diff --git a/salt/filebeat/modules/suricata.yml b/salt/filebeat/modules/suricata.yml
new file mode 100644
index 000000000..b7cc11e85
--- /dev/null
+++ b/salt/filebeat/modules/suricata.yml
@@ -0,0 +1,12 @@
+# Module: suricata
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
+
+- module: suricata
+ # All logs
+ eve:
+ enabled: true
+ var.paths: ["/nsm/suricata/eve*.json"]
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/zeek.yml b/salt/filebeat/modules/zeek.yml
new file mode 100644
index 000000000..9fd61c448
--- /dev/null
+++ b/salt/filebeat/modules/zeek.yml
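Review bot: The three commented lines closing the suricata stanza (`# Set custom paths for the log files. If left empty,`, `# Filebeat will choose the paths depending on your OS.`, `#var.paths:`) are the module template's placeholder, but `var.paths` for `eve` is already set explicitly a few lines above, so the "if left empty" guidance no longer describes this file and invites a second, conflicting `var.paths` if someone uncomments it. Drop the three lines, or replace them with a single comment that states the actual contract, `# var.paths is set explicitly per fileset above; Filebeat's OS default paths are not used.` The same leftover placeholder closes the zeek stanza in the next file.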
@@ -0,0 +1,122 @@
+# Module: zeek
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html
+
+- module: zeek
+ capture_loss:
+ enabled: false
+ var.paths: ["/nsm/zeek/logs/current/capture_loss.log"]
+ connection:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/conn.log"]
+ dce_rpc:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/dce_rpc.log"]
+ dhcp:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/dhcp.log"]
+ dnp3:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/dnp3.log"]
+ dns:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/dns.log"]
+ dpd:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/dpd.log"]
+ files:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/files.log"]
+ ftp:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/ftp.log"]
+ http:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/http.log"]
+ intel:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/intel.log"]
+ irc:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/irc.log"]
+ kerberos:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/kerberos.log"]
+ modbus:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/modbus.log"]
+ mysql:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/mysql.log"]
+ notice:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/notice.log"]
+ ntlm:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/ntlm.log"]
+ ocsp:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/oscp.log"]
+ pe:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/pe.log"]
+ radius:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/radius.log"]
+ rdp:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/rdp.log"]
+ rfb:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/rfb.log"]
+ signature:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/signature.log"]
+ sip:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/sip.log"]
+ smb_cmd:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/smb_cmd.log"]
+ smb_files:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/smb_files.log"]
+ smb_mapping:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/smb_mapping.log"]
+ smtp:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/smtp.log"]
+ snmp:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/snmp.log"]
+ socks:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/socks.log"]
+ ssh:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/ssh.log"]
+ ssl:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/ssl.log"]
+ stats:
+ enabled: false
+ var.paths: ["/nsm/zeek/logs/current/stats.log"]
+ syslog:
+ enabled: false
+ var.paths: ["/nsm/zeek/logs/current/syslog.log"]
+ traceroute:
+ enabled: false
+ var.paths: ["/nsm/zeek/logs/current/traceroute.log.log"]
+ tunnel:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/tunnel.log"]
+ weird:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/weird.log"]
+ x509:
+ enabled: true
+ var.paths: ["/nsm/zeek/logs/current/x509.log"]
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
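Review bot: The `ocsp` fileset's `var.paths` points at `oscp.log`, which transposes the log name; Zeek writes `ocsp.log`, so this enabled fileset would collect nothing, and since Filebeat does not, as far as I know, report a glob that matches no files, the gap in certificate-revocation telemetry would be silent. Change it to `var.paths: ["/nsm/zeek/logs/current/ocsp.log"]`. The `traceroute` entry has a similar slip, `traceroute.log.log`; it is disabled today but will fail the same way once enabled, so set `var.paths: ["/nsm/zeek/logs/current/traceroute.log"]`. Because every path here is hand-typed and an unmatched one is not flagged at load time, a header comment such as `# Path typos are not reported by Filebeat; confirm each enabled fileset produces events after deploy.` would make the verification step explicit for the next editor.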