From e3cd8a9c6a24fa0edea802b43dd4ddf0baba68e1 Mon Sep 17 00:00:00 2001 
From: Wes
Date: Wed, 14 Sep 2022 14:20:08 +0000
Subject: [PATCH] Remove main pipeline configuration
---
 .../config/so/2000_network_flow.conf | 59 ----
 .../pipelines/config/so/6000_bro.conf | 228 --------------
 .../pipelines/config/so/6001_bro_import.conf | 16 -
 .../pipelines/config/so/6002_syslog.conf | 11 -
 .../config/so/6101_switch_brocade.conf | 33 --
 .../config/so/6200_firewall_fortinet.conf | 281 ------------------
 .../config/so/6201_firewall_pfsense.conf | 56 ----
 .../pipelines/config/so/6300_windows.conf | 161 ----------
 .../pipelines/config/so/6301_dns_windows.conf | 49 ---
 .../pipelines/config/so/6400_suricata.conf | 92 ------
 .../pipelines/config/so/6500_ossec.conf | 160 ----------
 .../config/so/6501_ossec_sysmon.conf | 118 --------
 .../config/so/6502_ossec_autoruns.conf | 43 ---
 .../config/so/6600_winlogbeat_sysmon.conf | 23 --
 .../pipelines/config/so/6700_winlogbeat.conf | 17 --
 .../pipelines/config/so/7100_osquery_wel.conf | 23 --
 .../pipelines/config/so/7200_strelka.conf | 8 -
 17 files changed, 1378 deletions(-)
 delete mode 100644 salt/logstash/pipelines/config/so/2000_network_flow.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6000_bro.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6001_bro_import.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6002_syslog.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6101_switch_brocade.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6200_firewall_fortinet.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6201_firewall_pfsense.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6300_windows.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6301_dns_windows.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6400_suricata.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6500_ossec.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6501_ossec_sysmon.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6502_ossec_autoruns.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6600_winlogbeat_sysmon.conf
 delete mode 100644 salt/logstash/pipelines/config/so/6700_winlogbeat.conf
 delete mode 100644 salt/logstash/pipelines/config/so/7100_osquery_wel.conf
 delete mode 100644 salt/logstash/pipelines/config/so/7200_strelka.conf

diff --git a/salt/logstash/pipelines/config/so/2000_network_flow.conf b/salt/logstash/pipelines/config/so/2000_network_flow.conf
deleted file mode 100644
index 40a060955..000000000
--- a/salt/logstash/pipelines/config/so/2000_network_flow.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- if [type] == "sflow" {
- if [message] =~ /CNTR/ {
- drop { }
- }
-
- grok {
- match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
- }
-
- if "_grokparsefailure" in [tags] {
- drop { }
- }
-
- mutate {
- add_field => {
- "[source_hostname]" => "%{source_ip}"
- "[destination_hostname]" => "%{destination_ip}"
- "[sflow_source_hostname]" => "%{sflow_source_ip}"
- }
- }
-
- translate {
- field => "[source_port]"
- destination => "[source_service]"
- dictionary_path => "/lib/dictionaries/iana_services.yaml"
- }
-
- translate {
- field => "[destination_port]"
- destination => "[destination_service]"
- dictionary_path => "/lib/dictionaries/iana_services.yaml"
- }
-
- translate {
- field => "[protocol]"
- destination => "[protocol_name]"
- dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
- }
-
- translate {
- field => "[tcp_flags]"
- destination => "[tcp_flag]"
- dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
- }
-
- mutate {
- add_field => { "ips" => [ "%{sflow_source_ip}" ] }
- }
- mutate {
- #add_tag => [ "conf_file_2000"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6000_bro.conf b/salt/logstash/pipelines/config/so/6000_bro.conf
deleted file mode 100644
index 4ba3d3989..000000000
--- a/salt/logstash/pipelines/config/so/6000_bro.conf
+++ /dev/null
@@ -1,228 +0,0 @@
-# Original Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 2/10/2018
-#
-filter {
- if "bro" in [tags] {
-
- # Bro logs have a high quality timestamp, so let's copy that to @timestamp.
- # Before we do, let's copy the existing logstash @timestamp to timestamp.
- mutate {
- add_field => { "logstash_timestamp" => "%{@timestamp}" }
- }
- mutate {
- convert => { "logstash_timestamp" => "string" }
- }
- mutate {
- convert => { "timestamp" => "string" }
- }
- # New Bro JSON logs use ISO8601 timestamps.
- # Old Bro TSV logs use UNIX timestamps.
