Change Suricata Paths and Added Logstash Files

salt/logstash/files/dynamic/9000_output_bro.conf

@@ -0,0 +1,24 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9000"]
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}

salt/logstash/files/dynamic/9001_output_switch.conf

@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9002_output_import.conf

@@ -0,0 +1,22 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template_name => "logstash-*"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}

salt/logstash/files/dynamic/9004_output_flow.conf

@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9026_output_dhcp.conf

@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9029_output_esxi.conf

@@ -0,0 +1,20 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9030_output_greensql.conf

@@ -0,0 +1,20 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9031_output_iis.conf

@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9032_output_mcafee.conf

@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9033_output_snort.conf

@@ -0,0 +1,24 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "snort" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "snort" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}

salt/logstash/files/dynamic/9034_output_syslog.conf

@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}

salt/logstash/files/dynamic/9200_output_firewall.conf

@@ -0,0 +1,24 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}

salt/logstash/files/dynamic/9300_output_windows.conf

@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
+

salt/logstash/files/dynamic/9301_output_dns_windows.conf

@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
+

salt/logstash/files/dynamic/9400_output_suricata.conf

@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9400"]
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/logstash/files/dynamic/9500_output_beats.conf

@@ -0,0 +1,20 @@
+# Author: Wes Lambert
+# Last Update: 12/11/2017
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9000"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template_name => "logstash-beats"
+      template => "/beats-template.json"
+      template_overwrite => true
+    }
+  }
+}

salt/logstash/files/dynamic/9998_output_test_data.conf

@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "test_data" in [tags] {
+    mutate {
+	  #add_tag => [ "conf_file_9998"]
+	}
+  }
+}
+output {
+  if "test_data" in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-test-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}

salt/suricata/init.sls

@@ -72,7 +72,7 @@ so-suricata:
     - environment:
       - INTERFACE={{ interface }}
     - binds:
-      - /opt/so/conf/suricata/suricata.yaml:/usr/local/etc/suricata/suricata.yaml:ro
-      - /opt/so/conf/suricata/rules:/usr/local/etc/suricata/rules:ro
-      - /opt/so/log/suricata/:/usr/local/var/log/suricata/:rw
+      - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
+      - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
+      - /opt/so/log/suricata/:/var/log/suricata/:rw
     - network_mode: host