CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update so-filebeat-module-setup to use new load style to avoid having to explicitly enabled filesets

Browse Source
This commit is contained in:
Wes Lambert
2022-03-19 03:54:41 +00:00
parent 2e7d314650
commit a18b38de4d
1 changed files with 12 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
salt/common/tools/sbin/so-filebeat-module-setup
View File

@@ -49,19 +49,20 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
fi fi
echo "Testing to see if the pipelines are already applied" echo "Testing to see if the pipelines are already applied"
ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c) PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c)
if [[ "$PIPELINES" -lt 5 ]]; then if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then
echo "Setting up ingest pipeline(s)" echo "Setting up ingest pipeline(s)"
{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %}
for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system threatintel tomcat traefik zeek zscaler {% for module in MODULESMERGED.modules.keys() %}
do {% for fileset in MODULESMERGED.modules[module] %}
echo "Loading $MODULE" {#% if MODULESMERGED.modules[module][fileset].get('enabled', False) %#}
docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML echo "{{ module }}.{{ fileset}}"
sleep 2 docker exec -i so-filebeat filebeat setup --pipelines --modules {{ module }} -M "{{ module }}.{{ fileset }}.enabled=true" -c $FB_MODULE_YML
done sleep 0.5
{#% endif %#}
{% endfor %}
{% endfor %}
else else
exit 0 exit 0
fi fi