CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Imported logs are sent to so-import index on eval installations

Browse Source
This commit is contained in:
Jason Ertel
2020-07-14 22:59:42 -04:00
parent b53ce392ef
commit 9dc1151347
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/filebeat/etc/filebeat.yml
View File

@@ -127,7 +127,7 @@ filebeat.inputs:
imported: true imported: true
processors: processors:
- add_tags: - add_tags:
tags: [import] tags: ["import"]
- dissect: - dissect:
tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
field: "log.file.path" field: "log.file.path"
@@ -167,7 +167,7 @@ filebeat.inputs:
imported: true imported: true
processors: processors:
- add_tags: - add_tags:
tags: [import] tags: ["import"]
- dissect: - dissect:
tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
field: "log.file.path" field: "log.file.path"
@@ -260,6 +260,9 @@ output.elasticsearch:
pipelines: pipelines:
- pipeline: "%{[module]}.%{[dataset]}" - pipeline: "%{[module]}.%{[dataset]}"
indices: indices:
- index: "so-import-%{+yyyy.MM.dd}"
when.contains:
tags: "import"
- index: "so-zeek-%{+yyyy.MM.dd}" - index: "so-zeek-%{+yyyy.MM.dd}"
when.contains: when.contains:
module: "zeek" module: "zeek"