From 6ceb127c460a19b5f873ee4f5746727caa08300b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 7 Feb 2020 08:52:09 -0500
Subject: [PATCH] Fix Wazuh paths for logstash/fb

---
 salt/filebeat/init.sls | 4 ++--
 .../eval/templates/9000_output_bro.conf | 3 ++-
 .../eval/templates/9400_output_suricata.conf | 3 ++-
 .../helix/templates/9997_output_helix.conf | 4 ++++
 salt/logstash/init.sls | 4 ++--
 salt/wazuh/init.sls | 22 +++++++++++++++----
 6 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 45abfea56..5c7287fd2 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -57,8 +57,8 @@ so-filebeat:
 - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
 - /nsm/zeek:/nsm/zeek:ro
 - /opt/so/log/suricata:/suricata:ro
- - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
- - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+ - /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
+ - /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
 - /opt/so/log/fleet/:/osquery/logs:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
diff --git a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
index 553500281..2beafc8be 100644
--- a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
+++ b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
@@ -1,5 +1,6 @@
 {%- if grains['role'] == 'so-eval' -%}
 {%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
@@ -12,7 +13,7 @@
 filter {
 if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
 mutate {
- ##add_tag => [ "conf_file_9000"]
+ add_field => { "sensor_name" => "{{ NAME }}" }
 }
 }
 }
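Review bot: The added bind source `/opt/so/log/wazuh/logs/alerts` does not line up with the wazuh container's new bind in salt/wazuh/init.sls, which maps host `/opt/so/log/wazuh` onto `/var/ossec/data/logs`; under that mapping the alerts directory lands on the host at `/opt/so/log/wazuh/alerts` with no intermediate `logs` component, so the two added lines should presumably read `- /opt/so/log/wazuh/alerts:/wazuh/alerts:ro` and `- /opt/so/log/wazuh/archives:/wazuh/archives:ro` (unless the image writes into a nested `logs/` directory — verify on a running container). The same two lines appear in the salt/logstash/init.sls hunk and need the same correction. Because Docker typically creates a missing bind source as an empty directory, the state would not fail; Wazuh alerts would simply stop reaching Filebeat and Logstash, which is worth confirming in the data after the state is applied.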
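Review bot: `NAME` is assigned only inside the `so-eval` branch, while the `{{ NAME }}` reference in the second hunk's `add_field` is unconditional, so rendering this template on any other role either fails at render time or yields an empty `sensor_name`, depending on how the renderer treats undefined names. Since `grains.host` does not depend on the role, the assignment belongs above the conditional: `{%- set NAME = grains.host -%}` as the first line of the file, with the line inside the `if` branch dropped. The same pattern is in both hunks of salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf and should be fixed the same way.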
diff --git a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
index 4bffd7f0a..1de235444 100644
--- a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
+++ b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
@@ -1,5 +1,6 @@
 {%- if grains['role'] == 'so-eval' -%}
 {%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
@@ -11,7 +12,7 @@
 filter {
 if [event_type] == "suricata" and "test_data" not in [tags] {
 mutate {
- ##add_tag => [ "conf_file_9400"]
+ add_field => { "sensor_name" => "{{ NAME }}" }
 }
 }
 }
diff --git a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
index 5dd0036fe..35b737593 100644
--- a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
+++ b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
@@ -1,4 +1,6 @@
 {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
+{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
+{% set CBNAME = grains.host %}
 filter {
 if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
@@ -34,6 +36,8 @@ filter {
 copy => { "class" => "program"}
 rename => { "source_port" => "srcport" }
 rename => { "destination_port" => "dstport" }
+ add_field => { "metacbid" => "{{ UNIQUEID }}"}
+ add_field => { "metacbname" => "{{ CBNAME }}"}
 remove_field => ["source_ip", "destination_ip"]
 remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
 remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index f52413006..af1d23c0e 100644
--- a/salt/logstash/init.sls
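Review bot: `UNIQUEID` falls back to `''` when the `sensor:uniqueid` pillar key is absent, so the new `add_field` in the second hunk of 9997_output_helix.conf then stamps every event sent to Helix with an empty `metacbid` and nothing fails at render time; wrapping that line in `{% if UNIQUEID %}` … `{% endif %}`, or failing the render when the key is missing, would keep sensor identity on the Helix side reliable. The two added lines could also be a single hash, `add_field => { "metacbid" => "{{ UNIQUEID }}", "metacbname" => "{{ CBNAME }}" }`, which avoids relying on duplicate option keys being merged. The enclosing mutate block starts and ends outside the hunk.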
+++ b/salt/logstash/init.sls
@@ -241,8 +241,8 @@ so-logstash:
 {%- if grains['role'] == 'so-eval' %}
 - /nsm/zeek:/nsm/zeek:ro
 - /opt/so/log/suricata:/suricata:ro
- - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
- - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+ - /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
+ - /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
 - /opt/so/log/fleet/:/osquery/logs:ro
 - /opt/so/log/strelka:/strelka:ro
 {%- endif %}
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 42cf3f4b7..2cfd28c86 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -12,7 +12,7 @@ ossecm:
 user.present:
 - uid: 943
 - gid: 945
- - home: /opt/so/wazuh
+ - home: /opt/so/conf/wazuh
 - createhome: False
 - allow_uid_change: True
 - allow_gid_change: True
@@ -22,7 +22,7 @@ ossecr:
 user.present:
 - uid: 944
 - gid: 945
- - home: /opt/so/wazuh
+ - home: /opt/so/conf/wazuh
 - createhome: False
 - allow_uid_change: True
 - allow_gid_change: True
@@ -32,11 +32,23 @@ ossec:
 user.present:
 - uid: 945
 - gid: 945
- - home: /opt/so/wazuh
+ - home: /opt/so/conf/wazuh
 - createhome: False
 - allow_uid_change: True
 - allow_gid_change: True
+wazuhdir:
+ file.directory:
+ - name: /opt/so/conf/wazuh
+ - user: 945
+ - group: 945
+wazuhlogdir:
+ file.directory:
+ - name: /opt/so/log/wazuh
+ - user: 945
+ - group: 945
 # Add wazuh agent
 wazuhpkgs:
 pkg.installed:
@@ -83,7 +95,9 @@ so-wazuh:
 - 0.0.0.0:1514:1514/tcp
 - 0.0.0.0:55000:55000
 - binds:
- - /opt/so/wazuh/:/var/ossec/data/:rw
+ - /opt/so/conf/wazuh/etc:/var/ossec/data/etc:rw
+ - /opt/so/log/wazuh:/var/ossec/data/logs:rw
+
 # Register the agent
 registertheagent:
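Review bot: The new bind source `/opt/so/conf/wazuh/etc` in the last salt/wazuh/init.sls hunk is not created by the `wazuhdir` state added in the previous hunk, which manages only `/opt/so/conf/wazuh` itself; if nothing else creates the `etc` subdirectory, Docker will create it on the host as a root-owned directory while the rest of the tree is owned by uid/gid 945, and the container's ossec user may then be unable to write its configuration. Add a second `file.directory` state for `/opt/so/conf/wazuh/etc` with the same `user`/`group` (or `makedirs: True`), and consider an explicit `mode` on both new directories, since Wazuh configuration and alert logs are sensitive and currently inherit the default permissions. Replacing the whole `/var/ossec/data/` bind with only `etc` and `logs` also means anything else the image keeps under `/var/ossec/data` is no longer persisted across container recreation, which is worth confirming against the image. The `so-wazuh` definition starts outside the hunk.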