Add RITA Logstash config

2025-12-07 09:42:46 +01:00 · 2022-03-22 17:36:18 +00:00
parent a3f8a10eb9
commit f613d8ad86
3 changed files with 72 additions and 0 deletions
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -13,4 +13,5 @@ logstash:
        - so/9600_output_ossec.conf.jinja
        - so/9700_output_strelka.conf.jinja
        - so/9800_output_logscan.conf.jinja
+        - so/9801_output_rita.conf.jinja
        - so/9900_output_endgame.conf.jinja
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -10,6 +10,7 @@
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('global:wazuh', '0') %}
 {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %}
+{%- set RITAENABLED = salt['pillar.get']('rita:enabled', False) -%}
 {%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%}
 {%- set FBMEMEVENTS = salt['pillar.get']('filebeat:mem_events', 2048) -%}
@@ -264,6 +265,54 @@ filebeat.inputs:

 {%- endif %}

+{%- if RITAENABLED %}
+- type: filestream
+  paths:
+    - /nsm/rita/beacons.csv
+  exclude_lines: ['^Score', '^Source', '^Domain']
+  fields:
+    module: rita
+    dataset: beacon
+    category: network
+  processors:
+  - drop_fields:
+      fields: ["source", "prospector", "input", "offset", "beat"]
+  fields_under_root: true
+  pipeline: "rita.beacon"
+  index: "so-rita"
+
+- type: filestream
+  paths:
+    - //nsm/rita/logs/long-connections.csv
+    - /nsm/rita/logs/open-connections.csv
+  exclude_lines: ['^Source']
+  fields:
+    module: rita
+    dataset: connection
+    category: network
+  processors:
+  - drop_fields:
+      fields: ["source", "prospector", "input", "offset", "beat"]
+  fields_under_root: true
+  pipeline: "rita.connection"
+  index: "so-rita"
+
+- type: filestream
+  paths:
+    - /nsm/rita/exploded-dns.csv
+  exclude_lines: ['^Domain']
+  fields:
+    module: rita
+    dataset: dns
+    category: network
+  processors:
+  - drop_fields:
+      fields: ["source", "prospector", "input", "offset", "beat"]
+  fields_under_root: true
+  pipeline: "rita.dns"
+  index: "so-rita"
+{%- endif %}
+
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager',  'so-managersearch', 'so-import'] %}
 - type: log
  paths:
--- a/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja
@@ -0,0 +1,22 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
+output {
+  if [module] =~ "rita" and "import" not in [tags] {
+    elasticsearch {
+      pipeline => "%{module}.%{dataset}"
+      hosts => "{{ ES }}"
+{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
+      user => "{{ ES_USER }}"
+      password => "{{ ES_PASS }}"
+{% endif %}
+      index => "so-rita"
+      ssl => true
+      ssl_certificate_verification => false
+    }
+  }
+}