Initial EG stuff

2025-12-06 09:12:45 +01:00 · 2021-10-13 17:13:07 +00:00
parent 2561480371
commit e1629d7ec4
8 changed files with 2910 additions and 1 deletions
--- a/salt/logstash/pipelines/config/so/0011_input_endgame.conf
+++ b/salt/logstash/pipelines/config/so/0011_input_endgame.conf
@@ -0,0 +1,12 @@
+input {
+  http {
+    id => "endgame_data"
+    port => 3765
+    codec => es_bulk
+    ssl => true
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    ssl_verify_mode => "peer"
+  }
+}
--- a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
+filter {
+  if [event][module] =~ "endgame" {
+    mutate {
+      remove_field => ["headers", "host"]
+    }
+  }
+}
+output {
+  if [event][module] =~ "endgame" {
+    elasticsearch {
+      id => "endgame_es_output"
+      hosts => "{{ ES }}"
+    {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
+      user => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
+    {% endif %}
+      index => "endgame-%{+YYYY.MM.dd}"
+      ssl => true
+      ssl_certificate_verification => false
+    }
+  }
+}