diff --git a/pillar/logstash/fleet.sls b/pillar/logstash/fleet.sls new file mode 100644 index 000000000..fb70e7f0d --- /dev/null +++ b/pillar/logstash/fleet.sls @@ -0,0 +1,6 @@ +logstash: + pipelines: + fleet: + config: + - so/0012_input_elastic_agent.conf + - so/9806_output_lumberjack_fleet.conf.jinja \ No newline at end of file diff --git a/pillar/logstash/init.sls b/pillar/logstash/init.sls index 7ad31cf9b..b94ae2c44 100644 --- a/pillar/logstash/init.sls +++ b/pillar/logstash/init.sls @@ -4,6 +4,7 @@ logstash: - 0.0.0.0:3765:3765 - 0.0.0.0:5044:5044 - 0.0.0.0:5055:5055 + - 0.0.0.0:5056:5056 - 0.0.0.0:5644:5644 - 0.0.0.0:6050:6050 - 0.0.0.0:6051:6051 diff --git a/pillar/logstash/manager.sls b/pillar/logstash/manager.sls index 41a2197fd..cee8eec02 100644 --- a/pillar/logstash/manager.sls +++ b/pillar/logstash/manager.sls @@ -3,6 +3,6 @@ logstash: manager: config: - so/0011_input_endgame.conf - - so/0012_input_elastic_agent.conf - - so/9999_output_redis.conf.jinja - + - so/0012_input_elastic_agent.conf + - so/0013_input_lumberjack_fleet.conf + - so/9999_output_redis.conf.jinja \ No newline at end of file diff --git a/pillar/top.sls b/pillar/top.sls index 438aff576..a7d4e365f 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -224,6 +224,18 @@ base: - minions.{{ grains.id }} - minions.adv_{{ grains.id }} + '*_fleet': + - soc_global + - adv_global + - backup.soc_backup + - backup.adv_backup + - logstash + - logstash.fleet + - logstash.soc_logstash + - logstash.adv_logstash + - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} + '*_workstation': - minions.{{ grains.id }} - minions.adv_{{ grains.id }} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index a837950e4..9f652e389 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -191,6 +191,16 @@ 'tcpreplay', 'docker_clean' ], + 'so-fleet': [ + 'ssl', + 'telegraf', + 'firewall', + 'logstash', + 'healthcheck', + 'schedule', + 'elasticfleet', + 'docker_clean' + ], 'so-receiver': [ 'ssl', 'telegraf', diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index ea5cc703e..bc5e318ae 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -160,6 +160,39 @@ disable_fastestmirror() { sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf } +elastic_fleet_integration_create() { + + JSON_STRING=$1 + + curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} + +elastic_fleet_policy_create() { + + NAME=$1 + DESC=$2 + FLEETSERVER=$3 + + JSON_STRING=$( jq -n \ + --arg NAME "$NAME" \ + --arg DESC "$DESC" \ + --arg FLEETSERVER "$FLEETSERVER" \ + '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":$FLEETSERVER}' + ) + # Create Fleet Policy + curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" + +} + +elastic_fleet_policy_update() { + + POLICYID=$1 + JSON_STRING=$2 + + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} + + elastic_license() { read -r -d '' message <<- EOM diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/common/tools/sbin/so-elastic-agent-gen-installers index 128f894e4..805f6152a 100755 --- a/salt/common/tools/sbin/so-elastic-agent-gen-installers +++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers @@ -12,22 +12,22 @@ ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key') -FLEETHOST=$(lookup_pillar "server:url" "elasticfleet") +#FLEETHOST=$(lookup_pillar "server:url" "elasticfleet") +FLEETHOST="{{ GLOBALS.manager_ip }}" #FLEETHOST=$1 #ENROLLMENTOKEN=$2 CONTAINERGOOS=( "linux" "darwin" "windows" ) -rm -rf /tmp/elastic-agent-workspace -mkdir -p /tmp/elastic-agent-workspace +#rm -rf /tmp/elastic-agent-workspace +#mkdir -p /tmp/elastic-agent-workspace for OS in "${CONTAINERGOOS[@]}" do printf "\n\nGenerating $OS Installer..." - cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz + #cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz docker run -e CGO_ENABLED=0 -e GOOS=$OS \ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ - --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS printf "\n $OS Installer Generated..." diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 4efdd5784..a65e29244 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load @@ -6,132 +6,16 @@ . /usr/sbin/so-common -{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} -{%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} -{%- set RITAENABLED = salt['pillar.get']('rita:enabled', False) %} +# Initial Endpoints +for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/endpoints-initial/*.json +do + printf "\n\nInitial Endpoint Policy - Loading $INTEGRATION\n" + elastic_fleet_integration_create "@$INTEGRATION" +done -wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" - -# Let's snag a cookie from Kibana -SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') - -# Disable certain Features from showing up in the Kibana UI -echo -echo "Disable certain Features from showing up in the Kibana UI" -so-kibana-space-defaults -echo - -# Suricata logs -echo -echo "Setting up Suricata package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "suricata", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", "custom": "pipeline: suricata.common" }}}}}}' -echo - -# Zeek logs -echo -echo "Setting up Zeek package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' -echo - - -# Import - EVTX -echo -echo "Setting up EVTX import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "package": { "name": "log", "version": "1.1.0" }, "name": "import-evtx-logs", "namespace": "so", "description": "Import Windows EVTX logs", "policy_id": "so-grid-nodes", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/import/*/evtx/data.json" ], "data_stream.dataset": "import", "custom": "pipeline: import.wel", "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- add_fields:\n target: event\n fields:\n module: windows_eventlog\n imported: true", "tags": [] } } } } } }' -echo - -# Import - Suricata logs -echo -echo "Setting up Suricata import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "import", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }' -echo - -# Import - Zeek logs -echo -echo "Setting up Zeek import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' -echo - -# Strelka logs -echo -echo "Setting up Strelka package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "strelka", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' -echo - -# Syslog TCP Port 514 -echo -echo "Setting up Syslog TCP package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "tcp", "version": "1.5.0" }, "id": "syslog-tcp-514", "name": "syslog-tcp-514", "description": "Syslog Over TCP Port 514", "namespace": "so", "inputs": { "tcp-tcp": { "enabled": true, "streams": { "tcp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "processors": "- add_fields:\n target: event\n fields:\n module: syslog", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }' -echo - -# Syslog UDP Port 514 -echo -echo "Setting up Syslog UDP package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "udp", "version": "1.5.0" }, "id": "syslog-udp-514", "name": "syslog-udp-514", "description": "Syslog