Merge pull request #8816 from Security-Onion-Solutions/funstuff

2025-12-06 09:12:45 +01:00 · 2022-09-26 18:15:14 -04:00
parent ea8d9362ae 2066efcabf
commit e032a9f449
3 changed files with 6 additions and 3 deletions
--- a/salt/filebeat/defaults.yaml
+++ b/salt/filebeat/defaults.yaml
@@ -1,6 +1,5 @@
 filebeat:
  config:
-  
  zeek_logs_enabled:
    - conn
    - dce_rpc
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -131,7 +131,11 @@ filebeat.inputs:

 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
  {%- if ZEEKVER != 'SURICATA' %}
-    {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
+  {% import_yaml 'filebeat/defaults.yaml' as FBD with context %}
+
+  {% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %}
+
+    {%- for LOGNAME in FBCONFIG.zeek_logs_enabled %}
 - type: filestream
  id: zeek-{{ LOGNAME }}
  paths:
--- a/salt/idstools/sync_files.sls
+++ b/salt/idstools/sync_files.sls
@@ -30,7 +30,7 @@ rulesdir:
 synclocalnidsrules:
  file.recurse:
    - name: /opt/so/rules/nids/
-    - source: salt://idstools/
+    - source: salt://idstools/rules/
    - user: 939
    - group: 939
    - show_changes: False