CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-12 03:03:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11476 from Security-Onion-Solutions/2.4/dev

Browse Source 
2.4.20
This commit is contained in:
Mike Reeves
2023-10-06 16:45:11 -04:00
committed by GitHub
parent 658d132c38 32c1d6f95c
commit fc0e3c0124
125 changed files with 2493 additions and 15688 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
DOWNLOAD_AND_VERIFY_ISO.md
View File

@@ -1,18 +1,18 @@
### 2.4.10-20230821 ISO image released on 2023/08/21
### 2.4.20-20231006 ISO image released on 2023/10/06
### Download and Verify
2.4.10-20230821 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
2.4.20-20231006 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
MD5: 353EB36F807DC947F08F79B3DCFA420E
SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56
SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC
MD5: 269F00308C53976BF0EAE788D1DB29DB
SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27
SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso
gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013
gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

2
HOTFIX
View File

@@ -1 +1 @@
20230821

2
VERSION
View File

@@ -1 +1 @@
2.4.10
2.4.20

12
pillar/top.sls
View File

@@ -4,14 +4,9 @@ base:
- global.adv_global
- docker.soc_docker
- docker.adv_docker
- firewall.soc_firewall
- firewall.adv_firewall
- influxdb.token
- logrotate.soc_logrotate
- logrotate.adv_logrotate
- nginx.soc_nginx
- nginx.adv_nginx
- node_data.ips
- ntp.soc_ntp
- ntp.adv_ntp
- patch.needs_restarting
@@ -22,6 +17,13 @@ base:
- telegraf.soc_telegraf
- telegraf.adv_telegraf
'* and not *_desktop':
- firewall.soc_firewall
- firewall.adv_firewall
- nginx.soc_nginx
- nginx.adv_nginx
- node_data.ips
'*_manager or *_managersearch':
- match: compound
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}

3
salt/allowed_states.map.jinja
View File

@@ -188,6 +188,9 @@
'docker_clean'
],
'so-desktop': [
'ssl',
'docker_clean',
'telegraf'
],
}, grain='role') %}

16
salt/common/packages.sls
View File

@@ -21,7 +21,6 @@ commonpkgs:
- python3-dateutil
- python3-docker
- python3-packaging
- python3-watchdog
- python3-lxml
- git
- rsync
@@ -47,10 +46,16 @@ python-rich:
{% endif %}
{% if GLOBALS.os_family == 'RedHat' %}
remove_mariadb:
pkg.removed:
- name: mariadb-devel
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- python3-dnf-plugin-versionlock
- curl
- device-mapper-persistent-data
- fuse
@@ -63,26 +68,19 @@ commonpkgs:
- httpd-tools
- jq
- lvm2
{% if GLOBALS.os == 'CentOS Stream' %}
- MariaDB-devel
{% else %}
- mariadb-devel
{% endif %}
- net-tools
- nmap-ncat
- openssl
- procps-ng
- python3-dnf-plugin-versionlock
- python3-docker
- python3-m2crypto
- python3-packaging
- python3-pyyaml
- python3-rich
- python3-watchdog
- rsync
- sqlite
- tcpdump
- unzip
- wget
- yum-utils
{% endif %}

3
salt/common/soup_scripts.sls
View File

@@ -19,4 +19,5 @@ soup_manager_scripts:
- source: salt://manager/tools/sbin
- include_pat:
- so-firewall
- soup
- so-repo-sync
- soup

12
salt/common/tools/sbin/so-common
View File

@@ -154,13 +154,11 @@ check_salt_minion_status() {
return $status
}
copy_new_files() {
# Copy new files over to the salt dir
cd $UPDATE_DIR
rsync -a salt $DEFAULT_SALT_DIR/
rsync -a pillar $DEFAULT_SALT_DIR/
rsync -a salt $DEFAULT_SALT_DIR/ --delete
rsync -a pillar $DEFAULT_SALT_DIR/ --delete
chown -R socore:socore $DEFAULT_SALT_DIR/
chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
cd /tmp
@@ -242,7 +240,7 @@ gpg_rpm_import() {
else
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
fi
RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
for RPMKEY in "${RPMKEYS[@]}"; do
rpm --import $RPMKEYSLOC/$RPMKEY
echo "Imported $RPMKEY"
@@ -446,6 +444,10 @@ set_os() {
OS=centos
OSVER=9
is_centos=true
elif grep -q "Oracle Linux Server release 9" /etc/system-release; then
OS=oel
OSVER=9
is_oracle=true
fi
cron_service_name="crond"
else

