Fix Wazuh paths for logstash/fb
@@ -57,8 +57,8 @@ so-filebeat:
|
|||||||
- /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
|
- /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
|
||||||
- /nsm/zeek:/nsm/zeek:ro
|
- /nsm/zeek:/nsm/zeek:ro
|
||||||
- /opt/so/log/suricata:/suricata:ro
|
- /opt/so/log/suricata:/suricata:ro
|
||||||
- /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
|
- /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
|
||||||
- /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
|
- /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
|
||||||
- /opt/so/log/fleet/:/osquery/logs:ro
|
- /opt/so/log/fleet/:/osquery/logs:ro
|
||||||
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
|
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
|
||||||
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
|
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
|
||||||
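Review bot: The new host path `/opt/so/log/wazuh/logs/alerts` does not line up with the so-wazuh bind in this same commit, which mounts `/opt/so/log/wazuh` at `/var/ossec/data/logs`; if the container still writes alerts under `/var/ossec/data/logs/alerts` as the old whole-tree bind implied, they land in `/opt/so/log/wazuh/alerts` on the host and the filebeat mount points at a directory that is missing (and that Docker would then create as root). Either change the bind to `/opt/so/log/wazuh/alerts:/wazuh/alerts:ro` (and `/opt/so/log/wazuh/archives` for archives), or keep the extra `logs` component on the so-wazuh side so the two stay consistent. The so-logstash hunk at `@@ -241,8 +241,8 @@` carries the same pair of paths and needs the same decision. The bind list continues outside this hunk.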
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
{%- if grains['role'] == 'so-eval' -%}
|
{%- if grains['role'] == 'so-eval' -%}
|
||||||
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
|
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
|
||||||
|
{%- set NAME = grains.host -%}
|
||||||
{%- else %}
|
{%- else %}
|
||||||
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
|
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
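Review bot: `NAME` is only assigned inside the `so-eval` branch, so on any other role the `{{ NAME }}` reference added in the `add_field` hunk below is an undefined variable at render time — an empty `sensor_name` or a render failure depending on the renderer's undefined policy. Assign it once outside the conditional, `{%- set NAME = grains.host -%}` above the `if`, or add the same `set` to the `else` branch. The suricata template at `@@ -1,5 +1,6 @@` / `@@ -11,7 +12,7 @@` further down has the identical shape and needs the same fix.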
@@ -12,7 +13,7 @@
|
|||||||
filter {
|
filter {
|
||||||
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
|
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
|
||||||
mutate {
|
mutate {
|
||||||
##add_tag => [ "conf_file_9000"]
|
add_field => { "sensor_name" => "{{ NAME }}" }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
{%- if grains['role'] == 'so-eval' -%}
|
{%- if grains['role'] == 'so-eval' -%}
|
||||||
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
|
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
|
||||||
|
{%- set NAME = grains.host -%}
|
||||||
{%- else %}
|
{%- else %}
|
||||||
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
|
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
@@ -11,7 +12,7 @@
|
|||||||
filter {
|
filter {
|
||||||
if [event_type] == "suricata" and "test_data" not in [tags] {
|
if [event_type] == "suricata" and "test_data" not in [tags] {
|
||||||
mutate {
|
mutate {
|
||||||
##add_tag => [ "conf_file_9400"]
|
add_field => { "sensor_name" => "{{ NAME }}" }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,4 +1,6 @@
|
|||||||
{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
|
{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
|
||||||
|
{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
|
||||||
|
{% set CBNAME = grains.host %}
|
||||||
|
|
||||||
filter {
|
filter {
|
||||||
if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
|
if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
|
||||||
@@ -34,6 +36,8 @@ filter {
|
|||||||
copy => { "class" => "program"}
|
copy => { "class" => "program"}
|
||||||
rename => { "source_port" => "srcport" }
|
rename => { "source_port" => "srcport" }
|
||||||
rename => { "destination_port" => "dstport" }
|
rename => { "destination_port" => "dstport" }
|
||||||
|
add_field => { "metacbid" => "{{ UNIQUEID }}"}
|
||||||
|
add_field => { "metacbname" => "{{ CBNAME }}"}
|
||||||
remove_field => ["source_ip", "destination_ip"]
|
remove_field => ["source_ip", "destination_ip"]
|
||||||
remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
|
remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
|
||||||
remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
|
remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
|
||||||
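Review bot: `UNIQUEID` falls back to `''` when `sensor:uniqueid` is absent from pillar, so the new `metacbid` field is then emitted as an empty string rather than omitted. If an empty id is not meaningful to the consumer, either drop the default so the render fails visibly, or wrap the line in `{% if UNIQUEID %} … {% endif %}` so the field is only added when a value exists. The enclosing `mutate` block starts before this hunk.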
|
|||||||
@@ -241,8 +241,8 @@ so-logstash:
|
|||||||
{%- if grains['role'] == 'so-eval' %}
|
{%- if grains['role'] == 'so-eval' %}
|
||||||
- /nsm/zeek:/nsm/zeek:ro
|
- /nsm/zeek:/nsm/zeek:ro
|
||||||
- /opt/so/log/suricata:/suricata:ro
|
- /opt/so/log/suricata:/suricata:ro
|
||||||
- /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
|
- /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
|
||||||
- /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
|
- /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
|
||||||
- /opt/so/log/fleet/:/osquery/logs:ro
|
- /opt/so/log/fleet/:/osquery/logs:ro
|
||||||
- /opt/so/log/strelka:/strelka:ro
|
- /opt/so/log/strelka:/strelka:ro
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ ossecm:
|
|||||||
user.present:
|
user.present:
|
||||||
- uid: 943
|
- uid: 943
|
||||||
- gid: 945
|
- gid: 945
|
||||||
- home: /opt/so/wazuh
|
- home: /opt/so/conf/wazuh
|
||||||
- createhome: False
|
- createhome: False
|
||||||
- allow_uid_change: True
|
- allow_uid_change: True
|
||||||
- allow_gid_change: True
|
- allow_gid_change: True
|
||||||
@@ -22,7 +22,7 @@ ossecr:
|
|||||||
user.present:
|
user.present:
|
||||||
- uid: 944
|
- uid: 944
|
||||||
- gid: 945
|
- gid: 945
|
||||||
- home: /opt/so/wazuh
|
- home: /opt/so/conf/wazuh
|
||||||
- createhome: False
|
- createhome: False
|
||||||
- allow_uid_change: True
|
- allow_uid_change: True
|
||||||
- allow_gid_change: True
|
- allow_gid_change: True
|
||||||
@@ -32,11 +32,23 @@ ossec:
|
|||||||
user.present:
|
user.present:
|
||||||
- uid: 945
|
- uid: 945
|
||||||
- gid: 945
|
- gid: 945
|
||||||
- home: /opt/so/wazuh
|
- home: /opt/so/conf/wazuh
|
||||||
- createhome: False
|
- createhome: False
|
||||||
- allow_uid_change: True
|
- allow_uid_change: True
|
||||||
- allow_gid_change: True
|
- allow_gid_change: True
|
||||||
|
|
||||||
|
wazuhdir:
|
||||||
|
file.directory:
|
||||||
|
- name: /opt/so/conf/wazuh
|
||||||
|
- user: 945
|
||||||
|
- group: 945
|
||||||
|
|
||||||
|
wazuhlogdir:
|
||||||
|
file.directory:
|
||||||
|
- name: /opt/so/log/wazuh
|
||||||
|
- user: 945
|
||||||
|
- group: 945
|
||||||
|
|
||||||
# Add wazuh agent
|
# Add wazuh agent
|
||||||
wazuhpkgs:
|
wazuhpkgs:
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
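Review bot: `wazuhdir` and `wazuhlogdir` set owner and group but no mode, so the directories that will hold the Wazuh configuration and alert logs get the host's default permissions, which on most systems are world-readable; add `- mode: 750` to both `file.directory` states. The so-wazuh hunk below binds `/opt/so/conf/wazuh/etc`, which no state in this diff creates — if it is missing on first run Docker creates it owned by root, which the ossec user (uid 945) is unlikely to be able to write; a `file.directory` for that path with the same ownership would close that gap, unless something outside these hunks already populates it. Replacing the single `/var/ossec/data` bind with two subtree binds also means nothing else under `/var/ossec/data` survives container recreation any more; if that is intended it is worth a sentence in the commit message.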
@@ -83,7 +95,9 @@ so-wazuh:
|
|||||||
- 0.0.0.0:1514:1514/tcp
|
- 0.0.0.0:1514:1514/tcp
|
||||||
- 0.0.0.0:55000:55000
|
- 0.0.0.0:55000:55000
|
||||||
- binds:
|
- binds:
|
||||||
- /opt/so/wazuh/:/var/ossec/data/:rw
|
- /opt/so/conf/wazuh/etc:/var/ossec/data/etc:rw
|
||||||
|
- /opt/so/log/wazuh:/var/ossec/data/logs:rw
|
||||||
|
|
||||||
|
|
||||||
# Register the agent
|
# Register the agent
|
||||||
registertheagent:
|
registertheagent:
|
||||||
|
|||||||