CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8703 from Security-Onion-Solutions/funstuff

Browse Source 
Fix yaml for idh,es,kib,esalert
This commit is contained in:
Mike Reeves
2022-09-09 15:38:07 -04:00
committed by GitHub
parent 54f7cefa28 1f3b170213
commit cc08e5a42c
8 changed files with 15 additions and 389 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
salt/elastalert/defaults.yaml
View File

@@ -3,8 +3,6 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
elastalert: elastalert:
config: config:
rules_folder: /opt/elastalert/rules/ rules_folder: /opt/elastalert/rules/
@@ -16,7 +14,6 @@ elastalert:
minutes: 10 minutes: 10
old_query_limit: old_query_limit:
minutes: 5 minutes: 5
es_host: {{salt['pillar.get']('global:managerip', '')}}
es_port: 9200 es_port: 9200
es_conn_timeout: 55 es_conn_timeout: 55
max_query_size: 5000 max_query_size: 5000
@@ -26,8 +23,6 @@ elastalert:
use_ssl: true use_ssl: true
verify_certs: false verify_certs: false
#es_send_get_body_as: GET #es_send_get_body_as: GET
es_username: "{{ ES_USER }}"
es_password: "{{ ES_PASS }}"
writeback_index: elastalert_status writeback_index: elastalert_status
alert_time_limit: alert_time_limit:
days: 2 days: 2

8
salt/elastalert/elastalert_config.map.jinja
View File

@@ -1,4 +1,8 @@
{% import_yaml 'elastalert/defaults.yaml' as elastalert_defaults with context %} {% import_yaml 'elastalert/defaults.yaml' as ELASTALERT with context %}
{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
{% do salt['defaults.merge'](elastalert_defaults.elastalert.config, elastalert_pillar, in_place=True) %} {% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %}
{% do ELASTALERT.elastalert.config.update({'es_host': pillar.global.managerip}) %}
{% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
{% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}

3
salt/elasticsearch/config.map.jinja
View File

@@ -31,6 +31,9 @@
{# merge with the elasticsearch pillar #} {# merge with the elasticsearch pillar #}
{% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %} {% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %}
{% do ESCONFIG.elasticsearch.config.node.update({'name': grains.host}) %}
{% do ESCONFIG.elasticsearch.config.cluster.update({'name': grains.host}) %}
{% do ESCONFIG.elasticsearch.config.transport.update({'publish_host': grains.host}) %}
{% if salt['pillar.get']('elasticsearch:config:path:repo', False) %} {% if salt['pillar.get']('elasticsearch:config:path:repo', False) %}
{% for repo in pillar.elasticsearch.config.path.repo %} {% for repo in pillar.elasticsearch.config.path.repo %}

377
salt/elasticsearch/defaults.yaml
View File

@@ -1,11 +1,9 @@
elasticsearch: elasticsearch:
config: config:
node: node:
name: {{ grains.host }}
attr: attr:
box_type: hot box_type: hot
cluster: cluster:
name: {{ grains.host }}
routing: routing:
allocation: allocation:
disk: disk:
@@ -22,7 +20,6 @@ elasticsearch:
destructive_requires_name: true destructive_requires_name: true
transport: transport:
bind_host: 0.0.0.0 bind_host: 0.0.0.0
publish_host: {{ grains.host }}
publish_port: 9300 publish_port: 9300
xpack: xpack:
ml: ml:
@@ -60,380 +57,6 @@ elasticsearch:
elasticsearch: elasticsearch:
deprecation: ERROR deprecation: ERROR
index_settings: index_settings:
so-logs-elastic_agent.apm_server:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.apm_server-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.apm_server@package"
- "so-logs-elastic_agent.apm_server@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.auditbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.auditbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.auditbeat@package"
- "so-logs-elastic_agent.auditbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.cloudbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.cloudbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.cloudbeat@package"
- "so-logs-elastic_agent.cloudbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.endpoint_security:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.endpoint_security-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.endpoint_security@package"
- "so-logs-elastic_agent.endpoint_security@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.filebeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.filebeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.filebeat@package"
- "so-logs-elastic_agent.filebeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.fleet_server:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.fleet_server-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.fleet_server@package"
- "so-logs-elastic_agent.fleet_server@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.heartbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.heartbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.heartbeat@package"
- "so-logs-elastic_agent.heartbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent@package"
- "so-logs-elastic_agent@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.metricbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.metricbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.metricbeat@package"
- "so-logs-elastic_agent.metricbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.osquerybeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.osquerybeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.osquerybeat@package"
- "so-logs-elastic_agent.osquerybeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.packetbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.packetbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.packetbeat@package"
- "so-logs-elastic_agent.packetbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-aws: so-aws:
warm: 7 warm: 7
close: 30 close: 30

1
salt/idh/defaults/defaults.yaml
View File

@@ -1,7 +1,6 @@
idh: idh:
opencanary: opencanary:
config: config:
device.node_id: {{ grains.host }}
logger: logger:
class: PyLogger class: PyLogger
kwargs: kwargs:

4
salt/idh/opencanary_config.map.jinja
View File

@@ -6,4 +6,6 @@
{% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %} {% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %}
{% endfor %} {% endfor %}
{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %} {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %}
{% do OPENCANARYCONFIG.idh.opencanary.config.update({'device.node_id': grains.host}) %}

3
salt/kibana/config.map.jinja
View File

@@ -1,6 +1,9 @@
{% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %} {% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ pillar.global.url_base ~ '/kibana'}) %}
{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ pillar.global.managerip ~ ':9200']}) %}
{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
{% if salt['pillar.get']('kibana:secrets') %} {% if salt['pillar.get']('kibana:secrets') %}

3
salt/kibana/defaults.yaml
View File

@@ -5,10 +5,7 @@ kibana:
name: kibana name: kibana
host: "0.0.0.0" host: "0.0.0.0"
basePath: /kibana basePath: /kibana
publicBaseUrl: https://{{salt['pillar.get']('global:url_base')}}/kibana
elasticsearch: elasticsearch:
hosts:
- https://{{salt['pillar.get']('global:managerip')}}:9200
ssl: ssl:
verificationMode: none verificationMode: none
requestTimeout: 90000 requestTimeout: 90000