over UDP Port 514", "namespace": "so", "inputs": { "udp-udp": { "enabled": true, "streams": { "udp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }' -echo - -# Kratos logs -echo -echo "Setting up Kratos package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"custom":"pipeline: kratos","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos" }}}}}}' -echo - -# RITA Logs -#echo -#echo "Setting up RITA package policy..." -#curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-logs", "name": "rita-logs", "description": "RITA Beacon logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/beacons.csv", "/nsm/rita/long-connections.csv", "/nsm/rita/short-connections.csv", "/nsm/rita/exploded-dns.csv" ], "data_stream.dataset": "rita", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita\n- if:\n log.file.path: beacons.csv\n then: \n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: rita.beacon\n- if:\n regexp:\n log.file.path: \"*connections.csv\"\n then: \n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: rita.connection\n- if:\n log.file.path: \"exploded-dns.csv\"\n then: \n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: rita.dns" }}}}}}' -#echo - -# Elasticsearch logs -echo -echo "Setting up Elasticsearch package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "elasticsearch", "version": "1.0.0" }, "id": "elasticsearch-logs", "name": "elasticsearch-logs", "description": "Elasticsearch Logs", "namespace": "default", "inputs": { "elasticsearch-logfile": { "enabled": true, "streams": { "elasticsearch.audit": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_audit.json" ] } }, "elasticsearch.deprecation": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_deprecation.json" ] } }, "elasticsearch.gc": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/gc.log.[0-9]*", "/var/log/elasticsearch/gc.log" ] } }, "elasticsearch.server": { "enabled": true, "vars": { "paths": [ "/opt/so/log/elasticsearch/*.log" ] } }, "elasticsearch.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_index_search_slowlog.json", "/var/log/elasticsearch/*_index_indexing_slowlog.json" ] } } } }, "elasticsearch-elasticsearch/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9200" ], "scope": "node" }, "streams": { "elasticsearch.stack_monitoring.ccr": { "enabled": false }, "elasticsearch.stack_monitoring.cluster_stats": { "enabled": false }, "elasticsearch.stack_monitoring.enrich": { "enabled": false }, "elasticsearch.stack_monitoring.index": { "enabled": false }, "elasticsearch.stack_monitoring.index_recovery": { "enabled": false, "vars": { "active.only": true } }, "elasticsearch.stack_monitoring.index_summary": { "enabled": false }, "elasticsearch.stack_monitoring.ml_job": { "enabled": false }, "elasticsearch.stack_monitoring.node": { "enabled": false }, "elasticsearch.stack_monitoring.node_stats": { "enabled": false }, "elasticsearch.stack_monitoring.pending_tasks": { "enabled": false }, "elasticsearch.stack_monitoring.shard": { "enabled": false } } } } }' -echo - -# Logstash logs -#echo -#echo "Setting up Logstash package policy..." -#curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "logstash", "version": "2.0.0" }, "id": "logstash-logs", "name": "logstash-logs", "description": "Logstash logs", "namespace": "default", "inputs": { "logstash-logfile": { "enabled": true, "streams": { "logstash.log": { "enabled": true, "vars": { "paths": [ "/opt/so/logs/logstash/logstash.log" ] } }, "logstash.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/logstash/logstash-slowlog-plain*.log", "/var/log/logstash/logstash-slowlog-json*.log" ] } } } }, "logstash-logstash/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9600" ], "period": "10s" }, "streams": { "logstash.stack_monitoring.node": { "enabled": false }, "logstash.stack_monitoring.node_stats": { "enabled": false } } } } }' -#echo - -# Kibana logs -#echo -#echo "Setting up Kibana package policy..." -#curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "kibana", "version": "2.0.0" }, "id": "kibana-logs", "name": "kibana-logs", "description": "Kibana logs", "namespace": "default", "inputs": { "kibana-logfile": { "enabled": true, "streams": { "kibana.audit": { "enabled": false, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } }, "kibana.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } } } }, "kibana-kibana/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:5601" ] }, "streams": { "kibana.stack_monitoring.cluster_actions": { "enabled": false }, "kibana.stack_monitoring.cluster_rules": { "enabled": false }, "kibana.stack_monitoring.node_actions": { "enabled": false }, "kibana.stack_monitoring.node_rules": { "enabled": false }, "kibana.stack_monitoring.stats": { "enabled": false }, "kibana.stack_monitoring.status": { "enabled": false } } } } }' -#echo - -# Redis logs -echo -echo "Setting up Redis package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }' -echo - -# IDH logs -echo -echo "Setting up IDH package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}' -echo - -# SOC - Server logs -echo -echo "Setting up SOC - Server Logs package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-server-logs","namespace":"so","description":"Security Onion Console Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/sensoroni-server.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true","tags":[]}}}}}}' -echo - -# SOC - Sensoroni logs -echo -echo "Setting up SOC - Sensoroni Logs package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-sensoroni-logs","namespace":"so","description":"Security Onion - Sensoroni - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/sensoroni/sensoroni.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true","tags":[]}}}}}}' -echo - -# SOC - Elastic Auth Sync logs -echo -echo "Setting up SOC - Elastic Auth Sync Logs package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-auth-sync-logs","namespace":"so","description":"Security Onion - Elastic Auth Sync - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/sync.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync","tags":[]}}}}}}' -echo - -# SOC - Salt Relay logs -echo -echo "Setting up SOC - Salt_Relay Logs package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-salt-relay-logs","namespace":"so","description":"Security Onion - Salt Relay - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/salt-relay.