- date {
- match => [ "timestamp", "ISO8601", "UNIX" ]
- }
- mutate {
- rename => { "logstash_timestamp" => "timestamp" }
- }
-
- if [duration] == "-" {
- mutate {
- replace => [ "duration", "0" ]
- }
- }
- if [original_bytes] == "-" {
- mutate {
- replace => [ "original_bytes", "0" ]
- }
- }
- # If MissedBytes is unspecified set it to zero so it is an integer
- if [missed_bytes] == "-" {
- mutate {
- replace => [ "missed_bytes", "0" ]
- }
- }
- # If OriginalIPBytes is unspecified set it to zero so it is an integer
- if [original_ip_bytes] == "-" {
- mutate {
- replace => [ "original_ip_bytes", "0" ]
- }
- }
- # If RespondBytes is unspecified set it to zero so it is an integer
- if [respond_bytes] == "-" {
- mutate {
- replace => [ "respond_bytes", "0" ]
- }
- }
- # If RespondIPBytes is unspecified set it to zero so it is an integer
- if [respond_ip_bytes] == "-" {
- mutate {
- replace => [ "respond_ip_bytes", "0" ]
- }
- }
- if [request_body_length] == "-" {
- mutate {
- replace => [ "request_body_length", "0" ]
- }
- }
- if [response_body_length] == "-" {
- mutate {
- replace => [ "response_body_length", "0" ]
- }
- }
- if [source_port] == "-" {
- mutate {
- remove_field => ["source_port"]
- }
- }
- if [destination_port] == "-" {
- mutate {
- remove_field => ["destination_port"]
- }
- }
- if [virtual_host] == "-" {
- mutate {
- remove_field => ["virtual_host"]
- }
- }
- if [x_originating_ip] == "-" {
- mutate {
- remove_field => ["x_originating_ip"]
- }
- }
- if [basic_constraints_path_length] == "-" {
- mutate {
- remove_field => ["basic_constraints_path_length"]
- }
- }
- if [data_channel_source_ip] == "-" {
- mutate {
- remove_field => ["data_channel_source_ip"]
- }
- }
- if [data_channel_destination_ip] == "-" {
- mutate {
- remove_field => ["data_channel_destination_ip"]
- }
- }
- if [desktop_width] == "-" {
- mutate {
- remove_field => ["desktop_width"]
- }
- }
- if [desktop_height] == "-" {
- mutate {
- remove_field => ["desktop_height"]
- }
- }
- if [height] == "-" {
- mutate {
- remove_field => ["height"]
- }
- }
-
-
- # I renamed conn_uids to uid so that it is easy to pivot to all things tied to a connection
- mutate {
- rename => [ "connection_uids", "uid" ]
- }
- # If total_bytes is set to "-" change it to 0 so it is an integer
- if [total_bytes] == "-" {
- mutate {
- replace => [ "total_bytes", "0" ]
- }
- }
- # If seen_bytes is set to "-" change it to 0 so it is an integer
- if [seen_bytes] == "-" {
- mutate {
- replace => [ "seen_bytes", "0" ]
- }
- }
- # If missing_bytes is set to "-" change it to 0 so it is an integer
- if [missing_bytes] == "-" {
- mutate {
- replace => [ "missing_bytes", "0" ]
- }
- }
- # If overflow_bytes is set to "-" change it to 0 so it is an integer
- if [overflow_bytes] == "-" {
- mutate {
- replace => [ "overflow_bytes", "0" ]
- }
- }
- if [dcc_file_size] == "-" {
- mutate {
- replace => [ "dcc_file_size", "0" ]
- }
- }
- if [authentication_attempts] == "-" {
- mutate {
- replace => [ "authentication_attempts", "0" ]
- }
- }
- if [file_size] == "-" {
- mutate {
- replace => [ "file_size", "0" ]
- }
- }
- if [original_ip_bytes] == "-" {
- mutate {
- replace => [ "original_ip_bytes", "0" ]
- }
- }
-
- # I recommend changing the field types below to integer or floats so searches can do greater than or less than
- # and also so math functions can be ran against them
- mutate {
- convert => [ "bound_port", "integer" ]
- convert => [ "data_channel_destination_port", "integer" ]
- convert => [ "destination_port", "integer" ]
- convert => [ "depth", "integer" ]
- #convert => [ "duration", "float" ]
- convert => [ "info_code", "integer" ]
- convert => [ "missed_bytes", "integer" ]
- convert => [ "missing_bytes", "integer" ]
- convert => [ "n", "integer" ]
- convert => [ "original_bytes", "integer" ]
- convert => [ "original_packets", "integer" ]
- convert => [ "original_ip_bytes", "integer" ]
- convert => [ "overflow_bytes", "integer" ]
- convert => [ "p", "integer" ]
- convert => [ "query_class", "integer" ]
- convert => [ "query_type", "integer" ]
- convert => [ "rcode", "integer" ]
- convert => [ "request_body_length", "integer" ]
- convert => [ "request_port", "integer" ]
- convert => [ "respond_bytes", "integer" ]
- convert => [ "respond_packets", "integer" ]
- convert => [ "respond_ip_bytes", "integer" ]
- convert => [ "response_body_length", "integer" ]
- convert => [ "seen_bytes", "integer" ]
- convert => [ "source_port", "integer" ]
- convert => [ "status_code", "integer" ]
- #convert => [ "suppress_for", "float" ]
- convert => [ "total_bytes", "integer" ]
- convert => [ "trans_depth", "integer" ]
- convert => [ "transaction_id", "integer" ]
- # convert the following boolean to text for now
- convert => [ "local_respond", "string" ]
- convert => [ "tc", "string" ]
- convert => [ "is_orig", "string" ]
- convert => [ "local_orig", "string" ]
- lowercase => [ "query" ]
- #remove_field => [ "timestamp" ]
- }
-
- # Combine OriginalBytes and RespondBytes and save the value to total_bytes
- if [original_bytes] {
- if [respond_bytes] {
- ruby {
- code => "event.set('total_bytes', event.get('original_bytes') + event.get('respond_bytes'))"
- }
- }
- }
- mutate {
- #add_tag => [ "conf_file_6000"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6001_bro_import.conf b/salt/logstash/pipelines/config/so/6001_bro_import.conf
deleted file mode 100644
index 34c43f6ae..000000000
--- a/salt/logstash/pipelines/config/so/6001_bro_import.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 2/10/2018
-#
-filter {
- if "import" in [tags] and "bro" in [tags] {
-
- # we're setting timestamp in 6000 now
- #date {
- # match => [ "timestamp", "UNIX" ]
- #}
-
- mutate {
- #add_tag => [ "conf_file_6001"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6002_syslog.conf b/salt/logstash/pipelines/config/so/6002_syslog.conf
