From b8137214e4b4b7f690f8c2a9e8b3fcd05d416e6a Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Fri, 26 Feb 2021 08:08:09 -0500
Subject: [PATCH] Initial Support - Live Query to Hunt

---
 .../config/so/0008_input_redis.conf.jinja | 17 ++++++++
 .../config/so/9001_output_osq.conf.jinja | 41 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 salt/logstash/pipelines/config/so/0008_input_redis.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/so/9001_output_osq.conf.jinja

diff --git a/salt/logstash/pipelines/config/so/0008_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0008_input_redis.conf.jinja
new file mode 100644
index 000000000..694b997bb
--- /dev/null
+++ b/salt/logstash/pipelines/config/so/0008_input_redis.conf.jinja
@@ -0,0 +1,17 @@
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+
+## TO DO - Add this to Logstash Pipeline Pillar - Manager
+
+input {
+ redis {
+ host => '{{ MANAGER }}'
+ port => 6379
+ data_type => 'pattern_channel'
+ key => 'results_*'
+ type => 'osq'
+ threads => {{ THREADS }}
+ batch_count => {{ BATCH }}
+ }
+}
diff --git a/salt/logstash/pipelines/config/so/9001_output_osq.conf.jinja b/salt/logstash/pipelines/config/so/9001_output_osq.conf.jinja
new file mode 100644
index 000000000..6a4c564f0
--- /dev/null
+++ b/salt/logstash/pipelines/config/so/9001_output_osq.conf.jinja
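Review bot: The `THREADS` default is the empty string, so when `logstash_settings:ls_input_threads` is absent from the pillar the template renders `threads => ` with no value, which Logstash rejects at config load; give it a numeric default, `{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', 1) %}`, or guard the `threads` line with `{% if THREADS %}`. The redis input also connects to `{{ MANAGER }}:6379` with neither `password` nor `ssl` set, so the `results_*` channels feeding this pipeline are only as protected as the network path to that listener; presumably the manager host firewalls it, but that assumption deserves a comment next to the `redis {` block. The `## TO DO` line would be more actionable if it named the pillar keys still to be added.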
@@ -0,0 +1,41 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+
+## TO DO - Add this to Logstash Pipeline Pillar - Search
+
+filter {
+ if [type] =~ "osq" {
+
+ split {
+ field => "rows"
+ }
+ mutate {
+ rename => {
+ "[rows][cmdline]" => "[process][commandline]"
+ "[rows][name]" => "[process][name]"
+ }
+ }
+ }
+}
+
+
+output {
+ if [type] =~ "osq" {
+ elasticsearch {
+ pipeline => "common"
+ hosts => "{{ ES }}"
+ index => "so-osquery"
+ template_name => "so-osquery"
+ template => "/templates/so-osquery-template.json"
+ template_overwrite => true
+ {%- if grains['role'] in ['so-node','so-heavynode'] %}
+ ssl => true
+ ssl_certificate_verification => false
+ {%- endif %}
+ }
+ }
+}
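Review bot: `ssl_certificate_verification => false` on the so-node/so-heavynode branch of the elasticsearch output enables TLS to `{{ ES }}` but disables certificate validation, so the output will trust whatever endpoint answers on that address; prefer trusting the cluster CA explicitly with `cacert => "<PATH-TO-CA-BUNDLE>"` (placeholder) and dropping the override, or add a comment stating why verification cannot be performed on these roles. `FEATURES` is set at the top of the file but never referenced, so the line is dead and can go. `if [type] =~ "osq"`, used in both the filter and the output, is a regex match that also accepts any type containing `osq`; since the paired redis input sets `type => 'osq'`, `if [type] == "osq"` states the intent exactly.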