CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix merge conflict

Browse Source
This commit is contained in:
m0duspwnens
2021-05-25 17:16:44 -04:00
parent dfaf40f583 543154f037
commit ecf7e25a51
71 changed files with 5 additions and 2281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/filebeat/init.sls
View File

@@ -80,7 +80,7 @@ filebeatmoduleconfsync:
sodefaults_module_conf:
file.managed:
- name: /opt/so/conf/filebeat/etc/securityonion.yml
- name: /opt/so/conf/filebeat/modules/securityonion.yml
- source: salt://filebeat/etc/module_config.yml.jinja
- template: jinja
- defaults:
@@ -88,7 +88,7 @@ sodefaults_module_conf:
thirdparty_module_conf:
file.managed:
- name: /opt/so/conf/filebeat/etc/thirdparty.yml
- name: /opt/so/conf/filebeat/modules/thirdparty.yml
- source: salt://filebeat/etc/module_config.yml.jinja
- template: jinja
- defaults:

19
salt/filebeat/modules/activemq.yml.disabled
View File

@@ -1,19 +0,0 @@
# Module: activemq
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-activemq.html
- module: activemq
# Audit logs
audit:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Application logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

19
salt/filebeat/modules/apache.yml.disabled
View File

@@ -1,19 +0,0 @@
# Module: apache
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-apache.html
- module: apache
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

10
salt/filebeat/modules/auditd.yml.disabled
View File

@@ -1,10 +0,0 @@
# Module: auditd
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-auditd.html
- module: auditd
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

