mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Adjust imports for filebeat configuration to ensure import data is placed into ES
This commit is contained in:
Jason Ertel
@@ -76,11 +76,13 @@ function zeek() {
|
|||||||
|
|
||||||
NSM_PATH=/nsm/import/${HASH}/zeek
|
NSM_PATH=/nsm/import/${HASH}/zeek
|
||||||
mkdir -p $NSM_PATH/logs
|
mkdir -p $NSM_PATH/logs
|
||||||
mkdir -p $NSM_PATH/spool
|
|
||||||
mkdir -p $NSM_PATH/extracted
|
mkdir -p $NSM_PATH/extracted
|
||||||
|
mkdir -p $NSM_PATH/spool
|
||||||
chown -R zeek:socore $NSM_PATH
|
chown -R zeek:socore $NSM_PATH
|
||||||
docker run --rm \
|
docker run --rm \
|
||||||
-v $NSM_PATH:/nsm:rw \
|
-v $NSM_PATH/logs:/nsm/zeek/logs:rw \
|
||||||
|
-v $NSM_PATH/spool:/nsm/zeek/spool:rw \
|
||||||
|
-v $NSM_PATH/extracted:/nsm/zeek/extracted:rw \
|
||||||
-v $PCAP:/input.pcap:ro \
|
-v $PCAP:/input.pcap:ro \
|
||||||
-v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \
|
-v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \
|
||||||
-v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \
|
-v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \
|
||||||
|
|||||||
@@ -128,8 +128,8 @@ filebeat.inputs:
|
|||||||
imported: true
|
imported: true
|
||||||
processors:
|
processors:
|
||||||
- dissect:
|
- dissect:
|
||||||
tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}"
|
tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
|
||||||
field: "source"
|
field: "log.file.path"
|
||||||
target_prefix: ""
|
target_prefix: ""
|
||||||
- drop_fields:
|
- drop_fields:
|
||||||
fields: ["source", "prospector", "input", "offset", "beat"]
|
fields: ["source", "prospector", "input", "offset", "beat"]
|
||||||
@@ -166,8 +166,8 @@ filebeat.inputs:
|
|||||||
imported: true
|
imported: true
|
||||||
processors:
|
processors:
|
||||||
- dissect:
|
- dissect:
|
||||||
tokenizer: "/nsm/import/%{import_id}/suricata/%{import_source}"
|
tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
|
||||||
field: "source"
|
field: "log.file.path"
|
||||||
target_prefix: ""
|
target_prefix: ""
|
||||||
- drop_fields:
|
- drop_fields:
|
||||||
fields: ["source", "prospector", "input", "offset", "beat"]
|
fields: ["source", "prospector", "input", "offset", "beat"]
|
||||||
|
|||||||
@@ -53,12 +53,11 @@ so-filebeat:
|
|||||||
- user: root
|
- user: root
|
||||||
- extra_hosts: {{ MASTER }}:{{ MASTERIP }}
|
- extra_hosts: {{ MASTER }}:{{ MASTERIP }}
|
||||||
- binds:
|
- binds:
|
||||||
|
- /nsm:/nsm:ro
|
||||||
- /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
|
- /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
|
||||||
- /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
|
- /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
|
||||||
- /nsm:/nsm:ro
|
|
||||||
- /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
|
- /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
|
||||||
- /opt/so/wazuh/logs/archives:/wazuh/archives:ro
|
- /opt/so/wazuh/logs/archives:/wazuh/archives:ro
|
||||||
- /nsm/osquery/fleet/:/nsm/osquery/fleet:ro
|
|
||||||
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
|
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
|
||||||
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
|
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
|
||||||
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
|
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
|
||||||
|
|||||||
Reference in New Issue
Block a user