Merge pull request #70 from defensivedepth/osquery

Osquery - tweaks to initial config
2025-12-06 17:22:49 +01:00 · 2019-01-02 09:54:19 -05:00
parent 739c8b8d5e ce43fd7cd4
commit 8a4e180a18
4 changed files with 11 additions and 10 deletions
--- a/salt/logstash/conf/conf.enabled.txt.so-eval
+++ b/salt/logstash/conf/conf.enabled.txt.so-eval
@@ -107,3 +107,5 @@
 /usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
 /usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
 /usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
+/usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
+/usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -25,7 +25,7 @@ filter {
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
      remove_field => [ "beat", "prospector", "input", "offset" ]
    }
-    
+   }
    if [type] == "osquery" {
    mutate {
      remove_tag => ["beat"]
@@ -35,6 +35,5 @@ filter {
    source => "message"
    target => "osquery"
        }
-    
  }
 }
--- a/salt/logstash/files/custom/parsers/7100_osquery_wel.conf
+++ b/salt/logstash/files/custom/parsers/7100_osquery_wel.conf
@@ -1,6 +1,6 @@
 # Author: Josh Brower
 # Last Update: 12/28/2018
-# If log is tagged osquery and there is an eventid column, then cleanup and parse out the EventData column
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column

 filter {
  if "osquery" in [tags] and [osquery][columns][eventid] {
--- a/salt/logstash/files/custom/parsers/9100_output_osquery.conf
+++ b/salt/logstash/files/custom/parsers/9100_output_osquery.conf
@@ -4,7 +4,7 @@
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
 # Author: Josh Brower
-# Last Update: 12/28/2018
+# Last Update: 12/29/2018
 # Output to ES for osquery tagged logs