233
salt/common/tools/sbin/so-log-check Executable file
View File

@@ -0,0 +1,233 @@
#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
RECENT_LOG_LINES=200
EXCLUDE_STARTUP_ERRORS=N
EXCLUDE_FALSE_POSITIVE_ERRORS=N
EXCLUDE_KNOWN_ERRORS=N
while [[ $# -gt 0 ]]; do
case $1 in
--exclude-connection-errors)
EXCLUDE_STARTUP_ERRORS=Y
;;
--exclude-false-positives)
EXCLUDE_FALSE_POSITIVE_ERRORS=Y
;;
--exclude-known-errors)
EXCLUDE_KNOWN_ERRORS=Y
;;
--unknown)
EXCLUDE_STARTUP_ERRORS=Y
EXCLUDE_FALSE_POSITIVE_ERRORS=Y
EXCLUDE_KNOWN_ERRORS=Y
;;
--recent-log-lines)
shift
RECENT_LOG_LINES=$1
;;
*)
echo "Usage: $0 [options]"
echo ""
echo "where options are:"
echo " --recent-log-lines N looks at the most recent N log lines per file or container; defaults to 200"
echo " --exclude-connection-errors exclude errors caused by a recent server or container restart"
echo " --exclude-false-positives exclude logs that are known false positives"
echo " --exclude-known-errors exclude errors that are known and non-critical issues"
echo " --unknown exclude everything mentioned above; only show unknown errors"
echo ""
echo "A non-zero return value indicates errors were found"
exit 1
;;
esac
shift
done
echo "Security Onion Log Check - $(date)"
echo "-------------------------------------------"
echo ""
echo "- RECENT_LOG_LINES: $RECENT_LOG_LINES"
echo "- EXCLUDE_STARTUP_ERRORS: $EXCLUDE_STARTUP_ERRORS"
echo "- EXCLUDE_FALSE_POSITIVE_ERRORS: $EXCLUDE_FALSE_POSITIVE_ERRORS"
echo "- EXCLUDE_KNOWN_ERRORS: $EXCLUDE_KNOWN_ERRORS"
echo ""
function status() {
header "$1"
}
function exclude_container() {
name=$1
exclude_id=$(docker ps | grep "$name" | awk '{print $1}')
if [[ -n "$exclude_id" ]]; then
CONTAINER_IDS=$(echo $CONTAINER_IDS | sed -e "s/$exclude_id//g")
return $?
fi
return $?
}
function exclude_log() {
name=$1
cat /tmp/log_check_files | grep -v $name > /tmp/log_check_files.new
mv /tmp/log_check_files.new /tmp/log_check_files
}
function check_for_errors() {
if cat /tmp/log_check | grep -i error | grep -vEi "$EXCLUDED_ERRORS"; then
RESULT=1
fi
}
EXCLUDED_ERRORS="__LOG_CHECK_PLACEHOLDER_EXCLUSION__"
if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|database is locked" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|econnreset" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unreachable" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request.py" # server not yet ready (python stack output)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|httperror" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|servfail" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connect" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502" # server not yet ready (nginx waiting on upstream)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded" # server not yet ready (telegraf waiting on elasticsearch)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes" # server not yet ready (telegraf waiting on influx)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at" # server not yet ready (telegraf waiting on health data)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key" # server not yet ready (salt minion waiting on key acceptance)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll" # server not yet ready (sensoroni waiting on soc)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non" # server not yet ready (salt waiting on minions)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term" # server not yet ready (influxdb not yet setup)
fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|outofmemoryerror" # false positive (elastic command line)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding component template" # false positive (elastic security)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index template" # false positive (elastic security)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fs_errors" # false positive (suricata stats)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error-template" # false positive (elastic templates)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|deprecated" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|windows" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|could cause errors" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_error.yml" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|id.orig_h" # false positive (zeek test data)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|emerging-all.rules" # false positive (error in rulename)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input" # false positive (Invalid user input in hunt query)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example" # false positive (example test data)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200" # false positive (request successful, contained error string in content)
fi
if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|eof"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|raise" # redis/python generic stack line, rely on other lines for actual error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)" # redis/python generic stack line, rely on other lines for actual error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror" # idstools connection timeout
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror" # idstools connection timeout
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden" # playbook
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml" # Elastic ML errors
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled" # elastic agent during shutdown
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128" # soctopus errors during forced restart by highstate
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update" # airgap can't update GeoIP DB
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror" # bug in 2.4.10 filecheck salt state caused duplicate cronjobs
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check" # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord" # playbook expected error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics" # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf" # known issue with reposync on pre-2.4.20
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record" # stenographer corrupt index
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field." # known ingest type collisions issue with earlier versions of SO
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|bookkeeper"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noindices"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to start transient scope"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so-user.lock exists"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|systemd-run"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|retcode: 1"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|telemetry-task"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|redisqueue"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fleet_detail_query"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|num errors=0"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/alerting"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/notifiers"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisoning/plugins"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|active-responses.log"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|scanentropy"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integration policy"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|blob unknown"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|token required"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|zeekcaptureloss"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unable to create detection"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error installing new prebuilt rules"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parent.error"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip" # known issue in GH
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail" # zeek
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
fi
RESULT=0
# Check Security Onion container stdout/stderr logs
CONTAINER_IDS=$(docker ps -q)
exclude_container so-kibana # kibana error logs are too verbose with large varieties of errors most of which are temporary
exclude_container so-idstools # ignore due to known issues and noisy logging
exclude_container so-playbook # ignore due to several playbook known issues
for container_id in $CONTAINER_IDS; do
container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names")
status "Checking container $container_name"
docker logs -n $RECENT_LOG_LINES $container_id > /tmp/log_check 2>&1
check_for_errors
done
# Check Security Onion related log files
find /opt/so/log/ /nsm -name \*.log > /tmp/log_check_files
if [[ -f /var/log/cron ]]; then
echo "/var/log/cron" >> /tmp/log_check_files
fi
exclude_log "kibana.log" # kibana error logs are too verbose with large varieties of errors most of which are temporary
exclude_log "spool" # disregard zeek analyze logs as this is data specific
exclude_log "import" # disregard imported test data the contains error strings
exclude_log "update.log" # ignore playbook updates due to several known issues
exclude_log "playbook.log" # ignore due to several playbook known issues
for log_file in $(cat /tmp/log_check_files); do
status "Checking log file $log_file"
tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check
check_for_errors
done
# Cleanup temp files
rm -f /tmp/log_check_files
rm -f /tmp/log_check
if [[ $RESULT -eq 0 ]]; then
echo -e "\nResult: No errors found"
else
echo -e "\nResult: One or more errors found"
fi
exit $RESULT

10
salt/common/tools/sbin/so-test
View File

@@ -5,4 +5,14 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
set -e
# Playback live sample data onto monitor interface
so-tcpreplay /opt/samples/* 2> /dev/null
# Ingest sample pfsense log entry
if is_sensor_node; then
echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 127.0.0.1 514 > /dev/null 2>&1
fi

60
salt/common/tools/sbin_jinja/so-import-evtx
View File

@@ -80,8 +80,8 @@ function evtx2es() {
-e "SHIFTTS=$SHIFTDATE" \
-v "$EVTX:/tmp/data.evtx" \
-v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-v "/nsm/import/evtx-end_newest:/tmp/newest" \
-v "/nsm/import/evtx-start_oldest:/tmp/oldest" \
-v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
-v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
--entrypoint "/evtx_calc_timestamps.sh" \
{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
}
@@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0
VALID_EVTXS_COUNT=0
SKIPPED_EVTXS_COUNT=0
touch /nsm/import/evtx-start_oldest
touch /nsm/import/evtx-end_newest
echo $START_OLDEST > /nsm/import/evtx-start_oldest
echo $END_NEWEST > /nsm/import/evtx-end_newest
# paths must be quoted in case they include spaces
for EVTX in $INPUT_FILES; do
EVTX=$(/usr/bin/realpath "$EVTX")
@@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do
status "- this EVTX has already been imported; skipping"
SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
else
# create EVTX directory
EVTX_DIR=$HASH_DIR/evtx
mkdir -p $EVTX_DIR
# create import timestamp files
for i in evtx-start_oldest evtx-end_newest; do
if ! [ -f "$i" ]; then
touch /nsm/import/$HASH/$i
fi
done
# import evtx and write them to import ingest pipeline
status "- importing logs to Elasticsearch..."
@@ -154,28 +155,37 @@ for EVTX in $INPUT_FILES; do
VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
fi
# compare $START to $START_OLDEST
START=$(cat /nsm/import/evtx-start_oldest)
START_COMPARE=$(date -d $START +%s)
START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
START_OLDEST=$START
fi
# compare $ENDNEXT to $END_NEWEST
END=$(cat /nsm/import/evtx-end_newest)
ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
END_NEWEST=$ENDNEXT
fi
cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
chmod 644 "${EVTX_DIR}"/data.evtx
fi # end of valid evtx
# determine start and end and make sure they aren't reversed
START=$(cat /nsm/import/$HASH/evtx-start_oldest)
END=$(cat /nsm/import/$HASH/evtx-end_newest)
START_EPOCH=`date -d "$START" +"%s"`
END_EPOCH=`date -d "$END" +"%s"`
if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then
TEMP=$START
START=$END
END=$TEMP
fi
# compare $START to $START_OLDEST
START_COMPARE=$(date -d $START +%s)
START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
START_OLDEST=$START
fi
# compare $ENDNEXT to $END_NEWEST
ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
END_NEWEST=$ENDNEXT
fi
status
done # end of for-loop processing evtx files