255
salt/filebeat/modules/aws.yml.disabled
View File

@@ -1,255 +0,0 @@
# Module: aws
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-aws.html
- module: aws
cloudtrail:
enabled: false
# AWS SQS queue url
#var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
# Process CloudTrail logs
# default is true, set to false to skip Cloudtrail logs
# var.process_cloudtrail_logs: false
# Process CloudTrail Digest logs
# default true, set to false to skip CloudTrail Digest logs
# var.process_digest_logs: false
# Process CloudTrail Insight logs
# default true, set to false to skip CloudTrail Insight logs
# var.process_insight_logs: false
# Filename of AWS credential file
# If not set "$HOME/.aws/credentials" is used on Linux/Mac
# "%UserProfile%\.aws\credentials" is used on Windows
#var.shared_credential_file: /etc/filebeat/aws_credentials
# Profile name for aws credential
# If not set the default profile is used
#var.credential_profile_name: fb-aws
# Use access_key_id, secret_access_key and/or session_token instead of shared credential file
#var.access_key_id: access_key_id
#var.secret_access_key: secret_access_key
#var.session_token: session_token
# The duration that the received messages are hidden from ReceiveMessage request
# Default to be 300s
#var.visibility_timeout: 300s
# Maximum duration before AWS API request will be interrupted
# Default to be 120s
#var.api_timeout: 120s
# Custom endpoint used to access AWS APIs
#var.endpoint: amazonaws.com
# AWS IAM Role to assume
#var.role_arn: arn:aws:iam::123456789012:role/test-mb
# Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
#var.fips_enabled: false
# The maximum number of messages to return from SQS. Valid values: 1 to 10.
#var.max_number_of_messages: 5
cloudwatch:
enabled: false
# AWS SQS queue url
#var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
# Filename of AWS credential file
# If not set "$HOME/.aws/credentials" is used on Linux/Mac
# "%UserProfile%\.aws\credentials" is used on Windows
#var.shared_credential_file: /etc/filebeat/aws_credentials
# Profile name for aws credential
# If not set the default profile is used
#var.credential_profile_name: fb-aws
# Use access_key_id, secret_access_key and/or session_token instead of shared credential file
#var.access_key_id: access_key_id
#var.secret_access_key: secret_access_key
#var.session_token: session_token
# The duration that the received messages are hidden from ReceiveMessage request
# Default to be 300s
#var.visibility_timeout: 300s
# Maximum duration before AWS API request will be interrupted
# Default to be 120s
#var.api_timeout: 120s
# Custom endpoint used to access AWS APIs
#var.endpoint: amazonaws.com
# AWS IAM Role to assume
#var.role_arn: arn:aws:iam::123456789012:role/test-mb
# Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
#var.fips_enabled: false
# The maximum number of messages to return from SQS. Valid values: 1 to 10.
#var.max_number_of_messages: 5
ec2:
enabled: false
# AWS SQS queue url
#var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
# Filename of AWS credential file
# If not set "$HOME/.aws/credentials" is used on Linux/Mac
# "%UserProfile%\.aws\credentials" is used on Windows
#var.shared_credential_file: /etc/filebeat/aws_credentials
# Profile name for aws credential
# If not set the default profile is used
#var.credential_profile_name: fb-aws
# Use access_key_id, secret_access_key and/or session_token instead of shared credential file
#var.access_key_id: access_key_id
#var.secret_access_key: secret_access_key
#var.session_token: session_token
# The duration that the received messages are hidden from ReceiveMessage request
# Default to be 300s
#var.visibility_timeout: 300s
# Maximum duration before AWS API request will be interrupted
# Default to be 120s
#var.api_timeout: 120s
# Custom endpoint used to access AWS APIs
#var.endpoint: amazonaws.com
# AWS IAM Role to assume
#var.role_arn: arn:aws:iam::123456789012:role/test-mb
# Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
#var.fips_enabled: false
# The maximum number of messages to return from SQS. Valid values: 1 to 10.
#var.max_number_of_messages: 5
elb:
enabled: false
# AWS SQS queue url
#var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
# Filename of AWS credential file
# If not set "$HOME/.aws/credentials" is used on Linux/Mac
# "%UserProfile%\.aws\credentials" is used on Windows
#var.shared_credential_file: /etc/filebeat/aws_credentials
# Profile name for aws credential
# If not set the default profile is used
#var.credential_profile_name: fb-aws
# Use access_key_id, secret_access_key and/or session_token instead of shared credential file
#var.access_key_id: access_key_id
#var.secret_access_key: secret_access_key
#var.session_token: session_token
# The duration that the received messages are hidden from ReceiveMessage request
# Default to be 300s
#var.visibility_timeout: 300s
# Maximum duration before AWS API request will be interrupted
# Default to be 120s
#var.api_timeout: 120s
# Custom endpoint used to access AWS APIs
#var.endpoint: amazonaws.com
# AWS IAM Role to assume
#var.role_arn: arn:aws:iam::123456789012:role/test-mb
# Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
#var.fips_enabled: false
# The maximum number of messages to return from SQS. Valid values: 1 to 10.
#var.max_number_of_messages: 5
s3access:
enabled: false
# AWS SQS queue url
#var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
# Filename of AWS credential file
# If not set "$HOME/.aws/credentials" is used on Linux/Mac
# "%UserProfile%\.aws\credentials" is used on Windows
#var.shared_credential_file: /etc/filebeat/aws_credentials
# Profile name for aws credential
# If not set the default profile is used
#var.credential_profile_name: fb-aws
# Use access_key_id, secret_access_key and/or session_token instead of shared credential file
#var.access_key_id: access_key_id
#var.secret_access_key: secret_access_key
#var.session_token: session_token
# The duration that the received messages are hidden from ReceiveMessage request
# Default to be 300s
#var.visibility_timeout: 300s
# Maximum duration before AWS API request will be interrupted
# Default to be 120s
#var.api_timeout: 120s
# Custom endpoint used to access AWS APIs
#var.endpoint: amazonaws.com
# AWS IAM Role to assume
#var.role_arn: arn:aws:iam::123456789012:role/test-mb
# Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
#var.fips_enabled: false
# The maximum number of messages to return from SQS. Valid values: 1 to 10.
#var.max_number_of_messages: 5
vpcflow:
enabled: false
# AWS SQS queue url
#var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
# Filename of AWS credential file
# If not set "$HOME/.aws/credentials" is used on Linux/Mac
# "%UserProfile%\.aws\credentials" is used on Windows
#var.shared_credential_file: /etc/filebeat/aws_credentials
# Profile name for aws credential
# If not set the default profile is used
#var.credential_profile_name: fb-aws
# Use access_key_id, secret_access_key and/or session_token instead of shared credential file
#var.access_key_id: access_key_id
#var.secret_access_key: secret_access_key
#var.session_token: session_token
# The duration that the received messages are hidden from ReceiveMessage request
# Default to be 300s
#var.visibility_timeout: 300s
# Maximum duration before AWS API request will be interrupted
# Default to be 120s
#var.api_timeout: 120s
# Custom endpoint used to access AWS APIs
#var.endpoint: amazonaws.com
# AWS IAM Role to assume
#var.role_arn: arn:aws:iam::123456789012:role/test-mb
# Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
#var.fips_enabled: false
# The maximum number of messages to return from SQS. Valid values: 1 to 10.
#var.max_number_of_messages: 5

45
salt/filebeat/modules/azure.yml.disabled
View File

@@ -1,45 +0,0 @@
# Module: azure
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-azure.html
- module: azure
# All logs
activitylogs:
enabled: true
var:
# eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
eventhub: "insights-operational-logs"
# consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
consumer_group: "$Default"
# the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string
connection_string: ""
# the name of the storage account the state/offsets will be stored and updated
storage_account: ""
# the storage account key, this key will be used to authorize access to data in your storage account
storage_account_key: ""
platformlogs:
enabled: false
# var:
# eventhub: ""
# consumer_group: "$Default"
# connection_string: ""
# storage_account: ""
# storage_account_key: ""
auditlogs:
enabled: false
# var:
# eventhub: "insights-logs-auditlogs"
# consumer_group: "$Default"
# connection_string: ""
# storage_account: ""
# storage_account_key: ""
signinlogs:
enabled: false
# var:
# eventhub: "insights-logs-signinlogs"
# consumer_group: "$Default"
# connection_string: ""
# storage_account: ""
# storage_account_key: ""

41
salt/filebeat/modules/barracuda.yml.disabled
View File

@@ -1,41 +0,0 @@
# Module: barracuda
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-barracuda.html
- module: barracuda
waf:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9503
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
spamfirewall:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9524
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

22
salt/filebeat/modules/bluecoat.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: bluecoat
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-bluecoat.html
- module: bluecoat
director:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9505
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

17
salt/filebeat/modules/cef.yml.disabled
View File

@@ -1,17 +0,0 @@
# Module: cef
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cef.html
- module: cef
log:
enabled: true
var:
syslog_host: localhost
syslog_port: 9003
# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]
# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

24
salt/filebeat/modules/checkpoint.yml.disabled
View File

@@ -1,24 +0,0 @@
# Module: checkpoint
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-checkpoint.html
- module: checkpoint
firewall:
enabled: true
# Set which input to use between syslog (default) or file.
#var.input: syslog
# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost
# The UDP port to listen for syslog traffic. Defaults to 9001.
#var.syslog_port: 9001
# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]
# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

142
salt/filebeat/modules/cisco.yml.disabled
View File

@@ -1,142 +0,0 @@
# Module: cisco
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cisco.html
- module: cisco
asa:
enabled: true
# Set which input to use between syslog (default) or file.
#var.input: syslog
# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost
# The UDP port to listen for syslog traffic. Defaults to 9001.
#var.syslog_port: 9001
# Set the log level from 1 (alerts only) to 7 (include all messages).
# Messages with a log level higher than the specified will be dropped.
# See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
#var.log_level: 7
# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]
# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]
ftd:
enabled: true
# Set which input to use between syslog (default) or file.
#var.input: syslog
# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost
# The UDP port to listen for syslog traffic. Defaults to 9003.
#var.syslog_port: 9003
# Set the log level from 1 (alerts only) to 7 (include all messages).
# Messages with a log level higher than the specified will be dropped.
# See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
#var.log_level: 7
# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]
# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]
ios:
enabled: true
# Set which input to use between syslog (default) or file.
#var.input: syslog
# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost
# The UDP port to listen for syslog traffic. Defaults to 9002.
#var.syslog_port: 9002
# Set custom paths for the log files when using file input. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
nexus:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9506
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
meraki:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9525
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
umbrella:
enabled: true
#var.input: aws-s3
# AWS SQS queue url
#var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue
# Access ID to authenticate with the S3 input
#var.access_key_id: 123456
# Access key to authenticate with the S3 input
#var.secret_access_key: PASSWORD
# The duration that the received messages are hidden from ReceiveMessage request
#var.visibility_timeout: 300s
# Maximum duration before AWS API request will be interrupted
#var.api_timeout: 120s
amp:
enabled: true
# Set which input to use between httpjson (default) or file.
#var.input: httpjson
# The API URL
#var.url: https://api.amp.cisco.com/v1/events
# The client ID used as a username for the API requests.
#var.client_id:
# The API key related to the client ID.
#var.api_key:
# How far to look back the first time the module is started. Expects an amount of hours.
#var.first_interval: 24h
# Overriding the default request timeout, optional.
#var.request_timeout: 60s

11
salt/filebeat/modules/coredns.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: coredns
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-coredns.html
- module: coredns
# Fileset for native deployment
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

11
salt/filebeat/modules/crowdstrike.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: crowdstrike
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-crowdstrike.html
- module: crowdstrike
falcon:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

22
salt/filebeat/modules/cyberark.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: cyberark
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberark.html
- module: cyberark
corepas:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9527
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

22
salt/filebeat/modules/cylance.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: cylance
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cylance.html
- module: cylance
protect:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9508
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

35
salt/filebeat/modules/elasticsearch.yml.disabled
View File

@@ -1,35 +0,0 @@
# Module: elasticsearch
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-elasticsearch.html
- module: elasticsearch
# Server log
server:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
gc:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
audit:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
slowlog:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
deprecation:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

11
salt/filebeat/modules/envoyproxy.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: envoyproxy
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-envoyproxy.html
- module: envoyproxy
# Fileset for native deployment
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

41
salt/filebeat/modules/f5.yml.disabled
View File

@@ -1,41 +0,0 @@
# Module: f5
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-f5.html
- module: f5
bigipapm:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9504
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
bigipafm:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9528
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

83
salt/filebeat/modules/fortinet.yml.disabled
View File

@@ -1,83 +0,0 @@
# Module: fortinet
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-fortinet.html
- module: fortinet
firewall:
enabled: true
# Set which input to use between tcp, udp (default) or file.
#var.input: udp
# The interface to listen to syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost
# The port to listen for syslog traffic. Defaults to 9004.
#var.syslog_port: 9004
# Set internal interfaces. used to override parsed network.direction
# based on a tagged interface. Both internal and external interfaces must be
# set to leverage this functionality.
#var.internal_interfaces: [ "LAN" ]
# Set external interfaces. used to override parsed network.direction
# based on a tagged interface. Both internal and external interfaces must be
# set to leverage this functionality.
#var.external_interfaces: [ "WAN" ]
clientendpoint:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9510
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
fortimail:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9529
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
fortimanager:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9530
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

76
salt/filebeat/modules/gcp.yml.disabled
View File

@@ -1,76 +0,0 @@
# Module: gcp
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gcp.html
- module: gcp
vpcflow:
enabled: true
# Google Cloud project ID.
var.project_id: my-gcp-project-id
# Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
# configured to use this topic as a sink for VPC flow logs.
var.topic: gcp-vpc-flowlogs
# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json
# Set internal networks. This is used to classify network.direction based
# off of what networks are considered "internal" either base off of a CIDR
# block or named network conditions. If this is not specified, then traffic
# direction is determined by whether it is between source and destination
# instance information rather than IP.
#
# For a full list of network conditions see:
# https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
#var.internal_networks: [ "private" ]
firewall:
enabled: true
# Google Cloud project ID.
var.project_id: my-gcp-project-id
# Google Pub/Sub topic containing firewall logs. Stackdriver must be
# configured to use this topic as a sink for firewall logs.
var.topic: gcp-vpc-firewall
# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-gcp-firewall-sub
# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json
# Set internal networks. This is used to classify network.direction based
# off of what networks are considered "internal" either base off of a CIDR
# block or named network conditions. If this is not specified, then traffic
# is taken from the direction data in the rule_details event payload.
#
# For a full list of network conditions see:
# https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
#var.internal_networks: [ "private" ]
audit:
enabled: true
# Google Cloud project ID.
var.project_id: my-gcp-project-id
# Google Pub/Sub topic containing firewall logs. Stackdriver must be
# configured to use this topic as a sink for firewall logs.
var.topic: gcp-vpc-audit
# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-gcp-audit
# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json

53
salt/filebeat/modules/google_workspace.yml.disabled
View File

@@ -1,53 +0,0 @@
# Module: google_workspace
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-google_workspace.html
- module: google_workspace
saml:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
user_accounts:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
login:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
admin:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
drive:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
groups:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h

58
salt/filebeat/modules/googlecloud.yml.disabled
View File

@@ -1,58 +0,0 @@
# Module: googlecloud
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-googlecloud.html
# googlecloud module is deprecated, please use gcp instead
- module: gcp
vpcflow:
enabled: true
# Google Cloud project ID.
var.project_id: my-gcp-project-id
# Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
# configured to use this topic as a sink for VPC flow logs.
var.topic: gcp-vpc-flowlogs
# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json
firewall:
enabled: true
# Google Cloud project ID.
var.project_id: my-gcp-project-id
# Google Pub/Sub topic containing firewall logs. Stackdriver must be
# configured to use this topic as a sink for firewall logs.
var.topic: gcp-vpc-firewall
# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-gcp-firewall-sub
# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json
audit:
enabled: true
# Google Cloud project ID.
var.project_id: my-gcp-project-id
# Google Pub/Sub topic containing firewall logs. Stackdriver must be
# configured to use this topic as a sink for firewall logs.
var.topic: gcp-vpc-audit
# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-gcp-audit
# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json

53
salt/filebeat/modules/gsuite.yml.disabled
View File

@@ -1,53 +0,0 @@
# Module: gsuite
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gsuite.html
# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
- module: gsuite
saml:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
user_accounts:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
login:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
admin:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
drive:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h
groups:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: admin@example.com
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 2h

14
salt/filebeat/modules/haproxy.yml.disabled
View File

@@ -1,14 +0,0 @@
# Module: haproxy
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-haproxy.html
- module: haproxy
# All logs
log:
enabled: true
# Set which input to use between syslog (default) or file.
#var.input:
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

11
salt/filebeat/modules/ibmmq.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: ibmmq
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-ibmmq.html
- module: ibmmq
# All logs
errorlog:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

27
salt/filebeat/modules/icinga.yml.disabled
View File

@@ -1,27 +0,0 @@
# Module: icinga
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-icinga.html
- module: icinga
# Main logs
main:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Debug logs
debug:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Startup logs
startup:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

20
salt/filebeat/modules/iis.yml.disabled
View File

@@ -1,20 +0,0 @@
# Module: iis
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iis.html
- module: iis
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

22
salt/filebeat/modules/imperva.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: imperva
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-imperva.html
- module: imperva
securesphere:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9511
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

22
salt/filebeat/modules/infoblox.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: infoblox
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-infoblox.html
- module: infoblox
nios:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9512
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

13
salt/filebeat/modules/iptables.yml.disabled
View File

@@ -1,13 +0,0 @@
# Module: iptables
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iptables.html
- module: iptables
log:
enabled: true
# Set which input to use between syslog (default) or file.
#var.input:
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

54
salt/filebeat/modules/juniper.yml.disabled
View File

@@ -1,54 +0,0 @@
# Module: juniper
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-juniper.html
- module: juniper
junos:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9513
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
netscreen:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9523
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
srx:
enabled: true
# Set which input to use between tcp, udp (default) or file.
#var.input: udp
# The interface to listen to syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost
# The port to listen for syslog traffic. Defaults to 9006.
#var.syslog_port: 9006

15
salt/filebeat/modules/kafka.yml.disabled
View File

@@ -1,15 +0,0 @@
# Module: kafka
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kafka.html
- module: kafka
# All logs
log:
enabled: true
# Set custom paths for Kafka. If left empty,
# Filebeat will look under /opt.
#var.kafka_home:
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

19
salt/filebeat/modules/kibana.yml.disabled
View File

@@ -1,19 +0,0 @@
# Module: kibana
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kibana.html
- module: kibana
# Server logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Audit logs
audit:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

18
salt/filebeat/modules/logstash.yml.disabled
View File

@@ -1,18 +0,0 @@
# Module: logstash
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-logstash.html
- module: logstash
# logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Slow logs
slowlog:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

49
salt/filebeat/modules/microsoft.yml.disabled
View File

@@ -1,49 +0,0 @@
# Module: microsoft
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-microsoft.html
- module: microsoft
# ATP configuration
defender_atp:
enabled: true
# How often the API should be polled
#var.interval: 5m
# Oauth Client ID
#var.oauth2.client.id: ""
# Oauth Client Secret
#var.oauth2.client.secret: ""
# Oauth Token URL, should include the tenant ID
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
m365_defender:
enabled: true
# How often the API should be polled
#var.interval: 5m
# Oauth Client ID
#var.oauth2.client.id: ""
# Oauth Client Secret
#var.oauth2.client.secret: ""
# Oauth Token URL, should include the tenant ID
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
dhcp:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9515
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

17
salt/filebeat/modules/misp.yml.disabled
View File

@@ -1,17 +0,0 @@
# Module: misp
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-misp.html
- module: misp
threat:
enabled: true
# API key to access MISP
#var.api_key
# Array object in MISP response
#var.http_request_body.limit: 1000
# URL of the MISP REST API
#var.url
# You can also pass SSL options. For example:
#var.ssl.verification_mode: none

11
salt/filebeat/modules/mongodb.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: mongodb
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mongodb.html
- module: mongodb
# All logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

11
salt/filebeat/modules/mssql.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: mssql
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mssql.html
- module: mssql
# Fileset for native deployment
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']

19
salt/filebeat/modules/mysql.yml.disabled
View File

@@ -1,19 +0,0 @@
# Module: mysql
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysql.html
- module: mysql
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Slow logs
slowlog:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

14
salt/filebeat/modules/mysqlenterprise.yml.disabled
View File

@@ -1,14 +0,0 @@
# Module: mysqlenterprise
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysqlenterprise.html
- module: mysqlenterprise
audit:
enabled: true
# Sets the input type. Currently only supports file
#var.input: file
# Set paths for the log files when file input is used.
# Should only be used together with file input
# var.paths:
# - /home/user/mysqlauditlogs/audit.*.log

11
salt/filebeat/modules/nats.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: nats
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nats.html
- module: nats
# All logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

14
salt/filebeat/modules/netflow.yml.disabled
View File

@@ -1,14 +0,0 @@
# Module: netflow
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netflow.html
- module: netflow
log:
enabled: true
var:
netflow_host: localhost
netflow_port: 2055
# internal_networks specifies which networks are considered internal or private
# you can specify either a CIDR block or any of the special named ranges listed
# at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
internal_networks:
- private

22
salt/filebeat/modules/netscout.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: netscout
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netscout.html
- module: netscout
sightline:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9502
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

27
salt/filebeat/modules/nginx.yml.disabled
View File

@@ -1,27 +0,0 @@
# Module: nginx
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nginx.html
- module: nginx
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
ingress_controller:
enabled: false
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

48
salt/filebeat/modules/o365.yml.disabled
View File

@@ -1,48 +0,0 @@
# Module: o365
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-o365.html
- module: o365
audit:
enabled: true
# Set the application_id (also known as client ID):
var.application_id: "<MyApplicationID>"
# Configure the tenants to monitor:
# Use the tenant ID (also known as directory ID) and the domain name.
# var.tenants:
# - id: "tenant_id_1"
# name: "mydomain.onmicrosoft.com"
# - id: "tenant_id_2"
# name: "mycompany.com"
var.tenants:
- id: "<MyTenantID>"
name: "mytenant.onmicrosoft.com"
# List of content-types to fetch. By default all known content-types
# are retrieved:
# var.content_type:
# - "Audit.AzureActiveDirectory"
# - "Audit.Exchange"
# - "Audit.SharePoint"
# - "Audit.General"
# - "DLP.All"
# Use the following settings to enable certificate-based authentication:
# var.certificate: "/path/to/certificate.pem"
# var.key: "/path/to/private_key.pem"
# var.key_passphrase: "myPrivateKeyPassword"
# Client-secret based authentication:
# Comment the following line if using certificate authentication.
var.client_secret: "<YourClientSecretHere>"
# Advanced settings, use with care:
# var.api:
# # Settings for custom endpoints:
# authentication_endpoint: "https://login.microsoftonline.us/"
# resource: "https://manage.office365.us"
#
# max_retention: 168h
# max_requests_per_minute: 2000
# poll_interval: 3m

