diff --git a/salt/logstash/pipelines/config/so/0800_input_eval.conf b/salt/logstash/pipelines/config/so/0800_input_eval.conf
index b499c3b0f..35a977d04 100644
--- a/salt/logstash/pipelines/config/so/0800_input_eval.conf
+++ b/salt/logstash/pipelines/config/so/0800_input_eval.conf
@@ -9,182 +9,182 @@ input {
 }
 file {
 path => "/nsm/zeek/logs/current/conn*.log"
- type => "bro_conn"
- tags => ["bro"]
+ type => "zeek.conn"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dce_rpc*.log"
- type => "bro_dce_rpc"
- tags => ["bro"]
+ type => "zeek.dce_rpc"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dhcp*.log"
- type => "bro_dhcp"
- tags => ["bro"]
+ type => "zeek.dhcp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dnp3*.log"
- type => "bro_dnp3"
- tags => ["bro"]
+ type => "zeek.dnp3"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dns*.log"
- type => "bro_dns"
- tags => ["bro"]
+ type => "zeek.dns"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dpd*.log"
- type => "bro_dpd"
- tags => ["bro"]
+ type => "zeek.dpd"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/files*.log"
- type => "bro_files"
- tags => ["bro"]
+ type => "zeek.files"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ftp*.log"
- type => "bro_ftp"
- tags => ["bro"]
+ type => "zeek.ftp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/http*.log"
- type => "bro_http"
- tags => ["bro"]
+ type => "zeek.http"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/intel*.log"
- type => "bro_intel"
- tags => ["bro"]
+ type => "zeek.intel"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/irc*.log"
- type => "bro_irc"
- tags => ["bro"]
+ type => "zeek.irc"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/kerberos*.log"
- type => "bro_kerberos"
- tags => ["bro"]
+ type => "zeek.kerberos"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/modbus*.log"
- type => "bro_modbus"
- tags => ["bro"]
+ type => "zeek.modbus"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/mysql*.log"
- type => "bro_mysql"
- tags => ["bro"]
+ type => "zeek.mysql"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/notice*.log"
- type => "bro_notice"
- tags => ["bro"]
+ type => "zeek.notice"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ntlm*.log"
- type => "bro_ntlm"
- tags => ["bro"]
+ type => "zeek.ntlm"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/pe*.log"
- type => "bro_pe"
- tags => ["bro"]
+ type => "zeek.pe"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/radius*.log"
- type => "bro_radius"
- tags => ["bro"]
+ type => "zeek.radius"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/rdp*.log"
- type => "bro_rdp"
- tags => ["bro"]
+ type => "zeek.rdp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/rfb*.log"
- type => "bro_rfb"
- tags => ["bro"]
+ type => "zeek.rfb"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/signatures*.log"
- type => "bro_signatures"
- tags => ["bro"]
+ type => "zeek.signatures"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/sip*.log"
- type => "bro_sip"
- tags => ["bro"]
+ type => "zeek.sip"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/smb_files*.log"
- type => "bro_smb_files"
- tags => ["bro"]
+ type => "zeek.smb_files"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/smb_mapping*.log"
- type => "bro_smb_mapping"
- tags => ["bro"]
+ type => "zeek.smb_mapping"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/smtp*.log"
- type => "bro_smtp"
- tags => ["bro"]
+ type => "zeek.smtp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/snmp*.log"
- type => "bro_snmp"
- tags => ["bro"]
+ type => "zeek.snmp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/socks*.log"
- type => "bro_socks"
- tags => ["bro"]
+ type => "zeek.socks"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/software*.log"
- type => "bro_software"
- tags => ["bro"]
+ type => "zeek.software"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ssh*.log"
- type => "bro_ssh"
- tags => ["bro"]
+ type => "zeek.ssh"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ssl*.log"
- type => "bro_ssl"
- tags => ["bro"]
+ type => "zeek.ssl"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/syslog*.log"
- type => "bro_syslog"
- tags => ["bro"]
+ type => "zeek.syslog"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/tunnel*.log"
- type => "bro_tunnels"
- tags => ["bro"]
+ type => "zeek.tunnels"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/weird*.log"
- type => "bro_weird"
- tags => ["bro"]
+ type => "zeek.weird"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/x509*.log"
- type => "bro_x509"
- tags => ["bro"]
+ type => "zeek.x509"
+ tags => ["zeek"]
 }
 file {
 path => "/wazuh/alerts/alerts.json"
 type => "ossec"
 }
- file {
- path => "/wazuh/archives/archives.json"
- type => "ossec_archive"
- }
+# file {
+# path => "/wazuh/archives/archives.json"
+# type => "ossec_archive"
+# }
 file {
 path => "/osquery/logs/result.log"
 type => "osquery"
diff --git a/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf b/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
index 383fd9827..c7a37e15c 100644
--- a/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
+++ b/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
@@ -4,5 +4,6 @@ filter {
 mutate {
 rename => [ "type", "event_type" ]
+ remove_field => [ "host" ]
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
index acc31ae00..9ce08edf8 100644
--- a/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
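Review bot: Every new `type => "zeek.*"` value in this hunk becomes the `event_type` that the Zeek output hands to Elasticsearch as `pipeline => "%{event_type}"`, so an ingest pipeline must already exist under each dotted name (`zeek.conn`, `zeek.tunnels`, …) when this is deployed; Elasticsearch rejects a document that names a missing pipeline and, as far as I recall, Logstash treats that 4xx as non-retryable and drops the event, so a name mismatch shows up as silently missing Zeek data rather than a loud failure. A one-line note by the first input would save the next maintainer that surprise: `# type becomes event_type in 8999 and selects the ES ingest pipeline of the same name (see 9000_output_bro.conf.jinja)`. Separately, the Wazuh `archives.json` input is commented out rather than removed or explained; presumably the archive holds every event Wazuh processes and not only alerts, so dropping it narrows what the SIEM retains for investigations, and the reason belongs in the file, e.g. `# archives.json (all Wazuh events, not only alerts) is intentionally not ingested; re-enable if full-event retention is required`, or the dead block should go since Salt will keep redeploying it. The enclosing `input {` block opens before this hunk and the osquery input continues after it.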
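Review bot: The added `remove_field => [ "host" ]` sits in the post-process filter that every event passes through, not only the Zeek file inputs, so whatever `host` value beats, syslog or Windows sources carry to identify the originating machine is stripped before indexing — that is the source attribution an analyst needs first during an incident. If the intent is only to drop the Logstash node's own hostname that the `file` input writes into `host` (presumably clashing with a `host` object mapping in the new templates — I cannot see the templates here), scope it to those events instead of all of them: `if "zeek" in [tags] { mutate { remove_field => [ "host" ] } }`, extended to the other file inputs as needed, with a comment stating why. The enclosing `filter {` block starts outside this hunk.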
@@ -10,21 +10,21 @@ filter {
- if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
 mutate {
 ##add_tag => [ "conf_file_9000"]
 }
 }
 }
 output {
- if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
 # stdout { codec => rubydebug }
 elasticsearch {
 pipeline => "%{event_type}"
 hosts => "{{ ES }}"
- index => "logstash-bro-%{+YYYY.MM.dd}"
- template_name => "logstash-bro"
- template => "/logstash-bro-template.json"
+ index => "so-zeek-%{+YYYY.MM.dd}"
+ template_name => "so-zeek"
+ template => "/so-zeek-template.json"
 template_overwrite => true
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja
index 949a738ab..0fc30c4b0 100644
--- a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja
@@ -20,8 +20,8 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-switch-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-switch-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
index 1b691df6b..2b7db9370 100644
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -18,9 +18,9 @@ output {
 # stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-import-%{+YYYY.MM.dd}"
+ index => "so-import-%{+YYYY.MM.dd}"
 template_name => "logstash"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 template_overwrite => true
 }
 }
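Review bot: The file is still named `9000_output_bro.conf.jinja` while both conditions, the index and the template inside it now say `zeek`, so the only place the old name survives is the one a maintainer greps for first; renaming it to `9000_output_zeek.conf.jinja` in the same change keeps the pipeline directory consistent with the `zeek` tag set in 0800. Also worth a comment on the `pipeline => "%{event_type}"` context line, since its behaviour changed without the line changing: `# event_type is now zeek.<log>; an ingest pipeline of that exact name must exist in ES`.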
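Review bot: `template_name => "logstash"` is kept while `template` now points at `/so-template.json` and the index becomes `so-import-*`; with `template_overwrite => true` this overwrites the Elasticsearch template named `logstash` with the new file's contents, so whether `so-import-*` (and `so-ids-*`, `so-syslog-*`, `so-firewall-*` in the snort, syslog and firewall hunks that keep the same line) actually gets its mapping depends on the `index_patterns` inside `/so-template.json`, which this diff does not show. If that file still declares `logstash-*`, the new indices fall back to dynamic mapping and IP and geo fields land as keyword or text, which silently breaks the range and geo queries hunting relies on. I would change the name with the path, `template_name => "so"`, and confirm the pattern in the JSON before merging.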
diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
index 3dbd34f16..2fd427129 100644
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -20,8 +20,8 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-flow-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-flow-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
index a63ac5f98..f7f3d8060 100644
--- a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
@@ -20,7 +20,7 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
index 229de6b9c..7de501bf8 100644
--- a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
@@ -19,7 +19,7 @@ output {
 if [event_type] == "esxi" and "test_data" not in [tags] {
 elasticsearch {
 hosts => "{{ ES }}"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
index a6d16b95d..544e62856 100644
--- a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
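Review bot: The dhcp hunk (and the esxi hunk on this line, plus greensql, iis and mcafee further down) switches `template` to `/so-template.json` but sets no `index`, so this output still writes to Logstash's default index (`logstash-%{+YYYY.MM.dd}` unless ECS compatibility renames it) while every other output in the change moved to `so-*`; if the new template's pattern is `so-*` it will not apply to these documents, and any Kibana index pattern, retention policy or index-level role privilege written against `so-*` will miss this data. Add an explicit `index => "so-dhcp-%{+YYYY.MM.dd}"` (with matching names for the other four) or leave the template line alone if these outputs are meant to stay on the legacy index. The enclosing `output {` block and its `if` open before this hunk.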
@@ -19,7 +19,7 @@ output {
 if [event_type] == "greensql" and "test_data" not in [tags] {
 elasticsearch {
 hosts => "{{ ES }}"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja
index 6650d8a7d..7de10b974 100644
--- a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja
@@ -20,7 +20,7 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja
index ca982967d..bb3ec0714 100644
--- a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja
@@ -20,7 +20,7 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
index 6c310b91e..dc9c5f7e1 100644
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -20,9 +20,9 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-ids-%{+YYYY.MM.dd}"
+ index => "so-ids-%{+YYYY.MM.dd}"
 template_name => "logstash"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 template_overwrite => true
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
index 56a6527b8..33b841c08 100644
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
@@ -19,9 +19,9 @@ output {
 if "syslog" in [tags] and "test_data" not in [tags] {
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-syslog-%{+YYYY.MM.dd}"
+ index => "so-syslog-%{+YYYY.MM.dd}"
 template_name => "logstash"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 template_overwrite => true
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
index e95119562..63fd3c25b 100644
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -12,8 +12,8 @@ output {
 if "osquery" in [tags] {
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-osquery-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-osquery-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
\ No newline at end of file
diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
index b2ad43963..17e774976 100644
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -20,9 +20,9 @@ output {
 # stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-firewall-%{+YYYY.MM.dd}"
+ index => "so-firewall-%{+YYYY.MM.dd}"
 template_name => "logstash"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 template_overwrite => true
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja
index d3f9d1919..9779d01a5 100644
--- a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja
@@ -20,8 +20,8 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-windows-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-windows-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja
index 8a56b7044..dc6bbbda4 100644
--- a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja
@@ -20,8 +20,8 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
index 4bffd7f0a..a85fba758 100644
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -20,8 +20,8 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-ids-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-ids-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
index 30900cb93..dcfefa852 100644
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
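Review bot: In the dns_windows hunk the new index is the bare `so-%{+YYYY.MM.dd}`, the only output in this change with no source segment in its name, so these documents cannot be told apart by index from any other `so-*` source: a retention policy, curator rule or index-level role privilege written for `so-zeek-*` or `so-windows-*` cannot target them, and a generic `so-*` pattern sweeps them up with everything else. Since the file name says these are Windows DNS events (I cannot see the filter that selects them), `index => "so-windows-dns-%{+YYYY.MM.dd}"` or reusing `so-windows-` would keep the naming scheme the rest of the change establishes. The enclosing `output {` block opens before this hunk.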
@@ -16,9 +16,9 @@ output {
 if "beat" in [tags] {
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-beats-%{+YYYY.MM.dd}"
- template_name => "logstash-beats"
- template => "/beats-template.json"
+ index => "so-beats-%{+YYYY.MM.dd}"
+ template_name => "so-beats"
+ template => "/so-beats-template.json"
 template_overwrite => true
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
index 71d0c28aa..28391b29a 100644
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -19,10 +19,11 @@ filter {
 output {
 if [event_type] =~ "ossec" or "ossec" in [tags] {
 elasticsearch {
+ pipeline => "%{event_type}"
 hosts => "{{ ES }}"
- index => "logstash-ossec-%{+YYYY.MM.dd}"
- template_name => "logstash-ossec"
- template => "/logstash-ossec-template.json"
+ index => "so-ossec-%{+YYYY.MM.dd}"
+ template_name => "so-ossec"
+ template => "/so-ossec-template.json"
 template_overwrite => true
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
index c562cedc7..48ed75f72 100644
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -20,9 +20,9 @@ output {
 if [event_type] =~ "strelka" {
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-strelka-%{+YYYY.MM.dd}"
- template_name => "logstash-strelka"
- template => "/logstash-strelka-template.json"
+ index => "so-strelka-%{+YYYY.MM.dd}"
+ template_name => "so-strelka"
+ template => "/so-strelka-template.json"
 template_overwrite => true
 }
 }
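Review bot: The new `pipeline => "%{event_type}"` in the ossec hunk is evaluated for every event the output admits, but the condition also admits events by tag alone (`or "ossec" in [tags]`), so an event carrying the tag without an `event_type` leaves the sprintf unexpanded and Elasticsearch is asked for a pipeline literally named `%{event_type}`; that request fails with a 4xx which, as far as I recall, Logstash does not retry, so the event is dropped (or parked in the dead-letter queue if one is enabled) instead of being indexed. Either tighten the condition to `if [event_type] == "ossec" {` so the name is always defined, or pin `pipeline => "ossec"` since this output only handles Wazuh data; note the `=~ "ossec"` regex also matches `ossec_archive`, which would need its own ingest pipeline if the archives input in 0800 is ever re-enabled. An ingest pipeline named `ossec` must exist before this is deployed, which the diff cannot show.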