modify Filebeat config

This commit is contained in:
Wes Lambert
2020-03-14 12:05:16 +00:00
parent c52220330b
commit d2016d3ff2


@@ -19,7 +19,7 @@ name: {{ HOSTNAME }}
# Sets log level. The default log level is info. # Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug # Available log levels are: error, warning, info, debug
logging.level: error logging.level: debug
# Enable debug output for selected components. To enable all selectors use ["*"] # Enable debug output for selected components. To enable all selectors use ["*"]
# Other available selectors are "beat", "publish", "service" # Other available selectors are "beat", "publish", "service"
@@ -80,9 +80,13 @@ filebeat.prospectors:
paths: paths:
- /nsm/zeek/logs/current/{{ LOGNAME }}.log - /nsm/zeek/logs/current/{{ LOGNAME }}.log
fields: fields:
type: bro_{{ LOGNAME }} module: zeek
dataset: {{ LOGNAME }}
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
tags: ["bro"]
clean_removed: false clean_removed: false
close_removed: false close_removed: false
@@ -93,8 +97,13 @@ filebeat.prospectors:
paths: paths:
- /suricata/eve.json - /suricata/eve.json
fields: fields:
type: ids module: suricata
engine: suricata dataset: alert
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
@@ -106,19 +115,25 @@ filebeat.prospectors:
paths: paths:
- /wazuh/alerts/alerts.json - /wazuh/alerts/alerts.json
fields: fields:
type: ossec module: ossec
dataset: alert
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
- type: log # - type: log
paths: # paths:
- /wazuh/archives/archives.json # - /wazuh/archives/archives.json
fields: # fields:
type: ossec_archive # type: ossec_archive
fields_under_root: true # fields_under_root: true
clean_removed: false # clean_removed: false
close_removed: false # close_removed: false
{%- endif %} {%- endif %}
@@ -129,6 +144,11 @@ filebeat.prospectors:
- /osquery/logs/result.log - /osquery/logs/result.log
fields: fields:
type: osquery type: osquery
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
@@ -141,34 +161,56 @@ filebeat.prospectors:
paths: paths:
- /opt/so/log/strelka/strelka.log - /opt/so/log/strelka/strelka.log
fields: fields:
type: strelka module: strelka
dataset: file
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- endif %} {%- endif %}
#----------------------------- Logstash output --------------------------------- #----------------------------- Logstash output ---------------------------------
output.logstash: output.elasticsearch:
# Boolean flag to enable or disable the output module.
enabled: true enabled: true
hosts: ["{{ MASTER }}:9200"]
pipelines:
- pipeline: "%{[module]}.%{[dataset]}"
indices:
- index: "so-zeek-%{+yyyy.MM.dd}"
when.contains:
module: "zeek"
- index: "so-ids-%{+yyyy.MM.dd}"
when.contains:
module: "suricata"
- index: "so-ossec-%{+yyyy.MM.dd}"
when.contains:
module: "ossec"
#output.logstash:
# Boolean flag to enable or disable the output module.
#enabled: true
# The Logstash hosts # The Logstash hosts
hosts: ["{{ MASTER }}:5644"] #hosts: ["{{ MASTER }}:5644"]
# Number of workers per Logstash host. # Number of workers per Logstash host.
worker: 1 #worker: 1
# Set gzip compression level. # Set gzip compression level.
compression_level: 3 #compression_level: 3
# Enable SSL support. SSL is automatically enabled, if any SSL setting is set. # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
ssl.enabled: true #ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts # Configure SSL verification mode. If `none` is configured, all server hosts
# and certificates will be accepted. In this mode, SSL based connections are # and certificates will be accepted. In this mode, SSL based connections are
# susceptible to man-in-the-middle attacks. Use only for testing. Default is # susceptible to man-in-the-middle attacks. Use only for testing. Default is
# `full`. # `full`.
ssl.verification_mode: full #ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# 1.2 are enabled. # 1.2 are enabled.
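Review bot: The new `output.elasticsearch` block sends every sensor log to `{{ MASTER }}:9200` with no `protocol: https`, no `ssl.*` settings and no credentials, whereas the Logstash output it replaces (now commented out directly below it) enforced `ssl.verification_mode: full` with a pinned CA plus a client certificate and key; unless port 9200 is protected by something outside this file, Zeek, Suricata, Wazuh, osquery and Strelka events now cross the network in cleartext and unauthenticated. The certificate paths referenced by the old block are still present in this file, so the same trust settings can be carried over to the new output as shown below. Separately, `logging.level: debug` is a large step up from `error` and Filebeat's debug selectors can write event contents into the Filebeat log; if that is for troubleshooting, revert it before release. The osquery input keeps `type: osquery` and sets no `module`/`dataset` fields, so the `%{[module]}.%{[dataset]}` pipeline selector and the `indices` conditions do not apply to it — presumably intended, but worth confirming.
```yaml
output.elasticsearch:
  enabled: true
  hosts: ["{{ MASTER }}:9200"]
  protocol: "https"
  ssl.verification_mode: full
  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
  ssl.certificate: "/usr/share/filebeat/filebeat.crt"
  ssl.key: "/usr/share/filebeat/filebeat.key"
  # … unchanged: pipelines and indices …
```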
@@ -176,16 +218,14 @@ output.logstash:
# Optional SSL configuration options. SSL is off by default. # Optional SSL configuration options. SSL is off by default.
# List of root certificates for HTTPS server verifications # List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] #ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
# Certificate for SSL client authentication # Certificate for SSL client authentication
ssl.certificate: "/usr/share/filebeat/filebeat.crt" #ssl.certificate: "/usr/share/filebeat/filebeat.crt"
# Client Certificate Key # Client Certificate Key
ssl.key: "/usr/share/filebeat/filebeat.key" #ssl.key: "/usr/share/filebeat/filebeat.key"
# Elasticsearch template settings
#setup.template.settings:
# A dictionary of settings to place into the settings.index dictionary # A dictionary of settings to place into the settings.index dictionary
# of the Elasticsearch template. For more details, please check # of the Elasticsearch template. For more details, please check