Added updated script and core modules

2025-12-06 09:12:45 +01:00 · 2021-05-13 13:07:16 -04:00
parent 68a667ee7c
commit 71a74a6656
2 changed files with 54 additions and 41 deletions
--- a/salt/common/tools/sbin/so-filebeat-module-setup
+++ b/salt/common/tools/sbin/so-filebeat-module-setup
@@ -25,9 +25,7 @@ ELASTICSEARCH_PORT=9200
 # Define a default directory to load pipelines from
 FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"

-if [ "$1" == "" ]; then
-        echo "No module supplied. Exiting..."
-else
+
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."
 COUNT=0
@@ -50,7 +48,7 @@ else
        echo
 fi

-        echo "Setting up ingest pipeline(s) for $1..."
-        docker exec -it so-filebeat filebeat setup modules -pipelines -modules $1 -c $FB_MODULE_YML
-fi
+echo "Setting up ingest pipeline(s)"
+docker exec -it so-filebeat filebeat setup modules -pipelines -modules activemq,apache,auditd,aws,azure,barracuda,bluecoat,cef,checkpoint,cisco,coredns,crowdstrike,cyberark,cylance,elasticsearch,envoyproxy,f5,fortinet,gcp,google_workspace,googlecloud,gsuite,haproxy,ibmmq,icinga,iis,imperva,infoblox,iptables,juniper,kafka,kibana,logstash,microsoft,misp,mondogb,mssql,mysql,mysqlenterprise,nats,netflow,netscout,nginx,o365,okta,osquery,panw,pensando,postgresql,rabbitmq,radware,redis,santa,snort,snyk,sonicwall,sophos,squid,suricata,system,threatintel,tomcat,traefik,zeek,zoom,zscaler -c $FB_MODULE_YML
+

--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -1,17 +1,32 @@
-third_party_filebeat:
+securityonion_filebeat:
  modules:
-    fortinet:
-      firewall:
+    elasticsearch:
+      server:
+        enabled: true
+        var.paths: ["/logs/elasticsearch/*.log"]
+    kibana:
+      log:
+        enabled: true
+        var.paths: ["/logs/kibana/kibana.log"]
+    logstash:
+      log:
+        enabled: true
+        var.paths: ["/logs/logstash.log"]
+    redis:
+      log:
+        enabled: true
+        var.paths: ["/logs/redis.log"]
+    suricata:
+      eve:
+        enabled: true
+        var.paths: ["/nsm/suricata/eve*.json"]
+    {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
+      {%- if ZEEKVER != 'SURICATA' %}
+    zeek:
+        {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
+      {{ LOGNAME }}:
        enabled: false
-        var.input: udp
-        var.syslog_host: 0.0.0.0
-        var.syslog_port: 9004
-      clientendpoint:
-        enabled: false
-        var.input: udp
-        var.syslog_host: 0.0.0.0
-        var.syslog_port: 9510
-      fortimail:
-        enabled: false
-        var.input: udp
-        var.syslog_port: 9350
+        var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
+        {%- endfor %}
+      {%- endif %}
+    {%- endif %}