deleted file mode 100644
index f82f81a25..000000000
--- a/salt/logstash/pipelines/config/so/6002_syslog.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-#
-filter {
- if "syslog" in [tags] {
- mutate {
- #convert => [ "status_code", "integer" ]
- #add_tag => [ "conf_file_6002"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6101_switch_brocade.conf b/salt/logstash/pipelines/config/so/6101_switch_brocade.conf
deleted file mode 100644
index dd2f3126c..000000000
--- a/salt/logstash/pipelines/config/so/6101_switch_brocade.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- if [type] == "brocade" {
- grok {
- match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
- }
- grok {
- match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
- add_field => [ "received_at", "%{@timestamp}" ]
- }
- if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
- grok {
- match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
- }
- mutate {
- add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
- }
- }
- date {
- match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
- timezone => "America/Chicago"
- remove_field => "syslog_timestamp"
- remove_field => "received_at"
- }
- mutate {
- #add_tag => [ "conf_file_6101"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6200_firewall_fortinet.conf b/salt/logstash/pipelines/config/so/6200_firewall_fortinet.conf
deleted file mode 100644
index b33c89bb8..000000000
--- a/salt/logstash/pipelines/config/so/6200_firewall_fortinet.conf
+++ /dev/null
@@ -1,281 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- if [type] == "fortinet" {
- mutate {
- gsub => [ "message", "= ", "=NA " ]
- }
-
- grok {
- match => ["message", "type=%{DATA:event_type}\s+"]
- tag_on_failure => []
- }
- grok {
- match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
- tag_on_failure => []
- }
- kv {
- source => "kv"
- exclude_keys => [ "type" ]
- }
- mutate {
- gsub => [ "log", "= ", "=NA " ]
- }
- kv {
- source => "log"
- target => "SubLog"
- }
- grok {
- match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
- tag_on_failure => [ "" ]
- }
- mutate {
- rename => { "action" => "action" }
- rename => { "addr" => "addr_ip" }
- rename => { "age" => "age" }
- rename => { "assigned" => "assigned_ip" }
- rename => { "assignip" => "assign_ip" }
- rename => { "ap" => "access_point" }
- rename => { "app" => "application" }
- rename => { "appcat" => "application_category" }
- rename => { "applist" => "application_list" }
- rename => { "apprisk" => "application_risk" }
- rename => { "approfile" => "accessPoint_profile" }
- rename => { "apscan" => "access_point_scan" }
- rename => { "apstatus" => "acces_point_status" }
- rename => { "aptype" => "access_point_type" }
- rename => { "authproto" => "authentication_protocol" }
- rename => { "bandwidth" => "bandwidth" }
- rename => { "banned_src" => "banned_source" }
- rename => { "cat" => "category" }
- rename => { "catdesc" => "category_description" }
- rename => { "cfgattr" => "configuration_attribute" }
- rename => { "cfgobj" => "configuration_object" }
- rename => { "cfgpath" => "configuration_path" }
- rename => { "cfgtid" => "configuration_transaction_id" }
- rename => { "channel" => "channel" }
- rename => { "community" => "community" }
- rename => { "cookies" => "cookies" }
- rename => { "craction" => "cr_action" }
- rename => { "crlevel" => "cr_level" }
- rename => { "crscore" => "cr_score" }
- rename => { "datarange" => "data_range" }
- rename => { "desc" => "description" }
- rename => { "detectionmethod" => "detection_method" }
- rename => { "devid" => "device_id" }
- rename => { "devname" => "device_name" }
- rename => { "devtype" => "device_type" }
- rename => { "dhcp_msg" => "dhcp_message" }
- rename => { "disklograte" => "disk_lograte" }
- rename => { "dstcountry" => "destination_country" }
- rename => { "dstintf" => "destination_interface" }
- rename => { "dstip" => "destination_ip" }
- rename => { "dstport" => "destination_port" }
- rename => { "duration" => "elapsed_time" }
- rename => { "error_num" => "error_number" }
- rename => { "espauth" => "esp_authentication" }
- rename => { "esptransform" => "esp_transform" }
- rename => { "eventid" => "event_id" }
- rename => { "eventtype" => "event_type" }
- rename => { "fazlograte" => "faz_lograte" }
- rename => { "filename" => "file_name" }
- rename => { "filesize" => "file_size" }
- rename => { "filetype" => "file_type" }
- rename => { "hostname" => "hostname" }
- rename => { "ip" => "source_ip" }
- rename => { "localip" => "source_ip" }
- rename => { "locip" => "local_ip" }
- rename => { "locport" => "source_port" }
- rename => { "logid" => "log_id" }
- rename => { "logver" => "log_version" }
- rename => { "manuf" => "manufacturer" }
- rename => { "mem" => "memory" }
- rename => { "meshmode" => "mesh_mode" }
- rename => { "msg" => "message" }
- rename => { "nextstat" => "next_stat" }
- rename => { "onwire" => "on_wire" }
- rename => { "osname" => "os_name" }
- rename => { "osversion" => "unauthenticated_user" }
- rename => { "outintf" => "outbound_interface" }
- rename => { "peer_notif" => "peer_notification" }
- rename => { "phase2_name" => "phase2_name" }
- rename => { "policyid" => "policy_id" }
- rename => { "policytype" => "policy_type" }
- rename => { "port" => "port" }
- rename => { "probeproto" => "probe_protocol" }
- rename => { "proto" => "protocol_number" }
- rename => { "radioband" => "radio_band" }
- rename => { "radioidclosest" => "radio_id_closest" }
- rename => { "radioiddetected" => "radio_id_detected" }
- rename => { "rcvd" => "bytes_received" }
- rename => { "rcvdbyte" => "bytes_received" }
- rename => { "rcvdpkt" => "packets_received" }
- rename => { "remip" => "destination_ip" }
- rename => { "remport" => "remote_port" }
- rename => { "reqtype" => "request_type" }
- rename => { "scantime" => "scan_time" }
