use global vars in states

m0duspwnens
2022-10-11 11:57:15 -04:00
parent 46bdd1acad
commit b526532ab6
219 changed files with 412 additions and 472 deletions


@@ -1,7 +1,7 @@
{%- if grains.role == 'so-heavynode' %}
{%- set MANAGER = salt['grains.get']('host') %}
{%- set HOST = GLOBALS.hostname %}
{%- else %}
{%- set MANAGER = salt['grains.get']('master') %}
{%- set HOST = GLOBALS.manager %}
{% endif -%}
{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
{%- set access_key = salt['pillar.get']('minio:access_key', '') %}
@@ -11,7 +11,7 @@ input {
s3 {
access_key_id => "{{ access_key }}"
secret_access_key => "{{ access_secret }}"
endpoint => "https://{{ MANAGER }}:9595"
endpoint => "https://{{ HOST }}:9595"
bucket => "logstash"
delete => true
interval => {{ INTERVAL }}
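Review bot: The `endpoint => "https://{{ HOST }}:9595"` line now takes its host from `GLOBALS.hostname` or `GLOBALS.manager`, and nothing in this section shows that those values have the same form (short name, FQDN or IP) as the grains `host`/`master` values they replace. Because the endpoint is HTTPS, the rendered name has to match what the certificate served on port 9595 was issued for, otherwise the s3 input fails certificate verification. The first hunk starts at line 1 of the template and contains no import for `GLOBALS`, so it presumably arrives through the rendering state's context; a first-line comment such as `{#- GLOBALS is passed in by the state that renders this file -#}` would make that dependency visible. The last template on this page makes the same `HOST` switch and the same check applies there.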


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "zeek" and "import" not in [tags] {
elasticsearch {
pipeline => "%{module}.%{dataset}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-zeek"
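Review bot: `user => "{{ ES_USER }}"` and `password => "{{ ES_PASS }}"` stay in the output while the hunk header (11 old lines, 8 new) suggests the three `{%- set … %}` lines at the top are removed, so `ES_USER`, `ES_PASS` and `GLOBALS` now have to come from whatever state renders this template. That state is not visible here; if it omits any of them, the render either fails or produces an elasticsearch output with blank credentials, depending on how undefined names are handled. I would document the contract on the first line, e.g. `{#- expects GLOBALS, ES_USER and ES_PASS in the render context -#}`, and confirm that the output block, which continues past the hunk, sends these credentials to `GLOBALS.manager` only over TLS with certificate verification. The same pattern repeats in every other elasticsearch output template on this page (so-import through endgame).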


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if "import" in [tags] {
elasticsearch {
pipeline => "%{module}.%{dataset}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-import"


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "syslog" {
elasticsearch {
pipeline => "%{module}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-syslog"


@@ -1,12 +1,9 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if "filebeat" in [metadata][pipeline] {
elasticsearch {
id => "filebeat_modules_metadata_pipeline"
pipeline => "%{[metadata][pipeline]}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-%{[event][module]}-%{+YYYY.MM.dd}"


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "osquery" and "live_query" not in [dataset] {
elasticsearch {
pipeline => "%{module}.%{dataset}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-osquery"


@@ -1,10 +1,7 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [dataset] =~ "firewall" {
elasticsearch {
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-firewall"


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "suricata" and "import" not in [tags] {
elasticsearch {
pipeline => "%{module}.%{dataset}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-ids"


@@ -1,12 +1,9 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if "beat-ext" in [tags] and "import" not in [tags] and "filebeat" not in [metadata][pipeline] {
if [metadata][_id] {
elasticsearch {
pipeline => "beats.common"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-beats"
@@ -17,7 +14,7 @@ output {
} else {
elasticsearch {
pipeline => "beats.common"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-beats"


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "ossec" {
elasticsearch {
pipeline => "%{module}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-ossec"


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "strelka" {
elasticsearch {
pipeline => "%{module}.%{dataset}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-strelka"


@@ -1,13 +1,9 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "logscan" {
elasticsearch {
id => "logscan_pipeline"
pipeline => "logscan.alert"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-logscan"


@@ -1,11 +1,8 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if [module] =~ "rita" and "import" not in [tags] {
elasticsearch {
pipeline => "%{module}.%{dataset}"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "so-rita"


@@ -1,10 +1,7 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
output {
if "elastic-agent" in [tags] and "import" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"


@@ -1,6 +1,3 @@
{%- set ES = salt['grains.get']('master') -%}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
filter {
if [event][module] =~ "endgame" {
mutate {
@@ -12,7 +9,7 @@ output {
if [event][module] =~ "endgame" {
elasticsearch {
id => "endgame_es_output"
hosts => "{{ ES }}"
hosts => "{{ GLOBALS.manager }}"
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
index => "endgame-%{+YYYY.MM.dd}"


@@ -1,7 +1,7 @@
{%- if grains.role in ['so-heavynode', 'so-receiver'] %}
{%- set HOST = salt['grains.get']('host') %}
{%- set HOST = GLOBALS.hostname %}
{%- else %}
{%- set HOST = salt['grains.get']('master') %}
{%- set HOST = GLOBALS.manager %}
{%- endif %}
{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
output {