CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Logstash EVAL pipeline fix - osquery

Browse Source
This commit is contained in:
Josh Brower
2020-02-05 08:12:08 -05:00
parent de04cc6631
commit c1dd26d97e
2 changed files with 18 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/logstash/conf/pipelines/eval/0800_input_eval.conf
View File

@@ -188,6 +188,7 @@ input {
file { file {
path => "/osquery/logs/result.log" path => "/osquery/logs/result.log"
type => "osquery" type => "osquery"
tags => ["osquery"]
} }
file { file {
path => "/strelka/strelka.log" path => "/strelka/strelka.log"

21
salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
View File

@@ -3,11 +3,24 @@
{%- else %} {%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%} {%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %} {%- endif %}
# Author: Josh Brower # Author: Security Onion Solutions
# Last Update: 12/29/2018 # Last Update: 2/3/2020
# Output to ES for osquery tagged logs # Output to ES for osquery tagged logs - EVAL install
filter {
if "osquery" in [tags] {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
}
json {
source => "message"
target => "osquery"
}
}
}
output { output {
if "osquery" in [tags] { if "osquery" in [tags] {
elasticsearch { elasticsearch {
@@ -16,4 +29,4 @@ output {
template => "/logstash-template.json" template => "/logstash-template.json"
} }
} }
} }