- rename => { "securitymode" => "security_mode" }
- rename => { "sent" => "bytes_sent" }
- rename => { "sentbyte" => "bytes_sent" }
- rename => { "sentpkt" => "packets_sent" }
- rename => { "session_id" => "session_id" }
- rename => { "setuprate" => "setup_rate" }
- rename => { "sn" => "serial" }
- rename => { "snclosest" => "serial_closest_access_point" }
- rename => { "sndetected" => "serial_access_point_that_detected_rogue_ap" }
- rename => { "snmeshparent" => "serial_mesh_parent" }
- rename => { "srccountry" => "source_country" }
- rename => { "srcip" => "source_ip" }
- rename => { "srcmac" => "source_mac" }
- rename => { "srcname" => "source_name" }
- rename => { "srcintf" => "source_interface" }
- rename => { "srcport" => "source_port" }
- rename => { "stacount" => "station_count" }
- rename => { "stamac" => "static_mac" }
- rename => { "srccountry" => "source_country" }
- rename => { "srcip" => "source_ip" }
- rename => { "srcmac" => "source_mac" }
- rename => { "srcname" => "source_name" }
- rename => { "sn" => "serial" }
- rename => { "srcintf" => "source_interface" }
- rename => { "srcport" => "source_port" }
- rename => { "total" => "total_bytes" }
- rename => { "totalsession" => "total_sessions" }
- rename => { "trandisp" => "nat_translation_type" }
- rename => { "tranip" => "nat_destination_ip" }
- rename => { "tranport" => "nat_destination_port" }
- rename => { "transip" => "nat_source_ip" }
- rename => { "transport" => "nat_source_port" }
- rename => { "tunnelid" => "tunnel_id" }
- rename => { "tunnelip" => "tunnel_ip" }
- rename => { "tunneltype" => "tunnel_type" }
- rename => { "unauthuser" => "unauthenticated_user_source" }
- rename => { "unauthusersource" => "os_version" }
- rename => { "vendorurl" => "vendor_url" }
- rename => { "vpntunnel" => "vpn_tunnel" }
- rename => { "vulncat" => "vulnerability_category" }
- rename => { "vulncmt" => "vulnerability_count" }
- rename => { "vulnid" => "vulnerability_id" }
- rename => { "vulnname" => "vulnerability_name" }
- rename => { "vulnref" => "vulnerability_reference" }
- rename => { "vulnscore" => "vulnerability_score" }
- rename => { "xauthgroup" => "x_authentication_group" }
- rename => { "xauthuser" => "x_authentication_user" }
- rename => { "[SubLog][appid]" => "sub_application_id" }
- rename => { "[SubLog][devid]" => "sub_device_id" }
- rename => { "[SubLog][dstip]" => "sub_destination_ip" }
- rename => { "[SubLog][srcip]" => "sub_source_ip" }
- rename => { "[SubLog][dstport]" => "sub_destination_port" }
- rename => { "[SubLog][eventtype]" => "sub_event_type" }
- rename => { "[SubLog][proto]" => "sub_protocol_number" }
- rename => { "[SubLog][date]" => "sub_date" }
- rename => { "[SubLog][time]" => "sub_time" }
- rename => { "[SubLog][srcport]" => "sub_source_port" }
- rename => { "[SubLog][subtype]" => "sub_subtype" }
- rename => { "[SubLog][devname]" => "sub_device_name" }
- rename => { "[SubLog][itime]" => "sub_itime" }
- rename => { "[SubLog][level]" => "sub_level" }
- rename => { "[SubLog][logid]" => "sub_log_id" }
- rename => { "[SubLog][logver]" => "sub_log_version" }
- rename => { "[SubLog][type]" => "sub_event_type" }
- rename => { "[SubLog][vd]" => "sub_vd" }
- rename => { "[SubLog][action]" => "sub_action" }
- rename => { "[SubLog][logdesc]" => "sub_destination_ip" }
- rename => { "[SubLog][policyid]" => "sub_olicy_id" }
- rename => { "[SubLog][reason]" => "sub_reason" }
- rename => { "[SubLog][service]" => "sub_service" }
- rename => { "[SubLog][sessionid]" => "sub_session_id" }
- rename => { "[SubLog][src]" => "sub_source_ip" }
- rename => { "[SubLog][status]" => "sub_status" }
- rename => { "[SubLog][ui]" => "sub_ui" }
- rename => { "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
- strip => [ "bytes_sent", "bytes_received" ]
- convert => [ "bytes_sent", "integer" ]
- convert => [ "bytes_received", "integer" ]
- convert => [ "cr_score", "integer" ]
- convert => [ "cr_action", "integer" ]
- convert => [ "elapsed_time", "integer" ]
- convert => [ "destination_port", "integer" ]
- convert => [ "source_port", "integer" ]
- convert => [ "local_port", "integer" ]
- convert => [ "remote_port", "integer" ]
- convert => [ "packets_sent", "integer" ]
- convert => [ "packets_received", "integer" ]
- convert => [ "port", "integer" ]
- convert => [ "ProtocolNumber", "integer" ]
- convert => [ "XAuthUser", "string" ]
- remove_field => [ "kv", "log" ]
- }
- if [tunnel_ip] == "N/A" {
- mutate {
- remove_field => [ "tunnel_ip" ]
- }
- }
- if [nat_destination_ip] {
- mutate {
- add_field => { "ips" => [ "%{nat_destination_ip}" ] }
- add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
- }
- }
- if [sub_destination_ip] {
- mutate {
- add_field => { "ips" => [ "%{sub_destination_ip}" ] }
- add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
- }
- }
- if [nat_source_ip] {
- mutate {
- add_field => { "ips" => [ "%{nat_source_ip}" ] }
- add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
- }
- }
- if [sub_source_ip] {
- mutate {
- add_field => { "ips" => [ "%{sub_source_ip}" ] }
- add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
- }
- }
- if [addr_ip] {
- mutate {
- add_field => { "ips" => [ "%{addr_ip}" ] }
- }
- }
- if [assign_ip] {
- mutate {
- add_field => { "ips" => [ "%{assign_ip}" ] }
- }
- }
- if [assigned_ip] {
- mutate {
- add_field => { "ips" => [ "%{assigned_ip}" ] }
- }
- }
- grok {
- match => ["message", "type=%{DATA:event_type}\s+"]
- }
- if [date] and [time] {
- mutate {
- add_field => { "receive_time" => "%{date} %{time}" }
- remove_field => [ "date", "time" ]
- }
- date {
- timezone => "America/Chicago"
- match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
- target => "receive_time"
- }
- mutate {
- rename => { "receive_time" => "@timestamp" }
- }
- } else {
- mutate {
- add_tag => [ "missing_date" ]
- }
- }
- mutate {
