CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added updated script and core modules

Browse Source
This commit is contained in:
Mike Reeves
2021-05-13 13:07:16 -04:00
parent 68a667ee7c
commit 71a74a6656
2 changed files with 54 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
salt/common/tools/sbin/so-filebeat-module-setup
View File

@@ -25,9 +25,7 @@ ELASTICSEARCH_PORT=9200
# Define a default directory to load pipelines from # Define a default directory to load pipelines from
FB_MODULE_YML="/usr/share/filebeat/module-setup.yml" FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"
if [ "$1" == "" ]; then
echo "No module supplied. Exiting..."
else
# Wait for ElasticSearch to initialize # Wait for ElasticSearch to initialize
echo -n "Waiting for ElasticSearch..." echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
@@ -50,7 +48,7 @@ else
echo echo
fi fi
echo "Setting up ingest pipeline(s) for $1..." echo "Setting up ingest pipeline(s)"
docker exec -it so-filebeat filebeat setup modules -pipelines -modules $1 -c $FB_MODULE_YML docker exec -it so-filebeat filebeat setup modules -pipelines -modules activemq,apache,auditd,aws,azure,barracuda,bluecoat,cef,checkpoint,cisco,coredns,crowdstrike,cyberark,cylance,elasticsearch,envoyproxy,f5,fortinet,gcp,google_workspace,googlecloud,gsuite,haproxy,ibmmq,icinga,iis,imperva,infoblox,iptables,juniper,kafka,kibana,logstash,microsoft,misp,mondogb,mssql,mysql,mysqlenterprise,nats,netflow,netscout,nginx,o365,okta,osquery,panw,pensando,postgresql,rabbitmq,radware,redis,santa,snort,snyk,sonicwall,sophos,squid,suricata,system,threatintel,tomcat,traefik,zeek,zoom,zscaler -c $FB_MODULE_YML
fi

45
salt/filebeat/securityoniondefaults.yaml
View File

@@ -1,17 +1,32 @@
third_party_filebeat: securityonion_filebeat:
modules: modules:
fortinet: elasticsearch:
firewall: server:
enabled: true
var.paths: ["/logs/elasticsearch/*.log"]
kibana:
log:
enabled: true
var.paths: ["/logs/kibana/kibana.log"]
logstash:
log:
enabled: true
var.paths: ["/logs/logstash.log"]
redis:
log:
enabled: true
var.paths: ["/logs/redis.log"]
suricata:
eve:
enabled: true
var.paths: ["/nsm/suricata/eve*.json"]
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
{%- if ZEEKVER != 'SURICATA' %}
zeek:
{%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
{{ LOGNAME }}:
enabled: false enabled: false
var.input: udp var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
var.syslog_host: 0.0.0.0 {%- endfor %}
var.syslog_port: 9004 {%- endif %}
clientendpoint: {%- endif %}
enabled: false
var.input: udp
var.syslog_host: 0.0.0.0
var.syslog_port: 9510
fortimail:
enabled: false
var.input: udp
var.syslog_port: 9350