add zeekloglookup to translate zeeklogs to filebeat filesets

This commit is contained in:
m0duspwnens
2021-05-25 17:14:26 -04:00
parent 2eee6b45bc
commit dfaf40f583
3 changed files with 13 additions and 3 deletions


@@ -23,7 +23,6 @@
{% from 'filebeat/map.jinja' import THIRDPARTY with context %}
{% from 'filebeat/map.jinja' import SO with context %}
filebeatetcdir:
file.directory:
- name: /opt/so/conf/filebeat/etc


@@ -4,3 +4,7 @@
{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
{% set SO = SODEFAULTS.securityonion_filebeat %}
{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
{% set ZEEKLOGLOOKUP = {
'conn': 'connection',
} %}
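Review bot: The new ZEEKLOGLOOKUP map carries no comment saying what its keys and values are, so a maintainer adding the next Zeek log has to read the consumer in the other file to learn that the key is the Zeek log name from the `zeeklogs:enabled` pillar and the value is the Filebeat zeek-module fileset name. A one-line Jinja comment above the `{% set ZEEKLOGLOOKUP = {` line would fix that, e.g. `{# Zeek log name -> filebeat zeek fileset name; only logs whose fileset is not simply the log name need an entry #}`. It would also help to note there that the map is rendered as template text, so any new value must still be a valid plain YAML key in the consumer.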


@@ -1,4 +1,6 @@
{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %}
securityonion_filebeat:
modules:
elasticsearch:
@@ -25,9 +27,14 @@ securityonion_filebeat:
{%- if ZEEKVER != 'SURICATA' %}
zeek:
{%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
{{ LOGNAME }}:
{% if LOGNAME in ZEEKLOGLOOKUP.keys() %}
{% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %}
{% else %}
{% set FILESET = LOGNAME %}
{% endif %}
{{ FILESET }}:
enabled: false
var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endif %}
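Review bot: The five-line `{% if LOGNAME in ZEEKLOGLOOKUP.keys() %}` / `{% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %}` / `{% else %}` / `{% set FILESET = LOGNAME %}` / `{% endif %}` block in the second hunk is a key lookup with a fallback, which `get` already supports, so it can be `{%- set FILESET = ZEEKLOGLOOKUP.get(LOGNAME, LOGNAME) %}` on one line. The new tags also drop the `{%-` whitespace control that every surrounding tag uses, which leaves indentation-only lines in the rendered YAML; harmless to the parser, but the file is otherwise consistent, so the replacement line should keep the leading dash. It appears from the rendered page that `{{ LOGNAME }}:` is the removed line and `{{ FILESET }}:` its replacement, but the markers are lost, so confirm that the two are not both emitted. The `{%- for %}` and the outer `{%- if %}` blocks this hunk closes are opened outside the hunk.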