0
salt/common/tools/sbin/so-salt-minion-check → salt/common/tools/sbin_jinja/so-salt-minion-check
View File

4
salt/desktop/packages.sls
View File

@@ -1,7 +1,5 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %}
{% if grains.os == 'OEL' %}
desktop_packages:
pkg.installed:

4
salt/desktop/remove_gui.sls
View File

@@ -1,7 +1,5 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %}
{% if grains.os == 'OEL' %}
remove_graphical_target:
file.symlink:

4
salt/desktop/scripts/convert-gnome-classic.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
echo "Setting default session to gnome-classic"
cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/
sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard

9
salt/desktop/xwindows.sls
View File

@@ -1,7 +1,5 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %}
{% if grains.os == 'OEL' %}
include:
- desktop.packages
@@ -14,10 +12,7 @@ graphical_target:
- require:
- desktop_packages
convert_gnome_classic:
cmd.script:
- name: salt://desktop/scripts/convert-gnome-classic.sh
{# set users to use gnome-classic #}
{% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %}
{% set username = username.split('/')[2] %}
{% if username != 'zeek' %}

3
salt/docker/defaults.yaml
View File

@@ -178,6 +178,9 @@ docker:
extra_env: []
'so-elastic-agent':
final_octet: 46
port_bindings:
- 0.0.0.0:514:514/tcp
- 0.0.0.0:514:514/udp
custom_bind_mounts: []
extra_hosts: []
extra_env: []

21
salt/docker/soc_docker.yaml
View File

@@ -8,7 +8,7 @@ docker:
helpLink: docker.html
advanced: True
containers:
so-curator: &dockerOptions
so-dockerregistry: &dockerOptions
final_octet:
description: Last octet of the container IP address.
helpLink: docker.html
@@ -20,6 +20,7 @@ docker:
helpLink: docker.html
advanced: True
multiline: True
forcedType: "[]string"
custom_bind_mounts:
description: List of custom local volume bindings.
advanced: True
@@ -38,12 +39,8 @@ docker:
helpLink: docker.html
multiline: True
forcedType: "[]string"
so-dockerregistry: *dockerOptions
so-elastalert: *dockerOptions
so-elastic-fleet-package-registry: *dockerOptions
so-elastic-fleet: *dockerOptions
so-elasticsearch: *dockerOptions
so-idh: *dockerOptions
so-idstools: *dockerOptions
so-influxdb: *dockerOptions
so-kibana: *dockerOptions
@@ -53,11 +50,21 @@ docker:
so-nginx: *dockerOptions
so-playbook: *dockerOptions
so-redis: *dockerOptions
so-sensoroni: *dockerOptions
so-soc: *dockerOptions
so-soctopus: *dockerOptions
so-strelka-backend: *dockerOptions
so-strelka-coordinator: *dockerOptions
so-strelka-filestream: *dockerOptions
so-strelka-frontend: *dockerOptions
so-strelka-gatekeeper: *dockerOptions
so-strelka-manager: *dockerOptions
so-strelka-gatekeeper: *dockerOptions
so-strelka-coordinator: *dockerOptions
so-elastalert: *dockerOptions
so-curator: *dockerOptions
so-elastic-fleet-package-registry: *dockerOptions
so-idh: *dockerOptions
so-elastic-agent: *dockerOptions
so-telegraf: *dockerOptions
so-steno: *dockerOptions
so-suricata: *dockerOptions
so-zeek: *dockerOptions

1
salt/docker_clean/init.sls
View File

@@ -9,6 +9,7 @@
prune_images:
cmd.run:
- name: so-docker-prune
- order: last
{% else %}

4
salt/elasticagent/enabled.sls
View File

@@ -31,6 +31,10 @@ so-elastic-agent:
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
- /opt/so/log/elasticagent:/usr/share/elastic-agent/logs

51
salt/elasticagent/files/elastic-agent.yml.jinja
View File

@@ -430,3 +430,54 @@ inputs:
exclude_files:
- >-
broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
- id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
name: syslog-udp-514
revision: 3
type: udp
use_output: default
meta:
package:
name: udp
version: 1.10.0
data_stream:
namespace: so
package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
streams:
- id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
data_stream:
dataset: syslog
pipeline: syslog
host: '0.0.0.0:514'
max_message_size: 10KiB
processors:
- add_fields:
fields:
module: syslog
target: event
tags:
- syslog
- id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
name: syslog-tcp-514
revision: 3
type: tcp
use_output: default
meta:
package:
name: tcp
version: 1.10.0
data_stream:
namespace: so
package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
streams:
- id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
data_stream:
dataset: syslog
pipeline: syslog
host: '0.0.0.0:514'
processors:
- add_fields:
fields:
module: syslog
target: event
tags:
- syslog

11
salt/elasticfleet/config.sls
View File

@@ -37,6 +37,8 @@ elasticfleet_sbin_jinja:
- group: 939
- file_mode: 755
- template: jinja
- exclude_pat:
- so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes
eaconfdir:
file.directory:
@@ -59,6 +61,14 @@ eastatedir:
- group: 939
- makedirs: True
eapackageupgrade:
file.managed:
- name: /usr/sbin/so-elastic-fleet-package-upgrade
- source: salt://elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
- user: 947
- group: 939
- template: jinja
{% if GLOBALS.role != "so-fleet" %}
eaintegrationsdir:
file.directory:
@@ -88,6 +98,7 @@ ea-integrations-load:
- onchanges:
- file: eaintegration
- file: eadynamicintegration
- file: eapackageupgrade
{% endif %}
{% else %}

