Strelka - Filebeat config

salt/filebeat/etc/filebeat.yml

@@ -3,6 +3,7 @@
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
 {%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %}
+{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
 
 name: {{ HOSTNAME }}
 
@@ -66,7 +67,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
@@ -126,6 +127,19 @@ filebeat.prospectors:
     clean_removed: false
     close_removed: false
 
+{%- endif %}
+
+{%- if STRELKAENABLED == '1' %}
+
+  - type: log
+    paths:
+      - /opt/so/log/strelka/strelka.log
+    fields:
+      type: strelka
+    fields_under_root: true
+    clean_removed: false
+    close_removed: false
+
 {%- endif %}
 #----------------------------- Logstash output ---------------------------------
 output.logstash:

salt/strelka/init.sls

@@ -55,9 +55,9 @@ strelkastagedir:
     - makedirs: True
 
 
-#so-strelka-frontendimage:
+so-strelka-frontendimage:
-# cmd.run:
+ cmd.run:
-#   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
 
 so-strelka-coordinatorimage:
  cmd.run: