Pull in upstream changes
8
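--- a/.github/workflows/pythontest.yml
+++ b/.github/workflows/pythontest.yml
@@ -1,6 +1,12 @@
 name: python-test
 
-on: [push, pull_request]
+on:
+push:
+paths:
+- "salt/sensoroni/files/analyzers/**"
+pull_request:
+paths:
+- "salt/sensoroni/files/analyzers/**"
 
 jobs:
 build: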
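Review bot: The new `paths` filters on both `push` and `pull_request` leave out the workflow file itself, so a later edit to `.github/workflows/pythontest.yml` (including a change like this one) no longer triggers the job that would show whether it still runs; add `- ".github/workflows/pythontest.yml"` to both lists. The filters also mean any Python outside `salt/sensoroni/files/analyzers/` is no longer exercised by this job, which is presumably intended but deserves a one-line comment above `on:` stating that the analyzers are the only Python this workflow covers. The `jobs` block continues outside the hunk.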
@@ -2,8 +2,6 @@ logstash:
|
||||
pipelines:
|
||||
manager:
|
||||
config:
|
||||
- so/0009_input_beats.conf
|
||||
- so/0010_input_hhbeats.conf
|
||||
- so/0011_input_endgame.conf
|
||||
- so/0012_input_elastic_agent.conf
|
||||
- so/9999_output_redis.conf.jinja
|
||||
|
||||
@@ -2,8 +2,7 @@ logstash:
|
||||
pipelines:
|
||||
receiver:
|
||||
config:
|
||||
- so/0009_input_beats.conf
|
||||
- so/0010_input_hhbeats.conf
|
||||
- so/0011_input_endgame.conf
|
||||
- so/0012_input_elastic_agent.conf
|
||||
- so/9999_output_redis.conf.jinja
|
||||
|
||||
@@ -3,16 +3,5 @@ logstash:
|
||||
search:
|
||||
config:
|
||||
- so/0900_input_redis.conf.jinja
|
||||
- so/9000_output_zeek.conf.jinja
|
||||
- so/9002_output_import.conf.jinja
|
||||
- so/9034_output_syslog.conf.jinja
|
||||
- so/9050_output_filebeatmodules.conf.jinja
|
||||
- so/9100_output_osquery.conf.jinja
|
||||
- so/9400_output_suricata.conf.jinja
|
||||
- so/9500_output_beats.conf.jinja
|
||||
- so/9600_output_ossec.conf.jinja
|
||||
- so/9700_output_strelka.conf.jinja
|
||||
- so/9800_output_logscan.conf.jinja
|
||||
- so/9801_output_rita.conf.jinja
|
||||
- so/9805_output_elastic_agent.conf.jinja
|
||||
- so/9900_output_endgame.conf.jinja
|
||||
|
||||
@@ -1,7 +1,5 @@
|
||||
{% set node_types = {} %}
|
||||
{% set manage_alived = salt.saltutil.runner('manage.alived', show_ip=True) %}
|
||||
{% set manager = grains.master %}
|
||||
{% set manager_type = manager.split('_')|last %}
|
||||
{% for minionid, ip in salt.saltutil.runner('mine.get', tgt='*', fun='network.ip_addrs', tgt_type='glob') | dictsort() %}
|
||||
{% set hostname = minionid.split('_')[0] %}
|
||||
{% set node_type = minionid.split('_')[1] %}
|
||||
@@ -24,10 +22,10 @@
|
||||
|
||||
node_data:
|
||||
{% for node_type, host_values in node_types.items() %}
|
||||
{{node_type}}:
|
||||
{% for hostname, details in host_values.items() %}
|
||||
{{hostname}}:
|
||||
ip: {{details.ip}}
|
||||
alive: {{ details.alive }}
|
||||
{{hostname}}:
|
||||
ip: {{details.ip}}
|
||||
alive: {{ details.alive }}
|
||||
role: {{node_type}}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
||||
@@ -10,6 +10,7 @@ base:
|
||||
- sensoroni.adv_sensoroni
|
||||
- telegraf.soc_telegraf
|
||||
- telegraf.adv_telegraf
|
||||
- node_data.ips
|
||||
|
||||
'* and not *_eval and not *_import':
|
||||
- logstash.nodes
|
||||
@@ -23,11 +24,15 @@ base:
|
||||
- logstash
|
||||
- logstash.manager
|
||||
- logstash.search
|
||||
- logstash.soc_logstash
|
||||
- logstash.adv_logstash
|
||||
- elasticsearch.index_templates
|
||||
|
||||
'*_manager':
|
||||
- logstash
|
||||
- logstash.manager
|
||||
- logstash.soc_logstash
|
||||
- logstash.adv_logstash
|
||||
- elasticsearch.index_templates
|
||||
|
||||
'*_manager or *_managersearch':
|
||||
@@ -51,6 +56,8 @@ base:
|
||||
- redis.adv_redis
|
||||
- influxdb.soc_influxdb
|
||||
- influxdb.adv_influxdb
|
||||
- elasticsearch.soc_elasticsearch
|
||||
- elasticsearch.adv_elasticsearch
|
||||
- backup.soc_backup
|
||||
- backup.adv_backup
|
||||
- minions.{{ grains.id }}
|
||||
@@ -76,6 +83,7 @@ base:
|
||||
- soc_global
|
||||
- kratos.soc_kratos
|
||||
- elasticsearch.soc_elasticsearch
|
||||
- elasticsearch.adv_elasticsearch
|
||||
- manager.soc_manager
|
||||
- soc.soc_soc
|
||||
- kratos.soc_kratos
|
||||
@@ -94,6 +102,7 @@ base:
|
||||
- logstash.manager
|
||||
- logstash.search
|
||||
- logstash.soc_logstash
|
||||
- logstash.adv_logstash
|
||||
- elasticsearch.index_templates
|
||||
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
|
||||
- elasticsearch.auth
|
||||
@@ -111,6 +120,7 @@ base:
|
||||
- influxdb.soc_influxdb
|
||||
- influxdb.adv_influxdb
|
||||
- elasticsearch.soc_elasticsearch
|
||||
- elasticsearch.adv_elasticsearch
|
||||
- manager.soc_manager
|
||||
- soc.soc_soc
|
||||
- backup.soc_backup
|
||||
@@ -134,6 +144,8 @@ base:
|
||||
'*_searchnode':
|
||||
- logstash
|
||||
- logstash.search
|
||||
- logstash.soc_logstash
|
||||
- logstash.adv_logstash
|
||||
- elasticsearch.index_templates
|
||||
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
|
||||
- elasticsearch.auth
|
||||
@@ -148,6 +160,8 @@ base:
|
||||
'*_receiver':
|
||||
- logstash
|
||||
- logstash.receiver
|
||||
- logstash.soc_logstash
|
||||
- logstash.adv_logstash
|
||||
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
|
||||
- elasticsearch.auth
|
||||
{% endif %}
|
||||
@@ -169,6 +183,7 @@ base:
|
||||
{% endif %}
|
||||
- kratos.soc_kratos
|
||||
- elasticsearch.soc_elasticsearch
|
||||
- elasticsearch.adv_elasticsearch
|
||||
- manager.soc_manager
|
||||
- soc.soc_soc
|
||||
- soc_global
|
||||
|
||||
@@ -107,7 +107,8 @@
|
||||
'zeek',
|
||||
'schedule',
|
||||
'tcpreplay',
|
||||
'docker_clean'
|
||||
'docker_clean',
|
||||
'elastic-fleet'
|
||||
],
|
||||
'so-manager': [
|
||||
'salt.master',
|
||||
|
||||
@@ -218,6 +218,11 @@ sostatus_check_cron:
|
||||
- month: '*'
|
||||
- dayweek: '*'
|
||||
|
||||
remove_post_setup_cron:
|
||||
cron.absent:
|
||||
- name: 'salt-call state.highstate'
|
||||
- identifier: post_setup_cron
|
||||
|
||||
{% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %}
|
||||
|
||||
soversionfile:
|
||||
|
||||
@@ -1,6 +1,33 @@
|
||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||
|
||||
{% if GLOBALS.os != 'CentOS' %}
|
||||
{% if GLOBALS.os == 'Ubuntu' %}
|
||||
commonpkgs:
|
||||
pkg.installed:
|
||||
- skip_suggestions: True
|
||||
- pkgs:
|
||||
- chrony
|
||||
- apache2-utils
|
||||
- wget
|
||||
- ntpdate
|
||||
- jq
|
||||
- python3-docker
|
||||
- curl
|
||||
- ca-certificates
|
||||
- software-properties-common
|
||||
- apt-transport-https
|
||||
- openssl
|
||||
- netcat
|
||||
- python3-mysqldb
|
||||
- sqlite3
|
||||
- libssl-dev
|
||||
- python3-dateutil
|
||||
- python3-m2crypto
|
||||
- python3-mysqldb
|
||||
- python3-packaging
|
||||
- python3-lxml
|
||||
- git
|
||||
- vim
|
||||
{% elif GLOBALS.os == 'Rocky' %}
|
||||
commonpkgs:
|
||||
pkg.installed:
|
||||
- skip_suggestions: True
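Review bot: The new Ubuntu `pkgs` list under `commonpkgs` contains `python3-mysqldb` twice (once after `netcat`, once after `python3-m2crypto`); drop one entry so the list is a plain set of packages and the duplicate does not hide a later copy-paste mistake. Also, `netcat` is a virtual package on recent Ubuntu releases (provided by `netcat-openbsd` or `netcat-traditional`), so `pkg.installed` may not resolve it on every target release — worth confirming against the releases this state is expected to run on. The `{% if GLOBALS.os == 'Ubuntu' %}` / `{% elif GLOBALS.os == 'Rocky' %}` block continues outside the hunk.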
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
POLICY_ID=$1
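Review bot: The first line of this script, `#/bin/bash`, is missing the `!`, so it is an ordinary comment rather than a shebang and the interpreter is left to whatever invokes the file; it should be `#!/bin/bash`. The same line heads every script hunk in this commit (each `@@ -1,4 +1,9 @@` and `@@ -1,4 +1,8 @@` hunk and the new 23-line script), and each of them goes on to source `/usr/sbin/so-common`, which presumably assumes bash. The script body continues outside the hunk.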
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
# Let's snag a cookie from Kibana
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
POLICY_ID=$1
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
# Let's snag a cookie from Kibana
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
POLICY_ID=$1
|
||||
|
||||
# Let's snag a cookie from Kibana
|
||||
SESSIONCOOKIE=$(curl -q -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
|
||||
|
||||
# Get integration policies relative to agent policy
|
||||
INTEGRATION_POLICY_IDS=$(curl -q -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID" | jq -r '.item.package_policies[].id')
|
||||
|
||||
for i in $INTEGRATION_POLICY_IDS; do
|
||||
# Delete integration policies
|
||||
echo "Deleting integration policy: $i..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d"{\"packagePolicyIds\": [\"$i\"], \"force\":true}";
|
||||
echo
|
||||
echo
|
||||
done
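Review bot: `POLICY_ID=$1` is used in the `agent_policies/$POLICY_ID` URL without any check, so running the script with no argument silently issues a request for an empty id and the `jq -r '.item.package_policies[].id'` filter yields nothing (or errors), leaving the loop with nothing to do and no message; add `[ -z "$POLICY_ID" ] && { echo "Usage: $0 <agent-policy-id>" >&2; exit 1; }` right after the assignment. The `-q` flag on the cookie request is curl's "ignore .curlrc", not "quiet", so the progress meter still goes to stderr — `-s` is the flag that silences it. A short comment above the loop explaining why `"force":true` is passed on every delete (it bypasses the managed-policy check) would help the next reader.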
|
||||
@@ -1,4 +1,9 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
POLICY_ID=$1
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
# Let's snag a cookie from Kibana
|
||||
|
||||
@@ -1,4 +1,8 @@
|
||||
#/bin/bash
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
@@ -17,68 +21,76 @@ echo
|
||||
echo "Setting up default Security Onion package policies for Elastic Agent..."
|
||||
|
||||
# Set up Suricata logs
|
||||
echo
|
||||
echo "Setting up Suricata package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "suricata_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "alert", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", "custom": "pipeline: suricata.common" }}}}}}'
|
||||
|
||||
# Import - Suricata
|
||||
echo "Settings up Suricata import package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "import_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "alert", "tags": ["import"], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }'
|
||||
|
||||
# Zeek logs
|
||||
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
|
||||
{%- if ZEEKVER != 'SURICATA' %}
|
||||
{% import_yaml 'filebeat/defaults.yaml' as FBD with context %}
|
||||
{% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %}
|
||||
{%- for LOGNAME in FBCONFIG.zeek_logs_enabled %}
|
||||
|
||||
# Set up Zeek {{ LOGNAME }} logs
|
||||
echo "Setting up Zeek {{ LOGNAME }} package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-{{ LOGNAME }}", "description": "Zeek {{ LOGNAME }} logs", "namespace": "zeek_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/zeek/logs/current/{{ LOGNAME }}.log" ], "data_stream.dataset": "{{ LOGNAME }}", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: zeek", "custom": "pipeline: zeek.{{ LOGNAME }}" }}}}}}'
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "suricata", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", "custom": "pipeline: suricata.common" }}}}}}'
|
||||
echo
|
||||
|
||||
echo "Setting up Zeek import {{ LOGNAME }} package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-zeek-{{ LOGNAME }}-logs", "name": "import-zeek-{{ LOGNAME }}-logs", "description": "Import Zeek {{ LOGNAME }} logs", "namespace": "import_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/{{ LOGNAME }}.log"], "data_stream.dataset": "{{ LOGNAME }}", "tags": ["import"], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: suricata\n imported: true", "custom": "pipeline: zeek.{{ LOGNAME }}" } } } } } }'
|
||||
# Set up Zeek logs
|
||||
echo
|
||||
echo "Setting up Zeek package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"(broker | capture_loss | loaded_scripts | packet_filter | stats | stderr | stdout).log$\"]\n" } } } } } }'
|
||||
echo
|
||||
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
{%- endif %}
|
||||
# Import - Suricata
|
||||
echo
|
||||
echo "Settings up Suricata import package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "import", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }'
|
||||
echo
|
||||
|
||||
# Set Import - Zeek logs
|
||||
echo
|
||||
echo "Setting up Zeek Import package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"" } } } } } }'
|
||||
# Strelka logs
|
||||
echo "Setting up Strelka package policy"
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "strelka_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}'
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}'
|
||||
echo
|
||||
|
||||
# Syslog TCP Port 514
|
||||
echo
|
||||
echo "Setting up Syslog TCP package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "tcp", "version": "1.5.0" }, "id": "syslog-tcp-514", "name": "syslog-tcp-514", "description": "Syslog Over TCP Port 514", "namespace": "syslog_so", "inputs": { "tcp-tcp": { "enabled": true, "streams": { "tcp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "processors": "- add_fields:\n target: event\n fields:\n module: syslog", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "tcp", "version": "1.5.0" }, "id": "syslog-tcp-514", "name": "syslog-tcp-514", "description": "Syslog Over TCP Port 514", "namespace": "so", "inputs": { "tcp-tcp": { "enabled": true, "streams": { "tcp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "processors": "- add_fields:\n target: event\n fields:\n module: syslog", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
|
||||
echo
|
||||
|
||||
# Syslog UDP Port 514
|
||||
echo
|
||||
echo "Setting up Syslog UDP package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "udp", "version": "1.5.0" }, "id": "syslog-udp-514", "name": "syslog-udp-514", "description": "Syslog over UDP Port 514", "namespace": "syslog_so", "inputs": { "udp-udp": { "enabled": true, "streams": { "udp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "udp", "version": "1.5.0" }, "id": "syslog-udp-514", "name": "syslog-udp-514", "description": "Syslog over UDP Port 514", "namespace": "so", "inputs": { "udp-udp": { "enabled": true, "streams": { "udp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
|
||||
echo
|
||||
|
||||
# Kratos logs
|
||||
echo
|
||||
echo "Setting up Kratos package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "kratos_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "access", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- rename:\n fields:\n - from: \"audience\"\n to: \"event.dataset\"\n ignore_missing: true\n- add_fields:\n when:\n not: \n has_fields: ['event.dataset']\n target: ''\n fields:\n event.dataset: access", "custom": "pipeline: kratos" }}}}}}'
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- rename:\n fields:\n - from: \"audience\"\n to: \"event.dataset\"\n ignore_missing: true\n- add_fields:\n when:\n not: \n has_fields: ['event.dataset']\n target: ''\n fields:\n event.dataset: access", "custom": "pipeline: kratos" }}}}}}'
|
||||
echo
|
||||
|
||||
# RITA Beacon logs
|
||||
echo "Setting up RITA Beacon package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-beacon-logs", "name": "rita-beacon-logs", "description": "RITA Beacon logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/beacons.csv" ], "data_stream.dataset": "beacon", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.beacon" }}}}}}'
|
||||
|
||||
# RITA Connection Logs
|
||||
echo "Setting up RITA connection package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-connection-logs", "name": "rita-connection-logs", "description": "RITA Connection logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/long-connections.csv" ], "data_stream.dataset": "connections", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.connections" }}}}}}'
|
||||
|
||||
# RITA DNS Logs
|
||||
echo "Setting up RITA DNS package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-exploded-dns-logs", "name": "rita-exploded-dns-logs", "description": "RITA Exploded DNS logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/exploded-dns.csv" ], "data_stream.dataset": "exploded_dns", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.dns" }}}}}}'
|
||||
# RITA Logs
|
||||
#echo
|
||||
#echo "Setting up RITA package policy..."
|
||||
#curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-logs", "name": "rita-logs", "description": "RITA Beacon logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/beacons.csv", "/nsm/rita/long-connections.csv", "/nsm/rita/short-connections.csv", "/nsm/rita/exploded-dns.csv" ], "data_stream.dataset": "rita", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita\n- if:\n log.file.path: beacons.csv\n then: \n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: rita.beacon\n- if:\n regexp:\n log.file.path: \"*connections.csv\"\n then: \n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: rita.connection\n- if:\n log.file.path: \"exploded-dns.csv\"\n then: \n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: rita.dns" }}}}}}'
|
||||
#echo
|
||||
|
||||
# Elasticsearch logs
|
||||
echo
|
||||
echo "Seting up Elasticsearch package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "elasticsearch", "version": "1.0.0" }, "id": "elasticsearch-logs", "name": "elasticsearch-logs", "description": "Elasticsearch Logs", "namespace": "default", "inputs": { "elasticsearch-logfile": { "enabled": true, "streams": { "elasticsearch.audit": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_audit.json" ] } }, "elasticsearch.deprecation": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_deprecation.json" ] } }, "elasticsearch.gc": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/gc.log.[0-9]*", "/var/log/elasticsearch/gc.log" ] } }, "elasticsearch.server": { "enabled": true, "vars": { "paths": [ "/opt/so/log/elasticsearch/*.log" ] } }, "elasticsearch.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_index_search_slowlog.json", "/var/log/elasticsearch/*_index_indexing_slowlog.json" ] } } } }, "elasticsearch-elasticsearch/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9200" ], "scope": "node" }, "streams": { "elasticsearch.stack_monitoring.ccr": { "enabled": false }, "elasticsearch.stack_monitoring.cluster_stats": { "enabled": false }, "elasticsearch.stack_monitoring.enrich": { "enabled": false }, "elasticsearch.stack_monitoring.index": { "enabled": false }, "elasticsearch.stack_monitoring.index_recovery": { "enabled": false, "vars": { "active.only": true } }, "elasticsearch.stack_monitoring.index_summary": { "enabled": false }, "elasticsearch.stack_monitoring.ml_job": { "enabled": false }, "elasticsearch.stack_monitoring.node": { "enabled": false }, "elasticsearch.stack_monitoring.node_stats": { "enabled": false }, "elasticsearch.stack_monitoring.pending_tasks": { "enabled": false }, "elasticsearch.stack_monitoring.shard": { 
"enabled": false } } } } }'
|
||||
echo
|
||||
|
||||
# Logstash logs
|
||||
echo
|
||||
echo "Setting up Logstash package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "logstash", "version": "2.0.0" }, "id": "logstash-logs", "name": "logstash-logs", "description": "Logstash logs", "namespace": "default", "inputs": { "logstash-logfile": { "enabled": true, "streams": { "logstash.log": { "enabled": true, "vars": { "paths": [ "/opt/so/logs/logstash/logstash.log" ] } }, "logstash.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/logstash/logstash-slowlog-plain*.log", "/var/log/logstash/logstash-slowlog-json*.log" ] } } } }, "logstash-logstash/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9600" ], "period": "10s" }, "streams": { "logstash.stack_monitoring.node": { "enabled": false }, "logstash.stack_monitoring.node_stats": { "enabled": false } } } } }'
|
||||
echo
|
||||
|
||||
# Kibana logs
|
||||
echo
|
||||
echo "Setting up Kibana package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "kibana", "version": "2.0.0" }, "id": "kibana-logs", "name": "kibana-logs", "description": "Kibana logs", "namespace": "default", "inputs": { "kibana-logfile": { "enabled": true, "streams": { "kibana.audit": { "enabled": false, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } }, "kibana.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } } } }, "kibana-kibana/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:5601" ] }, "streams": { "kibana.stack_monitoring.cluster_actions": { "enabled": false }, "kibana.stack_monitoring.cluster_rules": { "enabled": false }, "kibana.stack_monitoring.node_actions": { "enabled": false }, "kibana.stack_monitoring.node_rules": { "enabled": false }, "kibana.stack_monitoring.stats": { "enabled": false }, "kibana.stack_monitoring.status": { "enabled": false } } } } }'
|
||||
echo
|
||||
|
||||
# Redis logs
|
||||
echo
|
||||
echo "Setting up Redis package policy..."
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }'
|
||||
echo
|
||||
|
||||
@@ -19,10 +19,22 @@ printf "\n"
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}'
|
||||
printf "\n\n"
|
||||
|
||||
# Create Logstash Output payload
|
||||
# Configure certificates
|
||||
mkdir -p /opt/so/conf/elastic-fleet/certs
|
||||
cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
|
||||
cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
|
||||
|
||||
{% if grains.role == 'so-import' %}
|
||||
# Add SO-Manager Elasticsearch Ouput
|
||||
ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
|
||||
JSON_STRING=$( jq -n \
|
||||
--arg ESCACRT "$ESCACRT" \
|
||||
'{"name":"so-manager_elasticsearch2","id":"so-manager_elasticsearch2","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
||||
printf "\n\n"
|
||||
|
||||
{% else %}
|
||||
# Create Logstash Output payload
|
||||
LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt)
|
||||
LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key)
|
||||
LOGSTASHCA=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
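Review bot: The Fleet output registration added for the so-import role (`curl ... -X POST "localhost:5601/api/fleet/outputs" ... -d "$JSON_STRING"`) never checks whether Kibana accepted it; a 4xx/5xx reply (for example a 409 if `so-manager_elasticsearch2` already exists from an earlier run) is just echoed and setup continues as if the default output were in place, so agents enrolled afterwards presumably have no usable output. Add `--fail` (or `--fail-with-body` on newer curl) and stop on error: `curl --fail -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" || { echo "Failed to register Fleet Elasticsearch output"; exit 1; }`. The `PUT /api/fleet/settings` call at the top of the hunk has the same gap, though it looks like unchanged context. The script continues past the end of this hunk.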
|
||||
@@ -36,6 +48,7 @@ JSON_STRING=$( jq -n \
|
||||
# Add SO-Manager Logstash Ouput
|
||||
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
||||
printf "\n\n"
|
||||
{%- endif %}
|
||||
|
||||
# Add Elastic Fleet Integrations
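Review bot: `curl ... -d "$JSON_STRING"` hands the whole Logstash output payload to curl as a command-line argument, and per the preceding hunk `JSON_STRING` is built from `LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key)`, so the unencrypted private key is visible in `ps` and `/proc/*/cmdline` to every local account for the duration of the request (the `JSON_STRING=$( jq -n` construction itself is cut off at the top of this hunk). The curl line is pre-existing context, but the commit now wraps it in the new `{% else %}` branch, so it is worth fixing here: feed the body over stdin, `printf '%s' "$JSON_STRING" | curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d @-`. As with the new so-import branch, a `--fail` on this call would also keep a rejected output from going unnoticed.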
|
||||
|
||||
|
||||
@@ -37,6 +37,8 @@ container_list() {
|
||||
"so-suricata"
|
||||
"so-telegraf"
|
||||
"so-zeek"
|
||||
"so-elastic-agent"
|
||||
"so-elastic-agent-builder"
|
||||
)
|
||||
elif [ $MANAGERCHECK != 'so-helix' ]; then
|
||||
TRUSTED_CONTAINERS=(
|
||||
|
||||
@@ -131,13 +131,24 @@ function add_fleet_to_minion() {
|
||||
|
||||
# Write out settings to minion file
|
||||
printf '%s\n'\
|
||||
"logstash_settings:"\
|
||||
" lsheap: '500m'"\
|
||||
"fleet-server:"\
|
||||
" ES-Token: '$ESTOKEN'"\
|
||||
" " >> $PILLARFILE
|
||||
}
|
||||
|
||||
|
||||
function add_logstash_to_minion() {
|
||||
# Create the logstash advanced pillar
|
||||
printf '%s\n'\
|
||||
"logstash_settings:"\
|
||||
" ls_host: '$LSHOSTNAME'"\
|
||||
" ls_pipeline_batch_size: 125"\
|
||||
" ls_input_threads: 1"\
|
||||
" lsheap: $LSHEAP"\
|
||||
" ls_pipeline_workers: $CPUCORES"\
|
||||
" " >> $PILLARFILE
|
||||
}
|
||||
|
||||
# Analyst Workstation
|
||||
function add_analyst_to_minion() {
|
||||
printf '%s\n'\
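Review bot: `add_fleet_to_minion` appends what is presumably an Elasticsearch service token (` ES-Token: '$ESTOKEN'`) to `$PILLARFILE` in clear text, and nothing in this hunk sets that file's mode; if the `>>` redirect is what creates the file it gets the default umask mode (typically 0644), leaving the token readable to any local user. Unless the caller already does so (not visible here), create it restrictively before the first append, e.g. `[ -e "$PILLARFILE" ] || install -m 600 /dev/null "$PILLARFILE"`, and quote the redirect target as `>> "$PILLARFILE"` in both functions. A token containing a single quote would also break the `'$ESTOKEN'` YAML scalar, though that is unlikely for the base64-style tokens Fleet issues. `add_analyst_to_minion` at the bottom of the hunk continues outside it.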
|
||||
@@ -186,11 +197,13 @@ function add_sensor_to_minion() {
|
||||
|
||||
function createEVAL() {
|
||||
add_elastic_to_minion
|
||||
add_logstash_to_minion
|
||||
add_sensor_to_minion
|
||||
}
|
||||
|
||||
function createFLEET() {
|
||||
add_fleet_to_minion
|
||||
add_logstash_to_minion
|
||||
}
|
||||
|
||||
function createIDHNODE() {
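Review bot: `createFLEET` now calls `add_fleet_to_minion` and then `add_logstash_to_minion`, and per the preceding hunk each of those writes its own top-level `logstash_settings:` mapping (one with `lsheap: '500m'`, the other with `ls_host`, `lsheap: $LSHEAP` and the pipeline settings) into the same pillar file, so the resulting YAML has a duplicate top-level key; to my recollection Salt's YAML loader rejects this with a "conflicting ID" error, and a plain loader would silently keep only one of the two. Drop the `logstash_settings:` lines from `add_fleet_to_minion` so it writes only the `fleet-server:` block, or give the FLEET role one merged mapping. Separately, `add_logstash_to_minion` expands `$LSHOSTNAME`, `$LSHEAP` and `$CPUCORES`; if the FLEET and EVAL paths do not set them (not visible here) the pillar gets empty values such as `lsheap: `. `createIDHNODE` at the end of the hunk continues outside it.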
|
||||
@@ -199,20 +212,24 @@ function createIDHNODE() {
|
||||
|
||||
function createIMPORT() {
|
||||
add_elastic_to_minion
|
||||
add_logstash_to_minion
|
||||
add_sensor_to_minion
|
||||
}
|
||||
|
||||
function createHEAVYNODE() {
|
||||
add_elastic_to_minion
|
||||
add_logstash_to_minion
|
||||
add_sensor_to_minion
|
||||
}
|
||||
|
||||
function createMASTER() {
|
||||
function createMANAGER() {
|
||||
add_elastic_to_minion
|
||||
add_logstash_to_minion
|
||||
}
|
||||
|
||||
function createMASTERSEARCH() {
|
||||
function createMANAGERSEARCH() {
|
||||
add_elastic_to_minion
|
||||
add_logstash_to_minion
|
||||
}
|
||||
|
||||
function createSENSOR() {
|
||||
@@ -221,10 +238,12 @@ function createSENSOR() {
|
||||
|
||||
function createSEARCHNODE() {
|
||||
add_elastic_to_minion
|
||||
add_logstash_to_minion
|
||||
}
|
||||
|
||||
function createSTANDALONE() {
|
||||
add_elastic_to_minion
|
||||
add_logstash_to_minion
|
||||
add_sensor_to_minion
|
||||
}
|
||||
|
||||
|
||||
@@ -4,12 +4,25 @@
|
||||
# Elastic License 2.0.
|
||||
|
||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||
|
||||
|
||||
dockergroup:
|
||||
group.present:
|
||||
- name: docker
|
||||
- gid: 920
|
||||
|
||||
{% if GLOBALS.os == 'Ubuntu' %}
|
||||
dockerheldpackages:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- containerd.io: 1.4.9-1
|
||||
- docker-ce: 5:20.10.8~3-0~ubuntu-focal
|
||||
- docker-ce-cli: 5:20.10.5~3-0~ubuntu-focal
|
||||
- docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
|
||||
- hold: True
|
||||
- update_holds: True
|
||||
{% else %}
|
||||
dockerheldpackages:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
@@ -19,6 +32,7 @@ dockerheldpackages:
|
||||
- docker-ce-rootless-extras: 20.10.5-3.el7
|
||||
- hold: True
|
||||
- update_holds: True
|
||||
{% endif %}
|
||||
|
||||
#disable docker from managing iptables
|
||||
iptables_disabled:
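Review bot: The new Ubuntu branch pins `docker-ce` to `5:20.10.8~3-0~ubuntu-focal` while `docker-ce-cli` and `docker-ce-rootless-extras` are pinned to `5:20.10.5~3-0~ubuntu-focal`, and `hold: True` then freezes that mismatch; the visible CentOS line below uses a single 20.10.5 series, so the 20.10.8 looks accidental rather than deliberate. Pin all three to one release, e.g. `- docker-ce: 5:20.10.5~3-0~ubuntu-focal` (or move the other two up to 20.10.8), and note that the `~ubuntu-focal` suffix ties this state to Ubuntu 20.04 only, so `pkg.installed` will fail on any other release. Since the hold also blocks security updates to the engine, a comment such as `# Pinned: SO is validated against this Docker release; bump deliberately` above `dockerheldpackages` would help whoever next updates it. The state file continues past this hunk.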
|
||||
|
||||
@@ -1165,7 +1165,7 @@ elasticsearch:
|
||||
index_template:
|
||||
data_stream: {}
|
||||
index_patterns:
|
||||
- logs-*_so
|
||||
- logs-*-so*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
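Review bot: The generic template's pattern changes from `logs-*_so` to `logs-*-so*`, which now also matches every module-specific pattern introduced in the later hunks (`logs-suricata-so*`, `logs-zeek-so*`, `logs-import-so*`, ...) as well as any data stream whose namespace merely starts with `so`; Elasticsearch refuses to install composable templates whose patterns overlap at the same priority, so confirm the priorities (not visible in this hunk) still rank the specific templates above this one. If the namespace is always exactly `so`, the tighter `- logs-*-so` (no trailing wildcard) avoids the accidental matches. The `elasticsearch:` mapping this sits in extends well beyond the hunk.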
|
||||
@@ -1418,7 +1418,7 @@ elasticsearch:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- so-elasticsearch*
|
||||
- logs-elasticsearch-default*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -2171,7 +2171,7 @@ elasticsearch:
|
||||
index_template:
|
||||
data_stream: {}
|
||||
index_patterns:
|
||||
- logs-*-suricata_so
|
||||
- logs-suricata-so*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -2339,7 +2339,7 @@ elasticsearch:
|
||||
index_template:
|
||||
data_stream: {}
|
||||
index_patterns:
|
||||
- logs-*-import_so
|
||||
- logs-import-so*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -2677,8 +2677,11 @@ elasticsearch:
|
||||
delete: 365
|
||||
index_sorting: False
|
||||
index_template:
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
index_patterns:
|
||||
- logs-*-kratos_so
|
||||
- logs-kratos-so*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -2755,7 +2758,7 @@ elasticsearch:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- so-logstash*
|
||||
- logs-logstash-default*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -3676,7 +3679,7 @@ elasticsearch:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- so-redis*
|
||||
- logs-redis-default*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -4178,7 +4181,7 @@ elasticsearch:
|
||||
index_template:
|
||||
data_stream: {}
|
||||
index_patterns:
|
||||
- logs-*-strelka_so
|
||||
- logs-strelka-so*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -4263,7 +4266,7 @@ elasticsearch:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- so-syslog*
|
||||
- logs-syslog-so*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
@@ -4432,7 +4435,7 @@ elasticsearch:
|
||||
index_template:
|
||||
data_stream: {}
|
||||
index_patterns:
|
||||
- logs-*-zeek_so
|
||||
- logs-zeek-so*
|
||||
template:
|
||||
mappings:
|
||||
dynamic_templates:
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "kratos",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "access" } },
|
||||
{ "pipeline": { "name": "common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
"processors": [
|
||||
{
|
||||
"set": {
|
||||
"field": "_index",
|
||||
"value": "so-rita",
|
||||
"field": "event.dataset",
|
||||
"value": "beacon",
|
||||
"override": true
|
||||
}
|
||||
},
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
"processors": [
|
||||
{
|
||||
"set": {
|
||||
"field": "_index",
|
||||
"value": "so-rita",
|
||||
"field": "event.dataset",
|
||||
"value": "connection",
|
||||
"override": true
|
||||
}
|
||||
},
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
"processors": [
|
||||
{
|
||||
"set": {
|
||||
"field": "_index",
|
||||
"value": "so-rita",
|
||||
"field": "event.dataset",
|
||||
"value": "dns",
|
||||
"override": true
|
||||
}
|
||||
},
|
||||
|
||||
@@ -9,12 +9,11 @@
|
||||
{ "rename":{ "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
|
||||
{ "rename":{ "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
|
||||
{ "remove":{ "field": "dataset", "ignore_failure": true } },
|
||||
{ "rename":{ "field": "message2.event_type", "target_field": "dataset", "ignore_failure": true } },
|
||||
{ "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
|
||||
{ "set": { "field": "observer.name", "value": "{{agent.name}}" } },
|
||||
{ "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },
|
||||
{ "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
|
||||
{ "remove":{ "field": "agent", "ignore_failure": true } },
|
||||
{ "pipeline": { "if": "ctx?.dataset != null", "name": "suricata.{{dataset}}" } }
|
||||
{ "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } }
|
||||
]
|
||||
}
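Review bot: The new `set` on `event.dataset` renders `{{ message2.event_type }}` unconditionally, so when `message2.event_type` is absent (for instance when the JSON parse earlier in the pipeline, outside this hunk, fails under `ignore_failure`) the field becomes the empty string instead of staying unset; the new `ctx?.event?.dataset != null` guard then passes and the processor tries to run a pipeline literally named `suricata.`, failing the document where the old `rename` with `ignore_failure` simply left `dataset` unset. Make the set skip empty values: `{ "set": { "field": "event.dataset", "value": "{{ message2.event_type }}", "ignore_empty_value": true } }` (supported since Elasticsearch 7.9), or guard it with `"if": "ctx.message2?.event_type != null"`. The processor list starts before this hunk.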
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bacnet",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bacnet" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bacnet_discovery",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bacnet_discovery" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bacnet_property",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bacnet_property" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bsap_ip_header",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bsap_ip_header" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bsap_ip_rdb",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bsap_ip_rdb" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.header_size", "target_field": "bsap.header.length", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bsap_ip_unknown",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bsap_ip_unknown" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_header",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bsap_serial_header" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.ser", "target_field": "bsap.message.serial_number", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_rdb",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bsap_serial_rdb" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_rdb_ext",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bsap_serial_rdb_ext" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_unknown",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "bsap_serial_unknown" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.cip",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "cip" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.cip_identity",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "cip_identity" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.cip_io",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "cip_io" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.conn",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "conn" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.cotp",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "cotp" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.pdu_code", "target_field": "cotp.pdu.code", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.dce_rpc",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "dce_rpc" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.dhcp",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "dhcp" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.uids", "target_field": "log.id.uids", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.dnp3",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "dnp3" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.fc_request", "target_field": "dnp3.fc_request", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.dnp3_control",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "dnp3_control" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.block_type", "target_field": "dnp3.block_type", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.dnp3_objects",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "dnp3_objects" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.dns",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "dns" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.dpd",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "dpd" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_aoe_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_aoe_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_arp_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_arp_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_coe_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_coe_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_dev_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_dev_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_foe_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_foe_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_log_address",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_log_address" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_registers",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_registers" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ecat_soe_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ecat_soe_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.enip",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "enip" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "enip.is_orig", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.files",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "files" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ftp",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ftp" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.user", "target_field": "ftp.user", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.http",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "http" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.intel",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "intel" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.irc",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "irc" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.nick", "target_field": "irc.nickname", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.kerberos",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "kerberos" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.request_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.modbus",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "modbus" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.modbus_detailed",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "modbus_detailed" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.modbus_mask_write_register",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "modbus_mask_write_register" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.read_write_multiple_registers",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "modbus_read_write_multiple_registers" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.mysql",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "mysql" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.cmd", "target_field": "mysql.command", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.notice",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "notice" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.ntlm",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "ntlm" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.hostname", "target_field": "host.name", "ignore_missing": true } },
|
||||
|
||||
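Review bot: `{ "rename": { "field": "message2.hostname", "target_field": "host.name", "ignore_missing": true } }` writes a hostname parsed from observed NTLM traffic into `host.name`, the ECS field that normally identifies the host that produced or observed the event, and the `remove` processor earlier in this pipeline has already dropped the `host` object the shipper supplied. Any dashboard or detection that reads `host.name` as "sensor" would therefore receive a value taken from network content for NTLM events; the side of this line is not readable from the rendering, so the mapping may be pre-existing. If `host.*` is meant to keep the sensor identity, a protocol-scoped target such as `ntlm.hostname` (constructed example) keeps the two meanings apart; if mapping onto `host.name` is deliberate, a processor `"description"` stating that would help. The processors array continues beyond the hunk.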
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_activate_session" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session_client_software_cert",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_client_software_cert" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session_diagnostic_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_diagnostic_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session_locale_id",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_locale_id" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_browse" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_description",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_browse_description" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.browse_description_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_diagnostic_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_browse_diagnostic_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_session_diag_info_link_id", "ignore_missing": true } },
|
||||
|
||||
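Review bot: The rename target on the last visible processor, `opcua.browse_session_diag_info_link_id`, does not match its source `message2.browse_diag_info_link_id`, unlike the neighbouring browse pipelines where the target repeats the source name (`opcua.browse_description_link_id`, `opcua.browse_next_link_id`); it reads like a copy-over from the activate_session diagnostics pipeline. Whether this line is new or context cannot be read from the rendering. If the divergence is unintended, `{ "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_diag_info_link_id", "ignore_missing": true } },` keeps the link-id fields consistent for correlating diagnostic rows back to their browse request. The processors array continues outside the hunk.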
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_request_continuation_point",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_browse_request_continuation_point" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_next_link_id", "target_field": "opcua.browse_next_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_response_references",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_browse_response_references" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_result",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_browse_result" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_create_session" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session_discovery",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_create_session_discovery" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session_endpoints",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_create_session_endpoints" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session_user_token",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_create_session_user_token" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_subscription",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_create_subscription" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_diag_info_detail",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_diag_info_detail" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_description",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_description" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_discovery",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_discovery" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_locale_id",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_locale_id" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_profile_uri",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_profile_uri" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.profile_uri_link_id", "target_field": "opcua.profile_uri_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_user_token",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_user_token" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_opensecure_channel",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_opensecure_channel" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_read" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_array_dims",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_array_dims_link",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims_link" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.variant_data_array_dim_link_id", "target_field": "opcua.variant_data_array_dim_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_diagnostic_info",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_read_diagnostic_info" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.read_diag_info_link_id", "target_field": "opcua.read_diag_info_link_id", "ignore_missing": true } },
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_extension_object",
|
||||
"processors" : [
|
||||
{ "set": { "field": "event.dataset", "value": "opcua_binary_read_extension_object" } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
|
||||
|
||||