CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-02-02 21:33:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

Switch from log input to filestream input

Browse Source
This commit is contained in:
weslambert
2022-03-17 21:18:03 -04:00
committed by GitHub
parent 6e2aaa0098
commit 712a92aa39
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
salt/filebeat/etc/filebeat.yml
View File

@@ -113,7 +113,7 @@ filebeat.inputs:
fields_under_root: true fields_under_root: true
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}
- type: log - type: filestream
paths: paths:
- /logs/logscan/alerts.log - /logs/logscan/alerts.log
fields: fields:
@@ -130,7 +130,7 @@ filebeat.inputs:
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
{%- if ZEEKVER != 'SURICATA' %} {%- if ZEEKVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
- type: log - type: filestream
paths: paths:
- /nsm/zeek/logs/current/{{ LOGNAME }}.log - /nsm/zeek/logs/current/{{ LOGNAME }}.log
fields: fields:
@@ -145,7 +145,7 @@ filebeat.inputs:
clean_removed: true clean_removed: true
close_removed: false close_removed: false
- type: log - type: filestream
paths: paths:
- /nsm/import/*/zeek/logs/{{ LOGNAME }}.log - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log
fields: fields:
@@ -169,7 +169,7 @@ filebeat.inputs:
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
- type: log - type: filestream
paths: paths:
- /nsm/suricata/eve*.json - /nsm/suricata/eve*.json
fields: fields:
@@ -185,7 +185,7 @@ filebeat.inputs:
clean_removed: false clean_removed: false
close_removed: false close_removed: false
- type: log - type: filestream
paths: paths:
- /nsm/import/*/suricata/eve*.json - /nsm/import/*/suricata/eve*.json
fields: fields:
@@ -207,7 +207,7 @@ filebeat.inputs:
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- if STRELKAENABLED == 1 %} {%- if STRELKAENABLED == 1 %}
- type: log - type: filestream
paths: paths:
- /nsm/strelka/log/strelka.log - /nsm/strelka/log/strelka.log
fields: fields:
@@ -228,7 +228,7 @@ filebeat.inputs:
{%- if WAZUHENABLED == 1 %} {%- if WAZUHENABLED == 1 %}
- type: log - type: filestream
paths: paths:
- /wazuh/archives/archives.json - /wazuh/archives/archives.json
fields: fields:
@@ -246,7 +246,7 @@ filebeat.inputs:
{%- if FLEETMANAGER or FLEETNODE %} {%- if FLEETMANAGER or FLEETNODE %}
- type: log - type: filestream
paths: paths:
- /nsm/osquery/fleet/result.log - /nsm/osquery/fleet/result.log
fields: fields:
@@ -265,7 +265,7 @@ filebeat.inputs:
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}
- type: log - type: filestream
paths: paths:
- /logs/kratos/kratos.log - /logs/kratos/kratos.log
fields: fields:
@@ -295,7 +295,7 @@ filebeat.inputs:
{%- endif %} {%- endif %}
{%- if grains.role == 'so-idh' %} {%- if grains.role == 'so-idh' %}
- type: log - type: filestream
paths: paths:
- /nsm/idh/opencanary.log - /nsm/idh/opencanary.log
fields: fields: