fix merge conflict

2025-12-07 01:32:47 +01:00 · 2021-05-25 17:16:44 -04:00
parent dfaf40f583 543154f037
commit ecf7e25a51
71 changed files with 5 additions and 2281 deletions
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -80,7 +80,7 @@ filebeatmoduleconfsync:
 sodefaults_module_conf:
  file.managed:
-    - name: /opt/so/conf/filebeat/etc/securityonion.yml
+    - name: /opt/so/conf/filebeat/modules/securityonion.yml
    - source: salt://filebeat/etc/module_config.yml.jinja
    - template: jinja
    - defaults:
@@ -88,7 +88,7 @@ sodefaults_module_conf:
 thirdparty_module_conf:
  file.managed:
-    - name: /opt/so/conf/filebeat/etc/thirdparty.yml
+    - name: /opt/so/conf/filebeat/modules/thirdparty.yml
    - source: salt://filebeat/etc/module_config.yml.jinja
    - template: jinja
    - defaults:
--- a/salt/filebeat/modules/activemq.yml.disabled
+++ b/salt/filebeat/modules/activemq.yml.disabled
@@ -1,19 +0,0 @@
 # Module: activemq
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-activemq.html
 - module: activemq
  # Audit logs
  audit:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Application logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/apache.yml.disabled
+++ b/salt/filebeat/modules/apache.yml.disabled
@@ -1,19 +0,0 @@
 # Module: apache
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-apache.html
 - module: apache
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/auditd.yml.disabled
+++ b/salt/filebeat/modules/auditd.yml.disabled
@@ -1,10 +0,0 @@
 # Module: auditd
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-auditd.html
 - module: auditd
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/aws.yml.disabled
+++ b/salt/filebeat/modules/aws.yml.disabled
@@ -1,255 +0,0 @@
 # Module: aws
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-aws.html
 - module: aws
  cloudtrail:
    enabled: false
    # AWS SQS queue url
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    # Process CloudTrail logs
    # default is true, set to false to skip Cloudtrail logs
    # var.process_cloudtrail_logs: false
    # Process CloudTrail Digest logs
    # default true, set to false to skip CloudTrail Digest logs
    # var.process_digest_logs: false
    # Process CloudTrail Insight logs
    # default true, set to false to skip CloudTrail Insight logs
    # var.process_insight_logs: false
    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws
    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s
    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com
    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
    #var.fips_enabled: false
    # The maximum number of messages to return from SQS. Valid values: 1 to 10.
    #var.max_number_of_messages: 5
  cloudwatch:
    enabled: false
    # AWS SQS queue url
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws
    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s
    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com
    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
    #var.fips_enabled: false
    # The maximum number of messages to return from SQS. Valid values: 1 to 10.
    #var.max_number_of_messages: 5
  ec2:
    enabled: false
    # AWS SQS queue url
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws
    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s
    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com
    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
    #var.fips_enabled: false
    # The maximum number of messages to return from SQS. Valid values: 1 to 10.
    #var.max_number_of_messages: 5
  elb:
    enabled: false
    # AWS SQS queue url
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws
    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s
    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com
    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
    #var.fips_enabled: false
    # The maximum number of messages to return from SQS. Valid values: 1 to 10.
    #var.max_number_of_messages: 5
  s3access:
    enabled: false
    # AWS SQS queue url
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws
    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s
    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com
    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
    #var.fips_enabled: false
    # The maximum number of messages to return from SQS. Valid values: 1 to 10.
    #var.max_number_of_messages: 5
  vpcflow:
    enabled: false
    # AWS SQS queue url
    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
    # Filename of AWS credential file
    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
    # "%UserProfile%\.aws\credentials" is used on Windows
    #var.shared_credential_file: /etc/filebeat/aws_credentials
    # Profile name for aws credential
    # If not set the default profile is used
    #var.credential_profile_name: fb-aws
    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
    #var.access_key_id: access_key_id
    #var.secret_access_key: secret_access_key
    #var.session_token: session_token
    # The duration that the received messages are hidden from ReceiveMessage request
    # Default to be 300s
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    # Default to be 120s
    #var.api_timeout: 120s
    # Custom endpoint used to access AWS APIs
    #var.endpoint: amazonaws.com
    # AWS IAM Role to assume
    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
    # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
    #var.fips_enabled: false
    # The maximum number of messages to return from SQS. Valid values: 1 to 10.
    #var.max_number_of_messages: 5
--- a/salt/filebeat/modules/azure.yml.disabled
+++ b/salt/filebeat/modules/azure.yml.disabled
@@ -1,45 +0,0 @@
 # Module: azure
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-azure.html
 - module: azure
  # All logs
  activitylogs:
    enabled: true
    var:
      # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
      eventhub: "insights-operational-logs"
      # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
      consumer_group: "$Default"
      # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string
      connection_string: ""
      # the name of the storage account the state/offsets will be stored and updated
      storage_account: ""
      # the storage account key, this key will be used to authorize access to data in your storage account
      storage_account_key: ""
  platformlogs:
    enabled: false
  #  var:
  #    eventhub: ""
  #    consumer_group: "$Default"
  #    connection_string: ""
  #    storage_account: ""
  #    storage_account_key: ""
  auditlogs:
    enabled: false
 #   var:
 #     eventhub: "insights-logs-auditlogs"
 #     consumer_group: "$Default"
 #     connection_string: ""
 #     storage_account: ""
 #     storage_account_key: ""
  signinlogs:
    enabled: false
 #   var:
 #     eventhub: "insights-logs-signinlogs"
 #     consumer_group: "$Default"
 #     connection_string: ""
 #     storage_account: ""
 #     storage_account_key: ""
--- a/salt/filebeat/modules/barracuda.yml.disabled
+++ b/salt/filebeat/modules/barracuda.yml.disabled
@@ -1,41 +0,0 @@
 # Module: barracuda
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-barracuda.html
 - module: barracuda
  waf:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9503
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  spamfirewall:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9524
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/bluecoat.yml.disabled
+++ b/salt/filebeat/modules/bluecoat.yml.disabled
@@ -1,22 +0,0 @@
 # Module: bluecoat
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-bluecoat.html
 - module: bluecoat
  director:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9505
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/cef.yml.disabled
+++ b/salt/filebeat/modules/cef.yml.disabled
@@ -1,17 +0,0 @@
 # Module: cef
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cef.html
 - module: cef
  log:
    enabled: true
    var:
      syslog_host: localhost
      syslog_port: 9003
      # Set internal security zones. used to override parsed network.direction
      # based on zone egress and ingress
      #var.internal_zones: [ "Internal" ]
      # Set external security zones. used to override parsed network.direction
      # based on zone egress and ingress
      #var.external_zones: [ "External" ]
--- a/salt/filebeat/modules/checkpoint.yml.disabled
+++ b/salt/filebeat/modules/checkpoint.yml.disabled
@@ -1,24 +0,0 @@
 # Module: checkpoint
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-checkpoint.html
 - module: checkpoint
  firewall:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input: syslog
    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost
    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 9001
    # Set internal security zones. used to override parsed network.direction
    # based on zone egress and ingress
    #var.internal_zones: [ "Internal" ]
    # Set external security zones. used to override parsed network.direction
    # based on zone egress and ingress
    #var.external_zones: [ "External" ]
--- a/salt/filebeat/modules/cisco.yml.disabled
+++ b/salt/filebeat/modules/cisco.yml.disabled
@@ -1,142 +0,0 @@
 # Module: cisco
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cisco.html
 - module: cisco
  asa:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input: syslog
    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost
    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 9001
    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    #var.log_level: 7
    # Set internal security zones. used to override parsed network.direction
    # based on zone egress and ingress
    #var.internal_zones: [ "Internal" ]
    # Set external security zones. used to override parsed network.direction
    # based on zone egress and ingress
    #var.external_zones: [ "External" ]
  ftd:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input: syslog
    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost
    # The UDP port to listen for syslog traffic. Defaults to 9003.
    #var.syslog_port: 9003
    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
    #var.log_level: 7
    # Set internal security zones. used to override parsed network.direction
    # based on zone egress and ingress
    #var.internal_zones: [ "Internal" ]
    # Set external security zones. used to override parsed network.direction
    # based on zone egress and ingress
    #var.external_zones: [ "External" ]
  ios:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input: syslog
    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost
    # The UDP port to listen for syslog traffic. Defaults to 9002.
    #var.syslog_port: 9002
    # Set custom paths for the log files when using file input. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  nexus:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9506
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  meraki:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9525
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  umbrella:
    enabled: true
    #var.input: aws-s3
    # AWS SQS queue url
    #var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue
    # Access ID to authenticate with the S3 input
    #var.access_key_id: 123456
    # Access key to authenticate with the S3 input
    #var.secret_access_key: PASSWORD
    # The duration that the received messages are hidden from ReceiveMessage request
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    #var.api_timeout: 120s
  amp:
    enabled: true
    # Set which input to use between httpjson (default) or file.
    #var.input: httpjson
    # The API URL
    #var.url: https://api.amp.cisco.com/v1/events
    # The client ID used as a username for the API requests.
    #var.client_id:
    # The API key related to the client ID.
    #var.api_key:
    # How far to look back the first time the module is started. Expects an amount of hours.
    #var.first_interval: 24h
    # Overriding the default request timeout, optional.
    #var.request_timeout: 60s
--- a/salt/filebeat/modules/coredns.yml.disabled
+++ b/salt/filebeat/modules/coredns.yml.disabled
@@ -1,11 +0,0 @@
 # Module: coredns
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-coredns.html
 - module: coredns
  # Fileset for native deployment
  log: 
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/crowdstrike.yml.disabled
+++ b/salt/filebeat/modules/crowdstrike.yml.disabled
@@ -1,11 +0,0 @@
 # Module: crowdstrike
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-crowdstrike.html
 - module: crowdstrike
  falcon:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/cyberark.yml.disabled
+++ b/salt/filebeat/modules/cyberark.yml.disabled
@@ -1,22 +0,0 @@
 # Module: cyberark
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberark.html
 - module: cyberark
  corepas:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9527
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/cylance.yml.disabled
+++ b/salt/filebeat/modules/cylance.yml.disabled
@@ -1,22 +0,0 @@
 # Module: cylance
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cylance.html
 - module: cylance
  protect:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9508
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/elasticsearch.yml.disabled
+++ b/salt/filebeat/modules/elasticsearch.yml.disabled
@@ -1,35 +0,0 @@
 # Module: elasticsearch
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-elasticsearch.html
 - module: elasticsearch
  # Server log
  server:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  gc:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  audit:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  slowlog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  deprecation:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/envoyproxy.yml.disabled
+++ b/salt/filebeat/modules/envoyproxy.yml.disabled
@@ -1,11 +0,0 @@
 # Module: envoyproxy
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-envoyproxy.html
 - module: envoyproxy
  # Fileset for native deployment
  log: 
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/f5.yml.disabled
+++ b/salt/filebeat/modules/f5.yml.disabled
@@ -1,41 +0,0 @@
 # Module: f5
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-f5.html
 - module: f5
  bigipapm:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9504
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  bigipafm:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9528
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/fortinet.yml.disabled
+++ b/salt/filebeat/modules/fortinet.yml.disabled
@@ -1,83 +0,0 @@
 # Module: fortinet
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-fortinet.html
 - module: fortinet
  firewall:
    enabled: true
    # Set which input to use between tcp, udp (default) or file.
    #var.input: udp
    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost
    # The port to listen for syslog traffic. Defaults to 9004.
    #var.syslog_port: 9004
    # Set internal interfaces. used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.
    #var.internal_interfaces: [ "LAN" ]
    # Set external interfaces. used to override parsed network.direction
    # based on a tagged interface. Both internal and external interfaces must be
    # set to leverage this functionality.
    #var.external_interfaces: [ "WAN" ]
  clientendpoint:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9510
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  fortimail:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9529
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  fortimanager:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9530
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/gcp.yml.disabled
+++ b/salt/filebeat/modules/gcp.yml.disabled
@@ -1,76 +0,0 @@
 # Module: gcp
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gcp.html
 - module: gcp
  vpcflow:
    enabled: true
    # Google Cloud project ID.
    var.project_id: my-gcp-project-id
    # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
    # configured to use this topic as a sink for VPC flow logs.
    var.topic: gcp-vpc-flowlogs
    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
    # Set internal networks. This is used to classify network.direction based
    # off of what networks are considered "internal" either base off of a CIDR
    # block or named network conditions. If this is not specified, then traffic
    # direction is determined by whether it is between source and destination
    # instance information rather than IP.
    #
    # For a full list of network conditions see:
    # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
    #var.internal_networks: [ "private" ]
  firewall:
    enabled: true
    # Google Cloud project ID.
    var.project_id: my-gcp-project-id
    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
    # configured to use this topic as a sink for firewall logs.
    var.topic: gcp-vpc-firewall
    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-firewall-sub
    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
    # Set internal networks. This is used to classify network.direction based
    # off of what networks are considered "internal" either base off of a CIDR
    # block or named network conditions. If this is not specified, then traffic
    # is taken from the direction data in the rule_details event payload.
    #
    # For a full list of network conditions see:
    # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
    #var.internal_networks: [ "private" ]
  audit:
    enabled: true
    # Google Cloud project ID.
    var.project_id: my-gcp-project-id
    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
    # configured to use this topic as a sink for firewall logs.
    var.topic: gcp-vpc-audit
    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-audit
    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
--- a/salt/filebeat/modules/google_workspace.yml.disabled
+++ b/salt/filebeat/modules/google_workspace.yml.disabled
@@ -1,53 +0,0 @@
 # Module: google_workspace
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-google_workspace.html
 - module: google_workspace
  saml:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  user_accounts:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  login:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  admin:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  drive:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  groups:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
--- a/salt/filebeat/modules/googlecloud.yml.disabled
+++ b/salt/filebeat/modules/googlecloud.yml.disabled
@@ -1,58 +0,0 @@
 # Module: googlecloud
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-googlecloud.html
 # googlecloud module is deprecated, please use gcp instead
 - module: gcp
  vpcflow:
    enabled: true
    # Google Cloud project ID.
    var.project_id: my-gcp-project-id
    # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
    # configured to use this topic as a sink for VPC flow logs.
    var.topic: gcp-vpc-flowlogs
    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
  firewall:
    enabled: true
    # Google Cloud project ID.
    var.project_id: my-gcp-project-id
    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
    # configured to use this topic as a sink for firewall logs.
    var.topic: gcp-vpc-firewall
    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-firewall-sub
    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
  audit:
    enabled: true
    # Google Cloud project ID.
    var.project_id: my-gcp-project-id
    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
    # configured to use this topic as a sink for firewall logs.
    var.topic: gcp-vpc-audit
    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-audit
    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
--- a/salt/filebeat/modules/gsuite.yml.disabled
+++ b/salt/filebeat/modules/gsuite.yml.disabled
@@ -1,53 +0,0 @@
 # Module: gsuite
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gsuite.html
 # Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
 - module: gsuite
  saml:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  user_accounts:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  login:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  admin:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  drive:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
  groups:
    enabled: true
    # var.jwt_file: credentials.json
    # var.delegated_account: admin@example.com
    # var.initial_interval: 24h
    # var.http_client_timeout: 60s
    # var.user_key: all
    # var.interval: 2h
--- a/salt/filebeat/modules/haproxy.yml.disabled
+++ b/salt/filebeat/modules/haproxy.yml.disabled
@@ -1,14 +0,0 @@
 # Module: haproxy
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-haproxy.html
 - module: haproxy
  # All logs
  log:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input:
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/ibmmq.yml.disabled
+++ b/salt/filebeat/modules/ibmmq.yml.disabled
@@ -1,11 +0,0 @@
 # Module: ibmmq
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-ibmmq.html
 - module: ibmmq
  # All logs
  errorlog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/icinga.yml.disabled
+++ b/salt/filebeat/modules/icinga.yml.disabled
@@ -1,27 +0,0 @@
 # Module: icinga
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-icinga.html
 - module: icinga
  # Main logs
  main:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Debug logs
  debug:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Startup logs
  startup:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/iis.yml.disabled
+++ b/salt/filebeat/modules/iis.yml.disabled
@@ -1,20 +0,0 @@
 # Module: iis
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iis.html
 - module: iis
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/imperva.yml.disabled
+++ b/salt/filebeat/modules/imperva.yml.disabled
@@ -1,22 +0,0 @@
 # Module: imperva
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-imperva.html
 - module: imperva
  securesphere:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9511
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/infoblox.yml.disabled
+++ b/salt/filebeat/modules/infoblox.yml.disabled
@@ -1,22 +0,0 @@
 # Module: infoblox
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-infoblox.html
 - module: infoblox
  nios:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9512
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/iptables.yml.disabled
+++ b/salt/filebeat/modules/iptables.yml.disabled
@@ -1,13 +0,0 @@
 # Module: iptables
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iptables.html
 - module: iptables
  log:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input:
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/juniper.yml.disabled
+++ b/salt/filebeat/modules/juniper.yml.disabled
@@ -1,54 +0,0 @@
 # Module: juniper
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-juniper.html
 - module: juniper
  junos:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9513
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  netscreen:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9523
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
  srx:
    enabled: true
    # Set which input to use between tcp, udp (default) or file.
    #var.input: udp
    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost
    # The port to listen for syslog traffic. Defaults to 9006.
    #var.syslog_port: 9006
--- a/salt/filebeat/modules/kafka.yml.disabled
+++ b/salt/filebeat/modules/kafka.yml.disabled
@@ -1,15 +0,0 @@
 # Module: kafka
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kafka.html
 - module: kafka
  # All logs
  log:
    enabled: true
    # Set custom paths for Kafka. If left empty,
    # Filebeat will look under /opt.
    #var.kafka_home:
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/kibana.yml.disabled
+++ b/salt/filebeat/modules/kibana.yml.disabled
@@ -1,19 +0,0 @@
 # Module: kibana
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kibana.html
 - module: kibana
  # Server logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Audit logs
  audit:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/logstash.yml.disabled
+++ b/salt/filebeat/modules/logstash.yml.disabled
@@ -1,18 +0,0 @@
 # Module: logstash
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-logstash.html
 - module: logstash
  # logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Slow logs
  slowlog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/microsoft.yml.disabled
+++ b/salt/filebeat/modules/microsoft.yml.disabled
@@ -1,49 +0,0 @@
 # Module: microsoft
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-microsoft.html
 - module: microsoft
  # ATP configuration
  defender_atp:
    enabled: true
    # How often the API should be polled
    #var.interval: 5m
    # Oauth Client ID
    #var.oauth2.client.id: ""
    # Oauth Client Secret
    #var.oauth2.client.secret: ""
    # Oauth Token URL, should include the tenant ID
    #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
  m365_defender:
    enabled: true
    # How often the API should be polled
    #var.interval: 5m
    # Oauth Client ID
    #var.oauth2.client.id: ""
    # Oauth Client Secret
    #var.oauth2.client.secret: ""
    # Oauth Token URL, should include the tenant ID
    #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
  dhcp:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9515
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/misp.yml.disabled
+++ b/salt/filebeat/modules/misp.yml.disabled
@@ -1,17 +0,0 @@
 # Module: misp
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-misp.html
 - module: misp
  threat:
    enabled: true
    # API key to access MISP
    #var.api_key
    # Array object in MISP response
    #var.http_request_body.limit: 1000
    # URL of the MISP REST API
    #var.url
    # You can also pass SSL options. For example:
    #var.ssl.verification_mode: none
--- a/salt/filebeat/modules/mongodb.yml.disabled
+++ b/salt/filebeat/modules/mongodb.yml.disabled
@@ -1,11 +0,0 @@
 # Module: mongodb
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mongodb.html
 - module: mongodb
  # All logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/mssql.yml.disabled
+++ b/salt/filebeat/modules/mssql.yml.disabled
@@ -1,11 +0,0 @@
 # Module: mssql
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mssql.html
 - module: mssql
  # Fileset for native deployment
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']
--- a/salt/filebeat/modules/mysql.yml.disabled
+++ b/salt/filebeat/modules/mysql.yml.disabled
@@ -1,19 +0,0 @@
 # Module: mysql
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysql.html
 - module: mysql
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Slow logs
  slowlog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/mysqlenterprise.yml.disabled
+++ b/salt/filebeat/modules/mysqlenterprise.yml.disabled
@@ -1,14 +0,0 @@
 # Module: mysqlenterprise
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysqlenterprise.html
 - module: mysqlenterprise
  audit:
    enabled: true
    # Sets the input type. Currently only supports file
    #var.input: file
    # Set paths for the log files when file input is used.
    # Should only be used together with file input
    # var.paths:
    #  - /home/user/mysqlauditlogs/audit.*.log
--- a/salt/filebeat/modules/nats.yml.disabled
+++ b/salt/filebeat/modules/nats.yml.disabled
@@ -1,11 +0,0 @@
 # Module: nats
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nats.html
 - module: nats
  # All logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/netflow.yml.disabled
+++ b/salt/filebeat/modules/netflow.yml.disabled
@@ -1,14 +0,0 @@
 # Module: netflow
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netflow.html
 - module: netflow
  log:
    enabled: true
    var:
      netflow_host: localhost
      netflow_port: 2055
      # internal_networks specifies which networks are considered internal or private
      # you can specify either a CIDR block or any of the special named ranges listed
      # at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
      internal_networks:
        - private
--- a/salt/filebeat/modules/netscout.yml.disabled
+++ b/salt/filebeat/modules/netscout.yml.disabled
@@ -1,22 +0,0 @@
 # Module: netscout
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netscout.html
 - module: netscout
  sightline:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9502
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/nginx.yml.disabled
+++ b/salt/filebeat/modules/nginx.yml.disabled
@@ -1,27 +0,0 @@
 # Module: nginx
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nginx.html
 - module: nginx
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
  ingress_controller:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/o365.yml.disabled
+++ b/salt/filebeat/modules/o365.yml.disabled
@@ -1,48 +0,0 @@
 # Module: o365
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-o365.html
 - module: o365
  audit:
    enabled: true
    # Set the application_id (also known as client ID):
    var.application_id: "<MyApplicationID>"
    # Configure the tenants to monitor:
    # Use the tenant ID (also known as directory ID) and the domain name.
    # var.tenants:
    #  - id: "tenant_id_1"
    #    name: "mydomain.onmicrosoft.com"
    #  - id: "tenant_id_2"
    #    name: "mycompany.com"
    var.tenants:
     - id: "<MyTenantID>"
       name: "mytenant.onmicrosoft.com"
    # List of content-types to fetch. By default all known content-types
    # are retrieved:
    # var.content_type:
    #  - "Audit.AzureActiveDirectory"
    #  - "Audit.Exchange"
    #  - "Audit.SharePoint"
    #  - "Audit.General"
    #  - "DLP.All"
    # Use the following settings to enable certificate-based authentication:
    # var.certificate: "/path/to/certificate.pem"
    # var.key: "/path/to/private_key.pem"
    # var.key_passphrase: "myPrivateKeyPassword"
    # Client-secret based authentication:
    # Comment the following line if using certificate authentication.
    var.client_secret: "<YourClientSecretHere>"
    # Advanced settings, use with care:
    # var.api:
    #   # Settings for custom endpoints:
    #   authentication_endpoint: "https://login.microsoftonline.us/"
    #   resource: "https://manage.office365.us"
    #
    #   max_retention: 168h
    #   max_requests_per_minute: 2000
    #   poll_interval: 3m
--- a/salt/filebeat/modules/okta.yml.disabled
+++ b/salt/filebeat/modules/okta.yml.disabled
@@ -1,10 +0,0 @@
 # Module: okta
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-okta.html
 - module: okta
  system:
    enabled: true
    # You must configure the URL with your Okta domain and provide an
    # API token to access the logs API.
    #var.url: https://yourOktaDomain/api/v1/logs
    #var.api_key: 'yourApiTokenHere'
--- a/salt/filebeat/modules/oracle.yml.disabled
+++ b/salt/filebeat/modules/oracle.yml.disabled
@@ -1,13 +0,0 @@
 # Module: oracle
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-oracle.html
 - module: oracle
  database_audit:
