From 799e92e595ed5d411c6b000c417a027a6b4e2783 Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 30 May 2023 02:56:23 +0000
Subject: [PATCH] Add files

---
 .../grid-nodes/import-zeek-logs.json | 32 ++++++++++++++++++
 .../grid-nodes/zeek-logs.json | 33 +++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json
 create mode 100644 salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json

diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json
new file mode 100644
index 000000000..c7e37f97f
--- /dev/null
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json
@@ -0,0 +1,32 @@
+{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded', {}) %}
+{%- raw -%}
+{
+ "package": {
+ "name": "log",
+ "version": ""
+ },
+ "name": "import-zeek-logs",
+ "namespace": "so",
+ "description": "Zeek Import logs",
+ "policy_id": "so-grid-nodes",
+ "inputs": {
+ "logs-logfile": {
+ "enabled": true,
+ "streams": {
+ "log.log": {
+ "enabled": true,
+ "vars": {
+ "paths": [
+ "/nsm/import/*/zeek/logs/*.log"
+ ],
+ "data_stream.dataset": "import",
+ "tags": [],
+ "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
+ "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}$\"]\n"
+ }
+ }
+ }
+ }
+ }
+}
+{%- endraw -%}
diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json
new file mode 100644
index 000000000..076549523
--- /dev/null
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json
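Review bot: The `custom` line renders `exclude_files` from the pillar list with no guard for the empty case: with the default `{}` the `join('|')` yields an empty string and the pattern becomes `$`, which matches every path, so the import input would exclude all of `/nsm/import/*/zeek/logs/*.log` (zeek-logs.json below has the same shape and renders `.log$`, which likewise matches every file). When entries are present, `|` binds looser than the trailing anchor, so in `conn|dns$` only the last name is anchored and the others match as substrings of the whole path; the two files also append different suffixes (`$` here, `.log$` below) to the same list, so a bare `conn` in the pillar would exclude `conn.log` from the live input but not from the import one, assuming the pillar holds log names without extension. Entries are spliced into the regex unescaped, which is acceptable only while that pillar value stays operator-controlled. A shape that works for both files and emits the key only when there is something to exclude: `"custom": "{%- endraw -%}{% if EXCLUDED_LOGS %}exclude_files: [\"/({{ EXCLUDED_LOGS | join('|') }})[.]log$\"]\n{% endif %}{%- raw -%}"`. A smaller point: this file has no `"id"` while zeek-logs.json sets `"id": "zeek-logs"`; if the id is what keys the integration on re-deploy, this one should carry `"id": "import-zeek-logs"` too.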
@@ -0,0 +1,33 @@
+{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded', {}) %}
+{%- raw -%}
+{
+ "package": {
+ "name": "log",
+ "version": ""
+ },
+ "id": "zeek-logs",
+ "name": "zeek-logs",
+ "namespace": "so",
+ "description": "Zeek logs",
+ "policy_id": "so-grid-nodes",
+ "inputs": {
+ "logs-logfile": {
+ "enabled": true,
+ "streams": {
+ "log.log": {
+ "enabled": true,
+ "vars": {
+ "paths": [
+ "/nsm/zeek/logs/current/*.log"
+ ],
+ "data_stream.dataset": "zeek",
+ "tags": [],
+ "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
+ "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}.log$\"]\n"
+ }
+ }
+ }
+ }
+ }
+}
+{%- endraw -%}
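Review bot: `trim_chars: \".log\"` in the dissect processor does not strip a `.log` suffix: if I read Filebeat's dissect documentation right, `trim_chars` is a set of individual characters trimmed from value edges and only takes effect when `trim_values` is set, so it is inert here, and enabling `trim_values` later would eat trailing `l`/`o`/`g` from names such as `ssl` or `syslog`. The tokenizer `/nsm/zeek/logs/current/%{pipeline}.log` already captures `pipeline` without the extension, so the `trim_chars: \".log\"\n` entry can simply be dropped. Separately, the `add_tags` regexp `^bacnet*|^bsap*|…` applies `*` to the last character of each name (`^bacnet*` also matches `bacne`, `^cip*` matches `ci`), which looks like it was meant to be `^(bacnet|bsap|cip|cotp|dnp3|ecat|enip|modbus|opcua|profinet|s7comm)`; the same expression appears in import-zeek-logs.json above.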