From cd3e355f848536e2c7d7241c498f9c51315d8ebe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 25 May 2021 16:54:20 -0400 Subject: [PATCH 1/2] Fix zeek depth --- salt/zeek/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 02c1cc1ba..4e597f597 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -76,9 +76,9 @@ zeekpolicysync: # Ensure the zeek spool tree (and state.db) ownership is correct zeekspoolownership: file.directory: - - name: /nsm/zeek/spool + - name: /nsm/zeek - user: 937 - - max_depth: 0 + - max_depth: 1 - recurse: - user From 543154f037453377c0780d4375dc4b52613b14db Mon Sep 17 00:00:00 2001 
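Review bot: The comment directly above `zeekspoolownership` still says the state covers "the zeek spool tree (and state.db)", but with the new `- name: /nsm/zeek`, `- max_depth: 1` and `recurse: user` it now re-owns `/nsm/zeek` itself and its first level of children as uid 937, a wider scope than the spool tree. Suggest updating the comment to `# Ensure /nsm/zeek and its first-level children (incl. the spool tree and state.db) are owned by the zeek uid` so the next reader knows that anything else placed directly under /nsm/zeek will be chowned on every highstate. Whether `max_depth: 1` counted from `/nsm/zeek` still reaches `spool/state.db` depends on how Salt counts depth for files under the last recursed directory; worth confirming on a test node, since the previous state reached state.db from `/nsm/zeek/spool` with `max_depth: 0`.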
From: Mike Reeves Date: Tue, 25 May 2021 16:58:18 -0400 Subject: [PATCH 2/2] Remove old modules --- salt/filebeat/init.sls | 4 +- salt/filebeat/modules/activemq.yml.disabled | 19 -- salt/filebeat/modules/apache.yml.disabled | 19 -- salt/filebeat/modules/auditd.yml.disabled | 10 - salt/filebeat/modules/aws.yml.disabled | 255 ------------------ salt/filebeat/modules/azure.yml.disabled | 45 ---- salt/filebeat/modules/barracuda.yml.disabled | 41 --- salt/filebeat/modules/bluecoat.yml.disabled | 22 -- salt/filebeat/modules/cef.yml.disabled | 17 -- salt/filebeat/modules/checkpoint.yml.disabled | 24 -- salt/filebeat/modules/cisco.yml.disabled | 142 ---------- salt/filebeat/modules/coredns.yml.disabled | 11 - .../filebeat/modules/crowdstrike.yml.disabled | 11 - salt/filebeat/modules/cyberark.yml.disabled | 22 -- salt/filebeat/modules/cylance.yml.disabled | 22 -- .../modules/elasticsearch.yml.disabled | 35 --- salt/filebeat/modules/envoyproxy.yml.disabled | 11 - salt/filebeat/modules/f5.yml.disabled | 41 --- salt/filebeat/modules/fortinet.yml.disabled | 83 ------ salt/filebeat/modules/gcp.yml.disabled | 76 ------ .../modules/google_workspace.yml.disabled | 53 ---- .../filebeat/modules/googlecloud.yml.disabled | 58 ---- salt/filebeat/modules/gsuite.yml.disabled | 53 ---- salt/filebeat/modules/haproxy.yml.disabled | 14 - salt/filebeat/modules/ibmmq.yml.disabled | 11 - salt/filebeat/modules/icinga.yml.disabled | 27 -- salt/filebeat/modules/iis.yml.disabled | 20 -- salt/filebeat/modules/imperva.yml.disabled | 22 -- salt/filebeat/modules/infoblox.yml.disabled | 22 -- salt/filebeat/modules/iptables.yml.disabled | 13 - salt/filebeat/modules/juniper.yml.disabled | 54 ---- salt/filebeat/modules/kafka.yml.disabled | 15 -- salt/filebeat/modules/kibana.yml.disabled | 19 -- salt/filebeat/modules/logstash.yml.disabled | 18 -- salt/filebeat/modules/microsoft.yml.disabled | 49 ---- salt/filebeat/modules/misp.yml.disabled | 17 -- salt/filebeat/modules/mongodb.yml.disabled | 11 - 
salt/filebeat/modules/mssql.yml.disabled | 11 - salt/filebeat/modules/mysql.yml.disabled | 19 -- .../modules/mysqlenterprise.yml.disabled | 14 - salt/filebeat/modules/nats.yml.disabled | 11 - salt/filebeat/modules/netflow.yml.disabled | 14 - salt/filebeat/modules/netscout.yml.disabled | 22 -- salt/filebeat/modules/nginx.yml.disabled | 27 -- salt/filebeat/modules/o365.yml.disabled | 48 ---- salt/filebeat/modules/okta.yml.disabled | 10 - salt/filebeat/modules/oracle.yml.disabled | 13 - salt/filebeat/modules/osquery.yml.disabled | 15 -- salt/filebeat/modules/panw.yml.disabled | 22 -- salt/filebeat/modules/pensando.yml.disabled | 13 - salt/filebeat/modules/postgresql.yml.disabled | 11 - salt/filebeat/modules/proofpoint.yml.disabled | 22 -- salt/filebeat/modules/rabbitmq.yml.disabled | 11 - salt/filebeat/modules/radware.yml.disabled | 22 -- salt/filebeat/modules/redis.yml.disabled | 21 -- salt/filebeat/modules/santa.yml.disabled | 9 - salt/filebeat/modules/snort.yml.disabled | 22 -- salt/filebeat/modules/snyk.yml.disabled | 112 -------- salt/filebeat/modules/sonicwall.yml.disabled | 22 -- salt/filebeat/modules/sophos.yml.disabled | 46 ---- salt/filebeat/modules/squid.yml.disabled | 22 -- salt/filebeat/modules/suricata.yml | 12 - salt/filebeat/modules/system.yml.disabled | 19 -- .../filebeat/modules/threatintel.yml.disabled | 105 -------- salt/filebeat/modules/tomcat.yml.disabled | 22 -- salt/filebeat/modules/traefik.yml.disabled | 11 - salt/filebeat/modules/zeek.yml | 122 --------- salt/filebeat/modules/zoom.yml.disabled | 22 -- salt/filebeat/modules/zscaler.yml.disabled | 22 -- salt/filebeat/securityoniondefaults.yaml | 2 +- 70 files changed, 3 insertions(+), 2279 deletions(-) delete mode 100644 salt/filebeat/modules/activemq.yml.disabled delete mode 100644 salt/filebeat/modules/apache.yml.disabled delete mode 100644 salt/filebeat/modules/auditd.yml.disabled delete mode 100644 salt/filebeat/modules/aws.yml.disabled delete mode 100644 
salt/filebeat/modules/azure.yml.disabled delete mode 100644 salt/filebeat/modules/barracuda.yml.disabled delete mode 100644 salt/filebeat/modules/bluecoat.yml.disabled delete mode 100644 salt/filebeat/modules/cef.yml.disabled delete mode 100644 salt/filebeat/modules/checkpoint.yml.disabled delete mode 100644 salt/filebeat/modules/cisco.yml.disabled delete mode 100644 salt/filebeat/modules/coredns.yml.disabled delete mode 100644 salt/filebeat/modules/crowdstrike.yml.disabled delete mode 100644 salt/filebeat/modules/cyberark.yml.disabled delete mode 100644 salt/filebeat/modules/cylance.yml.disabled delete mode 100644 salt/filebeat/modules/elasticsearch.yml.disabled delete mode 100644 salt/filebeat/modules/envoyproxy.yml.disabled delete mode 100644 salt/filebeat/modules/f5.yml.disabled delete mode 100644 salt/filebeat/modules/fortinet.yml.disabled delete mode 100644 salt/filebeat/modules/gcp.yml.disabled delete mode 100644 salt/filebeat/modules/google_workspace.yml.disabled delete mode 100644 salt/filebeat/modules/googlecloud.yml.disabled delete mode 100644 salt/filebeat/modules/gsuite.yml.disabled delete mode 100644 salt/filebeat/modules/haproxy.yml.disabled delete mode 100644 salt/filebeat/modules/ibmmq.yml.disabled delete mode 100644 salt/filebeat/modules/icinga.yml.disabled delete mode 100644 salt/filebeat/modules/iis.yml.disabled delete mode 100644 salt/filebeat/modules/imperva.yml.disabled delete mode 100644 salt/filebeat/modules/infoblox.yml.disabled delete mode 100644 salt/filebeat/modules/iptables.yml.disabled delete mode 100644 salt/filebeat/modules/juniper.yml.disabled delete mode 100644 salt/filebeat/modules/kafka.yml.disabled delete mode 100644 salt/filebeat/modules/kibana.yml.disabled delete mode 100644 salt/filebeat/modules/logstash.yml.disabled delete mode 100644 salt/filebeat/modules/microsoft.yml.disabled delete mode 100644 salt/filebeat/modules/misp.yml.disabled delete mode 100644 salt/filebeat/modules/mongodb.yml.disabled delete mode 100644 
salt/filebeat/modules/mssql.yml.disabled delete mode 100644 salt/filebeat/modules/mysql.yml.disabled delete mode 100644 salt/filebeat/modules/mysqlenterprise.yml.disabled delete mode 100644 salt/filebeat/modules/nats.yml.disabled delete mode 100644 salt/filebeat/modules/netflow.yml.disabled delete mode 100644 salt/filebeat/modules/netscout.yml.disabled delete mode 100644 salt/filebeat/modules/nginx.yml.disabled delete mode 100644 salt/filebeat/modules/o365.yml.disabled delete mode 100644 salt/filebeat/modules/okta.yml.disabled delete mode 100644 salt/filebeat/modules/oracle.yml.disabled delete mode 100644 salt/filebeat/modules/osquery.yml.disabled delete mode 100644 salt/filebeat/modules/panw.yml.disabled delete mode 100644 salt/filebeat/modules/pensando.yml.disabled delete mode 100644 salt/filebeat/modules/postgresql.yml.disabled delete mode 100644 salt/filebeat/modules/proofpoint.yml.disabled delete mode 100644 salt/filebeat/modules/rabbitmq.yml.disabled delete mode 100644 salt/filebeat/modules/radware.yml.disabled delete mode 100644 salt/filebeat/modules/redis.yml.disabled delete mode 100644 salt/filebeat/modules/santa.yml.disabled delete mode 100644 salt/filebeat/modules/snort.yml.disabled delete mode 100644 salt/filebeat/modules/snyk.yml.disabled delete mode 100644 salt/filebeat/modules/sonicwall.yml.disabled delete mode 100644 salt/filebeat/modules/sophos.yml.disabled delete mode 100644 salt/filebeat/modules/squid.yml.disabled delete mode 100644 salt/filebeat/modules/suricata.yml delete mode 100644 salt/filebeat/modules/system.yml.disabled delete mode 100644 salt/filebeat/modules/threatintel.yml.disabled delete mode 100644 salt/filebeat/modules/tomcat.yml.disabled delete mode 100644 salt/filebeat/modules/traefik.yml.disabled delete mode 100644 salt/filebeat/modules/zeek.yml delete mode 100644 salt/filebeat/modules/zoom.yml.disabled delete mode 100644 salt/filebeat/modules/zscaler.yml.disabled 
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index b1a91b133..18ca9b8c1 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -81,7 +81,7 @@ filebeatmoduleconfsync: sodefaults_module_conf: file.managed: - - name: /opt/so/conf/filebeat/etc/securityonion.yml + - name: /opt/so/conf/filebeat/modules/securityonion.yml - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: @@ -89,7 +89,7 @@ sodefaults_module_conf: thirdparty_module_conf: file.managed: - - name: /opt/so/conf/filebeat/etc/thirdparty.yml + - name: /opt/so/conf/filebeat/modules/thirdparty.yml - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: diff --git a/salt/filebeat/modules/activemq.yml.disabled b/salt/filebeat/modules/activemq.yml.disabled deleted file mode 100644 index 43536ecbc..000000000 --- a/salt/filebeat/modules/activemq.yml.disabled +++ /dev/null @@ -1,19 +0,0 @@ -# Module: activemq -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-activemq.html - -- module: activemq - # Audit logs - audit: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - # Application logs - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/apache.yml.disabled b/salt/filebeat/modules/apache.yml.disabled deleted file mode 100644 index b923dd581..000000000 --- a/salt/filebeat/modules/apache.yml.disabled +++ /dev/null 
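Review bot: Both hunks in this file (`sodefaults_module_conf` at -81 and `thirdparty_module_conf` at -89) move the managed file from `/opt/so/conf/filebeat/etc/` to `/opt/so/conf/filebeat/modules/`, but nothing in the commit removes the files previously written at the old paths, so hosts that already applied the earlier state keep a stale `securityonion.yml` and `thirdparty.yml` under `etc/`. That is a configuration-drift hazard: whichever path filebeat actually reads, an operator will later find two copies of the module config and cannot tell which one is live. Suggest pairing each rename with a `file.absent` state for the old path so the migration completes on upgrade (state IDs below are placeholders); both `file.managed` states continue outside the hunks.
```yaml
# … unchanged: sodefaults_module_conf / thirdparty_module_conf file.managed states …
sodefaults_module_conf_old:
  file.absent:
    - name: /opt/so/conf/filebeat/etc/securityonion.yml

thirdparty_module_conf_old:
  file.absent:
    - name: /opt/so/conf/filebeat/etc/thirdparty.yml
```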
@@ -1,19 +0,0 @@ -# Module: apache -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-apache.html - -- module: apache - # Access logs - access: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - # Error logs - error: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/auditd.yml.disabled b/salt/filebeat/modules/auditd.yml.disabled deleted file mode 100644 index 76296ec85..000000000 --- a/salt/filebeat/modules/auditd.yml.disabled +++ /dev/null @@ -1,10 +0,0 @@ -# Module: auditd -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-auditd.html - -- module: auditd - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/aws.yml.disabled b/salt/filebeat/modules/aws.yml.disabled deleted file mode 100644 index 904bd976c..000000000 --- a/salt/filebeat/modules/aws.yml.disabled +++ /dev/null 
@@ -1,255 +0,0 @@ -# Module: aws -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-aws.html - -- module: aws - cloudtrail: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Process CloudTrail logs - # default is true, set to false to skip Cloudtrail logs - # var.process_cloudtrail_logs: false - - # Process CloudTrail Digest logs - # default true, set to false to skip CloudTrail Digest logs - # var.process_digest_logs: false - - # Process CloudTrail Insight logs - # default true, set to false to skip CloudTrail Insight logs - # var.process_insight_logs: false - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - cloudwatch: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - ec2: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - elb: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - s3access: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - vpcflow: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. - #var.max_number_of_messages: 5 diff --git a/salt/filebeat/modules/azure.yml.disabled b/salt/filebeat/modules/azure.yml.disabled deleted file mode 100644 index 3b2bc1ecf..000000000 --- a/salt/filebeat/modules/azure.yml.disabled +++ /dev/null 
@@ -1,45 +0,0 @@ -# Module: azure -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-azure.html - -- module: azure - # All logs - activitylogs: - enabled: true - var: - # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub - eventhub: "insights-operational-logs" - # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module - consumer_group: "$Default" - # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string - connection_string: "" - # the name of the storage account the state/offsets will be stored and updated - storage_account: "" - # the storage account key, this key will be used to authorize access to data in your storage account - storage_account_key: "" - - platformlogs: - enabled: false - # var: - # eventhub: "" - # consumer_group: "$Default" - # connection_string: "" - # storage_account: "" - # storage_account_key: "" - - - auditlogs: - enabled: false - # var: - # eventhub: "insights-logs-auditlogs" - # consumer_group: "$Default" - # connection_string: "" - # storage_account: "" - # storage_account_key: "" - signinlogs: - enabled: false - # var: - # eventhub: "insights-logs-signinlogs" - # consumer_group: "$Default" - # connection_string: "" - # storage_account: "" - # storage_account_key: "" diff --git a/salt/filebeat/modules/barracuda.yml.disabled b/salt/filebeat/modules/barracuda.yml.disabled deleted file mode 100644 index 99ff85036..000000000 --- a/salt/filebeat/modules/barracuda.yml.disabled +++ /dev/null 
@@ -1,41 +0,0 @@ -# Module: barracuda -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-barracuda.html - -- module: barracuda - waf: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9503 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - spamfirewall: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9524 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/bluecoat.yml.disabled b/salt/filebeat/modules/bluecoat.yml.disabled deleted file mode 100644 index 6550c8eed..000000000 --- a/salt/filebeat/modules/bluecoat.yml.disabled +++ /dev/null @@ -1,22 +0,0 @@ -# Module: bluecoat -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-bluecoat.html - -- module: bluecoat - director: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9505 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local 
diff --git a/salt/filebeat/modules/cef.yml.disabled b/salt/filebeat/modules/cef.yml.disabled deleted file mode 100644 index 2de22edcc..000000000 --- a/salt/filebeat/modules/cef.yml.disabled +++ /dev/null @@ -1,17 +0,0 @@ -# Module: cef -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cef.html - -- module: cef - log: - enabled: true - var: - syslog_host: localhost - syslog_port: 9003 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] diff --git a/salt/filebeat/modules/checkpoint.yml.disabled b/salt/filebeat/modules/checkpoint.yml.disabled deleted file mode 100644 index 9d34b8d72..000000000 --- a/salt/filebeat/modules/checkpoint.yml.disabled +++ /dev/null @@ -1,24 +0,0 @@ -# Module: checkpoint -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-checkpoint.html - -- module: checkpoint - firewall: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9001. - #var.syslog_port: 9001 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] diff --git a/salt/filebeat/modules/cisco.yml.disabled b/salt/filebeat/modules/cisco.yml.disabled deleted file mode 100644 index 9e4658045..000000000 --- a/salt/filebeat/modules/cisco.yml.disabled +++ /dev/null 
@@ -1,142 +0,0 @@ -# Module: cisco -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cisco.html - -- module: cisco - asa: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9001. - #var.syslog_port: 9001 - - # Set the log level from 1 (alerts only) to 7 (include all messages). - # Messages with a log level higher than the specified will be dropped. - # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html - #var.log_level: 7 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] - - ftd: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9003. - #var.syslog_port: 9003 - - # Set the log level from 1 (alerts only) to 7 (include all messages). - # Messages with a log level higher than the specified will be dropped. - # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html - #var.log_level: 7 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. 
used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] - - ios: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9002. - #var.syslog_port: 9002 - - # Set custom paths for the log files when using file input. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - nexus: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9506 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - meraki: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9525 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. 
- # "+02:00" for GMT+02:00 - # var.tz_offset: local - - umbrella: - enabled: true - - #var.input: aws-s3 - # AWS SQS queue url - #var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue - # Access ID to authenticate with the S3 input - #var.access_key_id: 123456 - # Access key to authenticate with the S3 input - #var.secret_access_key: PASSWORD - # The duration that the received messages are hidden from ReceiveMessage request - #var.visibility_timeout: 300s - # Maximum duration before AWS API request will be interrupted - #var.api_timeout: 120s - - amp: - enabled: true - - # Set which input to use between httpjson (default) or file. - #var.input: httpjson - - # The API URL - #var.url: https://api.amp.cisco.com/v1/events - # The client ID used as a username for the API requests. - #var.client_id: - # The API key related to the client ID. - #var.api_key: - # How far to look back the first time the module is started. Expects an amount of hours. - #var.first_interval: 24h - # Overriding the default request timeout, optional. - #var.request_timeout: 60s diff --git a/salt/filebeat/modules/coredns.yml.disabled b/salt/filebeat/modules/coredns.yml.disabled deleted file mode 100644 index 46e9e55c1..000000000 --- a/salt/filebeat/modules/coredns.yml.disabled +++ /dev/null @@ -1,11 +0,0 @@ -# Module: coredns -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-coredns.html - -- module: coredns - # Fileset for native deployment - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/crowdstrike.yml.disabled b/salt/filebeat/modules/crowdstrike.yml.disabled deleted file mode 100644 index 8d2c8531d..000000000 --- a/salt/filebeat/modules/crowdstrike.yml.disabled +++ /dev/null 
@@ -1,11 +0,0 @@
-# Module: crowdstrike
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-crowdstrike.html
-
-- module: crowdstrike
-
- falcon:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/cyberark.yml.disabled b/salt/filebeat/modules/cyberark.yml.disabled
deleted file mode 100644
index e97955adf..000000000
--- a/salt/filebeat/modules/cyberark.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: cyberark
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberark.html
-
-- module: cyberark
- corepas:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9527
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/cylance.yml.disabled b/salt/filebeat/modules/cylance.yml.disabled
deleted file mode 100644
index 342d654d2..000000000
--- a/salt/filebeat/modules/cylance.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: cylance
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cylance.html
-
-- module: cylance
- protect:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9508
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/elasticsearch.yml.disabled b/salt/filebeat/modules/elasticsearch.yml.disabled
deleted file mode 100644
index e6074c05e..000000000
--- a/salt/filebeat/modules/elasticsearch.yml.disabled
+++ /dev/null
@@ -1,35 +0,0 @@
-# Module: elasticsearch
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-elasticsearch.html
-
-- module: elasticsearch
- # Server log
- server:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- gc:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- audit:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- slowlog:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- deprecation:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/envoyproxy.yml.disabled b/salt/filebeat/modules/envoyproxy.yml.disabled
deleted file mode 100644
index 543b17be5..000000000
--- a/salt/filebeat/modules/envoyproxy.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: envoyproxy
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-envoyproxy.html
-
-- module: envoyproxy
- # Fileset for native deployment
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/f5.yml.disabled b/salt/filebeat/modules/f5.yml.disabled
deleted file mode 100644
index 959842174..000000000
--- a/salt/filebeat/modules/f5.yml.disabled
+++ /dev/null
@@ -1,41 +0,0 @@
-# Module: f5
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-f5.html
-
-- module: f5
- bigipapm:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9504
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- bigipafm:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9528
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/fortinet.yml.disabled b/salt/filebeat/modules/fortinet.yml.disabled
deleted file mode 100644
index 281b7d788..000000000
--- a/salt/filebeat/modules/fortinet.yml.disabled
+++ /dev/null
@@ -1,83 +0,0 @@
-# Module: fortinet
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-fortinet.html
-
-- module: fortinet
- firewall:
- enabled: true
-
- # Set which input to use between tcp, udp (default) or file.
- #var.input: udp
-
- # The interface to listen to syslog traffic. Defaults to
- # localhost. Set to 0.0.0.0 to bind to all available interfaces.
- #var.syslog_host: localhost
-
- # The port to listen for syslog traffic. Defaults to 9004.
- #var.syslog_port: 9004
-
- # Set internal interfaces. used to override parsed network.direction
- # based on a tagged interface. Both internal and external interfaces must be
- # set to leverage this functionality.
- #var.internal_interfaces: [ "LAN" ]
-
- # Set external interfaces. used to override parsed network.direction
- # based on a tagged interface. Both internal and external interfaces must be
- # set to leverage this functionality.
- #var.external_interfaces: [ "WAN" ]
-
- clientendpoint:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9510
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimail:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9529
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimanager:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9530
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/gcp.yml.disabled b/salt/filebeat/modules/gcp.yml.disabled
deleted file mode 100644
index a09d0fe36..000000000
--- a/salt/filebeat/modules/gcp.yml.disabled
+++ /dev/null
@@ -1,76 +0,0 @@
-# Module: gcp
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gcp.html
-
-- module: gcp
- vpcflow:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
- # configured to use this topic as a sink for VPC flow logs.
- var.topic: gcp-vpc-flowlogs
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- # Set internal networks. This is used to classify network.direction based
- # off of what networks are considered "internal" either base off of a CIDR
- # block or named network conditions. If this is not specified, then traffic
- # direction is determined by whether it is between source and destination
- # instance information rather than IP.
- #
- # For a full list of network conditions see:
- # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
- #var.internal_networks: [ "private" ]
-
- firewall:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-firewall
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-firewall-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- # Set internal networks. 
This is used to classify network.direction based
- # off of what networks are considered "internal" either base off of a CIDR
- # block or named network conditions. If this is not specified, then traffic
- # is taken from the direction data in the rule_details event payload.
- #
- # For a full list of network conditions see:
- # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
- #var.internal_networks: [ "private" ]
-
- audit:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-audit
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-audit
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
diff --git a/salt/filebeat/modules/google_workspace.yml.disabled b/salt/filebeat/modules/google_workspace.yml.disabled
deleted file mode 100644
index 6d364af98..000000000
--- a/salt/filebeat/modules/google_workspace.yml.disabled
+++ /dev/null
@@ -1,53 +0,0 @@
-# Module: google_workspace
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-google_workspace.html
-
-- module: google_workspace
- saml:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- user_accounts:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- login:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- admin:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- drive:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- groups:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
-
diff --git a/salt/filebeat/modules/googlecloud.yml.disabled b/salt/filebeat/modules/googlecloud.yml.disabled
deleted file mode 100644
index 9a28dc036..000000000
--- a/salt/filebeat/modules/googlecloud.yml.disabled
+++ /dev/null
@@ -1,58 +0,0 @@
-# Module: googlecloud
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-googlecloud.html
-
-# googlecloud module is deprecated, please use gcp instead
-- module: gcp
- vpcflow:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
- # configured to use this topic as a sink for VPC flow logs.
- var.topic: gcp-vpc-flowlogs
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- firewall:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-firewall
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-firewall-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- audit:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-audit
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-audit
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
diff --git a/salt/filebeat/modules/gsuite.yml.disabled b/salt/filebeat/modules/gsuite.yml.disabled
deleted file mode 100644
index 6aec3b65d..000000000
--- a/salt/filebeat/modules/gsuite.yml.disabled
+++ /dev/null
@@ -1,53 +0,0 @@
-# Module: gsuite
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gsuite.html
-
-# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
-- module: gsuite
- saml:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- user_accounts:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- login:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- admin:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- drive:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- groups:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
diff --git a/salt/filebeat/modules/haproxy.yml.disabled b/salt/filebeat/modules/haproxy.yml.disabled
deleted file mode 100644
index b2615dbb8..000000000
--- a/salt/filebeat/modules/haproxy.yml.disabled
+++ /dev/null
@@ -1,14 +0,0 @@
-# Module: haproxy
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-haproxy.html
-
-- module: haproxy
- # All logs
- log:
- enabled: true
-
- # Set which input to use between syslog (default) or file.
- #var.input:
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/ibmmq.yml.disabled b/salt/filebeat/modules/ibmmq.yml.disabled
deleted file mode 100644
index bfaf3792d..000000000
--- a/salt/filebeat/modules/ibmmq.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: ibmmq
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-ibmmq.html
-
-- module: ibmmq
- # All logs
- errorlog:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/icinga.yml.disabled b/salt/filebeat/modules/icinga.yml.disabled
deleted file mode 100644
index a7c3ac6e1..000000000
--- a/salt/filebeat/modules/icinga.yml.disabled
+++ /dev/null
@@ -1,27 +0,0 @@
-# Module: icinga
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-icinga.html
-
-- module: icinga
- # Main logs
- main:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Debug logs
- debug:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Startup logs
- startup:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/iis.yml.disabled b/salt/filebeat/modules/iis.yml.disabled
deleted file mode 100644
index 44c200ba1..000000000
--- a/salt/filebeat/modules/iis.yml.disabled
+++ /dev/null
@@ -1,20 +0,0 @@
-# Module: iis
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iis.html
-
-- module: iis
- # Access logs
- access:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Error logs
- error:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
\ No newline at end of file
diff --git a/salt/filebeat/modules/imperva.yml.disabled b/salt/filebeat/modules/imperva.yml.disabled
deleted file mode 100644
index 8e53deaa6..000000000
--- a/salt/filebeat/modules/imperva.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: imperva
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-imperva.html
-
-- module: imperva
- securesphere:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9511
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/infoblox.yml.disabled b/salt/filebeat/modules/infoblox.yml.disabled
deleted file mode 100644
index 9e82f8340..000000000
--- a/salt/filebeat/modules/infoblox.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: infoblox
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-infoblox.html
-
-- module: infoblox
- nios:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9512
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/iptables.yml.disabled b/salt/filebeat/modules/iptables.yml.disabled
deleted file mode 100644
index 1147e14dd..000000000
--- a/salt/filebeat/modules/iptables.yml.disabled
+++ /dev/null
@@ -1,13 +0,0 @@
-# Module: iptables
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iptables.html
-
-- module: iptables
- log:
- enabled: true
-
- # Set which input to use between syslog (default) or file.
- #var.input:
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/juniper.yml.disabled b/salt/filebeat/modules/juniper.yml.disabled
deleted file mode 100644
index 71112679d..000000000
--- a/salt/filebeat/modules/juniper.yml.disabled
+++ /dev/null
@@ -1,54 +0,0 @@
-# Module: juniper
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-juniper.html
-
-- module: juniper
- junos:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9513
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- netscreen:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9523
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- srx:
- enabled: true
-
- # Set which input to use between tcp, udp (default) or file.
- #var.input: udp
-
- # The interface to listen to syslog traffic. Defaults to
- # localhost. Set to 0.0.0.0 to bind to all available interfaces.
- #var.syslog_host: localhost
-
- # The port to listen for syslog traffic. Defaults to 9006.
- #var.syslog_port: 9006
diff --git a/salt/filebeat/modules/kafka.yml.disabled b/salt/filebeat/modules/kafka.yml.disabled
deleted file mode 100644
index 23362c8a1..000000000
--- a/salt/filebeat/modules/kafka.yml.disabled
+++ /dev/null
@@ -1,15 +0,0 @@
-# Module: kafka
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kafka.html
-
-- module: kafka
- # All logs
- log:
- enabled: true
-
- # Set custom paths for Kafka. If left empty,
- # Filebeat will look under /opt.
- #var.kafka_home:
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/kibana.yml.disabled b/salt/filebeat/modules/kibana.yml.disabled
deleted file mode 100644
index a4956c4b6..000000000
--- a/salt/filebeat/modules/kibana.yml.disabled
+++ /dev/null
@@ -1,19 +0,0 @@
-# Module: kibana
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kibana.html
-
-- module: kibana
- # Server logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Audit logs
- audit:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/logstash.yml.disabled b/salt/filebeat/modules/logstash.yml.disabled
deleted file mode 100644
index f14229409..000000000
--- a/salt/filebeat/modules/logstash.yml.disabled
+++ /dev/null
@@ -1,18 +0,0 @@
-# Module: logstash
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-logstash.html
-
-- module: logstash
- # logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Slow logs
- slowlog:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/microsoft.yml.disabled b/salt/filebeat/modules/microsoft.yml.disabled
deleted file mode 100644
index b0a1b10c6..000000000
--- a/salt/filebeat/modules/microsoft.yml.disabled
+++ /dev/null
@@ -1,49 +0,0 @@
-# Module: microsoft
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-microsoft.html
-
-- module: microsoft
- # ATP configuration
- defender_atp:
- enabled: true
- # How often the API should be polled
- #var.interval: 5m
-
- # Oauth Client ID
- #var.oauth2.client.id: ""
-
- # Oauth Client Secret
- #var.oauth2.client.secret: ""
-
- # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
- m365_defender:
- enabled: true
- # How often the API should be polled
- #var.interval: 5m
-
- # Oauth Client ID
- #var.oauth2.client.id: ""
-
- # Oauth Client Secret
- #var.oauth2.client.secret: ""
-
- # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
- dhcp:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9515
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/misp.yml.disabled b/salt/filebeat/modules/misp.yml.disabled
deleted file mode 100644
index 9a489fa0f..000000000
--- a/salt/filebeat/modules/misp.yml.disabled
+++ /dev/null
@@ -1,17 +0,0 @@
-# Module: misp
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-misp.html
-
-- module: misp
- threat:
- enabled: true
- # API key to access MISP
- #var.api_key
-
- # Array object in MISP response
- #var.http_request_body.limit: 1000
-
- # URL of the MISP REST API
- #var.url
-
- # You can also pass SSL options. For example:
- #var.ssl.verification_mode: none
diff --git a/salt/filebeat/modules/mongodb.yml.disabled b/salt/filebeat/modules/mongodb.yml.disabled
deleted file mode 100644
index 266d2e4e8..000000000
--- a/salt/filebeat/modules/mongodb.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: mongodb
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mongodb.html
-
-- module: mongodb
- # All logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/mssql.yml.disabled b/salt/filebeat/modules/mssql.yml.disabled
deleted file mode 100644
index bfe4c6e64..000000000
--- a/salt/filebeat/modules/mssql.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: mssql
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mssql.html
-
-- module: mssql
- # Fileset for native deployment
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']
diff --git a/salt/filebeat/modules/mysql.yml.disabled b/salt/filebeat/modules/mysql.yml.disabled
deleted file mode 100644
index e6be4045b..000000000
--- a/salt/filebeat/modules/mysql.yml.disabled
+++ /dev/null
@@ -1,19 +0,0 @@
-# Module: mysql
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysql.html
-
-- module: mysql
- # Error logs
- error:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Slow logs
- slowlog:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/mysqlenterprise.yml.disabled b/salt/filebeat/modules/mysqlenterprise.yml.disabled
deleted file mode 100644
index 37e10d0eb..000000000
--- a/salt/filebeat/modules/mysqlenterprise.yml.disabled
+++ /dev/null
@@ -1,14 +0,0 @@
-# Module: mysqlenterprise
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysqlenterprise.html
-
-- module: mysqlenterprise
- audit:
- enabled: true
-
- # Sets the input type. Currently only supports file
- #var.input: file
-
- # Set paths for the log files when file input is used.
- # Should only be used together with file input
- # var.paths:
- # - /home/user/mysqlauditlogs/audit.*.log
diff --git a/salt/filebeat/modules/nats.yml.disabled b/salt/filebeat/modules/nats.yml.disabled
deleted file mode 100644
index 65e44962d..000000000
--- a/salt/filebeat/modules/nats.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: nats
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nats.html
-
-- module: nats
- # All logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/netflow.yml.disabled b/salt/filebeat/modules/netflow.yml.disabled
deleted file mode 100644
index 781748b00..000000000
--- a/salt/filebeat/modules/netflow.yml.disabled
+++ /dev/null
@@ -1,14 +0,0 @@
-# Module: netflow
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netflow.html
-
-- module: netflow
- log:
- enabled: true
- var:
- netflow_host: localhost
- netflow_port: 2055
- # internal_networks specifies which networks are considered internal or private
- # you can specify either a CIDR block or any of the special named ranges listed
- # at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
- internal_networks:
- - private
diff --git a/salt/filebeat/modules/netscout.yml.disabled b/salt/filebeat/modules/netscout.yml.disabled
deleted file mode 100644
index 215349046..000000000
--- a/salt/filebeat/modules/netscout.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: netscout
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netscout.html
-
-- module: netscout
- sightline:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9502
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/nginx.yml.disabled b/salt/filebeat/modules/nginx.yml.disabled
deleted file mode 100644
index e2fa44a78..000000000
--- a/salt/filebeat/modules/nginx.yml.disabled
+++ /dev/null
@@ -1,27 +0,0 @@
-# Module: nginx
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nginx.html
-
-- module: nginx
- # Access logs
- access:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Error logs
- error:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
- ingress_controller:
- enabled: false
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/o365.yml.disabled b/salt/filebeat/modules/o365.yml.disabled
deleted file mode 100644
index 578ff365d..000000000
--- a/salt/filebeat/modules/o365.yml.disabled
+++ /dev/null
@@ -1,48 +0,0 @@
-# Module: o365
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-o365.html
-
-- module: o365
- audit:
- enabled: true
-
- # Set the application_id (also known as client ID):
- var.application_id: ""
-
- # Configure the tenants to monitor:
- # Use the tenant ID (also known as directory ID) and the domain name.
- # var.tenants:
- # - id: "tenant_id_1"
- # name: "mydomain.onmicrosoft.com"
- # - id: "tenant_id_2"
- # name: "mycompany.com"
- var.tenants:
- - id: ""
- name: "mytenant.onmicrosoft.com"
-
- # List of content-types to fetch. By default all known content-types
- # are retrieved:
- # var.content_type:
- # - "Audit.AzureActiveDirectory"
- # - "Audit.Exchange"
- # - "Audit.SharePoint"
- # - "Audit.General"
- # - "DLP.All"
-
- # Use the following settings to enable certificate-based authentication:
- # var.certificate: "/path/to/certificate.pem"
- # var.key: "/path/to/private_key.pem"
- # var.key_passphrase: "myPrivateKeyPassword"
-
- # Client-secret based authentication:
- # Comment the following line if using certificate authentication.
- var.client_secret: ""
-
- # Advanced settings, use with care:
- # var.api:
- # # Settings for custom endpoints:
- # authentication_endpoint: "https://login.microsoftonline.us/"
- # resource: "https://manage.office365.us"
- #
- # max_retention: 168h
- # max_requests_per_minute: 2000
- # poll_interval: 3m
diff --git a/salt/filebeat/modules/okta.yml.disabled b/salt/filebeat/modules/okta.yml.disabled
deleted file mode 100644
index 4fc943592..000000000
--- a/salt/filebeat/modules/okta.yml.disabled
+++ /dev/null
@@ -1,10 +0,0 @@
-# Module: okta
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-okta.html
-
-- module: okta
- system:
- enabled: true
- # You must configure the URL with your Okta domain and provide an
- # API token to access the logs API.
- #var.url: https://yourOktaDomain/api/v1/logs
- #var.api_key: 'yourApiTokenHere'
diff --git a/salt/filebeat/modules/oracle.yml.disabled b/salt/filebeat/modules/oracle.yml.disabled
deleted file mode 100644
index 3bd576ee1..000000000
--- a/salt/filebeat/modules/oracle.yml.disabled
+++ /dev/null
@@ -1,13 +0,0 @@
-# Module: oracle
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-oracle.html
-
-- module: oracle
- database_audit:
- enabled: true
-
- # Set which input to use between syslog or file (default).
- #var.input: file
-
- # Set paths for the log files when file input is used.
- # Should only be used together with file input
- # var.paths: /home/user/oracleauditlogs/*.aud
diff --git a/salt/filebeat/modules/osquery.yml.disabled b/salt/filebeat/modules/osquery.yml.disabled
deleted file mode 100644
index 7a9a09dd8..000000000
--- a/salt/filebeat/modules/osquery.yml.disabled
+++ /dev/null
@@ -1,15 +0,0 @@
-# Module: osquery
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-osquery.html
-
-- module: osquery
- result:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # If true, all fields created by this module are prefixed with
- # `osquery.result`. Set to false to copy the fields in the root
- # of the document. The default is true.
- #var.use_namespace: true
diff --git a/salt/filebeat/modules/panw.yml.disabled b/salt/filebeat/modules/panw.yml.disabled
deleted file mode 100644
index eb094a25a..000000000
--- a/salt/filebeat/modules/panw.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: panw
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-panw.html
-
-- module: panw
- panos:
- enabled: true
-
- # Set which input to use between syslog (default) or file.
- #var.input:
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Set internal security zones. used to determine network.direction
- # default "trust"
- #var.internal_zones:
-
- # Set external security zones. used to determine network.direction
- # default "untrust"
- #var.external_zones:
-
diff --git a/salt/filebeat/modules/pensando.yml.disabled b/salt/filebeat/modules/pensando.yml.disabled
deleted file mode 100644
index 66bd60d76..000000000
--- a/salt/filebeat/modules/pensando.yml.disabled
+++ /dev/null
@@ -1,13 +0,0 @@
-# Module: pensando
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-pensando.html
-
-- module: pensando
-# Firewall logs
- dfw:
- enabled: true
- var.syslog_host: 0.0.0.0
- var.syslog_port: 9001
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- # var.paths:
diff --git a/salt/filebeat/modules/postgresql.yml.disabled b/salt/filebeat/modules/postgresql.yml.disabled
deleted file mode 100644
index 804b7f34f..000000000
--- a/salt/filebeat/modules/postgresql.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: postgresql
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-postgresql.html
-
-- module: postgresql
- # All logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/proofpoint.yml.disabled b/salt/filebeat/modules/proofpoint.yml.disabled
deleted file mode 100644
index 9aeebd5fe..000000000
--- a/salt/filebeat/modules/proofpoint.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: proofpoint
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-proofpoint.html
-
-- module: proofpoint
- emailsecurity:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9531
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/rabbitmq.yml.disabled b/salt/filebeat/modules/rabbitmq.yml.disabled
deleted file mode 100644
index e61a0a0c9..000000000
--- a/salt/filebeat/modules/rabbitmq.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: rabbitmq
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-rabbitmq.html
-
-- module: rabbitmq
- # All logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"]
diff --git a/salt/filebeat/modules/radware.yml.disabled b/salt/filebeat/modules/radware.yml.disabled
deleted file mode 100644
index f9ab3e519..000000000
--- a/salt/filebeat/modules/radware.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: radware
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-radware.html
-
-- module: radware
- defensepro:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9518
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/redis.yml.disabled b/salt/filebeat/modules/redis.yml.disabled
deleted file mode 100644
index 9b621dc2d..000000000
--- a/salt/filebeat/modules/redis.yml.disabled
+++ /dev/null
@@ -1,21 +0,0 @@
-# Module: redis
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-redis.html
-
-- module: redis
- # Main logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths: ["/var/log/redis/redis-server.log*"]
-
- # Slow logs, retrieved via the Redis API (SLOWLOG)
- slowlog:
- enabled: true
-
- # The Redis hosts to connect to.
- #var.hosts: ["localhost:6379"]
-
- # Optional, the password to use when connecting to Redis.
- #var.password:
diff --git a/salt/filebeat/modules/santa.yml.disabled b/salt/filebeat/modules/santa.yml.disabled
deleted file mode 100644
index 1a7363547..000000000
--- a/salt/filebeat/modules/santa.yml.disabled
+++ /dev/null
@@ -1,9 +0,0 @@
-# Module: santa
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-santa.html
-
-- module: santa
- log:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the the default path.
- #var.paths:
diff --git a/salt/filebeat/modules/snort.yml.disabled b/salt/filebeat/modules/snort.yml.disabled
deleted file mode 100644
index 8c9bcc471..000000000
--- a/salt/filebeat/modules/snort.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: snort
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snort.html
-
-- module: snort
- log:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9532
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/snyk.yml.disabled b/salt/filebeat/modules/snyk.yml.disabled
deleted file mode 100644
index 0b13f8155..000000000
--- a/salt/filebeat/modules/snyk.yml.disabled
+++ /dev/null
@@ -1,112 +0,0 @@
-# Module: snyk
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snyk.html
-
-- module: snyk
- audit:
- enabled: true
-
- # Set which input to use between httpjson (default) or file.
- #var.input: httpjson
- #
- # What audit type to collect, can be either "group" or "organization".
- #var.audit_type: organization
- #
- # The ID related to the audit_type. If audit type is group, then this value should be
- # the group ID and if it is organization it should be the organization ID to collect from.
- #var.audit_id: 1235432-asdfdf-2341234-asdgjhg
-
- # How often the API should be polled, defaults to 1 hour.
- #var.interval: 1h
- # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
- #var.first_interval: 24h
-
- # The API token that is created for a specific user, found in the Snyk management dashboard.
- #var.api_token:
-
- # Event filtering.
- # All configuration items below is OPTIONAL and the default options will be overwritten
- # for each entry that is not commented out.
-
- # Will return only logs for this specific project.
- #var.project_id: ""
- # User public ID. Will fetch only audit logs originated from this user's actions.
- #var.user_id: ""
- # Will return only logs for this specific event.
- #var.event: ""
- # User email address. Will fetch only audit logs originated from this user's actions.
- #var.email_address: ""
-
- vulnerabilities:
- enabled: true
-
- # Set which input to use between httpjson (default) or file.
- #var.input: httpjson
-
- # How often the API should be polled. Data from the Snyk API is automatically updated
- # once per day, so the default interval is 24 hours.
- #var.interval: 24h
-
- # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
- #var.first_interval: 24h
-
- # The API token that is created for a specific user, found in the Snyk management dashboard.
- #var.api_token: - - # The list of org IDs to filter the results by. - # One organization ID per line, starting with a - sign - #var.orgs: - # - 12354-asdfdf-123543-asdsdfg - # - 76554-jhggfd-654342-hgrfasd - - - # Event filtering. - # All configuration items below is OPTIONAL and the default options will be overwritten - # for each entry that is not commented out. - - # The severity levels of issues to filter the results by. - #var.included_severity: - # - high - # - medium - # - low - # - # The exploit maturity levels of issues to filter the results by. - #var.exploit_maturity: - # - mature - # - proof-of-concept - # - no-known-exploit - # - no-data - # - # The type of issues to filter the results by. - #var.types: - # - vuln - # - license - # - # The type of languages to filter the results by. - #var.languages: - # - javascript - # - ruby - # - java - # - scala - # - python - # - golang - # - php - # - dotnet - # - swift - # - docker - # - # Search term to filter issue name by, or an exact CVE or CWE. - #var.identifier: - # - "" - # - # If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored. - #var.ignored: false - #var.patched: false - #var.fixable: false - #var.is_fixed: false - #var.is_patchable: false - #var.is_pinnable: false - # - # The priority score ranging between 0-1000 - #var.min_priority_score: 0 - #var.max_priority_score: 1000 - diff --git a/salt/filebeat/modules/sonicwall.yml.disabled b/salt/filebeat/modules/sonicwall.yml.disabled deleted file mode 100644 index de457109d..000000000 --- a/salt/filebeat/modules/sonicwall.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@
-# Module: sonicwall
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sonicwall.html
-
-- module: sonicwall
- firewall:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9519
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/sophos.yml.disabled b/salt/filebeat/modules/sophos.yml.disabled
deleted file mode 100644
index 8fc346540..000000000
--- a/salt/filebeat/modules/sophos.yml.disabled
+++ /dev/null
@@ -1,46 +0,0 @@
-# Module: sophos
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sophos.html
-
-- module: sophos
- xg:
- enabled: true
-
- # Set which input to use between tcp, udp (default) or file.
- #var.input: udp
-
- # The interface to listen to syslog traffic. Defaults to
- # localhost. Set to 0.0.0.0 to bind to all available interfaces.
- #var.syslog_host: localhost
-
- # The port to listen for syslog traffic. Defaults to 9004.
- #var.syslog_port: 9005
-
- # firewall default hostname
- #var.default_host_name: firewall.localgroup.local
-
- # known firewalls
- #var.known_devices:
- #- serial_number: "1234567890123457"
- # hostname: "a.host.local"
- #- serial_number: "1234234590678557"
- # hostname: "b.host.local"
-
-
- utm:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9533
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/squid.yml.disabled b/salt/filebeat/modules/squid.yml.disabled
deleted file mode 100644
index a47807253..000000000
--- a/salt/filebeat/modules/squid.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: squid
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-squid.html
-
-- module: squid
- log:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9520
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/suricata.yml b/salt/filebeat/modules/suricata.yml
deleted file mode 100644
index b7cc11e85..000000000
--- a/salt/filebeat/modules/suricata.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Module: suricata
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
-
-- module: suricata
- # All logs
- eve:
- enabled: true
- var.paths: ["/nsm/suricata/eve*.json"]
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/system.yml.disabled b/salt/filebeat/modules/system.yml.disabled
deleted file mode 100644
index d633bac04..000000000
--- a/salt/filebeat/modules/system.yml.disabled
+++ /dev/null
@@ -1,19 +0,0 @@
-# Module: system
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-system.html
-
-- module: system
- # Syslog
- syslog:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Authorization logs
- auth:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/threatintel.yml.disabled b/salt/filebeat/modules/threatintel.yml.disabled
deleted file mode 100644
index b461d91e2..000000000
--- a/salt/filebeat/modules/threatintel.yml.disabled
+++ /dev/null
@@ -1,105 +0,0 @@
-# Module: threatintel
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-threatintel.html
-
-- module: threatintel
- abuseurl:
- enabled: true
-
- # Input used for ingesting threat intel data.
- var.input: httpjson
-
- # The URL used for Threat Intel API calls.
- var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/
-
- # The interval to poll the API for updates.
- var.interval: 10m
-
- abusemalware:
- enabled: true
-
- # Input used for ingesting threat intel data.
- var.input: httpjson
-
- # The URL used for Threat Intel API calls.
- var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/
-
- # The interval to poll the API for updates.
- var.interval: 10m
-
- misp:
- enabled: true
-
- # Input used for ingesting threat intel data, defaults to JSON.
- var.input: httpjson
-
- # The URL of the MISP instance, should end with "/events/restSearch".
- var.url: https://SERVER/events/restSearch
-
- # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI.
- var.api_token: API_KEY
-
- # Configures the type of SSL verification done, if MISP is running on self signed certificates
- # then the certificate would either need to be trusted, or verification_mode set to none.
- #var.ssl.verification_mode: none
-
- # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context.
- # For examples please reference the filebeat module documentation.
- #var.filters:
- # - threat_level: [4, 5]
- # - to_ids: true
-
- # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer
- # than the last event that was already ingested.
- var.first_interval: 300h
-
- # The interval to poll the API for updates.
- var.interval: 5m
-
- otx:
- enabled: true
-
- # Input used for ingesting threat intel data
- var.input: httpjson
-
- # The URL used for OTX Threat Intel API calls.
- var.url: https://otx.alienvault.com/api/v1/indicators/export
-
- # The authentication token used to contact the OTX API, can be found on the OTX UI.
- var.api_token: API_KEY
-
- # Optional filters that can be applied to retrieve only specific indicators.
- #var.types: "domain,IPv4,hostname,url,FileHash-SHA256"
-
- # The timeout of the HTTP client connecting to the OTX API
- #var.http_client_timeout: 120s
-
- # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module.
- var.lookback_range: 1h
-
- # How far back to look once the beat starts up for the first time, the value has to be in hours.
- var.first_interval: 400h
-
- # The interval to poll the API for updates
- var.interval: 5m
-
- anomali:
- enabled: true
-
- # Input used for ingesting threat intel data
- var.input: httpjson
-
- # The URL used for Threat Intel API calls. Limo has multiple different possibilities for URL's depending
- # on the type of threat intel source that is needed.
- var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects
-
- # The Username used by anomali Limo, defaults to guest.
- #var.username: guest
-
- # The password used by anomali Limo, defaults to guest.
- #var.password: guest
-
- # How far back to look once the beat starts up for the first time, the value has to be in hours.
- var.first_interval: 400h
-
- # The interval to poll the API for updates
- var.interval: 5m
diff --git a/salt/filebeat/modules/tomcat.yml.disabled b/salt/filebeat/modules/tomcat.yml.disabled
deleted file mode 100644
index 84f4619d5..000000000
--- a/salt/filebeat/modules/tomcat.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: tomcat
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-tomcat.html
-
-- module: tomcat
- log:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9501
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/traefik.yml.disabled b/salt/filebeat/modules/traefik.yml.disabled
deleted file mode 100644
index 657d5ccd9..000000000
--- a/salt/filebeat/modules/traefik.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: traefik
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-traefik.html
-
-- module: traefik
- # Access logs
- access:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/zeek.yml b/salt/filebeat/modules/zeek.yml
deleted file mode 100644
index 9fd61c448..000000000
--- a/salt/filebeat/modules/zeek.yml
+++ /dev/null
@@ -1,122 +0,0 @@ -# Module: zeek -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html - -- module: zeek - capture_loss: - enabled: false - var.paths: ["/nsm/zeek/logs/current/capture_loss.log"] - connection: - enabled: true - var.paths: ["/nsm/zeek/logs/current/conn.log"] - dce_rpc: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dce_rpc.log"] - dhcp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dhcp.log"] - dnp3: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dnp3.log"] - dns: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dns.log"] - dpd: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dpd.log"] - files: - enabled: true - var.paths: ["/nsm/zeek/logs/current/files.log"] - ftp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ftp.log"] - http: - enabled: true - var.paths: ["/nsm/zeek/logs/current/http.log"] - intel: - enabled: true - var.paths: ["/nsm/zeek/logs/current/intel.log"] - irc: - enabled: true - var.paths: ["/nsm/zeek/logs/current/irc.log"] - kerberos: - enabled: true - var.paths: ["/nsm/zeek/logs/current/kerberos.log"] - modbus: - enabled: true - var.paths: ["/nsm/zeek/logs/current/modbus.log"] - mysql: - enabled: true - var.paths: ["/nsm/zeek/logs/current/mysql.log"] - notice: - enabled: true - var.paths: ["/nsm/zeek/logs/current/notice.log"] - ntlm: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ntlm.log"] - ocsp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/oscp.log"] - pe: - enabled: true - var.paths: ["/nsm/zeek/logs/current/pe.log"] - radius: - enabled: true - var.paths: ["/nsm/zeek/logs/current/radius.log"] - rdp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/rdp.log"] - rfb: - enabled: true - var.paths: ["/nsm/zeek/logs/current/rfb.log"] - signature: - enabled: true - var.paths: ["/nsm/zeek/logs/current/signature.log"] - sip: - enabled: true - var.paths: ["/nsm/zeek/logs/current/sip.log"] - smb_cmd: - enabled: true - var.paths: 
["/nsm/zeek/logs/current/smb_cmd.log"] - smb_files: - enabled: true - var.paths: ["/nsm/zeek/logs/current/smb_files.log"] - smb_mapping: - enabled: true - var.paths: ["/nsm/zeek/logs/current/smb_mapping.log"] - smtp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/smtp.log"] - snmp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/snmp.log"] - socks: - enabled: true - var.paths: ["/nsm/zeek/logs/current/socks.log"] - ssh: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ssh.log"] - ssl: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ssl.log"] - stats: - enabled: false - var.paths: ["/nsm/zeek/logs/current/stats.log"] - syslog: - enabled: false - var.paths: ["/nsm/zeek/logs/current/syslog.log"] - traceroute: - enabled: false - var.paths: ["/nsm/zeek/logs/current/traceroute.log.log"] - tunnel: - enabled: true - var.paths: ["/nsm/zeek/logs/current/tunnel.log"] - weird: - enabled: true - var.paths: ["/nsm/zeek/logs/current/weird.log"] - x509: - enabled: true - var.paths: ["/nsm/zeek/logs/current/x509.log"] - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/zoom.yml.disabled b/salt/filebeat/modules/zoom.yml.disabled deleted file mode 100644 index 15fa9d4b2..000000000 --- a/salt/filebeat/modules/zoom.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@
-# Module: zoom
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zoom.html
-
-- module: zoom
- webhook:
- enabled: true
-
- # The type of input to use
- #var.input: http_endpoint
-
- # The interface to listen for incoming HTTP requests. Defaults to
- # localhost. Set to 0.0.0.0 to bind to all available interfaces.
- #var.listen_address: localhost
-
- # The port to bind to
- #var.listen_port: 80
-
- # The header Zoom uses to send its secret token, defaults to "Authorization"
- #secret.header: Authorization
-
- # The secret token value created by Zoom
- #secret.value: ZOOMTOKEN
diff --git a/salt/filebeat/modules/zscaler.yml.disabled b/salt/filebeat/modules/zscaler.yml.disabled
deleted file mode 100644
index accdec9ea..000000000
--- a/salt/filebeat/modules/zscaler.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: zscaler
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zscaler.html
-
-- module: zscaler
- zia:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9521
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index 8bcecd618..19826a708 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -26,7 +26,7 @@ securityonion_filebeat:
 zeek:
 {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
 {{ LOGNAME }}:
- enabled: false
+ enabled: true
 var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
 {%- endfor %}
 {%- endif %}
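Review bot: The new `enabled: true` in the templated zeek block of securityoniondefaults.yaml makes the pillar list `zeeklogs:enabled` the only thing that decides which Zeek logs Filebeat reads, and nothing near the loop says so; a comment above the `{%- for` line, `# Every log named in pillar zeeklogs:enabled is collected; remove it from the pillar to stop shipping it`, would make that explicit. The static zeek.yml deleted earlier in this patch kept capture_loss, stats, syslog and traceroute at `enabled: false`, and whether those names are absent from the pillar list is not visible here, so it is worth confirming the flip does not start shipping logs that were deliberately off. `{{ LOGNAME }}` is also emitted unquoted as a mapping key, so a pillar value containing `: ` or starting with a YAML indicator would break the rendered file; `"{{ LOGNAME }}":` is the cheap guard. The `{%- if` that the visible `{%- endif %}` closes opens outside the hunk.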