- #add_tag => [ "conf_file_6200"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6201_firewall_pfsense.conf b/salt/logstash/pipelines/config/so/6201_firewall_pfsense.conf
deleted file mode 100644
index acd08eba0..000000000
--- a/salt/logstash/pipelines/config/so/6201_firewall_pfsense.conf
+++ /dev/null
@@ -1,56 +0,0 @@
-# Author: Wes Lambert
-# Updated by: Doug Burks
-
-filter {
- if [type] == "filterlog" {
- dissect {
- mapping => {
- "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
- }
- }
- if [ip_version] == "4" {
- dissect {
- mapping => {
- "sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
- }
- }
- }
- if [ip_version] == "6" {
- dissect {
- mapping => {
- "sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
- }
- }
- }
- if [protocol] == "tcp" {
- dissect {
- mapping => {
- "ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
- }
- }
- }
- if [protocol] == "udp" {
- dissect {
- mapping => {
- "ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
- }
- }
- }
- if [protocol] == "Options" {
- mutate {
- copy => { "ip_sub_msg" => "options" }
- }
- mutate {
- split => { "options" => "," }
- }
- }
- mutate {
- convert => [ "destination_port", "integer" ]
- convert => [ "source_port", "integer" ]
- convert => [ "ip_version", "integer" ]
- replace => { "type" => "firewall" }
- add_tag => [ "pfsense","firewall" ]
- remove_field => [ "sub_msg", "ip_sub_msg" ]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6300_windows.conf b/salt/logstash/pipelines/config/so/6300_windows.conf
deleted file mode 100644
index 34450af2b..000000000
--- a/salt/logstash/pipelines/config/so/6300_windows.conf
+++ /dev/null
@@ -1,161 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- if [type] == "windows" {
-# json {
-# source => "message"
-# }
- date {
- match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
- remove_field => [ "EventTime" ]
- }
- if [EventID] == 4634 {
- mutate {
- add_tag => [ "logoff" ]
- }
- }
- if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
- mutate {
- add_tag => [ "logon" ]
- add_tag => [ "alert_data" ]
- }
- }
- if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
- mutate {
- add_tag => [ "logon_failure" ]
- add_tag => [ "alert_data" ]
- }
- }
- # Critical event IDs to monitor
- if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
- mutate {
- add_tag => [ "alert_data" ]
- }
- }
- # Critical event IDs to monitor
- if [EventID] == 5152 { drop {} }
- if [EventID] == 4688 { drop {} }
- if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
- if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
- if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
- if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
- # Whitelist/Blacklist check
- if [EventID] == 7045 {
- translate {
- field => "ServiceName"
- destination => "ServiceCheck"
- dictionary_path => "/lib/dictionaries/services.yaml"
- }
- }
- if [EventID] == 7045 and !([ServiceCheck]) {
- mutate {
- add_tag => [ "alert_data","new_service" ]
- }
- }
- if [ServiceCheck] == 'whitelist' {
- mutate {
- remove_field => [ "ServiceCheck" ]
- add_tag => [ "whitelist" ]
- }
- }
- if [ServiceCheck] == 'blacklist' {
- mutate {
- remove_field => [ "ServiceCheck" ]
- add_tag => [ "blacklist" ]
- }
- }
- if [EventID] == 5158 {
- if [Application] == "System" { drop {} }
- if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
- if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
- if [Application] =~ "mcafee" { drop {} }
- if [Application] =~ "carestream" { drop {} }
- if [Application] =~ "Softdent" { drop {} }
- }
- if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
- if [EventID] == 4690 { drop {} }
- if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
- if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
- if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
- if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
- if [EventID] == 5447 { drop {} }
-
- mutate {
- rename => [ "AccountName", "user" ]
- rename => [ "AccountType", "account_type" ]
- rename => [ "ActivityID", "activity_id" ]
- rename => [ "Category", "category" ]
- rename => [ "ClientAddress", "client_ip" ]
- rename => [ "Channel", "channel" ]
- rename => [ "DCIPAddress", "domain_controller_ip" ]
- rename => [ "DCName", "domain_controller_name" ]
- rename => [ "EventID", "event_id" ]
- rename => [ "EventReceivedTime", "event_received_time" ]
- rename => [ "EventType", "event_type" ]
- rename => [ "GatewayIPAddress", "gateway_ip" ]
- rename => [ "IPAddress", "client_ip" ]
- rename => [ "Ipaddress", "client_ip" ]
- rename => [ "IpAddress", "client_ip" ]
- rename => [ "IPPort", "source_port" ]
- rename => [ "OpcodeValue", "opcode_value" ]
- rename => [ "PreAuthType", "preauthentication_type" ]
- rename => [ "PrincipleSAMName", "user" ]
- rename => [ "ProcessID", "process_id" ]
- rename => [ "ProviderGUID", "providerguid" ]
- rename => [ "RecordNumber", "record_number" ]
- rename => [ "RemoteAddress", "destination_ip" ]
- rename => [ "ServiceName", "service_name" ]
- rename => [ "ServiceID", "service_id" ]
- rename => [ "SeverityValue", "severity_value" ]
- rename => [ "SourceAddress", "client_ip" ]
- rename => [ "SourceModuleName", "source_module_name" ]
- rename => [ "SourceModuleType", "source_module_type" ]
- rename => [ "SourceName", "source_name" ]
- rename => [ "SubjectUserName", "user" ]
- rename => [ "TaskName", "task_name" ]
- rename => [ "TargetDomainName", "target_domain_name" ]
- rename => [ "TargetUserName", "user" ]
- rename => [ "ThreadID", "thread_id" ]
- rename => [ "User_ID", "user" ]
- rename => [ "UserID", "user" ]
- rename => [ "username", "user" ]
- }
- # For any accounts that are service accounts or special accounts add the tag of service_account
- # This example applies the tag to any username that starts with SVC_. If you use a different
- # standard change this.
