections + +} + ########################################### ## ## ## Whiptail Menu Section ## @@ -1421,6 +1453,12 @@ if (whiptail_you_sure); then echo "" add_socore_user_master + echo "** Adding Wazuh users **" + add_wazuh_users + + echo "** Installing Wazuh agent **" + wazuh_agent_install + # Install salt and dependencies echo " ** Installing Salt and Dependencies **" saltify >>~/sosetup.log 2>&1 
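Review bot: The three accounts created in add_wazuh_users get the system's default login shell, because none of the `$ADDUSER` lines passes `--shell` or `--system`; accounts that exist only to own an agent's files should not be interactive. Adding `--system --shell /usr/sbin/nologin` (CentOS ships it at `/sbin/nologin`, so select the path per `$OS` next to `ADDUSER`) closes that. The hard-coded `groupadd --gid 945` and `--uid 943/944/945` calls also fail with a non-zero status when the names or IDs already exist, e.g. on a re-install, and nothing in the function checks them; guarding with `getent group ossec >/dev/null || groupadd --gid 945 ossec` and checking each `$ADDUSER` return would make a partial failure visible instead of silent. `[ $OS == 'centos' ]` should quote `"$OS"`, the same unset-variable class of bug that 4/7 fixes in master_static.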
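Review bot: `apt-get install -y wazuh-agent` installs whatever 3.x build the repository serves on the day the sensor is built, so the `dpkg --set-selections` hold that follows freezes an untested version rather than a known one; pin it, `apt-get install -y wazuh-agent=<tested 3.x version>`, so sensors built on different days run the same agent. The `sudo` in `echo "wazuh-agent hold" | sudo dpkg --set-selections` is inconsistent with the rest of the function, which already runs as root, and `tee` echoes the repo line to stdout for no reason; drop both. No step has its exit status checked, so a failed key import or install is only noticed when the agent is missing later; `|| return 1` after the curl pipeline and after `apt-get install` would surface it to the caller.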
@@ -1507,6 +1545,8 @@ if (whiptail_you_sure); then
 mkdir -p /nsm
 get_filesystem_root
 get_filesystem_nsm
+ add_wazuh_users
+ wazuh_agent_install
 copy_ssh_key
 set_initial_firewall_policy
 create_bond
@@ -1571,6 +1611,8 @@ if (whiptail_you_sure); then
 echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
 echo ""
 add_socore_user_master
+ add_wazuh_users
+ wazuh_agent_instal
 create_bond
 saltify
 docker_install
@@ -1632,6 +1674,8 @@ if (whiptail_you_sure); then
 mkdir -p /nsm
 get_filesystem_root
 get_filesystem_nsm
+ add_wazuh_users
+ wazuh_agent_install
 copy_ssh_key
 set_initial_firewall_policy
 saltify
From e21c67f553448ead57747371cf03694d09571157 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 7 Dec 2018 04:14:30 +0000
Subject: [PATCH 2/7] Setup - Fix typo
---
 so-setup-network.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-setup-network.sh b/so-setup-network.sh
index 9c6eeda09..dc470487b 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -1612,7 +1612,7 @@ if (whiptail_you_sure); then
 echo ""
 add_socore_user_master
 add_wazuh_users
- wazuh_agent_instal
+ wazuh_agent_install
 create_bond
 saltify
 docker_install
From 6bfb813cdfd0e36702097d7d4c1c2c4a3c4d113f Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 7 Dec 2018 04:18:28 +0000
Subject: [PATCH 3/7] Setup - Adjust syntax
---
 so-setup-network.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-setup-network.sh b/so-setup-network.sh
index dc470487b..21b6e85e6 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -171,7 +171,7 @@ chown_salt_master() {
 clear_master() {
 # Clear out the old master public key in case this is a re-install.
 # This only happens if you re-install the master.
- if [ -f /etc/salt/pki/minion/minion_master.pub]; then
+ if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
 rm /etc/salt/pki/minion/minion_master.pub
 service salt-minion restart
 fi
From f5e2b7f210b2a1be1e4b76b7d2c18411be15e445 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 7 Dec 2018 04:22:11 +0000
Subject: [PATCH 4/7] Setup - Adjust to prevent unary operator error
---
 so-setup-network.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-setup-network.sh b/so-setup-network.sh
index 21b6e85e6..63a214dc4 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -547,7 +547,7 @@ master_static() {
 echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls
 echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls
 echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls
- if [ $MASTERUPDATES == 'MASTER' ]; then
+ if [[ $MASTERUPDATES == 'MASTER' ]]; then
 echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
 else
 echo " masterupdate: 0" >> /opt/so/saltstack/pillar/static.sls
From e11aadf7306a1fdad74bfd2babbd39caa3c617a4 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 7 Dec 2018 13:36:11 +0000
Subject: [PATCH 5/7] Wazuh - agent install for CentOS
---
 salt/wazuh/files/filebeat.yml | 328 ++++++++++++++++++++++++++++++++--
 so-setup-network.sh | 39 ++--
 2 files changed, 341 insertions(+), 26 deletions(-)
diff --git a/salt/wazuh/files/filebeat.yml b/salt/wazuh/files/filebeat.yml
index 7f076793c..7c6e0655b 100644
--- a/salt/wazuh/files/filebeat.yml
+++ b/salt/wazuh/files/filebeat.yml
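Review bot: Switching to `[[` removes the unary-operator error but hides its cause: that error means `$MASTERUPDATES` was empty on some install path, and with `[[` that path now silently takes the `else` branch and writes `masterupdate: 0` into static.sls. Making the default explicit, `if [[ "${MASTERUPDATES:-}" == 'MASTER' ]]; then`, or failing early with `: "${MASTERUPDATES:?MASTERUPDATES not set}"` just above the test, records which behaviour is intended for that path. master_static's body starts and ends outside the hunk.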
@@ -1,16 +1,314 @@ -filebeat: - prospectors: - - input_type: log - paths: - - "/var/ossec/data/logs/alerts/alerts.json" - document_type: wazuh-alerts - json.message_key: log - json.keys_under_root: true - json.overwrite_keys: true +{%- set MASTER = grains['master'] %} +{%- set HOSTNAME = salt['grains.get']('host', '') %} +{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} -output: - logstash: - # The Logstash hosts - hosts: ["logstash:5000"] -# ssl: -# certificate_authorities: ["/etc/filebeat/logstash.crt"] +name: {{ HOSTNAME }} + +#========================== Modules configuration ============================ +filebeat.modules: +#=========================== Filebeat prospectors ============================= + +# List of prospectors to fetch data. +filebeat.prospectors: +#------------------------------ Log prospector -------------------------------- +{%- if BROVER != 'SURICATA' %} +{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} + - type: log + paths: + - /nsm/bro/logs/current/{{ LOGNAME }}.log + fields: + type: bro_{{ LOGNAME }} + fields_under_root: true + tags: ["bro"] + clean_removed: false + close_removed: false + +{%- endfor %} +{%- endif %} + + - type: log + paths: + - /suricata/eve.json + fields: + type: ids + engine: suricata + fields_under_root: true + clean_removed: false + close_removed: false + + - type: log + paths: + - /alerts/alerts.json + fields: + type: ossec + fields_under_root: true + clean_removed: false + close_removed: false + + + +#----------------------------- Logstash output --------------------------------- +output.logstash: + # Boolean flag to enable or disable the output module. + enabled: true + + # The Logstash hosts + hosts: ["{{ MASTER }}:5044"] + + # Number of workers per Logstash host. + worker: 1 + + # Set gzip compression level. + compression_level: 3 + + + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + ssl.enabled: true + + # Configure SSL verification mode. 
If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] + + # Certificate for SSL client authentication + ssl.certificate: "/usr/share/filebeat/filebeat.crt" + + # Client Certificate Key + ssl.key: "/usr/share/filebeat/filebeat.key" + + +# Elasticsearch template settings +#setup.template.settings: + + # A dictionary of settings to place into the settings.index dictionary + # of the Elasticsearch template. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html + #index: + #number_of_shards: 1 + #codec: best_compression + #number_of_routing_shards: 30 + + # A dictionary of settings for the _source field. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html + #_source: + #enabled: false + +#============================== Kibana ===================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +#setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Optional protocol and basic auth credentials. 
+ #protocol: "https" + #username: "elastic" + #password: "changeme" + + # Optional HTTP Path + #path: "" + + # Use SSL settings for HTTPS. Default is true. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # SSL configuration. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + + +#================================ Logging ====================================== +# There are four options for the log output: file, stderr, syslog, eventlog +# The file output is the default. + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +logging.level: debug + +# Enable debug output for selected components. To enable all selectors use ["*"] +# Other available selectors are "beat", "publish", "service" +# Multiple selectors can be chained. +#logging.selectors: [ ] + +# Send all logging output to syslog. The default is false. +#logging.to_syslog: false + +# Send all logging output to Windows Event Logs. The default is false. 
+#logging.to_eventlog: false + +# If enabled, filebeat periodically logs its internal metrics that have changed +# in the last period. For each metric that changed, the delta from the value at +# the beginning of the period is logged. Also, the total values for +# all non-zero internal metrics are logged on shutdown. The default is true. +#logging.metrics.enabled: true + +# The period after which to log the internal metrics. The default is 30s. +#logging.metrics.period: 30s + +# Logging to rotating files. Set logging.to_files to false to disable logging to +# files. +logging.to_files: true +logging.files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + path: /var/log/filebeat + + # The name of the files where the logs are written to. + name: filebeat + + # Configure log file size limit. If limit is reached, log file will be + # automatically rotated + rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. Oldest files will be deleted first. + keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + +# Set to true to log messages in json format. +#logging.json: false + + +#============================== Xpack Monitoring ===================================== +# filebeat can export internal metrics to a central Elasticsearch monitoring cluster. +# This requires xpack monitoring to be enabled in Elasticsearch. +# The reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#xpack.monitoring.enabled: false + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. 
Any setting that is not set is +# automatically inherited from the Elasticsearch output configuration, so if you +# have the Elasticsearch output configured, you can simply uncomment the +# following line, and leave the rest commented out. +#xpack.monitoring.elasticsearch: + + # Array of hosts to connect to. + # Scheme and port can be left out and will be set to the default (http and 9200) + # In case you specify and additional path, the scheme is required: http://localhost:9200/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 + #hosts: ["localhost:9200"] + + # Set gzip compression level. + #compression_level: 0 + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "beats_system" + #password: "changeme" + + # Dictionary of HTTP parameters to pass within the url with index operations. + #parameters: + #param1: value1 + #param2: value2 + + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Proxy server url + #proxy_url: http://proxy:3128 + + # The number of times a particular Elasticsearch index operation is attempted. If + # the indexing operation doesn't succeed after this many retries, the events are + # dropped. The default is 3. + #max_retries: 3 + + # The maximum number of events to bulk in a single Elasticsearch bulk API index request. + # The default is 50. + #bulk_max_size: 50 + + # Configure http request timeout before failing an request to Elasticsearch. + #timeout: 90 + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. 
+ #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # SSL configuration. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + +#================================ HTTP Endpoint ====================================== +# Each beat can expose internal metrics through a HTTP endpoint. For security +# reasons the endpoint is disabled by default. This feature is currently experimental. +# Stats can be access through http://localhost:5066/stats . For pretty JSON output +# append ?pretty to the URL. + +# Defines if the HTTP endpoint is enabled. +#http.enabled: false + +# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost. +#http.host: localhost + +# Port on which the HTTP endpoint will bind. Default is 5066. diff --git a/so-setup-network.sh b/so-setup-network.sh index 63a214dc4..240172838 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
@@ -893,17 +893,34 @@ update_sudoers() { wazuh_agent_install() { - # Get key - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - - # Add repo - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list - apt-get update -y - # Install - apt-get install -y wazuh-agent - # Prevent automatic updates - sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list - # Set package state to "hold" - echo "wazuh-agent hold" | sudo dpkg --set-selections + if [ $OS == 'centos' ]; then + # Add repo + cat > /etc/yum.repos.d/wazuh.repo <<\EOF +[wazuh_repo] +gpgcheck=1 +gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH +enabled=1 +name=Wazuh repository +baseurl=https://packages.wazuh.com/3.x/yum/ +protect=1 +EOF + # Install agent + yum install -y wazuh-agent + # Prevent automatic upates + sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo + else + # Get key + curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + # Add repo + echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list + apt-get update -y + # Install + apt-get install -y wazuh-agent + # Prevent automatic updates + sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list + # Set package state to "hold" + echo "wazuh-agent hold" | sudo dpkg --set-selections + fi } From e355503324e61f5dfaea7277a1f84da85bc8319a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 7 Dec 2018 13:38:31 +0000 Subject: [PATCH 6/7] Filebeat - Update for Wazuh logs --- salt/filebeat/etc/filebeat.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index f8fb5acf5..7c6e0655b 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
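Review bot: The Debian branch still imports the repository key with `curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -`: `-s` without `-f` feeds an HTTP error body into apt-key, the pipeline's status is never checked, and `apt-key add` puts the key in the global trusted keyring, where it can authenticate any apt repository on the host, not only Wazuh's. Fetch it with `curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor -o /usr/share/keyrings/wazuh.gpg || return 1` and reference it as `deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/3.x/apt/ stable main` so the trust is scoped to that repo. The new yum branch is sounder (`gpgcheck=1`, key fetched over HTTPS), but `yum install -y wazuh-agent` likewise needs `|| return 1`, and `protect=1` is only honoured when the yum-protectbase plugin is installed, so it should not be relied on as a pin; the comment also misspells "updates".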
@@ -36,6 +36,16 @@ filebeat.prospectors: clean_removed: false close_removed: false + - type: log + paths: + - /alerts/alerts.json + fields: + type: ossec + fields_under_root: true + clean_removed: false + close_removed: false + + #----------------------------- Logstash output --------------------------------- output.logstash: @@ -152,7 +162,7 @@ output.logstash: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +logging.level: debug # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" From 6a9a537cf8d1e8ab6dc18fa7b7c1a0d773ae3d86 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 7 Dec 2018 13:39:10 +0000 Subject: [PATCH 7/7] Wazuh - Remove filebeat.yml --- salt/wazuh/files/filebeat.yml | 314 ---------------------------------- 1 file changed, 314 deletions(-) delete mode 100644 salt/wazuh/files/filebeat.yml diff --git a/salt/wazuh/files/filebeat.yml b/salt/wazuh/files/filebeat.yml deleted file mode 100644 index 7c6e0655b..000000000 --- a/salt/wazuh/files/filebeat.yml +++ /dev/null 
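Review bot: The new `/alerts/alerts.json` prospector ships each line as plain text tagged `type: ossec`; the Wazuh-side template this series removes (salt/wazuh/files/filebeat.yml, 1/7 through 7/7) had `json.keys_under_root: true` on the same source, so unless the Logstash pipeline for type ossec decodes the JSON itself the alert fields will arrive as an opaque `message` and not be indexed — worth confirming against the logstash config before merge. The path is also `/alerts/alerts.json` rather than the agent's native `/var/ossec/logs/alerts/alerts.json`, which presumably relies on a bind mount into the filebeat container; a comment on the prospector, `# /alerts is the wazuh alerts directory bind-mounted into the filebeat container`, would save the next reader the guess.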
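Review bot: `logging.level: debug` is being committed into the deployed filebeat.yml, not a local override; at debug level with no `logging.selectors` set filebeat can log every event it publishes, so Bro, Suricata and now Wazuh alert records get a second copy written into /var/log/filebeat on each sensor (bounded by the 10 MB × 7 rotation, but still duplicated alert data on disk and noisy logs). Restore `#logging.level: info` before merge, or drive it from a pillar value so debug can be switched on per host when troubleshooting.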
@@ -1,314 +0,0 @@ -{%- set MASTER = grains['master'] %} -{%- set HOSTNAME = salt['grains.get']('host', '') %} -{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} - -name: {{ HOSTNAME }} - -#========================== Modules configuration ============================ -filebeat.modules: -#=========================== Filebeat prospectors ============================= - -# List of prospectors to fetch data. -filebeat.prospectors: -#------------------------------ Log prospector -------------------------------- -{%- if BROVER != 'SURICATA' %} -{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - - type: log - paths: - - /nsm/bro/logs/current/{{ LOGNAME }}.log - fields: - type: bro_{{ LOGNAME }} - fields_under_root: true - tags: ["bro"] - clean_removed: false - close_removed: false - -{%- endfor %} -{%- endif %} - - - type: log - paths: - - /suricata/eve.json - fields: - type: ids - engine: suricata - fields_under_root: true - clean_removed: false - close_removed: false - - - type: log - paths: - - /alerts/alerts.json - fields: - type: ossec - fields_under_root: true - clean_removed: false - close_removed: false - - - -#----------------------------- Logstash output --------------------------------- -output.logstash: - # Boolean flag to enable or disable the output module. - enabled: true - - # The Logstash hosts - hosts: ["{{ MASTER }}:5044"] - - # Number of workers per Logstash host. - worker: 1 - - # Set gzip compression level. - compression_level: 3 - - - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. - ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions 1.0 up to - # 1.2 are enabled. 
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] - - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] - - # Certificate for SSL client authentication - ssl.certificate: "/usr/share/filebeat/filebeat.crt" - - # Client Certificate Key - ssl.key: "/usr/share/filebeat/filebeat.key" - - -# Elasticsearch template settings -#setup.template.settings: - - # A dictionary of settings to place into the settings.index dictionary - # of the Elasticsearch template. For more details, please check - # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html - #index: - #number_of_shards: 1 - #codec: best_compression - #number_of_routing_shards: 30 - - # A dictionary of settings for the _source field. For more details, please check - # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html - #_source: - #enabled: false - -#============================== Kibana ===================================== - -# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. -# This requires a Kibana endpoint configuration. -#setup.kibana: - - # Kibana Host - # Scheme and port can be left out and will be set to the default (http and 5601) - # In case you specify and additional path, the scheme is required: http://localhost:5601/path - # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 - #host: "localhost:5601" - - # Optional protocol and basic auth credentials. - #protocol: "https" - #username: "elastic" - #password: "changeme" - - # Optional HTTP Path - #path: "" - - # Use SSL settings for HTTPS. Default is true. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. 
Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions 1.0 up to - # 1.2 are enabled. - #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] - - # SSL configuration. By default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #ssl.curve_types: [] - - - -#================================ Logging ====================================== -# There are four options for the log output: file, stderr, syslog, eventlog -# The file output is the default. - -# Sets log level. The default log level is info. -# Available log levels are: error, warning, info, debug -logging.level: debug - -# Enable debug output for selected components. To enable all selectors use ["*"] -# Other available selectors are "beat", "publish", "service" -# Multiple selectors can be chained. -#logging.selectors: [ ] - -# Send all logging output to syslog. The default is false. -#logging.to_syslog: false - -# Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false - -# If enabled, filebeat periodically logs its internal metrics that have changed -# in the last period. For each metric that changed, the delta from the value at -# the beginning of the period is logged. Also, the total values for -# all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true - -# The period after which to log the internal metrics. The default is 30s. 
-#logging.metrics.period: 30s - -# Logging to rotating files. Set logging.to_files to false to disable logging to -# files. -logging.to_files: true -logging.files: - # Configure the path where the logs are written. The default is the logs directory - # under the home path (the binary location). - path: /var/log/filebeat - - # The name of the files where the logs are written to. - name: filebeat - - # Configure log file size limit. If limit is reached, log file will be - # automatically rotated - rotateeverybytes: 10485760 # = 10MB - - # Number of rotated log files to keep. Oldest files will be deleted first. - keepfiles: 7 - - # The permissions mask to apply when rotating log files. The default value is 0600. - # Must be a valid Unix-style file permissions mask expressed in octal notation. - #permissions: 0600 - -# Set to true to log messages in json format. -#logging.json: false - - -#============================== Xpack Monitoring ===================================== -# filebeat can export internal metrics to a central Elasticsearch monitoring cluster. -# This requires xpack monitoring to be enabled in Elasticsearch. -# The reporting is disabled by default. - -# Set to true to enable the monitoring reporter. -#xpack.monitoring.enabled: false - -# Uncomment to send the metrics to Elasticsearch. Most settings from the -# Elasticsearch output are accepted here as well. Any setting that is not set is -# automatically inherited from the Elasticsearch output configuration, so if you -# have the Elasticsearch output configured, you can simply uncomment the -# following line, and leave the rest commented out. -#xpack.monitoring.elasticsearch: - - # Array of hosts to connect to. 
- # Scheme and port can be left out and will be set to the default (http and 9200) - # In case you specify and additional path, the scheme is required: http://localhost:9200/path - # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 - #hosts: ["localhost:9200"] - - # Set gzip compression level. - #compression_level: 0 - - # Optional protocol and basic auth credentials. - #protocol: "https" - #username: "beats_system" - #password: "changeme" - - # Dictionary of HTTP parameters to pass within the url with index operations. - #parameters: - #param1: value1 - #param2: value2 - - # Custom HTTP headers to add to each request - #headers: - # X-My-Header: Contents of the header - - # Proxy server url - #proxy_url: http://proxy:3128 - - # The number of times a particular Elasticsearch index operation is attempted. If - # the indexing operation doesn't succeed after this many retries, the events are - # dropped. The default is 3. - #max_retries: 3 - - # The maximum number of events to bulk in a single Elasticsearch bulk API index request. - # The default is 50. - #bulk_max_size: 50 - - # Configure http request timeout before failing an request to Elasticsearch. - #timeout: 90 - - # Use SSL settings for HTTPS. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions 1.0 up to - # 1.2 are enabled. - #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] - - # SSL configuration. By default is off. 
- # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - -#================================ HTTP Endpoint ====================================== -# Each beat can expose internal metrics through a HTTP endpoint. For security -# reasons the endpoint is disabled by default. This feature is currently experimental. -# Stats can be access through http://localhost:5066/stats . For pretty JSON output -# append ?pretty to the URL. - -# Defines if the HTTP endpoint is enabled. -#http.enabled: false - -# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost. -#http.host: localhost - -# Port on which the HTTP endpoint will bind. Default is 5066.