CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #814 from Security-Onion-Solutions/feature/syslog

Browse Source 
Feature/syslog
This commit is contained in:
weslambert
2020-06-02 13:39:23 -04:00
committed by GitHub
parent 42683ddb67 8cac30728b
commit 98e0f0d7d8
3 changed files with 23 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
pillar/logstash/search.sls
View File

@@ -5,6 +5,7 @@ logstash:
- so/0900_input_redis.conf.jinja - so/0900_input_redis.conf.jinja
- so/9000_output_zeek.conf.jinja - so/9000_output_zeek.conf.jinja
- so/9002_output_import.conf.jinja - so/9002_output_import.conf.jinja
- so/9034_output_syslog.conf.jinja
- so/9100_output_osquery.conf.jinja - so/9100_output_osquery.conf.jinja
- so/9400_output_suricata.conf.jinja - so/9400_output_suricata.conf.jinja
- so/9500_output_beats.conf.jinja - so/9500_output_beats.conf.jinja

17
salt/filebeat/etc/filebeat.yml
View File

@@ -75,9 +75,9 @@ filebeat.modules:
filebeat.inputs: filebeat.inputs:
#------------------------------ Log prospector -------------------------------- #------------------------------ Log prospector --------------------------------
{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %} {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %}
- type: syslog
- type: udp
enabled: true enabled: true
protocol.udp:
host: "0.0.0.0:514" host: "0.0.0.0:514"
fields: fields:
module: syslog module: syslog
@@ -87,7 +87,20 @@ filebeat.inputs:
processors: processors:
- drop_fields: - drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
- type: tcp
enabled: true
host: "0.0.0.0:514"
fields:
module: syslog
dataset: syslog
pipeline: "syslog"
index: "so-syslog-%{+yyyy.MM.dd}"
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
{%- if BROVER != 'SURICATA' %} {%- if BROVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
- type: log - type: log

13
salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
View File

@@ -3,24 +3,21 @@
{%- else %} {%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%} {%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %} {%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/15/2017
filter { filter {
if "syslog" in [tags] and "test_data" not in [tags] { if [module] =~ "syslog" {
mutate { mutate {
##add_tag => [ "conf_file_9034"] ##add_tag => [ "conf_file_9000"]
} }
} }
} }
output { output {
if "syslog" in [tags] and "test_data" not in [tags] { if [module] =~ "syslog" {
elasticsearch { elasticsearch {
pipeline => "%{module}"
hosts => "{{ ES }}" hosts => "{{ ES }}"
index => "so-syslog-%{+YYYY.MM.dd}" index => "so-syslog-%{+YYYY.MM.dd}"
template_name => "logstash" template_name => "so-common"
template => "/so-common-template.json" template => "/so-common-template.json"
template_overwrite => true template_overwrite => true
} }