diff --git a/salt/logstash/files/dynamic/9000_output_bro.conf b/salt/logstash/files/dynamic/9000_output_bro.conf
new file mode 100644
index 000000000..5d5073bdc
--- /dev/null
+++ b/salt/logstash/files/dynamic/9000_output_bro.conf
@@ -0,0 +1,24 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9000"]
+ }
+ }
+}
+output {
+ if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-bro-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9001_output_switch.conf b/salt/logstash/files/dynamic/9001_output_switch.conf
new file mode 100644
index 000000000..2a1b37eba
--- /dev/null
+++ b/salt/logstash/files/dynamic/9001_output_switch.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9001"]
+ }
+ }
+}
+output {
+ if "switch" in [tags] and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-switch-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9002_output_import.conf b/salt/logstash/files/dynamic/9002_output_import.conf
new file mode 100644
index 000000000..38f5b0f90
--- /dev/null
+++ b/salt/logstash/files/dynamic/9002_output_import.conf
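Review bot: The elasticsearch output in 9000_output_bro.conf is configured with only `hosts => elasticsearch` and no transport or authentication options (`ssl`, `cacert`, `user`/`password`), so events are shipped over plain HTTP to an unauthenticated endpoint; every other output file in this commit (9001 through 9998) has the same shape. If Elasticsearch is only reachable on the host's local network this may be deliberate, but that assumption is not recorded anywhere in the files. I would add a comment above the `elasticsearch {` block, `# ES reached over plain HTTP on the local network; set ssl/cacert/user/password here if it is ever exposed beyond this host`, or carry the transport settings in one place rather than repeating the bare `hosts` line in each file. The `hosts => elasticsearch` bareword also differs from the quoted style used for every other value in the block; `hosts => "elasticsearch"` would be the conventional form.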
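Review bot: 9001_output_switch.conf passes `template => "/logstash-template.json"` without `template_name` or `template_overwrite`, so the plugin installs the file under the default template name and leaves any existing template untouched, while 9000_output_bro.conf in the same commit installs the same file as `template_name => "logstash"` with `template_overwrite => true`; 9004, 9026, 9029, 9030, 9031, 9032, 9300, 9301, 9400 and 9998 follow the 9001 form and 9033, 9034 and 9200 follow the 9000 form. With every pipeline output pushing the same template on startup, which settings actually win depends on output start order, and the half with `template_overwrite` left unset silently keep whatever version is already in Elasticsearch. Either manage the template from one output only or make the three template lines identical across the files, e.g. `template_name => "logstash"` / `template => "/logstash-template.json"` / `template_overwrite => true` in each.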
@@ -0,0 +1,22 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+ if "import" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9002"]
+ }
+ }
+}
+output {
+ if "import" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-import-%{+YYYY.MM.dd}"
+ template_name => "logstash-*"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9004_output_flow.conf b/salt/logstash/files/dynamic/9004_output_flow.conf
new file mode 100644
index 000000000..be125243e
--- /dev/null
+++ b/salt/logstash/files/dynamic/9004_output_flow.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9004"]
+ }
+ }
+}
+output {
+ if [event_type] == "sflow" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-flow-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9026_output_dhcp.conf b/salt/logstash/files/dynamic/9026_output_dhcp.conf
new file mode 100644
index 000000000..7365cea35
--- /dev/null
+++ b/salt/logstash/files/dynamic/9026_output_dhcp.conf
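Review bot: `template_name => "logstash-*"` in 9002_output_import.conf sets the name the template is stored under in Elasticsearch, not the index pattern it applies to, so this output registers a second template literally called `logstash-*` from the same `/logstash-template.json` that 9000, 9033, 9034 and 9200 register as `logstash`. Two copies of one template under different names is confusing at best and, if the file is later edited and only one output happens to be restarted, the two will drift. Unless a separate template is really intended, this should read `template_name => "logstash"` like the sibling files.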
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9026"]
+ }
+ }
+}
+output {
+ if [event_type] == "dhcp" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9029_output_esxi.conf b/salt/logstash/files/dynamic/9029_output_esxi.conf
new file mode 100644
index 000000000..09547e248
--- /dev/null
+++ b/salt/logstash/files/dynamic/9029_output_esxi.conf
@@ -0,0 +1,20 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9029"]
+ }
+ }
+}
+output {
+ if [event_type] == "esxi" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => elasticsearch
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9030_output_greensql.conf b/salt/logstash/files/dynamic/9030_output_greensql.conf
new file mode 100644
index 000000000..c08315397
--- /dev/null
+++ b/salt/logstash/files/dynamic/9030_output_greensql.conf
@@ -0,0 +1,20 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9030"]
+ }
+ }
+}
+output {
+ if [event_type] == "greensql" and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => elasticsearch
+ template => "/logstash-template.json"
+ }
+ }
+}
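Review bot: The elasticsearch block in 9026_output_dhcp.conf has no `index =>` line, so dhcp events fall through to the plugin's default daily `logstash-%{+YYYY.MM.dd}` index instead of a per-source index like `logstash-dhcp-%{+YYYY.MM.dd}` that every other source in this commit gets; 9029_output_esxi.conf, 9030_output_greensql.conf, 9031_output_iis.conf and 9032_output_mcafee.conf have the same omission. Mixing these sources into the catch-all index makes per-source retention and access scoping harder than for bro, firewall or syslog, and a reader cannot tell whether it is intended. If it is, a comment such as `# no index set on purpose: these events share the default logstash-YYYY.MM.dd index` above `elasticsearch {` would settle it; otherwise add the per-source `index` line.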
diff --git a/salt/logstash/files/dynamic/9031_output_iis.conf b/salt/logstash/files/dynamic/9031_output_iis.conf
new file mode 100644
index 000000000..c130cc2fb
--- /dev/null
+++ b/salt/logstash/files/dynamic/9031_output_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9031"]
+ }
+ }
+}
+output {
+ if [event_type] == "iis" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9032_output_mcafee.conf b/salt/logstash/files/dynamic/9032_output_mcafee.conf
new file mode 100644
index 000000000..537381529
--- /dev/null
+++ b/salt/logstash/files/dynamic/9032_output_mcafee.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9032"]
+ }
+ }
+}
+output {
+ if [event_type] == "mcafee" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9033_output_snort.conf b/salt/logstash/files/dynamic/9033_output_snort.conf
new file mode 100644
index 000000000..0a3bdcb68
--- /dev/null
+++ b/salt/logstash/files/dynamic/9033_output_snort.conf
@@ -0,0 +1,24 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "snort" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9033"]
+ }
+ }
+}
+output {
+ if [event_type] == "snort" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9034_output_syslog.conf b/salt/logstash/files/dynamic/9034_output_syslog.conf
new file mode 100644
index 000000000..01b462b4e
--- /dev/null
+++ b/salt/logstash/files/dynamic/9034_output_syslog.conf
@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9034"]
+ }
+ }
+}
+output {
+ if "syslog" in [tags] and "test_data" not in [tags] {
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-syslog-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9200_output_firewall.conf b/salt/logstash/files/dynamic/9200_output_firewall.conf
new file mode 100644
index 000000000..ab1019990
--- /dev/null
+++ b/salt/logstash/files/dynamic/9200_output_firewall.conf
@@ -0,0 +1,24 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9200"]
+ }
+ }
+}
+output {
+ if "firewall" in [tags] and "test_data" not in [tags] {
+# stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-firewall-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9300_output_windows.conf b/salt/logstash/files/dynamic/9300_output_windows.conf
new file mode 100644
index 000000000..9c6470cb7
--- /dev/null
+++ b/salt/logstash/files/dynamic/9300_output_windows.conf
@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9300"]
+ }
+ }
+}
+output {
+ if [event_type] == "windows" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-windows-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
+
diff --git a/salt/logstash/files/dynamic/9301_output_dns_windows.conf b/salt/logstash/files/dynamic/9301_output_dns_windows.conf
new file mode 100644
index 000000000..97d3cb872
--- /dev/null
+++ b/salt/logstash/files/dynamic/9301_output_dns_windows.conf
@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9301"]
+ }
+ }
+}
+output {
+ if [event_type] == "dns" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
+
diff --git a/salt/logstash/files/dynamic/9400_output_suricata.conf b/salt/logstash/files/dynamic/9400_output_suricata.conf
new file mode 100644
index 000000000..76b4526ec
--- /dev/null
+++ b/salt/logstash/files/dynamic/9400_output_suricata.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9400"]
+ }
+ }
+}
+output {
+ if [event_type] == "suricata" and "test_data" not in [tags] {
+ #stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-ids-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/logstash/files/dynamic/9500_output_beats.conf b/salt/logstash/files/dynamic/9500_output_beats.conf
new file mode 100644
index 000000000..be231c8e3
--- /dev/null
+++ b/salt/logstash/files/dynamic/9500_output_beats.conf
@@ -0,0 +1,20 @@
+# Author: Wes Lambert
+# Last Update: 12/11/2017
+filter {
+ if "beat" in [tags] {
+ mutate {
+ ##add_tag => [ "conf_file_9000"]
+ }
+ }
+}
+output {
+ if "beat" in [tags] {
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-beats-%{+YYYY.MM.dd}"
+ template_name => "logstash-beats"
+ template => "/beats-template.json"
+ template_overwrite => true
+ }
+ }
+}
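Review bot: The output condition in 9500_output_beats.conf is `if "beat" in [tags] {` with no `"test_data" not in [tags]` guard, unlike every other output file in this commit, so an event carrying both tags is indexed here and again by 9998_output_test_data.conf into `logstash-test-*`, and test traffic can land in the production beats index. The filter-block condition a few lines up has the same gap. Both should read `if "beat" in [tags] and "test_data" not in [tags] {`. Separately, the commented-out `##add_tag => [ "conf_file_9000"]` was evidently copied from the bro file; if the tag is ever re-enabled it should be `conf_file_9500`.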
diff --git a/salt/logstash/files/dynamic/9998_output_test_data.conf b/salt/logstash/files/dynamic/9998_output_test_data.conf
new file mode 100644
index 000000000..fd11e32d7
--- /dev/null
+++ b/salt/logstash/files/dynamic/9998_output_test_data.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+ if "test_data" in [tags] {
+ mutate {
+ #add_tag => [ "conf_file_9998"]
+ }
+ }
+}
+output {
+ if "test_data" in [tags] {
+ elasticsearch {
+ hosts => elasticsearch
+ index => "logstash-test-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index d071e0087..b2752f6a9 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -72,7 +72,7 @@ so-suricata:
 - environment:
 - INTERFACE={{ interface }}
 - binds:
- - /opt/so/conf/suricata/suricata.yaml:/usr/local/etc/suricata/suricata.yaml:ro
- - /opt/so/conf/suricata/rules:/usr/local/etc/suricata/rules:ro
- - /opt/so/log/suricata/:/usr/local/var/log/suricata/:rw
+ - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
+ - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
+ - /opt/so/log/suricata/:/var/log/suricata/:rw
 - network_mode: host
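Review bot: The three bind mounts in salt/suricata/init.sls now place the config at `/etc/suricata/suricata.yaml`, the rules at `/etc/suricata/rules` and logs at `/var/log/suricata/`, but nothing in the hunk changes the suricata.yaml that is mounted from /opt/so/conf/suricata, and that file presumably still carries its own `default-rule-path` and log directory; if those still name the old `/usr/local/...` locations the container will start with an empty rule set and write logs inside the container instead of the `:rw` mount. I would verify the values in that file against the container paths in the same change and note the coupling next to the binds, e.g. `# paths must match default-rule-path / default-log-dir in /opt/so/conf/suricata/suricata.yaml`. The `so-suricata` state this hunk belongs to begins before the hunk. Keeping the config and rules mounts `:ro` is the right call and should stay that way.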