- if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
- mutate {
- add_tag => [ "service_account" ]
- }
- }
- # This looks for events that are typically noisy but may be of use for deep dive investigations
- # A tag of noise is added to quickly filter out noise
- if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
- mutate {
- add_tag => [ "noise" ]
- }
- }
- #Identify machine accounts
- if [user] =~ /\$/ {
- mutate {
- add_tag => [ "machine", "noise" ]
- }
- }
- # Lower case all field names
- ruby {
- code => "
- event_hash = event.to_hash
- new_event = {}
- event_hash.keys.each do |key|
- new_event[key.downcase] = event[key]
- end
- event.instance_variable_set(:@data, new_event)"
- }
- mutate {
- #add_tag => [ "conf_file_6300"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6301_dns_windows.conf b/salt/logstash/pipelines/config/so/6301_dns_windows.conf
deleted file mode 100644
index 1ef5077a6..000000000
--- a/salt/logstash/pipelines/config/so/6301_dns_windows.conf
+++ /dev/null
@@ -1,49 +0,0 @@ -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [type] == "dns" and "bro" not in [tags] { - json { - source => "message" - } - # strip whitespace from message field - mutate { - strip => "message" - } - # If the message is blank, drop the log - if [Message] =~ /^$/ { - drop { } - } else { - if [type] == "dns" { - # This section is lookup for a match against the log and parsing out the fields - grok { - match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ 
%{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - # Server 2003 DNS logs do not include slashes or AM/PM in timestamp - match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ 
%{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - match => { "Message" => "(?%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"} - remove_field => [ "Message" ] - } - # This section attempts to convert the dns_domain into the traditional domain.com format - mutate { - gsub => [ "dns_domain", "(\(\d+\))", "." ] - } - grok { - match => { "dns_domain" => "\.%{DATA:query}\.$" } - remove_field => [ "dns_domain" ] - } - } - } - mutate { - #add_tag => [ "conf_file_6301"] - } - } -} diff --git a/salt/logstash/pipelines/config/so/6400_suricata.conf b/salt/logstash/pipelines/config/so/6400_suricata.conf deleted file mode 100644 index 11f185ddf..000000000 --- a/salt/logstash/pipelines/config/so/6400_suricata.conf +++ /dev/null 
@@ -1,92 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This conf file is based on accepting logs for suricata json events
-filter {
- if [type] == "suricata" {
- if "test_data" not in [tags] {
- date {
- match => [ "timestamp", "ISO8601" ]
- }
- } else {
- mutate {
- remove_field => [ "netflow.start","netflow.end","timestamp" ]
- }
- }
- if [event_type] == "fileinfo" {
- ruby {
- code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
- }
- }
- # I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
- mutate {
- rename => [ "src_ip", "source_ip" ]
- rename => [ "dest_ip", "destination_ip" ]
- rename => [ "src_port", "source_port" ]
- rename => [ "dest_port", "destination_port" ]
- }
- # This will translate the alert.severity field into a severity field of either High, Medium, or Low
- if [event_type] == "alert" {
- if [alert][severity] == 1 {
- mutate {
- add_field => { "severity" => "High" }
- }
- }
- if [alert][severity] == 2 {
- mutate {
- add_field => { "severity" => "Medium" }
- }
- }
- if [alert][severity] == 3 {
- mutate {
- add_field => { "severity" => "Low" }
- }
- }
- # If the alert is a Snort GPL alert break it apart for easier reading and categorization
- if [alert][signature] =~ "GPL " {
- # This will parse out the category type from the alert
- grok {
- match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
- }
- # This will store the category
- mutate {
- add_field => { "rule_type" => "Snort GPL" }
- lowercase => [ "category" ]
- }
- }
- # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
- if [alert][signature] =~ "ET " {
- # This will parse out the category type from the alert
- grok {
- match => { "[alert][signature]" =>
"ET\s+%{DATA:category}\s" }
- }
- # This will store the category
- mutate {
- add_field => { "rule_type" => "Emerging Threats" }
- lowercase => [ "category" ]
- }
- }
- # This section adds URLs to lookup information about a rule online
- if [rule_type] == "Snort GPL" {
- mutate {
- add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
- }
- }
- if [rule_type] == "Emerging Threats" {
- mutate {
- add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
- }
- }
- }
- if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
- # mutate {
- # remove_field => [ "message" ]
- # }
- }
- mutate {
- #add_tag => [ "conf_file_6400"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6500_ossec.conf b/salt/logstash/pipelines/config/so/6500_ossec.conf
deleted file mode 100644
index 292fea49b..000000000
--- a/salt/logstash/pipelines/config/so/6500_ossec.conf
+++ /dev/null
@@ -1,160 +0,0 @@ -# Author: Wes Lambert -# -# Last Update: 09/19/2018 -# -# This conf file is based on accepting logs from OSSEC - -filter { - # OSSEC Alerts - if [type] == "ossec" { - - # Sysmon/Autoruns logs transported by OSSEC - if [message] =~ "Microsoft-Windows-Sysmon" { - mutate { - replace => { "type" => "sysmon" } - add_tag => [ "ossec" ] - } - } - if [message] =~ "AR-LOG" { - mutate { - replace => { "type" => "autoruns" } - add_tag => [ "ossec" ] - } - } - - # If message looks like json, try to parse it as such. Otherwise, grok. - if [message] =~ /^{.*}$/ { - json { - source => "message" - } - mutate { - rename => { "rule" => "wazuh-rule" } - rename => { "[wazuh-rule][level]" => "alert_level" } - rename => { "[wazuh-rule][description]" => "description" } - rename => { "[data][srcuser]" => "username" } - rename => { "[data][dstuser]" => "escalated_user" } - rename => { "[data][command]" => "command" } - rename => { "[predecoder][program_name]" => "process" } - - } - # Wazuh 3.8.2 - if [data][EventChannel] { - mutate { - rename => { "[data][EventChannel][EventData][User]" => "username" } - rename => { "[data][EventChannel][System][EventID]" => "event_id" } - rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" } - rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" } - rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" } - rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" } - rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" } - rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" } - } - } - # Wazuh 3.9.2 - if [data][win] { - mutate { - rename => { "[data][win][eventdata][user]" => "username" } - rename => { "[data][win][system][eventID]" => "event_id" } - rename => { "[data][win][eventdata][destinationPort]" => "destination_port" } - rename => { 