10
salt/filebeat/modules/okta.yml.disabled
View File

@@ -1,10 +0,0 @@
# Module: okta
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-okta.html
- module: okta
system:
enabled: true
# You must configure the URL with your Okta domain and provide an
# API token to access the logs API.
#var.url: https://yourOktaDomain/api/v1/logs
#var.api_key: 'yourApiTokenHere'

13
salt/filebeat/modules/oracle.yml.disabled
View File

@@ -1,13 +0,0 @@
# Module: oracle
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-oracle.html
- module: oracle
database_audit:
enabled: true
# Set which input to use between syslog or file (default).
#var.input: file
# Set paths for the log files when file input is used.
# Should only be used together with file input
# var.paths: /home/user/oracleauditlogs/*.aud

15
salt/filebeat/modules/osquery.yml.disabled
View File

@@ -1,15 +0,0 @@
# Module: osquery
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-osquery.html
- module: osquery
result:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# If true, all fields created by this module are prefixed with
# `osquery.result`. Set to false to copy the fields in the root
# of the document. The default is true.
#var.use_namespace: true

22
salt/filebeat/modules/panw.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: panw
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-panw.html
- module: panw
panos:
enabled: true
# Set which input to use between syslog (default) or file.
#var.input:
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Set internal security zones. used to determine network.direction
# default "trust"
#var.internal_zones:
# Set external security zones. used to determine network.direction
# default "untrust"
#var.external_zones:

13
salt/filebeat/modules/pensando.yml.disabled
View File

@@ -1,13 +0,0 @@
# Module: pensando
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-pensando.html
- module: pensando
# Firewall logs
dfw:
enabled: true
var.syslog_host: 0.0.0.0
var.syslog_port: 9001
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
# var.paths:

11
salt/filebeat/modules/postgresql.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: postgresql
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-postgresql.html
- module: postgresql
# All logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

22
salt/filebeat/modules/proofpoint.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: proofpoint
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-proofpoint.html
- module: proofpoint
emailsecurity:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9531
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

11
salt/filebeat/modules/rabbitmq.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: rabbitmq
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-rabbitmq.html
- module: rabbitmq
# All logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"]

22
salt/filebeat/modules/radware.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: radware
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-radware.html
- module: radware
defensepro:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9518
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

21
salt/filebeat/modules/redis.yml.disabled
View File

@@ -1,21 +0,0 @@
# Module: redis
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-redis.html
- module: redis
# Main logs
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths: ["/var/log/redis/redis-server.log*"]
# Slow logs, retrieved via the Redis API (SLOWLOG)
slowlog:
enabled: true
# The Redis hosts to connect to.
#var.hosts: ["localhost:6379"]
# Optional, the password to use when connecting to Redis.
#var.password:

9
salt/filebeat/modules/santa.yml.disabled
View File

@@ -1,9 +0,0 @@
# Module: santa
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-santa.html
- module: santa
log:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the the default path.
#var.paths:

22
salt/filebeat/modules/snort.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: snort
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snort.html
- module: snort
log:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9532
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

112
salt/filebeat/modules/snyk.yml.disabled
View File

@@ -1,112 +0,0 @@
# Module: snyk
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snyk.html
- module: snyk
audit:
enabled: true
# Set which input to use between httpjson (default) or file.
#var.input: httpjson
#
# What audit type to collect, can be either "group" or "organization".
#var.audit_type: organization
#
# The ID related to the audit_type. If audit type is group, then this value should be
# the group ID and if it is organization it should be the organization ID to collect from.
#var.audit_id: 1235432-asdfdf-2341234-asdgjhg
# How often the API should be polled, defaults to 1 hour.
#var.interval: 1h
# How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
#var.first_interval: 24h
# The API token that is created for a specific user, found in the Snyk management dashboard.
#var.api_token:
# Event filtering.
# All configuration items below is OPTIONAL and the default options will be overwritten
# for each entry that is not commented out.
# Will return only logs for this specific project.
#var.project_id: ""
# User public ID. Will fetch only audit logs originated from this user's actions.
#var.user_id: ""
# Will return only logs for this specific event.
#var.event: ""
# User email address. Will fetch only audit logs originated from this user's actions.
#var.email_address: ""
vulnerabilities:
enabled: true
# Set which input to use between httpjson (default) or file.
#var.input: httpjson
# How often the API should be polled. Data from the Snyk API is automatically updated
# once per day, so the default interval is 24 hours.
#var.interval: 24h
# How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc).
#var.first_interval: 24h
# The API token that is created for a specific user, found in the Snyk management dashboard.
#var.api_token:
# The list of org IDs to filter the results by.
# One organization ID per line, starting with a - sign
#var.orgs:
# - 12354-asdfdf-123543-asdsdfg
# - 76554-jhggfd-654342-hgrfasd
# Event filtering.
# All configuration items below is OPTIONAL and the default options will be overwritten
# for each entry that is not commented out.
# The severity levels of issues to filter the results by.
#var.included_severity:
# - high
# - medium
# - low
#
# The exploit maturity levels of issues to filter the results by.
#var.exploit_maturity:
# - mature
# - proof-of-concept
# - no-known-exploit
# - no-data
#
# The type of issues to filter the results by.
#var.types:
# - vuln
# - license
#
# The type of languages to filter the results by.
#var.languages:
# - javascript
# - ruby
# - java
# - scala
# - python
# - golang
# - php
# - dotnet
# - swift
# - docker
#
# Search term to filter issue name by, or an exact CVE or CWE.
#var.identifier:
# - ""
#
# If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored.
#var.ignored: false
#var.patched: false
#var.fixable: false
#var.is_fixed: false
#var.is_patchable: false
#var.is_pinnable: false
#
# The priority score ranging between 0-1000
#var.min_priority_score: 0
#var.max_priority_score: 1000

22
salt/filebeat/modules/sonicwall.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: sonicwall
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sonicwall.html
- module: sonicwall
firewall:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9519
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

46
salt/filebeat/modules/sophos.yml.disabled
View File

@@ -1,46 +0,0 @@
# Module: sophos
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sophos.html
- module: sophos
xg:
enabled: true
# Set which input to use between tcp, udp (default) or file.
#var.input: udp
# The interface to listen to syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost
# The port to listen for syslog traffic. Defaults to 9004.
#var.syslog_port: 9005
# firewall default hostname
#var.default_host_name: firewall.localgroup.local
# known firewalls
#var.known_devices:
#- serial_number: "1234567890123457"
# hostname: "a.host.local"
#- serial_number: "1234234590678557"
# hostname: "b.host.local"
utm:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9533
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

22
salt/filebeat/modules/squid.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: squid
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-squid.html
- module: squid
log:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9520
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

12
salt/filebeat/modules/suricata.yml
View File

@@ -1,12 +0,0 @@
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
- module: suricata
# All logs
eve:
enabled: true
var.paths: ["/nsm/suricata/eve*.json"]
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

19
salt/filebeat/modules/system.yml.disabled
View File

@@ -1,19 +0,0 @@
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-system.html
- module: system
# Syslog
syslog:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Authorization logs
auth:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

105
salt/filebeat/modules/threatintel.yml.disabled
View File

@@ -1,105 +0,0 @@
# Module: threatintel
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-threatintel.html
- module: threatintel
abuseurl:
enabled: true
# Input used for ingesting threat intel data.
var.input: httpjson
# The URL used for Threat Intel API calls.
var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/
# The interval to poll the API for updates.
var.interval: 10m
abusemalware:
enabled: true
# Input used for ingesting threat intel data.
var.input: httpjson
# The URL used for Threat Intel API calls.
var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/
# The interval to poll the API for updates.
var.interval: 10m
misp:
enabled: true
# Input used for ingesting threat intel data, defaults to JSON.
var.input: httpjson
# The URL of the MISP instance, should end with "/events/restSearch".
var.url: https://SERVER/events/restSearch
# The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI.
var.api_token: API_KEY
# Configures the type of SSL verification done, if MISP is running on self signed certificates
# then the certificate would either need to be trusted, or verification_mode set to none.
#var.ssl.verification_mode: none
# Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context.
# For examples please reference the filebeat module documentation.
#var.filters:
# - threat_level: [4, 5]
# - to_ids: true
# How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer
# than the last event that was already ingested.
var.first_interval: 300h
# The interval to poll the API for updates.
var.interval: 5m
otx:
enabled: true
# Input used for ingesting threat intel data
var.input: httpjson
# The URL used for OTX Threat Intel API calls.
var.url: https://otx.alienvault.com/api/v1/indicators/export
# The authentication token used to contact the OTX API, can be found on the OTX UI.
var.api_token: API_KEY
# Optional filters that can be applied to retrieve only specific indicators.
#var.types: "domain,IPv4,hostname,url,FileHash-SHA256"
# The timeout of the HTTP client connecting to the OTX API
#var.http_client_timeout: 120s
# How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module.
var.lookback_range: 1h
# How far back to look once the beat starts up for the first time, the value has to be in hours.
var.first_interval: 400h
# The interval to poll the API for updates
var.interval: 5m
anomali:
enabled: true
# Input used for ingesting threat intel data
var.input: httpjson
# The URL used for Threat Intel API calls. Limo has multiple different possibilities for URL's depending
# on the type of threat intel source that is needed.
var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects
# The Username used by anomali Limo, defaults to guest.
#var.username: guest
# The password used by anomali Limo, defaults to guest.
#var.password: guest
# How far back to look once the beat starts up for the first time, the value has to be in hours.
var.first_interval: 400h
# The interval to poll the API for updates
var.interval: 5m

