Merge pull request #13877 from Security-Onion-Solutions/2.4/lookuprev2

Initial support for local lookup
This commit is contained in:
Josh Brower
2024-10-29 11:22:39 -04:00
committed by GitHub
3 changed files with 84 additions and 26 deletions


@@ -63,6 +63,14 @@ eastatedir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
custommappingsdir:
file.directory:
- name: /nsm/custom-mappings
- user: 947
- group: 939
- makedirs: True
eapackageupgrade: eapackageupgrade:
file.managed: file.managed:
- name: /usr/sbin/so-elastic-fleet-package-upgrade - name: /usr/sbin/so-elastic-fleet-package-upgrade
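Review bot: The new custommappingsdir state gives /nsm/custom-mappings an owner (947) and group (939) but no `dir_mode`, so as far as I can tell the directory's permission bits are left to whatever the minion's default creation mask produces. Because ip-descriptions.csv in this directory is read by the new agent input and its rows become indexed lookup documents, who may write there is a deliberate choice rather than a default; adding `- dir_mode: 770` (or the mode the other /nsm directory states in this file use, if they set one) makes that intent visible. The hunk header reports 8 added lines while only 6 are visible here, so the rendering appears to have dropped two (probably blank) lines.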


@@ -0,0 +1,35 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "so-ip-mappings",
"namespace": "so",
"description": "IP Description mappings",
"policy_id": "so-grid-nodes_general",
"vars": {},
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [
"/nsm/custom-mappings/ip-descriptions.csv"
],
"data_stream.dataset": "hostnamemappings",
"tags": [
"so-ip-mappings"
],
"processors": "- decode_csv_fields:\n fields:\n message: decoded.csv\n separator: \",\"\n ignore_missing: false\n overwrite_keys: true\n trim_leading_space: true\n fail_on_error: true\n\n- extract_array:\n field: decoded.csv\n mappings:\n so.ip_address: '0'\n so.description: '1'\n\n- script:\n lang: javascript\n source: >\n function process(event) {\n var ip = event.Get('so.ip_address');\n var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n if (!validIpRegex.test(ip)) {\n event.Cancel();\n }\n }\n- fingerprint:\n fields: [\"so.ip_address\"]\n target_field: \"@metadata._id\"\n",
"custom": ""
}
}
}
}
},
"force": true
}
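Review bot: In the javascript processor embedded in the `processors` string, the regex assignment has no terminating semicolon (`var validIpRegex = /…/` is immediately followed by `if (…)`), so the script only parses because the YAML `>` folded scalar keeps the line break between those two more-indented lines; if the indentation is ever flattened they merge into one statement and the processor fails to compile. Writing `var validIpRegex = /^((25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)$/;` removes that dependency on whitespace. The check also accepts IPv4 only, so any IPv6 row in ip-descriptions.csv is silently discarded by event.Cancel(); stating that in the `description` field (e.g. "IPv4 address to description mappings") would tell operators why such entries never show up. The dataset name `hostnamemappings` does not match the integration name `so-ip-mappings`; if a shared dataset is intended, a line in the commit description would help, since the JSON itself cannot carry a comment.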


@@ -1,18 +1,45 @@
output { output {
if "elastic-agent" in [tags] { if "elastic-agent" in [tags] and "so-ip-mappings" in [tags] {
if [metadata][pipeline] { elasticsearch {
if [metadata][_id] { hosts => "{{ GLOBALS.hostname }}"
elasticsearch { data_stream => false
hosts => "{{ GLOBALS.hostname }}" user => "{{ ES_USER }}"
ecs_compatibility => v8 password => "{{ ES_PASS }}"
data_stream => true document_id => "%{[metadata][_id]}"
user => "{{ ES_USER }}" index => "so-ip-mappings"
password => "{{ ES_PASS }}" silence_errors_in_log => ["version_conflict_engine_exception"]
document_id => "%{[metadata][_id]}" ssl => true
pipeline => "%{[metadata][pipeline]}" ssl_certificate_verification => false
silence_errors_in_log => ["version_conflict_engine_exception"] }
ssl => true }
ssl_certificate_verification => false else {
if "elastic-agent" in [tags] {
if [metadata][pipeline] {
if [metadata][_id] {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
document_id => "%{[metadata][_id]}"
pipeline => "%{[metadata][pipeline]}"
silence_errors_in_log => ["version_conflict_engine_exception"]
ssl => true
ssl_certificate_verification => false
}
}
else {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
pipeline => "%{[metadata][pipeline]}"
ssl => true
ssl_certificate_verification => false
}
} }
} }
else { else {
@@ -22,22 +49,10 @@ output {
data_stream => true data_stream => true
user => "{{ ES_USER }}" user => "{{ ES_USER }}"
password => "{{ ES_PASS }}" password => "{{ ES_PASS }}"
pipeline => "%{[metadata][pipeline]}"
ssl => true ssl => true
ssl_certificate_verification => false ssl_certificate_verification => false
} }
} }
} }
else {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
ssl => true
ssl_certificate_verification => false
}
}
} }
} }
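Review bot: The new so-ip-mappings branch (the right-column `elasticsearch { … }` block under the `and "so-ip-mappings" in [tags]` condition in the first hunk) sets `document_id => "%{[metadata][_id]}"` without the `if [metadata][_id]` guard that the elastic-agent branch below it still keeps. If an event carries the tag but the fingerprint processor did not populate `[metadata][_id]`, Logstash as far as I recall leaves the sprintf reference unexpanded, so every such event overwrites a single document whose id is the literal text `%{[metadata][_id]}`. Wrapping the output as `if [metadata][_id] { elasticsearch { … } }` keeps the two paths consistent and makes the failure visible instead of silent. The branch also omits the `ecs_compatibility => v8` that every other output here sets — presumably intentional given `data_stream => false`, but worth confirming. The enclosing `output {` block spans both hunks of this file; the second hunk is only the re-nesting of the existing logic under the new `else`.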