Introduce so-import-pcap tool - WIP
@@ -118,12 +118,31 @@ filebeat.inputs:
|
||||
clean_removed: false
|
||||
close_removed: false
|
||||
|
||||
- type: log
|
||||
paths:
|
||||
- /nsm/import/*/zeek/logs/{{ LOGNAME }}.log
|
||||
fields:
|
||||
module: zeek
|
||||
dataset: {{ LOGNAME }}
|
||||
category: network
|
||||
imported: true
|
||||
processors:
|
||||
- dissect:
|
||||
tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}"
|
||||
field: "source"
|
||||
target_prefix: ""
|
||||
- drop_fields:
|
||||
fields: ["source", "prospector", "input", "offset", "beat"]
|
||||
|
||||
fields_under_root: true
|
||||
clean_removed: false
|
||||
close_removed: false
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
|
||||
- type: log
|
||||
paths:
|
||||
- /suricata/eve*.json
|
||||
- /nsm/suricata/eve*.json
|
||||
fields:
|
||||
module: suricata
|
||||
dataset: common
|
||||
@@ -137,8 +156,27 @@ filebeat.inputs:
|
||||
clean_removed: false
|
||||
close_removed: false
|
||||
|
||||
{%- if STRELKAENABLED == 1 %}
|
||||
- type: log
|
||||
paths:
|
||||
- /nsm/import/*/suricata/eve*.json
|
||||
fields:
|
||||
module: suricata
|
||||
dataset: common
|
||||
category: network
|
||||
imported: true
|
||||
processors:
|
||||
- dissect:
|
||||
tokenizer: "/nsm/import/%{import_id}/suricata/%{import_source}"
|
||||
field: "source"
|
||||
target_prefix: ""
|
||||
- drop_fields:
|
||||
fields: ["source", "prospector", "input", "offset", "beat"]
|
||||
|
||||
fields_under_root: true
|
||||
clean_removed: false
|
||||
close_removed: false
|
||||
|
||||
{%- if STRELKAENABLED == 1 %}
|
||||
- type: log
|
||||
paths:
|
||||
- /nsm/strelka/log/strelka.log
|
||||
@@ -229,7 +267,7 @@ output.elasticsearch:
|
||||
- index: "so-strelka-%{+yyyy.MM.dd}"
|
||||
when.contains:
|
||||
module: "strelka"
|
||||
|
||||
|
||||
setup.template.enabled: false
|
||||
{%- else %}
|
||||
|
||||
|
||||
@@ -55,9 +55,7 @@ so-filebeat:
|
||||
- binds:
|
||||
- /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
|
||||
- /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
|
||||
- /nsm/zeek:/nsm/zeek:ro
|
||||
- /nsm/strelka/log:/nsm/strelka/log:ro
|
||||
- /nsm/suricata:/suricata:ro
|
||||
- /nsm:/nsm:ro
|
||||
- /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
|
||||
- /opt/so/wazuh/logs/archives:/wazuh/archives:ro
|
||||
- /nsm/osquery/fleet/:/nsm/osquery/fleet:ro
|
||||
|
||||
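Review bot: The bind list appears to collapse the three read-only mounts `/nsm/zeek`, `/nsm/strelka/log` and `/nsm/suricata` into a single `- /nsm:/nsm:ro`, which widens what the filebeat container can read to the entire /nsm tree rather than only the log directories it ships; if the import inputs only need `/nsm/import`, adding `- /nsm/import:/nsm/import:ro` alongside the existing narrower mounts keeps the container's view limited to what it consumes. The old/new sides are inferred from the hunk counts (-9/+7) since the markers are lost on this page. If `/nsm/suricata:/suricata:ro` is indeed removed, the filebeat.yml hunk above still lists `- /suricata/eve*.json` next to the new `- /nsm/suricata/eve*.json`, so that stale in-container path should be dropped in the same change.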