    enabled: true
    # Set which input to use between syslog or file (default).
    #var.input: file
    # Set paths for the log files when file input is used.
    # Should only be used together with file input
    # var.paths: /home/user/oracleauditlogs/*.aud
--- a/salt/filebeat/modules/osquery.yml.disabled
+++ b/salt/filebeat/modules/osquery.yml.disabled
@@ -1,15 +0,0 @@
 # Module: osquery
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-osquery.html
 - module: osquery
  result:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    # If true, all fields created by this module are prefixed with
    # `osquery.result`. Set to false to copy the fields in the root
    # of the document. The default is true.
    #var.use_namespace: true
--- a/salt/filebeat/modules/panw.yml.disabled
+++ b/salt/filebeat/modules/panw.yml.disabled
@@ -1,22 +0,0 @@
 # Module: panw
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-panw.html
 - module: panw
  panos:
    enabled: true
    # Set which input to use between syslog (default) or file.
    #var.input:
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    # Set internal security zones. used to determine network.direction
    # default "trust"
    #var.internal_zones:
    # Set external security zones. used to determine network.direction
    # default "untrust"
    #var.external_zones:
--- a/salt/filebeat/modules/pensando.yml.disabled
+++ b/salt/filebeat/modules/pensando.yml.disabled
@@ -1,13 +0,0 @@
 # Module: pensando
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-pensando.html
 - module: pensando
 # Firewall logs
  dfw:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    # var.paths:
--- a/salt/filebeat/modules/postgresql.yml.disabled
+++ b/salt/filebeat/modules/postgresql.yml.disabled
@@ -1,11 +0,0 @@
 # Module: postgresql
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-postgresql.html
 - module: postgresql
  # All logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/proofpoint.yml.disabled
+++ b/salt/filebeat/modules/proofpoint.yml.disabled
@@ -1,22 +0,0 @@
 # Module: proofpoint
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-proofpoint.html
 - module: proofpoint
  emailsecurity:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9531
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/rabbitmq.yml.disabled
+++ b/salt/filebeat/modules/rabbitmq.yml.disabled
@@ -1,11 +0,0 @@
 # Module: rabbitmq
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-rabbitmq.html
 - module: rabbitmq
  # All logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"]
--- a/salt/filebeat/modules/radware.yml.disabled
+++ b/salt/filebeat/modules/radware.yml.disabled
@@ -1,22 +0,0 @@
 # Module: radware
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-radware.html
 - module: radware
  defensepro:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9518
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/redis.yml.disabled
+++ b/salt/filebeat/modules/redis.yml.disabled
@@ -1,21 +0,0 @@
 # Module: redis
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-redis.html
 - module: redis
  # Main logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths: ["/var/log/redis/redis-server.log*"]
  # Slow logs, retrieved via the Redis API (SLOWLOG)
  slowlog:
    enabled: true
    # The Redis hosts to connect to.
    #var.hosts: ["localhost:6379"]
    # Optional, the password to use when connecting to Redis.
    #var.password:
--- a/salt/filebeat/modules/santa.yml.disabled
+++ b/salt/filebeat/modules/santa.yml.disabled
@@ -1,9 +0,0 @@
 # Module: santa
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-santa.html
 - module: santa
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the the default path.
    #var.paths:
--- a/salt/filebeat/modules/snort.yml.disabled
+++ b/salt/filebeat/modules/snort.yml.disabled
@@ -1,22 +0,0 @@
 # Module: snort
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snort.html
 - module: snort
  log:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9532
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/snyk.yml.disabled
+++ b/salt/filebeat/modules/snyk.yml.disabled
@@ -1,112 +0,0 @@
 # Module: snyk
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snyk.html
 - module: snyk
  audit:
    enabled: true
    # Set which input to use between httpjson (default) or file.
    #var.input: httpjson
    #
    # What audit type to collect, can be either "group" or "organization".
    #var.audit_type: organization
    #
    # The ID related to the audit_type. If audit type is group, then this value should be
    # the group ID and if it is organization it should be the organization ID to collect from.
    #var.audit_id: 1235432-asdfdf-2341234-asdgjhg
    # How often the API should be polled, defaults to 1 hour.
    #var.interval: 1h
    # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
    #var.first_interval: 24h
    # The API token that is created for a specific user, found in the Snyk management dashboard.
    #var.api_token:
    # Event filtering.
    # All configuration items below is OPTIONAL and the default options will be overwritten
    # for each entry that is not commented out.
    # Will return only logs for this specific project.
    #var.project_id: ""
    # User public ID. Will fetch only audit logs originated from this user's actions.
    #var.user_id: ""
    # Will return only logs for this specific event.
    #var.event: ""
    # User email address. Will fetch only audit logs originated from this user's actions.
    #var.email_address: ""
  vulnerabilities:
    enabled: true
    # Set which input to use between httpjson (default) or file.
    #var.input: httpjson
    # How often the API should be polled. Data from the Snyk API is automatically updated
    # once per day, so the default interval is 24 hours.
    #var.interval: 24h
    # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
    #var.first_interval: 24h
    # The API token that is created for a specific user, found in the Snyk management dashboard.
    #var.api_token:
    # The list of org IDs to filter the results by.
    # One organization ID per line, starting with a - sign
    #var.orgs:
    #  - 12354-asdfdf-123543-asdsdfg
    #  - 76554-jhggfd-654342-hgrfasd
    # Event filtering.
    # All configuration items below is OPTIONAL and the default options will be overwritten
    # for each entry that is not commented out.
    # The severity levels of issues to filter the results by.
    #var.included_severity:
    #  - high
    #  - medium
    #  - low
    #
    # The exploit maturity levels of issues to filter the results by.
    #var.exploit_maturity:
    #  - mature
    #  - proof-of-concept
    #  - no-known-exploit
    #  - no-data
    #
    # The type of issues to filter the results by.
    #var.types:
    #  - vuln
    #  - license
    #
    # The type of languages to filter the results by.
    #var.languages:
    #  - javascript
    #  - ruby
    #  - java
    #  - scala
    #  - python
    #  - golang
    #  - php
    #  - dotnet
    #  - swift
    #  - docker
    #
    # Search term to filter issue name by, or an exact CVE or CWE.
    #var.identifier:
    #  - ""
    #
    # If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
    #var.ignored: false
    #var.patched: false
    #var.fixable: false
    #var.is_fixed: false
    #var.is_patchable: false
    #var.is_pinnable: false
    #
    # The priority score ranging between 0-1000
    #var.min_priority_score: 0
    #var.max_priority_score: 1000
--- a/salt/filebeat/modules/sonicwall.yml.disabled
+++ b/salt/filebeat/modules/sonicwall.yml.disabled
@@ -1,22 +0,0 @@
 # Module: sonicwall
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sonicwall.html
 - module: sonicwall
  firewall:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9519
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/sophos.yml.disabled
+++ b/salt/filebeat/modules/sophos.yml.disabled
@@ -1,46 +0,0 @@
 # Module: sophos
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sophos.html
 - module: sophos
  xg:
    enabled: true
    # Set which input to use between tcp, udp (default) or file.
    #var.input: udp
    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost
    # The port to listen for syslog traffic. Defaults to 9004.
    #var.syslog_port: 9005
    # firewall default hostname
    #var.default_host_name: firewall.localgroup.local
    # known firewalls
    #var.known_devices:
      #- serial_number: "1234567890123457"
      #  hostname: "a.host.local"
      #- serial_number: "1234234590678557"
      #  hostname: "b.host.local"
  utm:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9533
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/squid.yml.disabled
+++ b/salt/filebeat/modules/squid.yml.disabled
@@ -1,22 +0,0 @@
 # Module: squid
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-squid.html
 - module: squid
  log:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9520
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/suricata.yml
+++ b/salt/filebeat/modules/suricata.yml
@@ -1,12 +0,0 @@
 # Module: suricata
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
 - module: suricata
  # All logs
  eve:
    enabled: true
    var.paths: ["/nsm/suricata/eve*.json"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/system.yml.disabled
+++ b/salt/filebeat/modules/system.yml.disabled
@@ -1,19 +0,0 @@
 # Module: system
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-system.html
 - module: system
  # Syslog
  syslog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Authorization logs
  auth:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/threatintel.yml.disabled
+++ b/salt/filebeat/modules/threatintel.yml.disabled
@@ -1,105 +0,0 @@
 # Module: threatintel
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-threatintel.html
 - module: threatintel
  abuseurl:
    enabled: true
    # Input used for ingesting threat intel data.
    var.input: httpjson
    # The URL used for Threat Intel API calls.
    var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/
    # The interval to poll the API for updates.
    var.interval: 10m
  abusemalware:
    enabled: true
    # Input used for ingesting threat intel data.
    var.input: httpjson
    # The URL used for Threat Intel API calls.
    var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/
    # The interval to poll the API for updates.
    var.interval: 10m
  misp:
    enabled: true
    # Input used for ingesting threat intel data, defaults to JSON.
    var.input: httpjson
    # The URL of the MISP instance, should end with "/events/restSearch".
    var.url: https://SERVER/events/restSearch
    # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI.
    var.api_token: API_KEY
    # Configures the type of SSL verification done, if MISP is running on self signed certificates
    # then the certificate would either need to be trusted, or verification_mode set to none.
    #var.ssl.verification_mode: none
    # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context.
    # For examples please reference the filebeat module documentation.
    #var.filters:
    #  - threat_level: [4, 5] 
    #  - to_ids: true
    # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer
    # than the last event that was already ingested.
    var.first_interval: 300h
    # The interval to poll the API for updates.
    var.interval: 5m
  otx:
    enabled: true
    # Input used for ingesting threat intel data
    var.input: httpjson
    # The URL used for OTX Threat Intel API calls.
    var.url: https://otx.alienvault.com/api/v1/indicators/export
    # The authentication token used to contact the OTX API, can be found on the OTX UI.
    var.api_token: API_KEY
    # Optional filters that can be applied to retrieve only specific indicators.
    #var.types: "domain,IPv4,hostname,url,FileHash-SHA256"
    # The timeout of the HTTP client connecting to the OTX API
    #var.http_client_timeout: 120s
    # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module.
    var.lookback_range: 1h
    # How far back to look once the beat starts up for the first time, the value has to be in hours.
    var.first_interval: 400h
    # The interval to poll the API for updates
    var.interval: 5m
  anomali:
    enabled: true
    # Input used for ingesting threat intel data
    var.input: httpjson
    # The URL used for Threat Intel API calls. Limo has multiple different possibilities for URL's depending
    # on the type of threat intel source that is needed.
    var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects
    # The Username used by anomali Limo, defaults to guest.
    #var.username: guest
    # The password used by anomali Limo, defaults to guest.
    #var.password: guest
    # How far back to look once the beat starts up for the first time, the value has to be in hours.
    var.first_interval: 400h
    # The interval to poll the API for updates
    var.interval: 5m
--- a/salt/filebeat/modules/tomcat.yml.disabled
+++ b/salt/filebeat/modules/tomcat.yml.disabled
@@ -1,22 +0,0 @@
 # Module: tomcat
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-tomcat.html
 - module: tomcat
  log:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9501
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/modules/traefik.yml.disabled
+++ b/salt/filebeat/modules/traefik.yml.disabled
@@ -1,11 +0,0 @@
 # Module: traefik
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-traefik.html
 - module: traefik
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/zeek.yml
+++ b/salt/filebeat/modules/zeek.yml
@@ -1,122 +0,0 @@
 # Module: zeek
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html
 - module: zeek
  capture_loss:
    enabled: false
    var.paths: ["/nsm/zeek/logs/current/capture_loss.log"]
  connection:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/conn.log"]
  dce_rpc:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/dce_rpc.log"]
  dhcp:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/dhcp.log"]
  dnp3:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/dnp3.log"]
  dns:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/dns.log"]
  dpd:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/dpd.log"]
  files:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/files.log"]
  ftp:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/ftp.log"]
  http:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/http.log"]
  intel:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/intel.log"]
  irc:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/irc.log"]
  kerberos:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/kerberos.log"]
  modbus:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/modbus.log"]
  mysql:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/mysql.log"]
  notice:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/notice.log"]
  ntlm:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/ntlm.log"]
  ocsp:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/oscp.log"]
  pe:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/pe.log"]
  radius:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/radius.log"]
  rdp:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/rdp.log"]
  rfb:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/rfb.log"]
  signature:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/signature.log"]
  sip:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/sip.log"]
  smb_cmd:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/smb_cmd.log"]
  smb_files:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/smb_files.log"]
  smb_mapping:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/smb_mapping.log"]
  smtp:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/smtp.log"]
  snmp:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/snmp.log"]
  socks:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/socks.log"]
  ssh:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/ssh.log"]
  ssl:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/ssl.log"]
  stats:
    enabled: false
    var.paths: ["/nsm/zeek/logs/current/stats.log"]
  syslog:
    enabled: false
    var.paths: ["/nsm/zeek/logs/current/syslog.log"]
  traceroute:
    enabled: false
    var.paths: ["/nsm/zeek/logs/current/traceroute.log.log"]
  tunnel:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/tunnel.log"]
  weird:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/weird.log"]
  x509:
    enabled: true
    var.paths: ["/nsm/zeek/logs/current/x509.log"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
--- a/salt/filebeat/modules/zoom.yml.disabled
+++ b/salt/filebeat/modules/zoom.yml.disabled
@@ -1,22 +0,0 @@
 # Module: zoom
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zoom.html
 - module: zoom
  webhook:
    enabled: true
    # The type of input to use
    #var.input: http_endpoint
    # The interface to listen for incoming HTTP requests. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.listen_address: localhost
    # The port to bind to
    #var.listen_port: 80
    # The header Zoom uses to send its secret token, defaults to "Authorization"
    #secret.header: Authorization
    # The secret token value created by Zoom
    #secret.value: ZOOMTOKEN
--- a/salt/filebeat/modules/zscaler.yml.disabled
+++ b/salt/filebeat/modules/zscaler.yml.disabled
@@ -1,22 +0,0 @@
 # Module: zscaler
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zscaler.html
 - module: zscaler
  zia:
    enabled: true
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9521
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -33,7 +33,7 @@ securityonion_filebeat:
            {% set FILESET = LOGNAME %}
          {% endif %}
      {{ FILESET }}:
-        enabled: false
+        enabled: true
        var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
        {%- endfor %}
      {%- endif %}
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -76,9 +76,9 @@ zeekpolicysync:
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
  file.directory:
-    - name: /nsm/zeek/spool
+    - name: /nsm/zeek
    - user: 937
-    - max_depth: 0
+    - max_depth: 1
    - recurse:
      - user