CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 17:52:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Logstash Module - Add Jinja for output plugins

Browse Source
This commit is contained in:
Mike Reeves
2018-09-14 14:32:27 -04:00
parent cb988eefde
commit a413b7594d
19 changed files with 39 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
salt/logstash/files/dynamic/0900_input_redis.conf
View File

@@ -1,9 +1,10 @@
{%- set master = grains['master'] %}
input {
redis {
host => '172.18.0.1'
host => '{{ master }}'
data_type => 'list'
key => 'logstash:redis'
type => 'redis-input'
# threads => 1
}
}
}

3
salt/logstash/files/dynamic/9000_output_bro.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -15,7 +16,7 @@ output {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-bro-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"

3
salt/logstash/files/dynamic/9001_output_switch.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if "switch" in [tags] and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-switch-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}

3
salt/logstash/files/dynamic/9002_output_import.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Updated by: Doug Burks
# Last Update: 5/16/2017
@@ -12,7 +13,7 @@ output {
if "import" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-import-%{+YYYY.MM.dd}"
template_name => "logstash-*"
template => "/logstash-template.json"

3
salt/logstash/files/dynamic/9004_output_flow.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if [event_type] == "sflow" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-flow-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}

3
salt/logstash/files/dynamic/9026_output_dhcp.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if [event_type] == "dhcp" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
template => "/logstash-template.json"
}
}

3
salt/logstash/files/dynamic/9029_output_esxi.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -13,7 +14,7 @@ filter {
output {
if [event_type] == "esxi" and "test_data" not in [tags] {
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
template => "/logstash-template.json"
}
}

3
salt/logstash/files/dynamic/9030_output_greensql.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -13,7 +14,7 @@ filter {
output {
if [event_type] == "greensql" and "test_data" not in [tags] {
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
template => "/logstash-template.json"
}
}

3
salt/logstash/files/dynamic/9031_output_iis.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if [event_type] == "iis" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
template => "/logstash-template.json"
}
}

3
salt/logstash/files/dynamic/9032_output_mcafee.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if [event_type] == "mcafee" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
template => "/logstash-template.json"
}
}

3
salt/logstash/files/dynamic/9033_output_snort.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if [event_type] == "snort" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-ids-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"

3
salt/logstash/files/dynamic/9034_output_syslog.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
@@ -13,7 +14,7 @@ filter {
output {
if "syslog" in [tags] and "test_data" not in [tags] {
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-syslog-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"

3
salt/logstash/files/dynamic/9200_output_firewall.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if "firewall" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-firewall-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"

4
salt/logstash/files/dynamic/9300_output_windows.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,10 +15,9 @@ output {
if [event_type] == "windows" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }
index => "logstash-windows-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

4
salt/logstash/files/dynamic/9301_output_dns_windows.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,10 +15,9 @@ output {
if [event_type] == "dns" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

3
salt/logstash/files/dynamic/9400_output_suricata.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -14,7 +15,7 @@ output {
if [event_type] == "suricata" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-ids-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}

3
salt/logstash/files/dynamic/9500_output_beats.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Wes Lambert
# Last Update: 12/11/2017
filter {
@@ -10,7 +11,7 @@ filter {
output {
if "beat" in [tags] {
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-beats-%{+YYYY.MM.dd}"
template_name => "logstash-beats"
template => "/beats-template.json"

3
salt/logstash/files/dynamic/9998_output_test_data.conf
View File

@@ -1,3 +1,4 @@
{%- set ES = salt['pillar.get']('mainip'. '') %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
@@ -13,7 +14,7 @@ filter {
output {
if "test_data" in [tags] {
elasticsearch {
hosts => elasticsearch
hosts => {{ ES }}
index => "logstash-test-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}

2
so-setup-network.sh
View File

@@ -389,6 +389,7 @@ node_pillar() {
# Create the node pillar
touch $TMP/$HOSTNAME.sls
echo "node:" > $TMP/$HOSTNAME.sls
echo " mainip: $MAINIP" >> $TMP/$HOSTNAME.sls
echo " esaccessip: 127.0.0.1" >> $TMP/$HOSTNAME.sls
echo " esheap: $NODE_ES_HEAP_SIZE" >> $TMP/$HOSTNAME.sls
echo " esclustername: {{ grains.host }}" >> $TMP/$HOSTNAME.sls
@@ -543,6 +544,7 @@ sensor_pillar() {
touch $TMP/$HOSTNAME.sls
echo "sensor:" > $TMP/$HOSTNAME.sls
echo " interface: bond0" >> $TMP/$HOSTNAME.sls
echo " mainip: $MAINIP" >> $TMP/$HOSTNAME.sls
if [ $NSMSETUP == 'ADVANCED' ]; then
echo " bro_pins:" >> $TMP/$HOSTNAME.sls
for PIN in $BROPINS; do