CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #70 from defensivedepth/osquery

Browse Source 
Osquery - tweaks to initial config
This commit is contained in:
Mike Reeves
2019-01-02 09:54:19 -05:00
committed by GitHub
parent 739c8b8d5e ce43fd7cd4
commit 8a4e180a18
4 changed files with 11 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/logstash/conf/conf.enabled.txt.so-eval
View File

@@ -107,3 +107,5 @@
/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf /usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf /usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf /usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
/usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
/usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf

3
salt/logstash/files/dynamic/0006_input_beats.conf
View File

@@ -25,7 +25,7 @@ filter {
add_field => { "syslog-host_from" => "%{[beat][name]}" } add_field => { "syslog-host_from" => "%{[beat][name]}" }
remove_field => [ "beat", "prospector", "input", "offset" ] remove_field => [ "beat", "prospector", "input", "offset" ]
} }
}
if [type] == "osquery" { if [type] == "osquery" {
mutate { mutate {
remove_tag => ["beat"] remove_tag => ["beat"]
@@ -35,6 +35,5 @@ filter {
source => "message" source => "message"
target => "osquery" target => "osquery"
} }
} }
} }

10
salt/logstash/files/custom/parsers/7100_osquery_wel.conf → salt/logstash/files/dynamic/7100_osquery_wel.conf
View File

@@ -1,23 +1,23 @@
# Author: Josh Brower # Author: Josh Brower
# Last Update: 12/28/2018 # Last Update: 12/28/2018
# If log is tagged osquery and there is an eventid column, then cleanup and parse out the EventData column # If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
filter { filter {
if "osquery" in [tags] and [osquery][columns][eventid] { if "osquery" in [tags] and [osquery][columns][eventid] {
mutate { mutate {
gsub => ["[osquery][columns][data]", "\\x0A", ""] gsub => ["[osquery][columns][data]", "\\x0A", ""]
} }
json { json {
source => "[osquery][columns][data]" source => "[osquery][columns][data]"
target => "[osquery][columns][data]" target => "[osquery][columns][data]"
} }
mutate { mutate {
merge => { "[osquery][columns]" => "[osquery][columns][data]" } merge => { "[osquery][columns]" => "[osquery][columns][data]" }
remove_field => ["[osquery][columns][data]"] remove_field => ["[osquery][columns][data]"]
} }
} }
} }

2
salt/logstash/files/custom/parsers/9100_output_osquery.conf → salt/logstash/files/dynamic/9100_output_osquery.conf
View File

@@ -4,7 +4,7 @@
{%- set ES = salt['pillar.get']('node:mainip', '') -%} {%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %} {%- endif %}
# Author: Josh Brower # Author: Josh Brower
# Last Update: 12/28/2018 # Last Update: 12/29/2018
# Output to ES for osquery tagged logs # Output to ES for osquery tagged logs