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay","tags":[]}}}}}}' -echo +# Grid Nodes +for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/grid-nodes/*.json +do + printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n" + elastic_fleet_integration_create "@$INTEGRATION" +done \ No newline at end of file diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index ab54d42a5..7fe336625 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -8,68 +8,63 @@ . /usr/sbin/so-common - -# Create ES Token +printf "\n### Create ES Token ###\n" ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) -printf "ESTOKEN = $ESTOKEN \n" -# Add SO-Manager Fleet URL -## This array replaces whatever URLs are currently configured -printf "\n" -curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}' -printf "\n\n" - -# Configure certificates -mkdir -p /opt/so/conf/elastic-fleet/certs -cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs -cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs - -{% if grains.role in ['so-import', 'so-standalone', 'so-eval', 'so-manager', 'so-managersearch'] %} -# Add SO-Manager Elasticsearch Ouput -ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) +### Create Outputs & Fleet URLs ### +printf "\nAdd Manager Elasticsearch Ouput...\n" +ESCACRT=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) JSON_STRING=$( jq -n \ --arg ESCACRT "$ESCACRT" \ - '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' ) + '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' ) curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" printf "\n\n" -{% else %} -# Create Logstash Output payload -LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt) -LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key) -LOGSTASHCA=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) +printf "\nCreate Logstash Output if node is not an Import or Eval install\n" +{% if grains.role not in ['so-import', 'so-eval'] %} +LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt) +LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key) +LOGSTASHCA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) JSON_STRING=$( jq -n \ --arg LOGSTASHCRT "$LOGSTASHCRT" \ --arg LOGSTASHKEY "$LOGSTASHKEY" \ --arg LOGSTASHCA "$LOGSTASHCA" \ - '{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}' + '{"name":"grid-logstash","is_default":true,"is_default_monitoring":true,"id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055", "{{ GLOBALS.manager }}:5055"],"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]},"proxy_id":null}' ) - -# Add SO-Manager Logstash Ouput curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" printf "\n\n" {%- endif %} -# Add Elastic Fleet Integrations +printf "\nAdd SO-Manager Fleet URL\n" +## This array replaces whatever URLs are currently configured +curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220", "https://{{ GLOBALS.manager }}:8220"]}' +printf "\n\n" -# Add Elastic Fleet Server Agent Policy -#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \ -#-X POST "localhost:5601/api/fleet/agent_policies" \ -#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ -#-d '{"name":"SO-Manager","id":"so-manager","description":"SO Manager Fleet Server Policy","namespace":"default","monitoring_enabled":["logs"],"has_fleet_server":true}' -# Add Agent Policy - SOS Grid Nodes -#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \ -#-X POST "localhost:5601/api/fleet/agent_policies" \ -#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ -#-d '{"name":"SO-Grid","id":"so-grid","description":"SO Grid Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' +### Create Policies & Associated Integration Configuration ### -# Add Agent Policy - Default endpoints -#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \ -#-X POST "localhost:5601/api/fleet/agent_policies" \ -#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ -#-d '{"name":"Endpoints-Initalization","id":"endpoints","description":"Initial Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' +# Manager Fleet Server Host +elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" | jq +#Temp Fixup for ES Output bug +JSON_STRING=$( jq -n \ + --arg NAME "FleetServer_{{ GLOBALS.hostname }}" \ + '{"name": $NAME,"description": $NAME,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}' + ) +curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" + +# Initial Endpoints Policy +elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" + +# Grid Nodes Policy +elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false" + +# Load Integrations for default policies +so-elastic-fleet-integration-policy-load + +### Finalization ### + +# Query for Enrollment Tokens for default policies ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-default")) | .api_key') GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes")) | .api_key') @@ -81,7 +76,6 @@ printf '%s\n'\ " es_token: '$ESTOKEN'"\ " endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\ " grid_enrollment: '$GRIDNODESENROLLMENTOKEN'"\ - " url: '{{ GLOBALS.manager_ip }}'"\ "" >> "$pillar_file" #Store Grid Nodes Enrollment token in Global pillar @@ -91,19 +85,4 @@ printf '%s\n'\ "" >> "$global_pillar_file" # Call Elastic-Fleet Salt State -salt-call state.apply elasticfleet queue=True - -# Load Elastic Fleet integrations -/usr/sbin/so-elastic-fleet-integration-policy-load - -# Temp -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.7.0/so-elastic-agent-8.7.0-darwin-x86_64.tar.gz -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.7.0/so-elastic-agent-8.7.0-linux-x86_64.tar.gz -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.7.0/so-elastic-agent-8.7.0-windows-x86_64.tar.gz - -#git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git -#cd securityonion-image/so-elastic-agent-builder -#docker build -t so-elastic-agent-builder . - -so-elastic-agent-gen-installers -salt-call state.apply elasticfleet.install_agent_grid queue=True +salt-call state.apply elasticfleet queue=True \ No newline at end of file diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 16dcdf729..32fa84f3c 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -43,7 +43,7 @@ APPLY=${APPLY,,} function rolecall() { THEROLE=$1 - THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog" + THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval fleet heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog" for AROLE in $THEROLES; do if [ "$AROLE" = "$THEROLE" ]; then diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion index 19ea26864..0465f0bbb 100755 --- a/salt/common/tools/sbin/so-firewall-minion +++ b/salt/common/tools/sbin/so-firewall-minion @@ -56,8 +56,11 @@ fi so-firewall --role=sensors --ip="$IP" so-firewall --apply=true --role=searchnodes --ip="$IP" ;; - 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') + 'FLEET' | 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') case "$ROLE" in + 'FLEET') + so-firewall --apply=true --role=fleet --ip="$IP" + ;; 'SENSOR') so-firewall --apply=true --role=sensors --ip="$IP" ;; diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index dc9d1e2fa..2f506863d 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -132,6 +132,22 @@ function add_elastic_to_minion() { " " >> $PILLARFILE } +# Add Elastic Fleet Server settings to the minion file +function add_fleet_to_minion() { + + # Create ES Token for Fleet server (Curl to Kibana API) + # TODO: Add error handling + ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) + + # Write