Initial Support - Live Query to Hunt

salt/logstash/pipelines/config/so/0008_input_redis.conf.jinja

@@ -0,0 +1,17 @@
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+
+## TO DO - Add this to Logstash Pipeline Pillar - Manager
+
+input {
+	redis {
+		host => '{{ MANAGER }}'
+		port => 6379
+		data_type => 'pattern_channel'
+		key => 'results_*'
+		type => 'osq'
+		threads => {{ THREADS }}
+		batch_count => {{ BATCH }}
+	}
+}

salt/logstash/pipelines/config/so/9001_output_osq.conf.jinja

@@ -0,0 +1,41 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+
+## TO DO - Add this to Logstash Pipeline Pillar - Search
+
+filter {
+  if [type] =~ "osq" {
+
+ split {
+   field => "rows"
+  }
+ mutate {
+   rename => { 
+      "[rows][cmdline]" => "[process][commandline]"
+      "[rows][name]" => "[process][name]" 
+    }
+    }
+ }
+}
+
+
+output {
+  if [type] =~ "osq" {
+    elasticsearch {
+      pipeline => "common" 
+      hosts => "{{ ES }}"
+      index => "so-osquery"
+      template_name => "so-osquery"
+      template => "/templates/so-osquery-template.json"
+      template_overwrite => true
+      {%- if grains['role'] in ['so-node','so-heavynode'] %}
+      ssl => true
+      ssl_certificate_verification => false
+      {%- endif %}
+    }
+  }
+}