"[data][win][eventdata][destinationIp]" => "destination_ip" } - rename => { "[data][win][eventdata][sourcePort]" => "source_port" } - rename => { "[data][win][eventdata][sourceIp]" => "source_ip" } - rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" } - rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } - } - } - } else { - grok { - match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: 
%{IP:source_ip};%{GREEDYDATA:details}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.", - "message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}", - "message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"] - } - } - - # Add tag for OSSEC alerts - if [alert_level] { - mutate { - add_tag => [ "alert" ] - } - } - - translate { - field => "alert_level" - - destination => "classification" - - dictionary => [ - "1", "None", - "2", "System low priority notification", - "3", "Successful/authorized event", - "4", "System low priority error", - "5", "User generated error", - "6", "Low relevance attack", - "7", '"Bad word" matching', - "8", "First time seen", - "9", "Error from invalid source", - "10", "Multiple user generated errors", - "11", "Integrity checking warning", - "12", "High importance event", - "13", "Unusal error (high importance)", - "14", "High importance security event", - "15", "Severe attack" - ] - } - } - - # OSSEC Archive Logs - if [type] == "ossec_archive" { - - # Sysmon/Autoruns logs transported by OSSEC - if [message] =~ "Microsoft-Windows-Sysmon" { - mutate { - replace => { "type" => "sysmon" } - add_tag => [ "ossec" ] - } - } - if [message] =~ "AR-LOG" { - mutate { - replace => { "type" => "autoruns" } - add_tag => [ "ossec" ] - } - } - - # 
If message looks like json, try to parse it as such. Otherwise, grok. - if [message] =~ /^{.*}$/ { - json { - source => "message" - } - mutate { - rename => [ "rule", "wazuh-rule" ] - rename => [ "[wazuh-rule][level]", "alert_level" ] - rename => [ "[wazuh-rule][description]", "description" ] - rename => [ "[data][srcuser]", "username" ] - rename => [ "[data][dstuser]", "escalated_user" ] - rename => [ "[data][command]", "command" ] - rename => [ "[predecoder][program_name]", "process" ] - } - } else { - grok { - match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"', - "message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)", - "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", - "message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'", - "message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"] - remove_field => [ "ossec_timestamp" ] - } - mutate { - convert => [ "status_code", "integer" ] - } - } - } -} diff --git a/salt/logstash/pipelines/config/so/6501_ossec_sysmon.conf b/salt/logstash/pipelines/config/so/6501_ossec_sysmon.conf deleted file mode 100644 index 6ebf10487..000000000 --- a/salt/logstash/pipelines/config/so/6501_ossec_sysmon.conf +++ /dev/null 
@@ -1,118 +0,0 @@ -# Author: Wes Lambert -# wlambertts@gmail.com -# -# This conf file is based on accepting Sysmon logs from OSSEC -# -# Parse using grok -filter { - # OSSEC Logs and Alerts - if [type] == "sysmon" or "sysmon" in [tags] { - if [message] !~ /^{.*}$/ { - #mutate { replace => { "type" => "sysmon" } } - grok { - # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"] - match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"] - } - mutate { - convert => ["event_id", "integer"] - remove_field => ["timestamp"] - remove_field => ["year"] - } - if [event_id] == 1 { - grok { - match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} 
%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}", - "rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}', - "rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT 
AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"] - } - mutate { - convert => ["process_guid", "integer"] - convert => ["process_id", "integer"] - add_tag => ["process_creation"] - } - } - if [event_id] == 3 { - mutate { - remove_field => ["source_ip"] - } - grok { - match => ["rest_of_msg", 
"Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"] - } - mutate { - convert => ["process_guid", "integer"] - convert => ["process_id", "integer"] - convert => ["source_port", "integer"] - convert => ["destination_port", "integer"] - add_tag => ["network_connection"] - } - } - if [event_id] == 5 { - grok { - match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"] - } - mutate { - convert => ["process_guid", "integer"] - convert => ["process_id", "integer"] - add_tag => ["process_termination"] - } - } - if [event_id] == 11 { - grok { - match => 