36
salt/elasticfleet/defaults.yaml
View File

@@ -13,7 +13,10 @@ elasticfleet:
- broker
- capture_loss
- cluster
- conn-summary
- console
- ecat_arp_info
- known_certs
- known_hosts
- known_services
- loaded_scripts
@@ -25,20 +28,53 @@ elasticfleet:
- stderr
- stdout
packages:
- apache
- auditd
- aws
- azure
- barracuda
- cisco_asa
- cloudflare
- crowdstrike
- darktrace
- elasticsearch
- endpoint
- f5_bigip
- fleet_server
- fim
- fortinet
- fortinet_fortigate
- gcp
- github
- google_workspace
- http_endpoint
- httpjson
- juniper
- juniper_srx
- kafka_log
- lastpass
- log
- m365_defender
- microsoft_defender_endpoint
- microsoft_dhcp
- netflow
- o365
- okta
- osquery_manager
- panw
- pfsense
- redis
- sentinel_one
- sonicwall_firewall
- symantec_endpoint
- system
- tcp
- ti_abusech
- ti_misp
- ti_otx
- ti_recordedfuture
- udp
- windows
- zscaler_zia
- zscaler_zpa
- 1password

12
salt/elasticfleet/enabled.sls
View File

@@ -68,11 +68,6 @@ so-elastic-fleet:
- /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
{% if GLOBALS.os_family == 'Debian' %}
- /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro
- /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro
- /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro
{% endif %}
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
@@ -87,13 +82,8 @@ so-elastic-fleet:
- FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
- FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
- FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
{% if GLOBALS.os_family == 'Debian' %}
- FLEET_CA=/etc/ssl/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
{% else %}
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
{% endif %}
- LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}

4
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
View File

@@ -46,7 +46,7 @@ do
done
printf "\n### Stripping out unused components"
find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
printf "\n### Tarring everything up again"
for OS in "${OSARCH[@]}"
@@ -65,7 +65,7 @@ do
if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi
printf "\n\n### Generating $GOOS/$GOARCH Installer...\n"
docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \
--mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
--mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH}

1
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
View File

@@ -15,3 +15,4 @@ elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
echo
{%- endfor %}
echo
/usr/sbin/so-elasticsearch-templates-load

4
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
View File

@@ -6,11 +6,7 @@
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.os_family == 'Debian' %}
INTCA=/etc/ssl/certs/intca.crt
{% else %}
INTCA=/etc/pki/tls/certs/intca.crt
{% endif %}
. /usr/sbin/so-elastic-fleet-common

2
salt/elasticsearch/config.map.jinja
View File

@@ -21,7 +21,7 @@
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
{% endfor %}
{% if grains.id.split('_') | last == 'manager' %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client','transform']}) %}
{% else %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
{% endif %}

1214
salt/elasticsearch/defaults.yaml
View File

File diff suppressed because it is too large Load Diff

3
salt/elasticsearch/enabled.sls
View File

@@ -59,7 +59,7 @@ so-elasticsearch:
{% if GLOBALS.is_manager %}
- /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% else %}
- /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
- /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
{% endif %}
- /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
- /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
@@ -108,6 +108,7 @@ escomponenttemplates:
- source: salt://elasticsearch/templates/component
- user: 930
- group: 939
- clean: True
- onchanges_in:
- cmd: so-elasticsearch-templates

1
salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
View File

@@ -80,6 +80,7 @@
{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
{ "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
{ "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
],

4
salt/elasticsearch/files/ingest/strelka.file
View File

@@ -63,8 +63,8 @@
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.pe?.image_version == 0", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == '0'", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.pe?.image_version == '0'", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" }},
{ "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },

78
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -47,6 +47,16 @@ elasticsearch:
global: True
helpLink: elasticsearch.html
index_settings:
global_overrides:
index_template:
template:
settings:
index:
number_of_replicas:
description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
forcedType: int
global: True
helpLink: elasticsearch.html
so-logs: &indexSettings
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
@@ -64,6 +74,7 @@ elasticsearch:
index:
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
forcedType: int
global: True
helpLink: elasticsearch.html
mapping:
@@ -190,6 +201,9 @@ elasticsearch:
so-logs-windows_x_powershell: *indexSettings
so-logs-windows_x_powershell_operational: *indexSettings
so-logs-windows_x_sysmon_operational: *indexSettings
so-logs-apache_x_access: *indexSettings
so-logs-apache_x_error: *indexSettings
so-logs-auditd_x_log: *indexSettings
so-logs-aws_x_cloudtrail: *indexSettings
so-logs-aws_x_cloudwatch_logs: *indexSettings
so-logs-aws_x_ec2_logs: *indexSettings
@@ -210,9 +224,27 @@ elasticsearch:
so-logs-azure_x_provisioning: *indexSettings
so-logs-azure_x_signinlogs: *indexSettings
so-logs-azure_x_springcloudlogs: *indexSettings
so-logs-barracuda_x_waf: *indexSettings
so-logs-cisco_asa_x_log: *indexSettings
so-logs-cloudflare_x_audit: *indexSettings
so-logs-cloudflare_x_logpull: *indexSettings
so-logs-crowdstrike_x_falcon: *indexSettings
so-logs-crowdstrike_x_fdr: *indexSettings
so-logs-darktrace_x_ai_analyst_alert: *indexSettings
so-logs-darktrace_x_model_breach_alert: *indexSettings
so-logs-darktrace_x_system_status_alert: *indexSettings
so-logs-f5_bigip_x_log: *indexSettings
so-logs-fim_x_event: *indexSettings
so-logs-fortinet_x_clientendpoint: *indexSettings
so-logs-fortinet_x_firewall: *indexSettings
so-logs-fortinet_x_fortimail: *indexSettings
so-logs-fortinet_x_fortimanager: *indexSettings
so-logs-fortinet_x_fortigate: *indexSettings
so-logs-gcp_x_audit: *indexSettings
so-logs-gcp_x_dns: *indexSettings
so-logs-gcp_x_firewall: *indexSettings
so-logs-gcp_x_loadbalancing_logs: *indexSettings
so-logs-gcp_x_vpcflow: *indexSettings
so-logs-github_x_audit: *indexSettings
so-logs-github_x_code_scanning: *indexSettings
so-logs-github_x_dependabot: *indexSettings
@@ -232,6 +264,52 @@ elasticsearch:
so-logs-google_workspace_x_saml: *indexSettings
so-logs-google_workspace_x_token: *indexSettings
so-logs-google_workspace_x_user_accounts: *indexSettings
so-logs-http_endpoint_x_generic: *indexSettings
so-logs-httpjson_x_generic: *indexSettings
so-logs-juniper_x_junos: *indexSettings
so-logs-juniper_x_netscreen: *indexSettings
so-logs-juniper_x_srx: *indexSettings
so-logs-juniper_srx_x_log: *indexSettings
so-logs-kafka_log_x_generic: *indexSettings
so-logs-lastpass_x_detailed_shared_folder: *indexSettings
so-logs-lastpass_x_event_report: *indexSettings
so-logs-lastpass_x_user: *indexSettings
so-logs-m365_defender_x_event: *indexSettings
so-logs-m365_defender_x_incident: *indexSettings
so-logs-m365_defender_x_log: *indexSettings
so-logs-microsoft_defender_endpoint_x_log: *indexSettings
so-logs-microsoft_dhcp_x_log: *indexSettings
so-logs-netflow_x_log: *indexSettings
so-logs-o365_x_audit: *indexSettings
so-logs-okta_x_system: *indexSettings
so-logs-panw_x_panos: *indexSettings
so-logs-pfsense_x_log: *indexSettings
so-logs-sentinel_one_x_activity: *indexSettings
so-logs-sentinel_one_x_agent: *indexSettings
so-logs-sentinel_one_x_alert: *indexSettings
so-logs-sentinel_one_x_group: *indexSettings
so-logs-sentinel_one_x_threat: *indexSettings
so-logs-sonicwall_firewall_x_log: *indexSettings
so-logs-symantec_endpoint_x_log: *indexSettings
so-logs-ti_abusech_x_malware: *indexSettings
so-logs-ti_abusech_x_malwarebazaar: *indexSettings
so-logs-ti_abusech_x_threatfox: *indexSettings
so-logs-ti_abusech_x_url: *indexSettings
so-logs-ti_misp_x_threat: *indexSettings
so-logs-ti_misp_x_threat_attributes: *indexSettings
so-logs-ti_otx_x_threat: *indexSettings
so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
so-logs-ti_recordedfuture_x_threat: *indexSettings
so-logs-zscaler_zia_x_alerts: *indexSettings
so-logs-zscaler_zia_x_dns: *indexSettings
so-logs-zscaler_zia_x_firewall: *indexSettings
so-logs-zscaler_zia_x_tunnel: *indexSettings
so-logs-zscaler_zia_x_web: *indexSettings
so-logs-zscaler_zpa_x_app_connector_status: *indexSettings
so-logs-zscaler_zpa_x_audit: *indexSettings
so-logs-zscaler_zpa_x_browser_access: *indexSettings
so-logs-zscaler_zpa_x_user_activity: *indexSettings
so-logs-zscaler_zpa_x_user_status: *indexSettings
so-logs-1password_x_item_usages: *indexSettings
so-logs-1password_x_signin_attempts: *indexSettings
so-logs-osquery-manager-actions: *indexSettings

37
salt/elasticsearch/template.map.jinja
View File

@@ -1,11 +1,28 @@
{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
{%- set ES_INDEX_SETTINGS_ORIG = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{% set ES_INDEX_SETTINGS = {} %}
{% for index, settings in ES_INDEX_SETTINGS_ORIG.items() %}
{% if settings.index_template is defined %}
{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
{% do settings.index_template.template.settings.index.pop('sort') %}
{% endif %}
{% endif %}
{% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_ORIG[index]}) %}
{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
{% set DEFAULT_GLOBAL_OVERRIDES = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings.pop('global_overrides') %}
{% set PILLAR_GLOBAL_OVERRIDES = {} %}
{% if salt['pillar.get']('elasticsearch:index_settings') is defined %}
{% set ES_INDEX_PILLAR = salt['pillar.get']('elasticsearch:index_settings') %}
{% if ES_INDEX_PILLAR.global_overrides is defined %}
{% set PILLAR_GLOBAL_OVERRIDES = ES_INDEX_PILLAR.pop('global_overrides') %}
{% endif %}
{% endif %}
{% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %}
{% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %}
{% for index in ES_INDEX_SETTINGS_ORIG.keys() %}
{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %}
{% endfor %}
{% set ES_INDEX_SETTINGS = {} %}
{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update(salt['defaults.merge'](ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)) %}
{% for index, settings in ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.items() %}
{% if settings.index_template is defined %}
{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
{% do settings.index_template.template.settings.index.pop('sort') %}
{% endif %}
{% endif %}
{% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_GLOBAL_OVERRIDES[index]}) %}
{% endfor %}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.apm_server-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.auditbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

339
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
View File

@@ -1,339 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"decision_id",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "match_only_text"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"result": {
"type": "object"
},
"input": {
"type": "object"
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"decision_id": {
"type": "text"
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.filebeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.fleet_server-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.heartbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.metricbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

322
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
View File

@@ -1,322 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.packetbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

952
salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
View File

@@ -1,952 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.application-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.code",
"event.original",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"dataset": {
"type": "constant_keyword",
"value": "system.application"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

530
salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
View File

@@ -1,530 +0,0 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.auth-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"error.message",
"group.id",
"group.name",
"message",
"process.name",
"related.hosts",
"related.user",
"source.as.organization.name",
"source.geo.city_name",
"source.geo.continent_name",
"source.geo.country_iso_code",
"source.geo.country_name",
"source.geo.region_iso_code",
"source.geo.region_name",
"user.effective.name",
"user.id",
"user.name",
"system.auth.ssh.method",
"system.auth.ssh.signature",
"system.auth.ssh.event",
"system.auth.sudo.error",
"system.auth.sudo.tty",
"system.auth.sudo.pwd",
"system.auth.sudo.user",
"system.auth.sudo.command",
"system.auth.useradd.home",
"system.auth.useradd.shell",
"version"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"source": {
"properties": {
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"system": {
"properties": {
"auth": {
"properties": {
"ssh": {
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_ip": {
"type": "ip"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
},
"event": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sudo": {
"properties": {
"tty": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"pwd": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"useradd": {
"properties": {
"shell": {
"ignore_above": 1024,
"type": "keyword"
},
"home": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"related": {
"properties": {
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.auth"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"effective": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1840
salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

327
salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json
View File

@@ -1,327 +0,0 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.syslog-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"message",
"process.name"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.syslog"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

986
salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json
View File

@@ -1,986 +0,0 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.system-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.original",
"event.outcome",
"event.provider",
"event.type",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.system"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

2544
salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1335
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1334
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1752
salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
View File

File diff suppressed because it is too large Load Diff

16
salt/elasticsearch/templates/component/so/so-scan-mappings.json
View File

@@ -20,7 +20,10 @@
"type": "float"
}
}
}
},
"image_version": {
"type": "float"
}
}
},
"elf": {
@@ -33,10 +36,17 @@
}
}
}
}
},
"entropy": {
"properties": {
"entropy": {
"type": "float"
}
}
}
}
}
}
}
}
}
}

1
salt/firewall/containers.map.jinja
View File

@@ -58,6 +58,7 @@
{% set NODE_CONTAINERS = [
'so-curator',
'so-elasticsearch',
'so-elastic-agent',
'so-logstash',
'so-nginx',
'so-redis',

32
salt/firewall/defaults.yaml
View File

@@ -289,6 +289,11 @@ firewall:
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
desktop:
portgroups:
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -463,7 +468,13 @@ firewall:
- endgame
desktop:
portgroups:
- docker_registry
- influxdb
- sensoroni
- yum
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -651,7 +662,13 @@ firewall:
- endgame
desktop:
portgroups:
- docker_registry
- influxdb
- sensoroni
- yum
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -847,7 +864,13 @@ firewall:
- strelka_frontend
desktop:
portgroups:
- docker_registry
- influxdb
- sensoroni
- yum
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -1141,6 +1164,12 @@ firewall:
localhost:
portgroups:
- all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -1199,9 +1228,6 @@ firewall:
analyst:
portgroups:
- nginx
desktop:
portgroups:
- yum
customhostgroup0:
portgroups: []
customhostgroup1:

2
salt/idh/soc_idh.yaml
View File

@@ -23,7 +23,7 @@ idh:
class: *loggingOptions
filename: *loggingOptions
portscan_x_enabled: &serviceOptions
description: To enable this opencanary module, set this value to true. To disable set to false.
description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
helpLink: idh.html
portscan_x_logfile: *loggingOptions
portscan_x_synrate:

5
salt/idstools/enabled.sls
View File

@@ -26,8 +26,8 @@ so-idstools:
- http_proxy={{ proxy }}
- https_proxy={{ proxy }}
- no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
{% if DOCKER.containers['so-elastalert'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
{% if DOCKER.containers['so-idstools'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
@@ -77,6 +77,7 @@ run_so-rule-update:
- docker_container: so-idstools
- onchanges:
- file: idstoolsetcsync
- file: synclocalnidsrules
- order: last
{% else %}

4
salt/idstools/etc/rulecat.conf
View File

@@ -3,8 +3,8 @@
--merged=/opt/so/rules/nids/all.rules
--local=/opt/so/rules/nids/local.rules
{%- if GLOBALS.md_engine == "SURICATA" %}
--local=/opt/so/rules/nids/sorules/extraction.rules
--local=/opt/so/rules/nids/sorules/filters.rules
--local=/opt/so/rules/nids/extraction.rules
--local=/opt/so/rules/nids/filters.rules
{%- endif %}
--url=http://{{ GLOBALS.manager }}:7788/suricata/emerging-all.rules
--disable=/opt/so/idstools/etc/disable.conf

26
salt/idstools/sorules/extraction.rules
View File

@@ -1,26 +0,0 @@
# Extract all PDF mime type
alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100000; rev:1;)
alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100001; rev:1;)
alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100002; rev:1;)
alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100003; rev:1;)
# Extract EXE/DLL file types
alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100004; rev:1;)
alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100005; rev:1;)
alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100006; rev:1;)
alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100007; rev:1;)
alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100008; rev:1;)
alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100009; rev:1;)
alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100010; rev:1;)
alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100011; rev:1;)
# Extract all Zip files
alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100012; rev:1;)
alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100013; rev:1;)
alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100014; rev:1;)
alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100015; rev:1;)
# Extract Word Docs
alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100016; rev:1;)
alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100017; rev:1;)
alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100018; rev:1;)
alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100019; rev:1;)

11
salt/idstools/sorules/filters.rules
View File

@@ -1,11 +0,0 @@
# Start the filters at sid 1200000
# Example of filtering out *google.com from being in the dns log.
#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
# Example of filtering out *google.com from being in the http log.
#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;)
# Example of filtering out someuseragent from being in the http log.
#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;)
# Example of filtering out Google's certificate from being in the ssl log.
#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
# Example of filtering out a md5 of a file from being in the files log.
#config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;)

17
salt/idstools/sync_files.sls
View File

@@ -26,13 +26,6 @@ rulesdir:
- group: 939
- makedirs: True
SOrulesdir:
file.directory:
- name: /opt/so/rules/nids/sorules
- user: 939
- group: 939
- makedirs: True
# Don't show changes because all.rules can be large
synclocalnidsrules:
file.recurse:
@@ -42,13 +35,3 @@ synclocalnidsrules:
- group: 939
- show_changes: False
- include_pat: 'E@.rules'
# Don't show changes because all.rules can be large
syncnidsSOrules:
file.recurse:
- name: /opt/so/rules/nids/sorules
- source: salt://idstools/sorules/
- user: 939
- group: 939
- show_changes: False
- include_pat: 'E@.rules'

8
salt/influxdb/config.sls
View File

@@ -25,6 +25,14 @@ influxlogdir:
- group: 939
- makedirs: True
influxetcdir:
file.directory:
- name: /opt/so/conf/influxdb/etc
- dir_mode: 750
- user: 939
- group: 939
- makedirs: True
influxdbdir:
file.directory:
- name: /nsm/influxdb

1
salt/influxdb/enabled.sls
View File

@@ -38,6 +38,7 @@ so-influxdb:
- binds:
- /opt/so/log/influxdb/:/log:rw
- /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
- /opt/so/conf/influxdb/etc:/etc/influxdb2:rw
- /nsm/influxdb:/var/lib/influxdb2:rw
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
- /etc/pki/influxdb.key:/conf/influxdb.key:ro

1
salt/logrotate/init.sls
View File

@@ -3,6 +3,7 @@
logrotateconfdir:
file.directory:
- name: /opt/so/conf/logrotate
- makedirs: True
commonlogrotatescript:
file.managed:

2
salt/logstash/enabled.sls
View File

@@ -73,7 +73,7 @@ so-logstash:
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
- /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
{% else %}
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
- /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
{% endif %}
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %}
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro

105
salt/manager/init.sls
View File

@@ -26,6 +26,15 @@ repo_log_dir:
- user
- group
yara_log_dir:
file.directory:
- name: /opt/so/log/yarasync
- user: socore
- group: socore
- recurse:
- user
- group
repo_conf_dir:
file.directory:
- name: /opt/so/conf/reposync
@@ -52,21 +61,23 @@ manager_sbin:
- group: 939
- file_mode: 755
#manager_sbin_jinja:
# file.recurse:
# - name: /usr/sbin
# - source: salt://manager/tools/sbin_jinja
# - user: 939
# - group: 939
# - file_mode: 755
# - template: jinja
yara_update_scripts:
file.recurse:
- name: /usr/sbin/
- source: salt://manager/tools/sbin_jinja/
- user: socore
- group: socore
- file_mode: 755
- template: jinja
- defaults:
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
so-repo-sync:
{% if MANAGERMERGED.reposync.enabled %}
{% if MANAGERMERGED.reposync.enabled %}
cron.present:
{% else %}
{% else %}
cron.absent:
{% endif %}
{% endif %}
- user: socore
- name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
- identifier: so-repo-sync
@@ -82,7 +93,15 @@ socore_own_saltstack:
- user
- group
{% if STRELKAMERGED.rules.enabled %}
rules_dir:
file.directory:
- name: /nsm/rules/yara
- user: socore
- group: socore
- makedirs: True
{% if STRELKAMERGED.rules.enabled %}
strelkarepos:
file.managed:
- name: /opt/so/conf/strelka/repos.txt
@@ -91,67 +110,45 @@ strelkarepos:
- defaults:
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
- makedirs: True
{% endif %}
yara_update_scripts:
file.recurse:
- name: /usr/sbin/
- source: salt://manager/tools/sbin_jinja/
- user: socore
- group: socore
- file_mode: 755
- template: jinja
- defaults:
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
rules_dir:
file.directory:
- name: /nsm/rules/yara
- user: socore
- group: socore
- makedirs: True
{% if GLOBALS.airgap %}
remove_strelka-yara-download:
cron.absent:
- user: socore
- identifier: strelka-yara-download
strelka-yara-update:
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- user: socore
- name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
- name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1'
- identifier: strelka-yara-update
- hour: '7'
- minute: '1'
strelka-yara-download:
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- user: socore
- name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1'
- identifier: strelka-yara-download
- hour: '7'
- minute: '1'
{% if not GLOBALS.airgap %}
update_yara_rules:
cmd.run:
- name: /usr/sbin/so-yara-update
- onchanges:
- file: yara_update_scripts
{% else %}
remove_strelka-yara-update:
cron.absent:
- user: socore
- identifier: strelka-yara-update
strelka-yara-download:
cron.present:
- user: socore
- name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1'
- identifier: strelka-yara-download
- hour: '7'
- minute: '1'
download_yara_rules:
cmd.run:
- name: /usr/sbin/so-yara-download
- onchanges:
- file: yara_update_scripts
{% endif %}
{% endif %}
{% endif %}
{% else %}
{{sls}}_state_not_allowed:

21
salt/manager/tools/sbin/so-minion
View File

@@ -187,15 +187,9 @@ function add_logstash_to_minion() {
# Security Onion Desktop
function add_desktop_to_minion() {
printf '%s\n'\
"host:"\
" mainint: '$MNIC'"\
"desktop:"\
" gui:"\
" enabled: true"\
"sensoroni:"\
" enabled: True"\
" config:"\
" node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
" enabled: true"\ >> $PILLARFILE
}
# Add basic host info to the minion file
@@ -245,6 +239,10 @@ function add_sensor_to_minion() {
echo " threads: '$CORECOUNT'" >> $PILLARFILE
echo "pcap:" >> $PILLARFILE
echo " enabled: True" >> $PILLARFILE
if [[ $is_pcaplimit ]]; then
echo " config:" >> $PILLARFILE
echo " diskfreepercentage: 60" >> $PILLARFILE
fi
echo " " >> $PILLARFILE
}
@@ -415,6 +413,7 @@ function apply_ES_state() {
salt-call state.apply elasticsearch concurrent=True
}
function createEVAL() {
is_pcaplimit=true
add_elasticsearch_to_minion
add_sensor_to_minion
add_strelka_to_minion
@@ -435,6 +434,7 @@ function createEVAL() {
}
function createSTANDALONE() {
is_pcaplimit=true
add_elasticsearch_to_minion
add_logstash_to_minion
add_sensor_to_minion
@@ -526,8 +526,9 @@ function createIDH() {
}
function createHEAVYNODE() {
is_pcaplimit=true
add_elasticsearch_to_minion
add_elastic_agent_to_minion
add_elastic_agent_to_minion
add_logstash_to_minion
add_sensor_to_minion
add_strelka_to_minion
@@ -556,6 +557,10 @@ function createRECEIVER() {
add_telegraf_to_minion
}
function createDESKTOP() {
add_desktop_to_minion
add_telegraf_to_minion
}
function testConnection() {
retry 15 3 "salt '$MINION_ID' test.ping" True

4
salt/manager/tools/sbin/so-repo-sync
View File

@@ -11,6 +11,8 @@ set_version
set_os
salt_minion_count
set -e
curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
createrepo /nsm/repo
createrepo /nsm/repo

46
salt/manager/tools/sbin/soup
View File

@@ -171,6 +171,13 @@ airgap_update_dockers() {
fi
}
backup_old_states_pillars() {
tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_default_states_pillars.tar.gz /opt/so/saltstack/default/
tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_local_states_pillars.tar.gz /opt/so/saltstack/local/
}
update_registry() {
docker stop so-dockerregistry
docker rm so-dockerregistry
@@ -303,6 +310,7 @@ check_log_size_limit() {
check_os_updates() {
# Check to see if there are OS updates
echo "Checking for OS updates."
NEEDUPDATES="We have detected missing operating system (OS) updates. Do you want to install these OS updates now? This could take a while depending on the size of your grid and how many packages are missing, but it is recommended to keep your system updated."
OSUPDATES=$(dnf -q list updates | grep -v docker | grep -v containerd | grep -v salt | grep -v Available | wc -l)
if [[ "$OSUPDATES" -gt 0 ]]; then
@@ -394,6 +402,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4
[[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5
[[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10
[[ "$INSTALLEDVERSION" == 2.4.10 ]] && up_to_2.4.20
true
}
@@ -405,6 +414,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4
[[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5
[[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10
[[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20
true
}
@@ -430,6 +440,17 @@ post_to_2.4.10() {
POSTVERSION=2.4.10
}
post_to_2.4.20() {
echo "Pruning unused docker volumes on all nodes - This process will run in the background."
salt --async \* cmd.run "docker volume prune -f"
POSTVERSION=2.4.20
}
repo_sync() {
echo "Sync the local repo."
su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
}
stop_salt_master() {
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
set +e
@@ -496,6 +517,12 @@ up_to_2.4.10() {
INSTALLEDVERSION=2.4.10
}
up_to_2.4.20() {
echo "Nothing to do for 2.4.20"
INSTALLEDVERSION=2.4.20
}
determine_elastic_agent_upgrade() {
if [[ $is_airgap -eq 0 ]]; then
update_elastic_agent_airgap
@@ -749,9 +776,7 @@ main() {
fi
echo "Verifying we have the latest soup script."
verify_latest_update_script
echo "Checking for OS updates."
check_os_updates
echo "Let's see if we need to update Security Onion."
upgrade_check
upgrade_space
@@ -763,10 +788,18 @@ main() {
if [[ $is_airgap -eq 0 ]]; then
yum clean all
check_os_updates
elif [[ $OS == 'oel' ]]; then
# sync remote repo down to local if not airgap
repo_sync
check_os_updates
fi
if [ "$is_hotfix" == "true" ]; then
echo "Applying $HOTFIXVERSION hotfix"
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
if [[ ! "$MINIONID" =~ "_import" ]]; then
backup_old_states_pillars
fi
copy_new_files
apply_hotfix
echo "Hotfix applied"
@@ -823,6 +856,13 @@ main() {
update_centos_repo
fi
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
if [[ ! "$MINIONID" =~ "_import" ]]; then
echo ""
echo "Creating snapshots of default and local Salt states and pillars and saving to /nsm/backup/"
backup_old_states_pillars
fi
echo ""
echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
copy_new_files

2
salt/mysql/config.sls
View File

@@ -9,7 +9,7 @@
# MySQL Setup
mysqlpkgs:
pkg.installed:
pkg.removed:
- skip_suggestions: False
- pkgs:
{% if grains['os_family'] != 'RedHat' %}

16
salt/nginx/etc/nginx.conf
View File

@@ -8,6 +8,7 @@
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
user nobody;
include /usr/share/nginx/modules/*.conf;
@@ -230,7 +231,20 @@ http {
proxy_cookie_path /api/ /influxdb/api/;
}
location /kibana/ {
location /app/dashboards/ {
auth_request /auth/sessions/whoami;
rewrite /app/dashboards/(.*) /app/dashboards/$1 break;
proxy_pass http://{{ GLOBALS.manager }}:5601/app/;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header X-Forwarded-Proto $scheme;
}
location /kibana/ {
auth_request /auth/sessions/whoami;
rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ GLOBALS.manager }}:5601/;

18
salt/pcap/soc_pcap.yaml
View File

@@ -1,35 +1,35 @@
pcap:
enabled:
description: You can enable or disable Stenographer on all sensors or a single sensor.
helpLink: pcap.html
helpLink: stenographer.html
config:
maxdirectoryfiles:
description: The maximum number of packet/index files to create before deleting old files.
helpLink: pcap.html
helpLink: stenographer.html
diskfreepercentage:
description: The disk space percent to always keep free for PCAP
helpLink: pcap.html
helpLink: stenographer.html
blocks:
description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this.
advanced: True
helpLink: pcap.html
helpLink: stenographer.html
preallocate_file_mb:
description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this.
advanced: True
helpLink: pcap.html
helpLink: stenographer.html
aiops:
description: The max number of async writes to allow at once.
advanced: True
helpLink: pcap.html
helpLink: stenographer.html
pin_to_cpu:
description: Enable CPU pinning for PCAP.
advanced: True
helpLink: pcap.html
helpLink: stenographer.html
cpus_to_pin_to:
description: CPU to pin PCAP to. Currently only a single CPU is supported.
advanced: True
helpLink: pcap.html
helpLink: stenographer.html
disks:
description: List of disks to use for PCAP. This is currently not used.
advanced: True
helpLink: pcap.html
helpLink: stenographer.html

8
salt/playbook/config.sls
View File

@@ -91,6 +91,14 @@ playbooklogdir:
- group: 939
- makedirs: True
playbookfilesdir:
file.directory:
- name: /opt/so/conf/playbook/redmine-files
- dir_mode: 775
- user: 939
- group: 939
- makedirs: True
{% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %}
idh-plays:
file.recurse:

1
salt/playbook/enabled.sls
View File

@@ -33,6 +33,7 @@ so-playbook:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-playbook'].ip }}
- binds:
- /opt/so/conf/playbook/redmine-files:/usr/src/redmine/files:rw
- /opt/so/log/playbook:/playbook/log:rw
{% if DOCKER.containers['so-playbook'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-playbook'].custom_bind_mounts %}

7
salt/redis/config.sls
View File

@@ -25,6 +25,13 @@ redisworkdir:
- group: 939
- makedirs: True
redisdatadir:
file.directory:
- name: /nsm/redis/data
- user: 939
- group: 939
- makedirs: True
redislogdir:
file.directory:
- name: /opt/so/log/redis

3
salt/redis/enabled.sls
View File

@@ -28,12 +28,13 @@ so-redis:
- /opt/so/log/redis:/var/log/redis:rw
- /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro
- /opt/so/conf/redis/working:/redis:rw
- /nsm/redis/data:/data:rw
- /etc/pki/redis.crt:/certs/redis.crt:ro
- /etc/pki/redis.key:/certs/redis.key:ro
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
- /etc/pki/ca.crt:/certs/ca.crt:ro
{% else %}
- /etc/ssl/certs/intca.crt:/certs/ca.crt:ro
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
{% endif %}
{% if DOCKER.containers['so-redis'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}

12
salt/salt/minion.sls
View File

@@ -47,24 +47,24 @@ hold_salt_packages:
{% endfor %}
{% endif %}
remove_info_log_level_logfile:
remove_error_log_level_logfile:
file.line:
- name: /etc/salt/minion
- match: "log_level_logfile: info"
- match: "log_level_logfile: error"
- mode: delete
remove_info_log_level:
remove_error_log_level:
file.line:
- name: /etc/salt/minion
- match: "log_level: info"
- match: "log_level: error"
- mode: delete
set_log_levels:
file.append:
- name: /etc/salt/minion
- text:
- "log_level: error"
- "log_level_logfile: error"
- "log_level: info"
- "log_level_logfile: info"
salt_minion_service_unit_file:
file.managed:

4
salt/salt/service/salt-minion.service.jinja
View File

@@ -1,6 +1,6 @@
[Unit]
Description=The Salt Minion
Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltproject.io/en/latest/contents.html
After=network.target salt-master.service
[Service]
@@ -12,4 +12,4 @@ ExecStart=/usr/bin/salt-minion
ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target

28
salt/sensoroni/defaults.yaml
View File

@@ -8,3 +8,31 @@ sensoroni:
node_checkin_interval_ms: 10000
sensoronikey:
soc_host:
analyzers:
emailrep:
base_url: https://emailrep.io/
api_key:
greynoise:
base_url: https://api.greynoise.io/
api_key:
api_version: community
localfile:
file_path: []
otx:
base_url: https://otx.alienvault.com/api/v1/
api_key:
pulsedive:
base_url: https://pulsedive.com/api/
api_key:
spamhaus:
lookup_host: zen.spamhaus.org
nameservers: []
urlscan:
base_url: https://urlscan.io/api/v1/
api_key:
enabled: False
visibility: public
timeout: 180
virustotal:
base_url: https://www.virustotal.com/api/v3/search?query=
api_key:

6
salt/sensoroni/files/analyzers/README.md
View File

@@ -154,6 +154,12 @@ The analyzer itself will only run when a user in SOC enqueues an analyzer job, s
python -m urlhaus '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}'
```
To manually test an analyzer outside of the Sensoroni Docker container, use a command similar to the following:
```bash
PYTHONPATH=. python urlhaus/urlhaus.py '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}'
```
It is up to each analyzer to determine whether the provided input is compatible with that analyzer. This is assisted by the analyzer metadata, as described earlier in this document, with the use of the `supportedTypes` list.
Once the analyzer completes its functionality, it must terminate promptly. See the following sections for more details on expected internal behavior of the analyzer.

Some files were not shown because too many files have changed in this diff Show More