diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 8ae747f1b..f42a3f4fc 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -40,6 +40,9 @@ elasticfleet:
 - checkpoint
 - cisco_asa
 - cisco_duo
+ - cisco_ftd
+ - cisco_ios
+ - cisco_ise
 - cisco_meraki
 - cisco_umbrella
 - cloudflare
@@ -59,6 +62,7 @@ elasticfleet:
 - google_workspace
 - http_endpoint
 - httpjson
+ - iis
 - juniper
 - juniper_srx
 - kafka_log
@@ -67,13 +71,16 @@ elasticfleet:
 - m365_defender
 - microsoft_defender_endpoint
 - microsoft_dhcp
+ - microsoft_sqlserver
 - mimecast
+ - mysql
 - netflow
 - o365
 - okta
 - osquery_manager
 - panw
 - pfsense
+ - proofpoint_tap
 - pulse_connect_secure
 - redis
 - sentinel_one
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 66916acd1..4a9c65078 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2273,6 +2273,138 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-cisco_ftd_x_log:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cisco_ftd.log-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cisco_ftd.log-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cisco_ftd.log@package"
+ - "logs-cisco_ftd.log@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cisco_ios_x_log:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cisco_ios.log-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cisco_ios.log-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cisco_ios.log@package"
+ - "logs-cisco_ios.log@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cisco_ise_x_log:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cisco_ise.log-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cisco_ise.log-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cisco_ise.log@package"
+ - "logs-cisco_ise.log@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-cisco_meraki_x_events:
 index_sorting: false
 index_template:
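Review bot: The three new templates in this hunk write `index_sorting: False` with a capital F, while every existing entry in this file uses lowercase `false` (see the `so-logs-cisco_meraki_x_events` context at the end of the hunk); the same spelling is used in the later hunks for iis, microsoft_sqlserver/mysql and proofpoint_tap. PyYAML, which Salt's renderer uses, should accept both forms as a boolean, so this is presumably not a functional change, but a stricter YAML loader or a lint rule will flag the mixed spelling and it makes the file harder to grep for a single form. Suggest `index_sorting: false` for all thirteen new entries so they match the surrounding definitions.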
@@ -5295,6 +5427,94 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-iis_x_access:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-iis.access-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-iis.access-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-iis.access@package"
+ - "logs-iis.access@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-iis_x_error:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-iis.error-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-iis.error-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-iis.error@package"
+ - "logs-iis.error@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-juniper_srx_x_log:
 index_sorting: false
 index_template:
@@ -5867,6 +6087,182 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-microsoft_sqlserver_x_audit:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-microsoft_sqlserver.audit-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-microsoft_sqlserver.audit-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-microsoft_sqlserver.audit@package"
+ - "logs-microsoft_sqlserver.audit@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-microsoft_sqlserver_x_log:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-microsoft_sqlserver.log-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-microsoft_sqlserver.log-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-microsoft_sqlserver.log@package"
+ - "logs-microsoft_sqlserver.log@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-mysql_x_error:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-mysql.error-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-mysql.error-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-mysql.error@package"
+ - "logs-mysql.error@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-mysql_x_slowlog:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-mysql.slowlog-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-mysql.slowlog-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-mysql.slowlog@package"
+ - "logs-mysql.slowlog@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-mimecast_x_audit_events:
 index_sorting: false
 index_template:
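Review bot: The two `so-logs-mysql_x_*` templates in this hunk are inserted ahead of `so-logs-mimecast_x_audit_events` (the hunk's trailing context), which breaks the alphabetical order this file otherwise follows, and it also differs from the other two files in this commit, where `mysql` is placed after `mimecast` and before `netflow`. Keeping the three files in the same order makes it easier to confirm by eye that every integration listed in salt/elasticfleet/defaults.yaml has both a template here and an `*indexSettings` entry in soc_elasticsearch.yaml. Suggest moving the `so-logs-mysql_x_error` and `so-logs-mysql_x_slowlog` blocks to follow the mimecast entries; the microsoft_sqlserver blocks are already in the right place.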
@@ -6473,6 +6869,182 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-proofpoint_tap_x_clicks_blocked:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-proofpoint_tap.clicks_blocked-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-proofpoint_tap.clicks_blocked-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-proofpoint_tap.clicks_blocked@package"
+ - "logs-proofpoint_tap.clicks_blocked@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-proofpoint_tap_x_clicks_permitted:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-proofpoint_tap.clicks_permitted-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-proofpoint_tap.clicks_permitted-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-proofpoint_tap.clicks_permitted@package"
+ - "logs-proofpoint_tap.clicks_permitted@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-proofpoint_tap_x_message_blocked:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-proofpoint_tap.message_blocked-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-proofpoint_tap.message_blocked-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-proofpoint_tap.message_blocked@package"
+ - "logs-proofpoint_tap.message_blocked@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-proofpoint_tap_x_message_delivered:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-proofpoint_tap.message_delivered-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-proofpoint_tap.message_delivered-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-proofpoint_tap.message_delivered@package"
+ - "logs-proofpoint_tap.message_delivered@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-pulse_connect_secure_x_log:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 0b93a6c1a..d465a8487 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -343,6 +343,9 @@ elasticsearch:
 so-logs-azure_x_springcloudlogs: *indexSettings
 so-logs-barracuda_x_waf: *indexSettings
 so-logs-cisco_asa_x_log: *indexSettings
+ so-logs-cisco_ftd_x_log: *indexSettings
+ so-logs-cisco_ios_x_log: *indexSettings
+ so-logs-cisco_ise_x_log: *indexSettings
 so-logs-cloudflare_x_audit: *indexSettings
 so-logs-cloudflare_x_logpull: *indexSettings
 so-logs-crowdstrike_x_falcon: *indexSettings
@@ -383,6 +386,8 @@ elasticsearch:
 so-logs-google_workspace_x_user_accounts: *indexSettings
 so-logs-http_endpoint_x_generic: *indexSettings
 so-logs-httpjson_x_generic: *indexSettings
+ so-logs-iis_x_access: *indexSettings
+ so-logs-iis_x_error: *indexSettings
 so-logs-juniper_x_junos: *indexSettings
 so-logs-juniper_x_netscreen: *indexSettings
 so-logs-juniper_x_srx: *indexSettings
@@ -396,11 +401,19 @@ elasticsearch:
 so-logs-m365_defender_x_log: *indexSettings
 so-logs-microsoft_defender_endpoint_x_log: *indexSettings
 so-logs-microsoft_dhcp_x_log: *indexSettings
+ so-logs-microsoft_sqlserver_x_audit: *indexSettings
+ so-logs-microsoft_sqlserver_x_log: *indexSettings
+ so-logs-mysql_x_error: *indexSettings
+ so-logs-mysql_x_slowlog: *indexSettings
 so-logs-netflow_x_log: *indexSettings
 so-logs-o365_x_audit: *indexSettings
 so-logs-okta_x_system: *indexSettings
 so-logs-panw_x_panos: *indexSettings
 so-logs-pfsense_x_log: *indexSettings
+ so-logs-proofpoint_tap_x_clicks_blocked: *indexSettings
+ so-logs-proofpoint_tap_x_clicks_permitted: *indexSettings
+ so-logs-proofpoint_tap_x_message_blocked: *indexSettings
+ so-logs-proofpoint_tap_x_message_delivered: *indexSettings
 so-logs-sentinel_one_x_activity: *indexSettings
 so-logs-sentinel_one_x_agent: *indexSettings
 so-logs-sentinel_one_x_alert: *indexSettings
diff --git a/setup/so-verify b/setup/so-verify
index 6f47940ac..b4c79a88c 100755
--- a/setup/so-verify
+++ b/setup/so-verify
@@ -66,7 +66,8 @@ log_has_errors() { grep -vE "response from daemon: unauthorized" | \ grep -vE "Reading first line of patchfile" | \ grep -vE "Command failed with exit code" | \ - grep -vE "Running scope as unit" &> "$error_log" + grep -vE "Running scope as unit" | \ + grep -vE "log-.*-pipeline_failed_attempts" &> "$error_log" if [[ $? -eq 0 ]]; then # This function succeeds (returns 0) if errors are detected