["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"] - } - mutate { - convert => ["process_guid", "integer"] - convert => ["process_id", "integer"] - add_tag => ["file_created"] - } - } - mutate { - remove_field => ["rest_of_msg"] - } - } else { - mutate { - rename => { "[data][srcuser]" => "username" } - rename => { "[data][id]" => "event_id" } - rename => { "[data][dstport]" => "destination_port" } - rename => { "[data][dstip]" => "destination_ip" } - rename => { "[data][srcip]" => "source_ip" } - rename => { "[data][sysmon][image]" => "image_path" } - rename => { "[data][sysmon][parentImage]" => "parent_image_path" } - rename => { "[data][sysmon][targetfilename]" => "target_filename" } - rename => { "[data][sysmon][sourceHostname]" => "source_hostname" } - rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" } - } - # Wazuh 3.8.2 - if [data][EventChannel] { - mutate { - rename => { "[data][EventChannel][EventData][User]" => "username" } - rename => { "[data][EventChannel][System][EventID]" => "event_id" } - rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" } - rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" } - rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" } - rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" } - rename => { "[data][EventChannel][EventData][Image]" => "image_path" } - rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" } - rename => { "[data][EventChannel][EventData][TargetFilename]" => 
"target_filename" } - rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" } - rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" } - } - } - # Wazuh 3.9.2 - if [data][win] { - mutate { - rename => { "[data][win][eventdata][user]" => "username" } - rename => { "[data][win][system][eventID]" => "event_id" } - rename => { "[data][win][eventdata][destinationPort]" => "destination_port" } - rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" } - rename => { "[data][win][eventdata][sourcePort]" => "source_port" } - rename => { "[data][win][eventdata][sourceIp]" => "source_ip" } - rename => { "[data][win][eventdata][image]" => "image_path" } - rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" } - rename => { "[data][win][eventdata][targetFilename]" => "target_filename" } - rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" } - rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } - } - } - } - } -} diff --git a/salt/logstash/pipelines/config/so/6502_ossec_autoruns.conf b/salt/logstash/pipelines/config/so/6502_ossec_autoruns.conf deleted file mode 100644 index 5d7207891..000000000 --- a/salt/logstash/pipelines/config/so/6502_ossec_autoruns.conf +++ /dev/null 
@@ -1,43 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Updated by: Dustin Lee
-# Last Update: 06/13/2019
-#
-# This conf file is based on accepting Autoruns logs from OSSEC
-#
-# Parse using grok
-filter {
- if [type] == "autoruns" or "autoruns" in [tags] {
- if [message] !~ /^{.*}$/ {
- grok {
- match => [
- "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
- "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
- ]
- }
- #csv {
-# columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
-# separator => "|"
-# }
- mutate {
- remove_field => [ "year" ]
- remove_field => [ "timestamp" ]
- }
- } else {
- grok {
- match => [
- "full_log",
"AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
- "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
- ]
- }
- mutate {
- # Rename fields
- }
- }
- date {
- match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
- target => "image_timestamp"
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6600_winlogbeat_sysmon.conf b/salt/logstash/pipelines/config/so/6600_winlogbeat_sysmon.conf
deleted file mode 100644
index 200b58497..000000000
--- a/salt/logstash/pipelines/config/so/6600_winlogbeat_sysmon.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Wes Lambert
-#
-# Last Update: 09/24/2018
-#
-# This conf file is based on accepting Sysmon logs from winlogbeat
-
-filter {
- if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
- mutate {
- replace => { "type" => "sysmon" }
- rename => { "[event_data][User]" => "username" }
- rename => { "[event_data][DestinationPort]" => "destination_port" }
- rename => { "[event_data][DestinationIp]" => "destination_ip" }
- rename => { "[event_data][SourceIp]" => "source_ip" }
- rename => { "[event_data][Image]" => "image_path" }
- rename => { "[event_data][ParentImage]" => "parent_image_path" }
- rename => { "[data][sysmon][targetfilename]" => "target_filename" }
- rename => { "[event_data][SourceHostname]" => "source_hostname" }
- rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
- rename => { "[event_data][TargetFilename]" => "target_filename" }
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/6700_winlogbeat.conf b/salt/logstash/pipelines/config/so/6700_winlogbeat.conf
deleted file mode 100644
index 222757956..000000000
--- a/salt/logstash/pipelines/config/so/6700_winlogbeat.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Author: Doug Burks
-#
-# Last Update: 09/24/2018
-#
-# This conf file is for beat data
-
-filter {
- if "beat" in [tags] {
- mutate {
- # As of beats 6.3.0, host is now an object:
- # https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
- # This creates a conflict with our existing host string.
- # So let's rename the host object to beat_host.
- rename => { "host" => "beat_host" }
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/7100_osquery_wel.conf b/salt/logstash/pipelines/config/so/7100_osquery_wel.conf
deleted file mode 100644
index b4d77d83f..000000000
--- a/salt/logstash/pipelines/config/so/7100_osquery_wel.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Josh Brower
-# Last Update: 12/28/2018
-# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
-
-filter {
- if "osquery" in [tags] and [osquery][columns][eventid] {
-
- mutate {
- gsub => ["[osquery][columns][data]", "\\x0A", ""]
- }
-
- json {
- source => "[osquery][columns][data]"
- target => "[osquery][columns][data]"
- }
-
- mutate {
- merge => { "[osquery][columns]" => "[osquery][columns][data]" }
- remove_field => ["[osquery][columns][data]"]
- }
-
- }
-}
\ No newline at end of file
diff --git a/salt/logstash/pipelines/config/so/7200_strelka.conf b/salt/logstash/pipelines/config/so/7200_strelka.conf
deleted file mode 100644
index b2b57bf05..000000000
--- a/salt/logstash/pipelines/config/so/7200_strelka.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-filter {
- if [type] =~ "strelka" {
- json {
- source => "message"
- }
- }
-}
-