From 71a74a665653f209c31354eed53ee345007b213d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 13 May 2021 13:07:16 -0400
Subject: [PATCH] Added updated script and core modules

---
 .../tools/sbin/so-filebeat-module-setup | 50 +++++++++----------
 salt/filebeat/securityoniondefaults.yaml | 45 +++++++++++------
 2 files changed, 54 insertions(+), 41 deletions(-)

diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup
index a42b0ac80..6616854eb 100755
--- a/salt/common/tools/sbin/so-filebeat-module-setup
+++ b/salt/common/tools/sbin/so-filebeat-module-setup
@@ -25,32 +25,30 @@ ELASTICSEARCH_PORT=9200
 # Define a default directory to load pipelines from
 FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"
 
-if [ "$1" == "" ]; then
-  echo "No module supplied. Exiting..."
-else
-  # Wait for ElasticSearch to initialize
-  echo -n "Waiting for ElasticSearch..."
-  COUNT=0
-  ELASTICSEARCH_CONNECTED="no"
-  while [[ "$COUNT" -le 240 ]]; do
-    curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
-    if [ $? -eq 0 ]; then
-      ELASTICSEARCH_CONNECTED="yes"
-      echo "connected!"
-      break
-    else
-      ((COUNT+=1))
-      sleep 1
-      echo -n "."
-    fi
-  done
-  if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
-    echo
-    echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
-    echo
-  fi
-  echo "Setting up ingest pipeline(s) for $1..."
-  docker exec -it so-filebeat filebeat setup modules -pipelines -modules $1 -c $FB_MODULE_YML
+# Wait for ElasticSearch to initialize
+echo -n "Waiting for ElasticSearch..."
+COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 240 ]]; do
+  curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+  if [ $? -eq 0 ]; then
+    ELASTICSEARCH_CONNECTED="yes"
+    echo "connected!"
+    break
+  else
+    ((COUNT+=1))
+    sleep 1
+    echo -n "."
+  fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+  echo
+  echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+  echo
 fi
+echo "Setting up ingest pipeline(s)"
+docker exec -it so-filebeat filebeat setup modules -pipelines -modules activemq,apache,auditd,aws,azure,barracuda,bluecoat,cef,checkpoint,cisco,coredns,crowdstrike,cyberark,cylance,elasticsearch,envoyproxy,f5,fortinet,gcp,google_workspace,googlecloud,gsuite,haproxy,ibmmq,icinga,iis,imperva,infoblox,iptables,juniper,kafka,kibana,logstash,microsoft,misp,mondogb,mssql,mysql,mysqlenterprise,nats,netflow,netscout,nginx,o365,okta,osquery,panw,pensando,postgresql,rabbitmq,radware,redis,santa,snort,snyk,sonicwall,sophos,squid,suricata,system,threatintel,tomcat,traefik,zeek,zoom,zscaler -c $FB_MODULE_YML
+
+
 
 
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index 1e2eb8c23..e6406af8c 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
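Review bot: The module list on the new `docker exec` line contains `mondogb`, which is not a Filebeat module name (the module is `mongodb`), so the pipeline setup will most likely error on or skip that entry; change it to `mongodb`. The timeout branch just above only prints the hint and then falls through to the `docker exec`, so when Elasticsearch never answers the setup is still attempted and the failure reason is buried in the filebeat output; add `exit 1` after the second `echo` in that branch. On the same `docker exec` line `$FB_MODULE_YML` should be quoted as `"$FB_MODULE_YML"`, and `-it` requests a TTY that is not present when the script is run by salt or a scheduler, so `-i` alone (or no flags) is the safer choice if this is invoked non-interactively.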
@@ -1,17 +1,32 @@
-third_party_filebeat:
+securityonion_filebeat:
   modules:
-    fortinet:
-      firewall:
-        enabled: false
-        var.input: udp
-        var.syslog_host: 0.0.0.0
-        var.syslog_port: 9004
-      clientendpoint:
+    elasticsearch:
+      server:
+        enabled: true
+        var.paths: ["/logs/elasticsearch/*.log"]
+    kibana:
+      log:
+        enabled: true
+        var.paths: ["/logs/kibana/kibana.log"]
+    logstash:
+      log:
+        enabled: true
+        var.paths: ["/logs/logstash.log"]
+    redis:
+      log:
+        enabled: true
+        var.paths: ["/logs/redis.log"]
+    suricata:
+      eve:
+        enabled: true
+        var.paths: ["/nsm/suricata/eve*.json"]
+    {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
+    {%- if ZEEKVER != 'SURICATA' %}
+    zeek:
+    {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
+      {{ LOGNAME }}:
         enabled: false
-        var.input: udp
-        var.syslog_host: 0.0.0.0
-        var.syslog_port: 9510
-      fortimail:
-        enabled: false
-        var.input: udp
-        var.syslog_port: 9350
\ No newline at end of file
+        var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
+    {%- endfor %}
+    {%- endif %}
+    {%- endif %}
\ No newline at end of file
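Review bot: `ZEEKVER` is tested on the new `{%- if ZEEKVER != 'SURICATA' %}` line but is neither set nor imported anywhere in this file, and the hunk covers the whole file, so the rendering depends on the including template supplying that variable; either define it here or record the dependency with a comment such as `# ZEEKVER must be provided by the importing state`. The `zeek` block iterates `zeeklogs:enabled` yet each generated entry keeps the context line `enabled: false`, which reads as a contradiction to anyone maintaining the defaults; if the Filebeat zeek module is meant to stay off by default because those logs are shipped another way, a one-line comment above the `{%- for %}` saying so would prevent it being "fixed" later. The `''` default in `salt['pillar.get']('zeeklogs:enabled', '')` works only because iterating an empty string yields nothing; `[]` states the intent more clearly.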