From b756c0cd38244f3eda728658710504eb6f54650c Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 2 Nov 2021 08:57:11 -0400
Subject: [PATCH 1/3] Pull ES Creds at Runtime
---
 salt/common/tools/sbin/so-import-evtx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx
index 9e640beaa..274a2835d 100755
--- a/salt/common/tools/sbin/so-import-evtx
+++ b/salt/common/tools/sbin/so-import-evtx
@@ -41,13 +41,16 @@ function evtx2es() {
 EVTX=$1
 HASH=$2
+ ES_PW=$(lookup_pillar "auth:users:so_elastic_user:pass" "elasticsearch")
+ ES_USER=$(lookup_pillar "auth:users:so_elastic_user:user" "elasticsearch")
+
 docker run --rm \
 -v "$EVTX:/tmp/$RUNID.evtx" \
 --entrypoint evtx2es \
 {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} \
 --host {{ MANAGERIP }} --scheme https \
 --index so-beats-$INDEX_DATE --pipeline import.wel \
- --login {{ES_USER}} --pwd {{ES_PW}} \
+ --login $ES_USER --pwd $ES_PW \
 "/tmp/$RUNID.evtx" 1>/dev/null 2>/dev/null
 docker run --rm \
From 35342565170b756e74e449c856b3061dea6f6174 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 2 Nov 2021 09:03:52 -0400
Subject: [PATCH 2/3] Add evtx import logging
---
 salt/common/tools/sbin/so-import-evtx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx
index 274a2835d..d00e4b13d 100755
--- a/salt/common/tools/sbin/so-import-evtx
+++ b/salt/common/tools/sbin/so-import-evtx
@@ -25,6 +25,7 @@ INDEX_DATE=$(date +'%Y.%m.%d')
 RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
+LOG_FILE=/nsm/import/evtx-import.log
 . /usr/sbin/so-common
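Review bot: `$ES_USER` and `$ES_PW` on the new `--login`/`--pwd` line are unquoted, so a password containing whitespace or glob characters is word-split before docker ever sees it; write `--login "$ES_USER" --pwd "$ES_PW" \`. Nothing checks that the two `lookup_pillar` calls returned a value, so a failed lookup silently hands evtx2es empty credentials — a guard such as `[ -n "$ES_PW" ] || { echo "could not read so_elastic_user password from pillar" >&2; return 1; }` right after the assignments would make that visible. Taking the credentials out of the rendered script is an improvement, but the password is still passed as a command-line argument to both the host `docker run` process and the container entrypoint, where it is visible in process listings to other local users for the duration of the import; if evtx2es can read the password from the environment or a file, passing it with `-e` or a mounted secret would close that. The body of evtx2es continues outside the hunk.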
@@ -51,7 +52,7 @@ function evtx2es() {
 --host {{ MANAGERIP }} --scheme https \
 --index so-beats-$INDEX_DATE --pipeline import.wel \
 --login $ES_USER --pwd $ES_PW \
- "/tmp/$RUNID.evtx" 1>/dev/null 2>/dev/null
+ "/tmp/$RUNID.evtx" 1>/dev/null > $LOG_FILE 2>&1
 docker run --rm \
 -v "$EVTX:/tmp/import.evtx" \
From a6f399acf45f5706bf4e147057846ede4e1a0374 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 2 Nov 2021 09:19:32 -0400
Subject: [PATCH 3/3] Fix evtx import logging
---
 salt/common/tools/sbin/so-import-evtx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx
index d00e4b13d..83815eecd 100755
--- a/salt/common/tools/sbin/so-import-evtx
+++ b/salt/common/tools/sbin/so-import-evtx
@@ -52,7 +52,7 @@ function evtx2es() {
 --host {{ MANAGERIP }} --scheme https \
 --index so-beats-$INDEX_DATE --pipeline import.wel \
 --login $ES_USER --pwd $ES_PW \
- "/tmp/$RUNID.evtx" 1>/dev/null > $LOG_FILE 2>&1
+ "/tmp/$RUNID.evtx" >> $LOG_FILE 2>&1
 docker run --rm \
 -v "$EVTX:/tmp/import.evtx" \
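Review bot: With the final `>> $LOG_FILE 2>&1` redirection the import's error output now lands in the log, but the `docker run` exit status is still not examined anywhere in this hunk, so a rejected login or a pipeline error leaves no indication at the console; unless a caller checks it further down (the function body continues outside the hunk), append `|| echo "evtx2es import of $EVTX failed, see $LOG_FILE" >&2` to the command. Successive runs append to the same file with no separator, so a line such as `echo "$(date -u +%FT%TZ) RUNID=$RUNID importing $EVTX" >> "$LOG_FILE"` before the docker command would let log entries be attributed to a run. Nothing visible sets the log's mode, and the same command line carries `--pwd $ES_PW`; confirm that evtx2es does not echo its arguments on error, and create the file restrictively (`touch "$LOG_FILE" && chmod 600 "$LOG_FILE"` before the first redirect) so tool output is not world-readable by default.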