out settings to minion file + printf '%s\n'\ + "elasticfleet:"\ + " server:"\ + " es_token: '$ESTOKEN'"\ + " " >> $PILLARFILE +} + + # Add IDH Services info to the minion file function add_idh_to_minion() { printf '%s\n'\ @@ -202,6 +218,43 @@ function add_sensor_to_minion() { echo " enabled: True" >> $PILLARFILE } +function create_fleet_policy() { + + JSON_STRING=$( jq -n \ + --arg NAME "FleetServer_$LSHOSTNAME" \ + --arg DESC "Fleet Server - $LSHOSTNAME" \ + '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":true}' + ) + + # Create Fleet Sever Policy + curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" + + JSON_STRING_UPDATE=$( jq -n \ + --arg NAME "FleetServer_$LSHOSTNAME" \ + --arg DESC "Fleet Server - $LSHOSTNAME" \ + '{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"data_output_id":"so-manager_elasticsearch"}' + ) + + # Update Fleet Policy - ES Output + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_$LSHOSTNAME" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING_UPDATE" +} + +function update_fleet_host_urls() { + # Query for current Fleet Host URLs & append New Fleet Node Hostname & IP + JSON_STRING=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts' | jq --arg HOSTNAME "https://$LSHOSTNAME:8220" --arg IP "https://$MAINIP:8220" -r '.items[].host_urls += [ $HOSTNAME, $IP ] | {"name":"Default","host_urls": .items[].host_urls,"is_default":true,"proxy_id":null}') + + # Update Fleet Host URLs + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/fleet_server_hosts/fleet-default-fleet-server-host" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} + +function update_logstash_outputs() { + # Query for current Logstash outputs & append New Fleet Node Hostname & IP + JSON_STRING=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_logstash' | jq --arg HOSTNAME "$LSHOSTNAME:5055" --arg IP "$MAINIP:5055" -r '.item.hosts += [ $HOSTNAME, $IP ] | {"name":"grid-logstash","type":"logstash","hosts": .item.hosts,"is_default":true,"is_default_monitoring":true,"config_yaml":""}') + + # Update Logstash Outputs + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_logstash" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} + function updateMine() { salt "$MINION_ID" mine.send network.ip_addrs interface="$MNIC" } @@ -214,6 +267,14 @@ function createEVAL() { add_sensor_to_minion } +function createFLEET() { + add_fleet_to_minion + add_logstash_to_minion + create_fleet_policy + update_fleet_host_urls + update_logstash_outputs +} + function createIDH() { add_idh_to_minion } diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 83e30066d..0fb1d91b8 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -38,6 +38,7 @@ docker: - 0.0.0.0:3765:3765 - 0.0.0.0:5044:5044 - 0.0.0.0:5055:5055 + - 0.0.0.0:5056:5056 - 0.0.0.0:5644:5644 - 0.0.0.0:6050:6050 - 0.0.0.0:6051:6051 diff --git a/salt/elasticfleet/files/certs/placeholder b/salt/elasticfleet/files/certs/placeholder new file mode 100644 index 000000000..e69de29bb diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/osquery.json b/salt/elasticfleet/files/integrations/endpoints-initial/osquery.json new file mode 100644 index 000000000..71d2345a5 --- /dev/null +++ b/salt/elasticfleet/files/integrations/endpoints-initial/osquery.json @@ -0,0 +1,20 @@ +{ + "package": { + "name": "osquery_manager", + "version": "1.6.0" + }, + "name": "osquery-endpoints", + "namespace": "default", + "policy_id": "endpoints-initial", + "inputs": { + "osquery_manager-osquery": { + "enabled": true, + "streams": { + "osquery_manager.result": { + "enabled": true, + "vars": {} + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json new file mode 100644 index 000000000..eb5ef74e9 --- /dev/null +++ b/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json @@ -0,0 +1,76 @@ +{ + "package": { + "name": "system", + "version": "1.25.2" + }, + "name": "system-endpoints", + "namespace": "default", + "policy_id": "endpoints-initial", + "inputs": { + "system-logfile": { + "enabled": true, + "streams": { + "system.auth": { + "enabled": true, + "vars": { + "ignore_older": "72h", + "paths": [ + "/var/log/auth.log*", + "/var/log/secure*" + ], + "preserve_original_event": false, + "tags": [ + "system-auth" + ] + } + }, + "system.syslog": { + "enabled": true, + "vars": { + "paths": [ + "/var/log/messages*", + "/var/log/syslog*" + ], + "tags": [], + "ignore_older": "72h" + } + } + } + }, + "system-winlog": { + "enabled": true, + "streams": { + "system.application": { + "enabled": true, + "vars": { + "preserve_original_event": false, + "ignore_older": "72h", + "language": 0, + "tags": [] + } + }, + "system.security": { + "enabled": true, + "vars": { + "preserve_original_event": false, + "ignore_older": "72h", + "language": 0, + "tags": [] + } + }, + "system.system": { + "enabled": true, + "vars": { + "preserve_original_event": false, + "ignore_older": "72h", + "language": 0, + "tags": [] + } + } + } + }, + "system-system/metrics": { + "enabled": false + } + } +} diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json new file mode 100644 index 000000000..9b647c8ab --- /dev/null +++ b/salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json @@ -0,0 +1,59 @@ +{ + "package": { + "name": "windows", + "version": "1.19.1" + }, + "name": "windows-endpoints", + "namespace": "default", + "policy_id": "endpoints-initial", + "inputs": { + "windows-winlog": { + "enabled": true, + "streams": { + "windows.forwarded": { + "enabled": true, + "vars": { + "preserve_original_event": false, + "ignore_older": "72h", + "language": 0, + "tags": [ + "forwarded" + ] + } + }, + "windows.powershell": { + "enabled": true, + "vars": { + "preserve_original_event": false, + "event_id": "400, 403, 600, 800", + "ignore_older": "72h", + "language": 0, + "tags": [] + } + }, + "windows.powershell_operational": { + "enabled": true, + "vars": { + "preserve_original_event": false, + "event_id": "4103, 4104, 4105, 4106", + "ignore_older": "72h", + "language": 0, + "tags": [] + } + }, + "windows.sysmon_operational": { + "enabled": true, + "vars": { + "preserve_original_event": false, + "ignore_older": "72h", + "language": 0, + "tags": [] + } + } + } + }, + "windows-windows/metrics": { + "enabled": false + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/elasticsearch-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/elasticsearch-logs.json new file mode 100644 index 000000000..1a93a9022 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/elasticsearch-logs.json @@ -0,0 +1,106 @@ +{ + "package": { + "name": "elasticsearch", + "version": "1.0.0" + }, + "name": "elasticsearch-logs", + "namespace": "default", + "description": "Elasticsearch Logs", + "policy_id": "so-grid-nodes", + "inputs": { + "elasticsearch-logfile": { + "enabled": true, + "streams": { + "elasticsearch.audit": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_audit.json" + ] + } + }, + "elasticsearch.deprecation": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_deprecation.json" + ] + } + }, + "elasticsearch.gc": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/gc.log.