22
salt/filebeat/modules/tomcat.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: tomcat
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-tomcat.html
- module: tomcat
log:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9501
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

11
salt/filebeat/modules/traefik.yml.disabled
View File

@@ -1,11 +0,0 @@
# Module: traefik
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-traefik.html
- module: traefik
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

122
salt/filebeat/modules/zeek.yml
View File

@@ -1,122 +0,0 @@
# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html
- module: zeek
capture_loss:
enabled: false
var.paths: ["/nsm/zeek/logs/current/capture_loss.log"]
connection:
enabled: true
var.paths: ["/nsm/zeek/logs/current/conn.log"]
dce_rpc:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dce_rpc.log"]
dhcp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dhcp.log"]
dnp3:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dnp3.log"]
dns:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dns.log"]
dpd:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dpd.log"]
files:
enabled: true
var.paths: ["/nsm/zeek/logs/current/files.log"]
ftp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ftp.log"]
http:
enabled: true
var.paths: ["/nsm/zeek/logs/current/http.log"]
intel:
enabled: true
var.paths: ["/nsm/zeek/logs/current/intel.log"]
irc:
enabled: true
var.paths: ["/nsm/zeek/logs/current/irc.log"]
kerberos:
enabled: true
var.paths: ["/nsm/zeek/logs/current/kerberos.log"]
modbus:
enabled: true
var.paths: ["/nsm/zeek/logs/current/modbus.log"]
mysql:
enabled: true
var.paths: ["/nsm/zeek/logs/current/mysql.log"]
notice:
enabled: true
var.paths: ["/nsm/zeek/logs/current/notice.log"]
ntlm:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ntlm.log"]
ocsp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/oscp.log"]
pe:
enabled: true
var.paths: ["/nsm/zeek/logs/current/pe.log"]
radius:
enabled: true
var.paths: ["/nsm/zeek/logs/current/radius.log"]
rdp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/rdp.log"]
rfb:
enabled: true
var.paths: ["/nsm/zeek/logs/current/rfb.log"]
signature:
enabled: true
var.paths: ["/nsm/zeek/logs/current/signature.log"]
sip:
enabled: true
var.paths: ["/nsm/zeek/logs/current/sip.log"]
smb_cmd:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smb_cmd.log"]
smb_files:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smb_files.log"]
smb_mapping:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smb_mapping.log"]
smtp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smtp.log"]
snmp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/snmp.log"]
socks:
enabled: true
var.paths: ["/nsm/zeek/logs/current/socks.log"]
ssh:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ssh.log"]
ssl:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ssl.log"]
stats:
enabled: false
var.paths: ["/nsm/zeek/logs/current/stats.log"]
syslog:
enabled: false
var.paths: ["/nsm/zeek/logs/current/syslog.log"]
traceroute:
enabled: false
var.paths: ["/nsm/zeek/logs/current/traceroute.log.log"]
tunnel:
enabled: true
var.paths: ["/nsm/zeek/logs/current/tunnel.log"]
weird:
enabled: true
var.paths: ["/nsm/zeek/logs/current/weird.log"]
x509:
enabled: true
var.paths: ["/nsm/zeek/logs/current/x509.log"]
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

22
salt/filebeat/modules/zoom.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: zoom
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zoom.html
- module: zoom
webhook:
enabled: true
# The type of input to use
#var.input: http_endpoint
# The interface to listen for incoming HTTP requests. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.listen_address: localhost
# The port to bind to
#var.listen_port: 80
# The header Zoom uses to send its secret token, defaults to "Authorization"
#secret.header: Authorization
# The secret token value created by Zoom
#secret.value: ZOOMTOKEN

22
salt/filebeat/modules/zscaler.yml.disabled
View File

@@ -1,22 +0,0 @@
# Module: zscaler
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zscaler.html
- module: zscaler
zia:
enabled: true
# Set which input to use between udp (default), tcp or file.
# var.input: udp
# var.syslog_host: localhost
# var.syslog_port: 9521
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local

2
salt/filebeat/securityoniondefaults.yaml
View File

@@ -33,7 +33,7 @@ securityonion_filebeat:
{% set FILESET = LOGNAME %}
{% endif %}
{{ FILESET }}:
enabled: false
enabled: true
var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
{%- endfor %}
{%- endif %}

4
salt/zeek/init.sls
View File

@@ -76,9 +76,9 @@ zeekpolicysync:
# Ensure the zeek spool tree (and state.db) ownership is correct
zeekspoolownership:
file.directory:
- name: /nsm/zeek/spool
- name: /nsm/zeek
- user: 937
- max_depth: 0
- max_depth: 1
- recurse:
- user