[0-9]*", + "/var/log/elasticsearch/gc.log" + ] + } + }, + "elasticsearch.server": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/elasticsearch/*.log" + ] + } + }, + "elasticsearch.slowlog": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_index_search_slowlog.json", + "/var/log/elasticsearch/*_index_indexing_slowlog.json" + ] + } + } + } + }, + "elasticsearch-elasticsearch/metrics": { + "enabled": false, + "vars": { + "hosts": [ + "http://localhost:9200" + ], + "scope": "node" + }, + "streams": { + "elasticsearch.stack_monitoring.ccr": { + "enabled": false + }, + "elasticsearch.stack_monitoring.cluster_stats": { + "enabled": false + }, + "elasticsearch.stack_monitoring.enrich": { + "enabled": false + }, + "elasticsearch.stack_monitoring.index": { + "enabled": false + }, + "elasticsearch.stack_monitoring.index_recovery": { + "enabled": false, + "vars": { + "active.only": true + } + }, + "elasticsearch.stack_monitoring.index_summary": { + "enabled": false + }, + "elasticsearch.stack_monitoring.ml_job": { + "enabled": false + }, + "elasticsearch.stack_monitoring.node": { + "enabled": false + }, + "elasticsearch.stack_monitoring.node_stats": { + "enabled": false + }, + "elasticsearch.stack_monitoring.pending_tasks": { + "enabled": false + }, + "elasticsearch.stack_monitoring.shard": { + "enabled": false + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/idh-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/idh-logs.json new file mode 100644 index 000000000..1b918be1a --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/idh-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.1" + }, + "name": "idh-logs", + "namespace": "so", + "description": "IDH integration", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/idh/opencanary.log" + ], + "data_stream.dataset": "idh", + "tags": [], + "processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '[\"prospector\", \"input\", \"offset\", \"beat\"]'\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json new file mode 100644 index 000000000..aa54f7226 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.0" + }, + "name": "import-evtx-logs", + "namespace": "so", + "description": "Import Windows EVTX logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/import/*/evtx/data.json" + ], + "data_stream.dataset": "import", + "tags": [], + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- add_fields:\n target: event\n fields:\n module: windows_eventlog\n imported: true", + "custom": "pipeline: import.wel" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/import-suricata-logs.json new file mode 100644 index 000000000..e8b05a7d1 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/import-suricata-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.0" + }, + "name": "import-suricata-logs", + "namespace": "so", + "description": "Import Suricata logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/import/*/suricata/eve*.json" + ], + "data_stream.dataset": "import", + "tags": [], + "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", + "custom": "pipeline: suricata.common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json new file mode 100644 index 000000000..ab752eaec --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.0" + }, + "name": "import-zeek-logs", + "namespace": "so", + "description": "Zeek Import logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/import/*/zeek/logs/*.log" + ], + "data_stream.dataset": "import", + "tags": [], + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", + "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/kratos-logs.json new file mode 100644 index 000000000..87c4fc82c --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/kratos-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.0" + }, + "name": "kratos-logs", + "namespace": "so", + "description": "Kratos logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/kratos/kratos.log" + ], + "data_stream.dataset": "kratos", + "tags": [], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos", + "custom": "pipeline: kratos" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/osquery-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes/osquery-grid-nodes.json new file mode 100644 index 000000000..92f10f591 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/osquery-grid-nodes.json @@ -0,0 +1,20 @@ +{ + "package": { + "name": "osquery_manager", + "version": "1.6.0" + }, + "name": "osquery-grid-nodes", + "namespace": "default", + "policy_id": "so-grid-nodes", + "inputs": { + "osquery_manager-osquery": { + "enabled": true, + "streams": { + "osquery_manager.result": { + "enabled": true, + "vars": {} + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/redis-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/redis-logs.json new file mode 100644 index 000000000..8b71cbac7 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/redis-logs.json @@ -0,0 +1,76 @@ +{ + "package": { + "name": "redis", + "version": "1.4.0" + }, + "name": "redis-logs", + "namespace": "default", + "description": "Redis logs", + "policy_id": "so-grid-nodes", + "inputs": { + "redis-logfile": { + "enabled": true, + "streams": { + "redis.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/redis/redis.log" + ], + "tags": [ + "redis-log" + ], + "preserve_original_event": false + } + } + } + }, + "redis-redis": { + "enabled": false, + "streams": { + "redis.slowlog": { + "enabled": false, + "vars": { + "hosts": [ + "127.0.0.1:6379" + ], + "password": "" + } + } + } + }, + "redis-redis/metrics": { + "enabled": false, + "vars": { + "hosts": [ + "127.0.0.1:6379" + ], + "idle_timeout": "20s", + "maxconn": 10, + "network": "tcp", + "password": "" + }, + "streams": { + "redis.info": { + "enabled": false, + "vars": { + "period": "10s" + } + }, + "redis.key": { + "enabled": false, + "vars": { + "key.patterns": "- limit: 20\n pattern: *\n", + "period": "10s" + } + }, + "redis.keyspace": { + "enabled": false, + "vars": { + "period": "10s" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/soc-auth-sync-logs.json new file mode 100644 index 000000000..e5067490d --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/soc-auth-sync-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.2" + }, + "name": "soc-auth-sync-logs", + "namespace": "so", + "description": "Security Onion - Elastic Auth Sync - Logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/soc/sync.log" + ], + "data_stream.dataset": "soc", + "tags": [], + "processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/soc-salt-relay-logs.json new file mode 100644 index 000000000..90ac79824 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/soc-salt-relay-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.2" + }, + "name": "soc-salt-relay-logs", + "namespace": "so", + "description": "Security Onion - Salt Relay - Logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/soc/salt-relay.log" + ], + "data_stream.dataset": "soc", + "tags": [], + "processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/soc-sensoroni-logs.json new file mode 100644 index 000000000..8d94f2d8d --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/soc-sensoroni-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.2" + }, + "name": "soc-sensoroni-logs", + "namespace": "so", + "description": "Security Onion - Sensoroni - Logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/sensoroni/sensoroni.log" + ], + "data_stream.dataset": "soc", + "tags": [], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/soc-server-logs.json new file mode 100644 index 000000000..908b1a782 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/soc-server-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.2" + }, + "name": "soc-server-logs", + "namespace": "so", + "description": "Security Onion Console Logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/soc/sensoroni-server.log" + ], + "data_stream.dataset": "soc", + "tags": [], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/strelka-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/strelka-logs.json new file mode 100644 index 000000000..75bd9d73c --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/strelka-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.0" + }, + "name": "strelka-logs", + "namespace": "so", + "description": "Strelka logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/strelka/log/strelka.log" + ], + "data_stream.dataset": "strelka", + "tags": [], + "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", + "custom": "pipeline: strelka.file" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/suricata-logs.json new file mode 100644 index 000000000..623513c34 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/suricata-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.0" + }, + "name": "suricata-logs", + "namespace": "so", + "description": "Suricata integration", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/suricata/eve*.json" + ], + "data_stream.dataset": "suricata", + "tags": [], + "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", + "custom": "pipeline: suricata.common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/syslog-tcp-514.json b/salt/elasticfleet/files/integrations/grid-nodes/syslog-tcp-514.json new file mode 100644 index 000000000..a6321f19b --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/syslog-tcp-514.json @@ -0,0 +1,32 @@ +{ + "package": { + "name": "tcp", + "version": "1.5.0" + }, + "name": "syslog-tcp-514", + "namespace": "so", + "description": "Syslog Over TCP Port 514", + "policy_id": "so-grid-nodes", + "inputs": { + "tcp-tcp": { + "enabled": true, + "streams": { + "tcp.generic": { + "enabled": true, + "vars": { + "listen_address": "0.0.0.0", + "listen_port": "514", + "data_stream.dataset": "syslog", + "pipeline": "syslog", + "processors": "- add_fields:\n target: event\n fields:\n module: syslog", + "tags": [ + "syslog" + ], + "syslog_options": "field: message\n#format: auto\n#timezone: Local", + "ssl": "" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/syslog-udp-514.json b/salt/elasticfleet/files/integrations/grid-nodes/syslog-udp-514.json new file mode 100644 index 000000000..b9dd14640 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/syslog-udp-514.json @@ -0,0 +1,33 @@ +{ + "package": { + "name": "udp", + "version": "1.5.0" + }, + "name": "syslog-udp-514", + "namespace": "so", + "description": "Syslog over UDP Port 514", + "policy_id": "so-grid-nodes", + "inputs": { + "udp-udp": { + "enabled": true, + "streams": { + "udp.generic": { + "enabled": true, + "vars": { + "listen_address": "0.0.0.0", + "listen_port": "514", + "data_stream.dataset": "syslog", + "pipeline": "syslog", + "max_message_size": "10KiB", + "keep_null": false, + "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", + "tags": [ + "syslog" + ], + "syslog_options": "field: message\n#format: auto\n#timezone: Local" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json new file mode 100644 index 000000000..866bae8cd --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json @@ -0,0 +1,47 @@ +{ + "package": { + "name": "system", + "version": "1.25.2" + }, + "name": "system-grid-nodes", + "namespace": "default", + "policy_id": "so-grid-nodes", + "inputs": { + "system-logfile": { + "enabled": true, + "streams": { + "system.auth": { + "enabled": true, + "vars": { + "ignore_older": "72h", + "paths": [ + "/var/log/auth.log*", + "/var/log/secure*" + ], + "preserve_original_event": false, + "tags": [ + "system-auth" + ] + } + }, + "system.syslog": { + "enabled": true, + "vars": { + "paths": [ + "/var/log/messages*", + "/var/log/syslog*" + ], + "tags": [], + "ignore_older": "72h" + } + } + } + }, + "system-winlog": { + "enabled": false + }, + "system-system/metrics": { + "enabled": false + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json new file mode 100644 index 000000000..a4e0c94ee --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "1.1.0" + }, + "name": "zeek-logs", + "namespace": "so", + "description": "Zeek logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/zeek/logs/current/*.log" + ], + "data_stream.dataset": "zeek", + "tags": [], + "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", + "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" + } + } + } + } + } +} diff --git a/salt/elasticfleet/init.sls b/salt/elasticfleet/init.sls index 4218eca67..da735ffac 100644 --- a/salt/elasticfleet/init.sls +++ b/salt/elasticfleet/init.sls @@ -8,8 +8,8 @@ # These values are generated during node install and stored in minion pillar {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} -{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %} -{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %} +#{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %} +#{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %} # Add EA Group elasticsagentgroup: @@ -45,35 +45,32 @@ so-elastic-fleet: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }} - name: so-elastic-fleet - - hostname: Fleet-{{ GLOBALS.hostname }} + - hostname: FleetServer-{{ GLOBALS.hostname }} - detach: True - user: 947 - networks: - sobridge: - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - extra_hosts: - {% if GLOBALS.is_manager %} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {% else %} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: - - /opt/so/conf/elastic-fleet/certs:/etc/pki:ro - - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw + - /etc/pki:/etc/pki:ro + #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw - environment: - FLEET_SERVER_ENABLE=true - - FLEET_URL=https://{{ FLEETURL }}:8220 + - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220 - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200 - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} - - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt + - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }} + - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key - - FLEET_CA=/etc/pki/intca.crt + - FLEET_CA=/etc/pki/tls/certs/intca.crt {% endif %} append_so-elastic-fleet_so-status.conf: diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index cb02691f9..b9a8f7fb2 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -66,6 +66,41 @@ role: localhost: portgroups: - {{ portgroups.all }} + fleet: + chain: + DOCKER-USER: + hostgroups: + sensors: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} + elastic_agent_endpoint: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + standalone: + portgroups: + - {{ portgroups.salt_manager }} + sensors: + portgroups: + - {{ portgroups.salt_manager }} + searchnodes: + portgroups: + - {{ portgroups.salt_manager }} + heavynodes: + portgroups: + - {{ portgroups.salt_manager }} manager: chain: DOCKER-USER: @@ -272,12 +307,25 @@ role: - {{ portgroups.yum }} - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} + - {{ portgroups.beats_5056 }} - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.elastic_agent_control }} - {{ portgroups.elastic_agent_data }} - {{ portgroups.endgame }} - {{ portgroups.strelka_frontend }} + fleet: + portgroups: + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} + - {{ portgroups.sensoroni }} + - {{ portgroups.yum }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + - {{ portgroups.beats_5056 }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} sensors: portgroups: - {{ portgroups.docker_registry }} @@ -286,6 +334,7 @@ role: - {{ portgroups.yum }} - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} + - {{ portgroups.beats_5056 }} - {{ portgroups.elastic_agent_control }} - {{ portgroups.elastic_agent_data }} searchnodes: @@ -342,6 +391,9 @@ role: dockernet: portgroups: - {{ portgroups.all }} + fleet: + portgroups: + - {{ portgroups.salt_manager }} localhost: portgroups: - {{ portgroups.all }} diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index a2114258f..617b4a216 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja @@ -93,6 +93,12 @@ 'so-idh', ] %} +{% elif GLOBALS.role == 'so-fleet' %} +{% set NODE_CONTAINERS = [ + 'so-elastic-fleet', + 'so-logstash', +] %} + {% elif GLOBALS.role == 'so-sensor' %} {% set NODE_CONTAINERS = [] %} diff --git a/salt/firewall/hostgroups/fleet b/salt/firewall/hostgroups/fleet new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/ports/ports.yaml b/salt/firewall/ports/ports.yaml index de0539258..79bdf93b4 100644 --- a/salt/firewall/ports/ports.yaml +++ b/salt/firewall/ports/ports.yaml @@ -17,6 +17,9 @@ firewall: beats_5066: tcp: - 5066 + beats_5056: + tcp: + - 5056 docker_registry: tcp: - 5000 @@ -32,7 +35,6 @@ firewall: elastic_agent_data: tcp: - 5055 - - 9200 endgame: tcp: - 3765 diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 64a5646e5..45dacd1da 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -30,63 +30,4 @@ kibana: secureCookies: true reporting: kibanaServer: - hostname: localhost - fleet: - packages: - - name: fleet_server - version: latest - - name: log - version: latest - - name: osquery_manager - version: latest - - name: system - version: latest - - name: windows - version: latest - agentPolicies: - - name: SO-Manager - id: so-manager - description: "SO Manager Fleet Server Policy" - namespace: default - is_default_fleet_server: true - monitoring_enabled: ['logs'] - package_policies: - - name: fleet-server_manager - package: - name: fleet_server - - name: SO-Grid-Nodes - id: so-grid-nodes - description: "SO Grid Node Policy" - namespace: default - monitoring_enabled: ['logs'] - package_policies: - - name: osquery-grid-nodes - package: - name: osquery_manager - - name: system-grid-nodes - package: - name: system - inputs: - - type: system/metrics - enabled: false - - name: Endpoints-Initial - id: endpoints-default - description: "Initial Endpoint Policy" - namespace: default - monitoring_enabled: ['logs'] - package_policies: - - name: system-endpoints - package: - name: system - inputs: - - type: system/metrics - enabled: false - - name: osquery-endpoints - package: - name: osquery_manager - - name: windows-endpoints - package: - name: windows - inputs: - - type: windows/metrics - enabled: false + hostname: localhost \ No newline at end of file diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index ba1413c74..a974dcf48 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -108,12 +108,6 @@ append_so-kibana_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-kibana -osquery_hunt_link: - cmd.script: - - source: salt://kibana/files/live_query_fixup.sh - - cwd: /root - - template: jinja - {% else %} {{sls}}_state_not_allowed: diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 1b4aeb334..7f3aef0aa 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -22,7 +22,7 @@ include: - ssl - {% if GLOBALS.role not in ['so-receiver'] %} + {% if GLOBALS.role not in ['so-receiver','so-fleet'] %} - elasticsearch {% endif %} @@ -164,6 +164,10 @@ so-logstash: - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro {% endif %} + {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-eval','so-fleet'] %} + - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro + - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro + {% endif %} {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {% else %} diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index 553144b45..e23f944a2 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja @@ -4,7 +4,7 @@ {% set node_data = salt['pillar.get']('logstash:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %} {% for node_type, node_details in node_data.items() | sort %} -{% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %} +{% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch', 'so-fleet'] %} {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} {% for hostname in node_data[node_type].keys() %} {% do REDIS_NODES.append({hostname:node_details[hostname].ip}) %} diff --git a/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf index ba89001b6..2cb31ed45 100644 --- a/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf +++ b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf @@ -4,8 +4,8 @@ input { tags => [ "elastic-agent" ] ssl => true ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] - ssl_certificate => "/usr/share/logstash/filebeat.crt" - ssl_key => "/usr/share/logstash/filebeat.key" + ssl_certificate => "/usr/share/logstash/elasticfleet-logstash.crt" + ssl_key => "/usr/share/logstash/elasticfleet-logstash.key" ssl_verify_mode => "force_peer" ecs_compatibility => v8 } diff --git a/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf b/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf new file mode 100644 index 000000000..894ecddb2 --- /dev/null +++ b/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf @@ -0,0 +1,13 @@ +input { + http { + additional_codecs => { "application/json" => "json_lines" } + port => 5056 + tags => [ "elastic-agent" ] + ssl => true + ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] + ssl_certificate => "/usr/share/logstash/filebeat.crt" + ssl_key => "/usr/share/logstash/filebeat.key" + ssl_verify_mode => "peer" + ecs_compatibility => v8 + } +} \ No newline at end of file diff --git a/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja b/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja new file mode 100644 index 000000000..eec2bd74f --- /dev/null +++ b/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja @@ -0,0 +1,11 @@ +output { + http { + url => 'https://{{ GLOBALS.manager }}:5056' + cacert => ["/usr/share/filebeat/ca.crt"] + http_method => post + retry_non_idempotent => true + format => json_batch + http_compression => true + ecs_compatibility => v8 + } +} \ No newline at end of file diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 9d280ff36..e2acf546f 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -138,7 +138,9 @@ rediskeyperms: - group: 939 {% endif %} -{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet'] %} +# Create cert for Elastic Fleet Host + etc_elasticfleet_key: x509.private_key_managed: - name: /etc/pki/elasticfleet.key @@ -187,33 +189,149 @@ efperms: - mode: 640 - group: 939 -chownilogstashelasticfleetp8: +chownelasticfleetcrt: file.managed: - replace: False - - name: /etc/pki/elasticfleet.p8 + - name: /etc/pki/elasticfleet.crt - mode: 640 - user: 947 - group: 939 -# Create Symlinks to the keys so I can distribute it to all the things +chownelasticfleetkey: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet.key + - mode: 640 + - user: 947 + - group: 939 + +# Create Symlinks to the keys to distribute it to all the things elasticfleetdircerts: file.directory: - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs - makedirs: True -efkeylink: - file.symlink: - - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.p8 - - target: /etc/pki/elasticfleet.p8 - - user: socore - - group: socore - efcrtlink: file.symlink: - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.crt - target: /etc/pki/elasticfleet.crt - user: socore - group: socore + + +{% if grains.role not in ['so-fleet'] %} +# Create Cert for Elastic Fleet Logstash Input (Same cert used across all Fleet nodes) + +etc_elasticfleetlogstash_key: + x509.private_key_managed: + - name: /etc/pki/elasticfleet-logstash.key + - CN: {{ COMMONNAME }} + - bits: 4096 + - days_remaining: 0 + - days_valid: 820 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%} + - prereq: + - x509: etc_elasticfleet_crt + {%- endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +# Request a cert and drop it where it needs to go to be distributed +etc_elasticfleetlogstash_crt: + x509.certificate_managed: + - name: /etc/pki/elasticfleet-logstash.crt + - ca_server: {{ ca_server }} + - signing_policy: elasticfleet + - public_key: /etc/pki/elasticfleet-logstash.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 0 + - days_valid: 820 + - backup: True +{% if grains.role not in ['so-heavynode'] %} + - unless: + # https://github.com/saltstack/salt/issues/52167 + # Will trigger 5 days (432000 sec) from cert expiration + - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt" + - onchanges: + - x509: etc_elasticfleet_key + +eflogstashperms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.key + - mode: 640 + - group: 939 + +chownilogstashelasticfleetp8: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.p8 + - mode: 640 + - user: 947 + - group: 939 + +chownilogstashelasticfleetlogstashcrt: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.crt + - mode: 640 + - user: 947 + - group: 939 + +chownilogstashelasticfleetlogstashkey: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.key + - mode: 640 + - user: 947 + - group: 939 + +eflogstashkeylink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet-logstash.p8 + - target: /etc/pki/elasticfleet.p8 + - user: socore + - group: socore + +eflogstashcrtlink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet-logstash.crt + - target: /etc/pki/elasticfleet.crt + - user: socore + - group: socore + +{% endif %} + +/opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8: + file.managed: + - replace: True + - source: salt://elasticfleet/files/certs/elasticfleet-logstash.p8 + - makedirs: True + - mode: 640 + - user: 931 + - group: 939 + +/opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt: + file.managed: + - replace: True + - source: salt://elasticfleet/files/certs/elasticfleet-logstash.crt + - makedirs: True + - mode: 640 + - user: 931 + - group: 939 + {% endif %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} diff --git a/salt/top.sls b/salt/top.sls index cfcb8220e..372c64115 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -339,6 +339,18 @@ base: - docker_clean - idh + '*_fleet and G@saltversion:{{saltversion}}': + - match: compound + - ssl + - sensoroni + - telegraf + - firewall + - logstash + - elasticfleet + - elasticfleet.install_agent_grid + - schedule + - docker_clean + 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )': - match: compound - workstation diff --git a/salt/vars/fleet.map.jinja b/salt/vars/fleet.map.jinja new file mode 100644 index 000000000..964f69663 --- /dev/null +++ b/salt/vars/fleet.map.jinja @@ -0,0 +1 @@ +{% set ROLE_GLOBALS = {} %} diff --git a/setup/so-setup b/setup/so-setup index 4a9aca6ff..aa35a459a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -444,7 +444,19 @@ if ! [[ -f $install_opt_file ]]; then whiptail_sensor_nics set_minion_info whiptail_end_settings - + + elif [[ $is_fleet ]]; then + check_requirements "fleet" + networking_needful + check_network_manager_conf + set_network_dev_status_list + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + detect_cloud + set_minion_info + whiptail_end_settings + elif [[ $is_searchnode ]]; then #ubuntu_check installer_prereq_packages @@ -629,11 +641,13 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.apply -l info manager" logCmd "salt-call state.apply influxdb -l info" logCmd "salt-call state.highstate -l info" + title "Setting up Kibana Default Space" + logCmd "so-kibana-space-defaults" add_web_user info "Restarting SOC to pick up initial user" logCmd "so-soc-restart" title "Setting up Elastic Fleet" - logCmd "so-elastic-fleet-setup" + logCmd "so-elastic-fleet-setup" if [[ ! $is_import ]]; then title "Setting up Playbook" logCmd "so-playbook-reset" diff --git a/setup/so-whiptail b/setup/so-whiptail index ea7740ab1..84e9958ab 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -617,7 +617,7 @@ whiptail_install_type_dist_existing() { install_type=$(whiptail --title "$whiptail_title" --menu "$node_msg" 19 75 6 \ "SENSOR" "Create a forward only sensor " \ "SEARCHNODE" "Add a search node with parsing " \ - "FLEET" "Dedicated Fleet Osquery Node " \ + "FLEET" "Dedicated Elastic Fleet Node " \ "HEAVYNODE" "Sensor + Search Node " \ "IDH" "Intrusion Detection Honeypot Node " \ "RECEIVER" "Receiver Node " \