From 0622c77a7f51dda93ddce0bbf2f12b2b8cbb925f Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 4 May 2021 10:50:13 -0400 Subject: [PATCH 01/59] Add filebeat modules --- salt/filebeat/modules/activemq.yml.disabled | 19 ++ salt/filebeat/modules/apache.yml.disabled | 19 ++ salt/filebeat/modules/auditd.yml.disabled | 10 + salt/filebeat/modules/aws.yml.disabled | 255 ++++++++++++++++++ salt/filebeat/modules/azure.yml.disabled | 45 ++++ salt/filebeat/modules/barracuda.yml.disabled | 41 +++ salt/filebeat/modules/bluecoat.yml.disabled | 22 ++ salt/filebeat/modules/cef.yml.disabled | 17 ++ salt/filebeat/modules/checkpoint.yml.disabled | 24 ++ salt/filebeat/modules/cisco.yml.disabled | 142 ++++++++++ salt/filebeat/modules/coredns.yml.disabled | 11 + .../filebeat/modules/crowdstrike.yml.disabled | 11 + salt/filebeat/modules/cyberark.yml.disabled | 22 ++ salt/filebeat/modules/cylance.yml.disabled | 22 ++ .../modules/elasticsearch.yml.disabled | 35 +++ salt/filebeat/modules/envoyproxy.yml.disabled | 11 + salt/filebeat/modules/f5.yml.disabled | 41 +++ salt/filebeat/modules/fortinet.yml.disabled | 83 ++++++ salt/filebeat/modules/gcp.yml.disabled | 76 ++++++ .../modules/google_workspace.yml.disabled | 53 ++++ .../filebeat/modules/googlecloud.yml.disabled | 58 ++++ salt/filebeat/modules/gsuite.yml.disabled | 53 ++++ salt/filebeat/modules/haproxy.yml.disabled | 14 + salt/filebeat/modules/ibmmq.yml.disabled | 11 + salt/filebeat/modules/icinga.yml.disabled | 27 ++ salt/filebeat/modules/iis.yml.disabled | 20 ++ salt/filebeat/modules/imperva.yml.disabled | 22 ++ salt/filebeat/modules/infoblox.yml.disabled | 22 ++ salt/filebeat/modules/iptables.yml.disabled | 13 + salt/filebeat/modules/juniper.yml.disabled | 54 ++++ salt/filebeat/modules/kafka.yml.disabled | 15 ++ salt/filebeat/modules/kibana.yml.disabled | 19 ++ salt/filebeat/modules/logstash.yml.disabled | 18 ++ salt/filebeat/modules/microsoft.yml.disabled | 49 ++++ salt/filebeat/modules/misp.yml.disabled | 17 ++ salt/filebeat/modules/mongodb.yml.disabled | 11 + 
salt/filebeat/modules/mssql.yml.disabled | 11 + salt/filebeat/modules/mysql.yml.disabled | 19 ++ .../modules/mysqlenterprise.yml.disabled | 14 + salt/filebeat/modules/nats.yml.disabled | 11 + salt/filebeat/modules/netflow.yml.disabled | 14 + salt/filebeat/modules/netscout.yml.disabled | 22 ++ salt/filebeat/modules/nginx.yml.disabled | 27 ++ salt/filebeat/modules/o365.yml.disabled | 48 ++++ salt/filebeat/modules/okta.yml.disabled | 10 + salt/filebeat/modules/oracle.yml.disabled | 13 + salt/filebeat/modules/osquery.yml.disabled | 15 ++ salt/filebeat/modules/panw.yml.disabled | 22 ++ salt/filebeat/modules/pensando.yml.disabled | 13 + salt/filebeat/modules/postgresql.yml.disabled | 11 + salt/filebeat/modules/proofpoint.yml.disabled | 22 ++ salt/filebeat/modules/rabbitmq.yml.disabled | 11 + salt/filebeat/modules/radware.yml.disabled | 22 ++ salt/filebeat/modules/redis.yml.disabled | 21 ++ salt/filebeat/modules/santa.yml.disabled | 9 + salt/filebeat/modules/snort.yml.disabled | 22 ++ salt/filebeat/modules/snyk.yml.disabled | 112 ++++++++ salt/filebeat/modules/sonicwall.yml.disabled | 22 ++ salt/filebeat/modules/sophos.yml.disabled | 46 ++++ salt/filebeat/modules/squid.yml.disabled | 22 ++ salt/filebeat/modules/suricata.yml.disabled | 11 + salt/filebeat/modules/system.yml.disabled | 19 ++ .../filebeat/modules/threatintel.yml.disabled | 105 ++++++++ salt/filebeat/modules/tomcat.yml.disabled | 22 ++ salt/filebeat/modules/traefik.yml.disabled | 11 + salt/filebeat/modules/zeek.yml.disabled | 84 ++++++ salt/filebeat/modules/zoom.yml.disabled | 22 ++ salt/filebeat/modules/zscaler.yml.disabled | 22 ++ 68 files changed, 2237 insertions(+) create mode 100644 salt/filebeat/modules/activemq.yml.disabled create mode 100644 salt/filebeat/modules/apache.yml.disabled create mode 100644 salt/filebeat/modules/auditd.yml.disabled create mode 100644 salt/filebeat/modules/aws.yml.disabled create mode 100644 salt/filebeat/modules/azure.yml.disabled create mode 100644 
salt/filebeat/modules/barracuda.yml.disabled create mode 100644 salt/filebeat/modules/bluecoat.yml.disabled create mode 100644 salt/filebeat/modules/cef.yml.disabled create mode 100644 salt/filebeat/modules/checkpoint.yml.disabled create mode 100644 salt/filebeat/modules/cisco.yml.disabled create mode 100644 salt/filebeat/modules/coredns.yml.disabled create mode 100644 salt/filebeat/modules/crowdstrike.yml.disabled create mode 100644 salt/filebeat/modules/cyberark.yml.disabled create mode 100644 salt/filebeat/modules/cylance.yml.disabled create mode 100644 salt/filebeat/modules/elasticsearch.yml.disabled create mode 100644 salt/filebeat/modules/envoyproxy.yml.disabled create mode 100644 salt/filebeat/modules/f5.yml.disabled create mode 100644 salt/filebeat/modules/fortinet.yml.disabled create mode 100644 salt/filebeat/modules/gcp.yml.disabled create mode 100644 salt/filebeat/modules/google_workspace.yml.disabled create mode 100644 salt/filebeat/modules/googlecloud.yml.disabled create mode 100644 salt/filebeat/modules/gsuite.yml.disabled create mode 100644 salt/filebeat/modules/haproxy.yml.disabled create mode 100644 salt/filebeat/modules/ibmmq.yml.disabled create mode 100644 salt/filebeat/modules/icinga.yml.disabled create mode 100644 salt/filebeat/modules/iis.yml.disabled create mode 100644 salt/filebeat/modules/imperva.yml.disabled create mode 100644 salt/filebeat/modules/infoblox.yml.disabled create mode 100644 salt/filebeat/modules/iptables.yml.disabled create mode 100644 salt/filebeat/modules/juniper.yml.disabled create mode 100644 salt/filebeat/modules/kafka.yml.disabled create mode 100644 salt/filebeat/modules/kibana.yml.disabled create mode 100644 salt/filebeat/modules/logstash.yml.disabled create mode 100644 salt/filebeat/modules/microsoft.yml.disabled create mode 100644 salt/filebeat/modules/misp.yml.disabled create mode 100644 salt/filebeat/modules/mongodb.yml.disabled create mode 100644 salt/filebeat/modules/mssql.yml.disabled create mode 100644 
salt/filebeat/modules/mysql.yml.disabled create mode 100644 salt/filebeat/modules/mysqlenterprise.yml.disabled create mode 100644 salt/filebeat/modules/nats.yml.disabled create mode 100644 salt/filebeat/modules/netflow.yml.disabled create mode 100644 salt/filebeat/modules/netscout.yml.disabled create mode 100644 salt/filebeat/modules/nginx.yml.disabled create mode 100644 salt/filebeat/modules/o365.yml.disabled create mode 100644 salt/filebeat/modules/okta.yml.disabled create mode 100644 salt/filebeat/modules/oracle.yml.disabled create mode 100644 salt/filebeat/modules/osquery.yml.disabled create mode 100644 salt/filebeat/modules/panw.yml.disabled create mode 100644 salt/filebeat/modules/pensando.yml.disabled create mode 100644 salt/filebeat/modules/postgresql.yml.disabled create mode 100644 salt/filebeat/modules/proofpoint.yml.disabled create mode 100644 salt/filebeat/modules/rabbitmq.yml.disabled create mode 100644 salt/filebeat/modules/radware.yml.disabled create mode 100644 salt/filebeat/modules/redis.yml.disabled create mode 100644 salt/filebeat/modules/santa.yml.disabled create mode 100644 salt/filebeat/modules/snort.yml.disabled create mode 100644 salt/filebeat/modules/snyk.yml.disabled create mode 100644 salt/filebeat/modules/sonicwall.yml.disabled create mode 100644 salt/filebeat/modules/sophos.yml.disabled create mode 100644 salt/filebeat/modules/squid.yml.disabled create mode 100644 salt/filebeat/modules/suricata.yml.disabled create mode 100644 salt/filebeat/modules/system.yml.disabled create mode 100644 salt/filebeat/modules/threatintel.yml.disabled create mode 100644 salt/filebeat/modules/tomcat.yml.disabled create mode 100644 salt/filebeat/modules/traefik.yml.disabled create mode 100644 salt/filebeat/modules/zeek.yml.disabled create mode 100644 salt/filebeat/modules/zoom.yml.disabled create mode 100644 salt/filebeat/modules/zscaler.yml.disabled 
diff --git a/salt/filebeat/modules/activemq.yml.disabled b/salt/filebeat/modules/activemq.yml.disabled
new file mode 100644
index 000000000..43536ecbc
--- /dev/null
+++ b/salt/filebeat/modules/activemq.yml.disabled
@@ -0,0 +1,19 @@
+# Module: activemq
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-activemq.html
+
+- module: activemq
+ # Audit logs
+ audit:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Application logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/apache.yml.disabled b/salt/filebeat/modules/apache.yml.disabled
new file mode 100644
index 000000000..b923dd581
--- /dev/null
+++ b/salt/filebeat/modules/apache.yml.disabled
@@ -0,0 +1,19 @@
+# Module: apache
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-apache.html
+
+- module: apache
+ # Access logs
+ access:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Error logs
+ error:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/auditd.yml.disabled b/salt/filebeat/modules/auditd.yml.disabled
new file mode 100644
index 000000000..76296ec85
--- /dev/null
+++ b/salt/filebeat/modules/auditd.yml.disabled
@@ -0,0 +1,10 @@
+# Module: auditd
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-auditd.html
+
+- module: auditd
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/aws.yml.disabled b/salt/filebeat/modules/aws.yml.disabled
new file mode 100644
index 000000000..904bd976c
--- /dev/null
+++ b/salt/filebeat/modules/aws.yml.disabled
@@ -0,0 +1,255 @@ +# Module: aws +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-aws.html + +- module: aws + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Process CloudTrail logs + # default is true, set to false to skip Cloudtrail logs + # var.process_cloudtrail_logs: false + + # Process CloudTrail Digest logs + # default true, set to false to skip CloudTrail Digest logs + # var.process_digest_logs: false + + # Process CloudTrail Insight logs + # default true, set to false to skip CloudTrail Insight logs + # var.process_insight_logs: false + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + cloudwatch: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + ec2: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + elb: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + s3access: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
+ #var.max_number_of_messages: 5 + + vpcflow: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + #var.fips_enabled: false + + # The maximum number of messages to return from SQS. Valid values: 1 to 10. + #var.max_number_of_messages: 5 diff --git a/salt/filebeat/modules/azure.yml.disabled b/salt/filebeat/modules/azure.yml.disabled new file mode 100644 index 000000000..3b2bc1ecf --- /dev/null +++ b/salt/filebeat/modules/azure.yml.disabled 
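Review bot: Every fileset in the aws hunk (cloudtrail, cloudwatch, ec2, elb, s3access, vpcflow) carries commented `#var.access_key_id`, `#var.secret_access_key` and `#var.session_token` lines, so the path of least resistance for an operator who renames this file is to paste a long-lived access key into a Salt-managed configuration file that is then tracked alongside the state tree. The same hunk already offers the safer options, `#var.shared_credential_file` and `#var.role_arn`, and if this directory is rendered as a Salt template (not visible in this commit) pillar-sourced values would be the better place for any key. I would add one line under the `# Docs:` header: `# Credentials: prefer var.role_arn or var.shared_credential_file over inline keys; do not commit access keys to this file.` The cisco hunk has the same exposure in its umbrella fileset, where `#var.secret_access_key: PASSWORD` is the only credential hint given.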
@@ -0,0 +1,45 @@
+# Module: azure
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-azure.html
+
+- module: azure
+ # All logs
+ activitylogs:
+ enabled: true
+ var:
+ # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
+ eventhub: "insights-operational-logs"
+ # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
+ consumer_group: "$Default"
+ # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string
+ connection_string: ""
+ # the name of the storage account the state/offsets will be stored and updated
+ storage_account: ""
+ # the storage account key, this key will be used to authorize access to data in your storage account
+ storage_account_key: ""
+
+ platformlogs:
+ enabled: false
+ # var:
+ # eventhub: ""
+ # consumer_group: "$Default"
+ # connection_string: ""
+ # storage_account: ""
+ # storage_account_key: ""
+
+
+ auditlogs:
+ enabled: false
+ # var:
+ # eventhub: "insights-logs-auditlogs"
+ # consumer_group: "$Default"
+ # connection_string: ""
+ # storage_account: ""
+ # storage_account_key: ""
+ signinlogs:
+ enabled: false
+ # var:
+ # eventhub: "insights-logs-signinlogs"
+ # consumer_group: "$Default"
+ # connection_string: ""
+ # storage_account: ""
+ # storage_account_key: ""
diff --git a/salt/filebeat/modules/barracuda.yml.disabled b/salt/filebeat/modules/barracuda.yml.disabled
new file mode 100644
index 000000000..99ff85036
--- /dev/null
+++ b/salt/filebeat/modules/barracuda.yml.disabled
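Review bot: `activitylogs` is the only fileset in the azure hunk shipped as `enabled: true`, and its `connection_string: ""`, `storage_account: ""` and `storage_account_key: ""` are live keys rather than the commented `# var:` block that `platformlogs`, `auditlogs` and `signinlogs` use. Renaming the file to `.yml` therefore starts a fileset with empty Event Hub and storage credentials, and the natural fix — filling them in — puts an Event Hub connection string and a storage account key in clear text into a Salt-managed file. For consistency with its siblings I would ship it as `enabled: false` with the `var:` block commented out, and add above it `# Supply connection_string and storage_account_key from pillar or a secrets store; do not commit them here.`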
@@ -0,0 +1,41 @@ +# Module: barracuda +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-barracuda.html + +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + spamfirewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9524 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/bluecoat.yml.disabled b/salt/filebeat/modules/bluecoat.yml.disabled new file mode 100644 index 000000000..6550c8eed --- /dev/null +++ b/salt/filebeat/modules/bluecoat.yml.disabled @@ -0,0 +1,22 @@ +# Module: bluecoat +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-bluecoat.html + +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/salt/filebeat/modules/cef.yml.disabled b/salt/filebeat/modules/cef.yml.disabled
new file mode 100644
index 000000000..2de22edcc
--- /dev/null
+++ b/salt/filebeat/modules/cef.yml.disabled
@@ -0,0 +1,17 @@
+# Module: cef
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cef.html
+
+- module: cef
+ log:
+ enabled: true
+ var:
+ syslog_host: localhost
+ syslog_port: 9003
+
+ # Set internal security zones. used to override parsed network.direction
+ # based on zone egress and ingress
+ #var.internal_zones: [ "Internal" ]
+
+ # Set external security zones. used to override parsed network.direction
+ # based on zone egress and ingress
+ #var.external_zones: [ "External" ]
diff --git a/salt/filebeat/modules/checkpoint.yml.disabled b/salt/filebeat/modules/checkpoint.yml.disabled
new file mode 100644
index 000000000..9d34b8d72
--- /dev/null
+++ b/salt/filebeat/modules/checkpoint.yml.disabled
@@ -0,0 +1,24 @@
+# Module: checkpoint
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-checkpoint.html
+
+- module: checkpoint
+ firewall:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input: syslog
+
+ # The interface to listen to UDP based syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The UDP port to listen for syslog traffic. Defaults to 9001.
+ #var.syslog_port: 9001
+
+ # Set internal security zones. used to override parsed network.direction
+ # based on zone egress and ingress
+ #var.internal_zones: [ "Internal" ]
+
+ # Set external security zones. used to override parsed network.direction
+ # based on zone egress and ingress
+ #var.external_zones: [ "External" ]
diff --git a/salt/filebeat/modules/cisco.yml.disabled b/salt/filebeat/modules/cisco.yml.disabled
new file mode 100644
index 000000000..9e4658045
--- /dev/null
+++ b/salt/filebeat/modules/cisco.yml.disabled
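Review bot: The cef hunk pins `syslog_host: localhost` and `syslog_port: 9003` as live values under `var:`, while the cisco hunk's `ftd` fileset documents the same port as its default (`# The UDP port to listen for syslog traffic. Defaults to 9003.`); likewise checkpoint's `firewall` and cisco's `asa` both default to 9001. Nothing in this commit records which of these module files are meant to be enabled together, so an operator who renames both cef and cisco (or checkpoint and cisco) ends up with two UDP listeners on the same port, and the second one is likely to fail to bind, leaving that feed missing without any change to the enabled filesets. I would add a comment above the cef `syslog_port: 9003` line, e.g. `# 9003 is also the default for cisco.ftd; use a distinct port if both modules are enabled.`, and the equivalent note on checkpoint's `#var.syslog_port: 9001` line pointing at cisco.asa.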
@@ -0,0 +1,142 @@ +# Module: cisco +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cisco.html + +- module: cisco + asa: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9001. + #var.syslog_port: 9001 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html + #var.log_level: 7 + + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. 
used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + + ios: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9002. + #var.syslog_port: 9002 + + # Set custom paths for the log files when using file input. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + meraki: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9525 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. 
+ # "+02:00" for GMT+02:00 + # var.tz_offset: local + + umbrella: + enabled: true + + #var.input: aws-s3 + # AWS SQS queue url + #var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue + # Access ID to authenticate with the S3 input + #var.access_key_id: 123456 + # Access key to authenticate with the S3 input + #var.secret_access_key: PASSWORD + # The duration that the received messages are hidden from ReceiveMessage request + #var.visibility_timeout: 300s + # Maximum duration before AWS API request will be interrupted + #var.api_timeout: 120s + + amp: + enabled: true + + # Set which input to use between httpjson (default) or file. + #var.input: httpjson + + # The API URL + #var.url: https://api.amp.cisco.com/v1/events + # The client ID used as a username for the API requests. + #var.client_id: + # The API key related to the client ID. + #var.api_key: + # How far to look back the first time the module is started. Expects an amount of hours. + #var.first_interval: 24h + # Overriding the default request timeout, optional. + #var.request_timeout: 60s diff --git a/salt/filebeat/modules/coredns.yml.disabled b/salt/filebeat/modules/coredns.yml.disabled new file mode 100644 index 000000000..46e9e55c1 --- /dev/null +++ b/salt/filebeat/modules/coredns.yml.disabled @@ -0,0 +1,11 @@ +# Module: coredns +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-coredns.html + +- module: coredns + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/crowdstrike.yml.disabled b/salt/filebeat/modules/crowdstrike.yml.disabled new file mode 100644 index 000000000..8d2c8531d --- /dev/null +++ b/salt/filebeat/modules/crowdstrike.yml.disabled 
@@ -0,0 +1,11 @@ +# Module: crowdstrike +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-crowdstrike.html + +- module: crowdstrike + + falcon: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/cyberark.yml.disabled b/salt/filebeat/modules/cyberark.yml.disabled new file mode 100644 index 000000000..e97955adf --- /dev/null +++ b/salt/filebeat/modules/cyberark.yml.disabled @@ -0,0 +1,22 @@ +# Module: cyberark +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberark.html + +- module: cyberark + corepas: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9527 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/cylance.yml.disabled b/salt/filebeat/modules/cylance.yml.disabled new file mode 100644 index 000000000..342d654d2 --- /dev/null +++ b/salt/filebeat/modules/cylance.yml.disabled @@ -0,0 +1,22 @@ +# Module: cylance +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cylance.html + +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/salt/filebeat/modules/elasticsearch.yml.disabled b/salt/filebeat/modules/elasticsearch.yml.disabled new file mode 100644 index 000000000..e6074c05e --- /dev/null +++ b/salt/filebeat/modules/elasticsearch.yml.disabled @@ -0,0 +1,35 @@ +# Module: elasticsearch +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-elasticsearch.html + +- module: elasticsearch + # Server log + server: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + gc: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + audit: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + slowlog: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + deprecation: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/envoyproxy.yml.disabled b/salt/filebeat/modules/envoyproxy.yml.disabled new file mode 100644 index 000000000..543b17be5 --- /dev/null +++ b/salt/filebeat/modules/envoyproxy.yml.disabled @@ -0,0 +1,11 @@ +# Module: envoyproxy +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-envoyproxy.html + +- module: envoyproxy + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/f5.yml.disabled b/salt/filebeat/modules/f5.yml.disabled new file mode 100644 index 000000000..959842174 --- /dev/null +++ b/salt/filebeat/modules/f5.yml.disabled 
@@ -0,0 +1,41 @@ +# Module: f5 +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-f5.html + +- module: f5 + bigipapm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9504 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + bigipafm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9528 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/fortinet.yml.disabled b/salt/filebeat/modules/fortinet.yml.disabled new file mode 100644 index 000000000..281b7d788 --- /dev/null +++ b/salt/filebeat/modules/fortinet.yml.disabled 
@@ -0,0 +1,83 @@ +# Module: fortinet +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-fortinet.html + +- module: fortinet + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9004 + + # Set internal interfaces. used to override parsed network.direction + # based on a tagged interface. Both internal and external interfaces must be + # set to leverage this functionality. + #var.internal_interfaces: [ "LAN" ] + + # Set external interfaces. used to override parsed network.direction + # based on a tagged interface. Both internal and external interfaces must be + # set to leverage this functionality. + #var.external_interfaces: [ "WAN" ] + + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + fortimail: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9529 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + fortimanager: + enabled: true + + # Set which input to use between udp (default), tcp or file. 
+ # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9530 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/gcp.yml.disabled b/salt/filebeat/modules/gcp.yml.disabled new file mode 100644 index 000000000..a09d0fe36 --- /dev/null +++ b/salt/filebeat/modules/gcp.yml.disabled 
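Review bot: The firewall fileset's comments tell the operator to set `var.syslog_host: 0.0.0.0` to accept traffic from the device, but say nothing about the consequence: with the default `var.input: udp` that is an unauthenticated UDP listener on every interface, and any host that can reach port 9004 can inject or spoof firewall events into the pipeline. I would extend the comment to `# Binding to 0.0.0.0 exposes an unauthenticated listener: restrict port 9004 to the FortiGate's source address at the host firewall, and prefer var.input: tcp where the device supports it.` The clientendpoint, fortimail and fortimanager filesets below share the localhost default but carry no such note either; one comment at the top of the module would cover all four. This hunk starts on the previous line.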
@@ -0,0 +1,76 @@ +# Module: gcp +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gcp.html + +- module: gcp + vpcflow: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be + # configured to use this topic as a sink for VPC flow logs. + var.topic: gcp-vpc-flowlogs + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-vpc-flowlogs-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + # Set internal networks. This is used to classify network.direction based + # off of what networks are considered "internal" either base off of a CIDR + # block or named network conditions. If this is not specified, then traffic + # direction is determined by whether it is between source and destination + # instance information rather than IP. + # + # For a full list of network conditions see: + # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network + #var.internal_networks: [ "private" ] + + firewall: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-firewall + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-firewall-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + # Set internal networks. 
This is used to classify network.direction based + # off of what networks are considered "internal" either base off of a CIDR + # block or named network conditions. If this is not specified, then traffic + # is taken from the direction data in the rule_details event payload. + # + # For a full list of network conditions see: + # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network + #var.internal_networks: [ "private" ] + + audit: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-audit + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-audit + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json diff --git a/salt/filebeat/modules/google_workspace.yml.disabled b/salt/filebeat/modules/google_workspace.yml.disabled new file mode 100644 index 000000000..6d364af98 --- /dev/null +++ b/salt/filebeat/modules/google_workspace.yml.disabled 
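Review bot: `var.project_id`, `var.topic`, `var.subscription_name` and `var.credentials_file` are left uncommented with placeholder values (`my-gcp-project-id`, `gcp-service-account-xyz.json`) in all three filesets, so renaming the file from `.disabled` makes the module live with a bogus project and a non-existent key file instead of failing on a missing setting; the other templates in this batch comment such values out. Either comment them or add `# REPLACE before enabling` above each group. Two documentation points: the audit fileset's comment says its topic contains "firewall logs" (copied from the firewall fileset; it should read `# Google Pub/Sub topic containing audit logs.`), and the note that Filebeat will create the subscription if it does not exist implies the service account needs create rights on Pub/Sub, which is worth saying so an operator can pre-create the subscription and scope the key to subscriber-only. This hunk starts on the previous line.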
@@ -0,0 +1,53 @@ +# Module: google_workspace +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-google_workspace.html + +- module: google_workspace + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + diff --git a/salt/filebeat/modules/googlecloud.yml.disabled b/salt/filebeat/modules/googlecloud.yml.disabled new file mode 100644 index 000000000..9a28dc036 --- /dev/null +++ b/salt/filebeat/modules/googlecloud.yml.disabled 
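Review bot: The examples `# var.jwt_file: credentials.json` and `# var.delegated_account: admin@example.com` give no hint of how sensitive these are: the JWT file is a service-account private key with domain-wide delegation, and the delegated account is impersonated by every one of the six filesets. I would add above the first fileset: `# jwt_file is a domain-wide-delegated service-account key: keep it outside the Salt tree with mode 0600, and delegate only the read-only reporting scope the linked docs require to a dedicated account rather than a super-admin.` The example path is relative and it is not visible here which directory Filebeat resolves it against, so an absolute path in the example would be safer.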
@@ -0,0 +1,58 @@ +# Module: googlecloud +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-googlecloud.html + +# googlecloud module is deprecated, please use gcp instead +- module: gcp + vpcflow: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be + # configured to use this topic as a sink for VPC flow logs. + var.topic: gcp-vpc-flowlogs + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-vpc-flowlogs-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + firewall: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-firewall + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-firewall-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + audit: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-audit + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-audit + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json 
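Review bot: This file is named `googlecloud.yml.disabled` but declares `- module: gcp` with the same topics, subscriptions and placeholder credentials as `gcp.yml.disabled`, so enabling both yields two `gcp` module definitions pulling from the same Pub/Sub subscriptions. Since the header already marks it deprecated, I would either drop the file or add `# Do NOT enable alongside gcp.yml: both define module gcp and would double-consume the same subscriptions.` under the deprecation line.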
diff --git a/salt/filebeat/modules/gsuite.yml.disabled b/salt/filebeat/modules/gsuite.yml.disabled new file mode 100644 index 000000000..6aec3b65d --- /dev/null +++ b/salt/filebeat/modules/gsuite.yml.disabled @@ -0,0 +1,53 @@ +# Module: gsuite +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gsuite.html + +# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. +- module: gsuite + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h diff --git a/salt/filebeat/modules/haproxy.yml.disabled b/salt/filebeat/modules/haproxy.yml.disabled new file mode 100644 index 000000000..b2615dbb8 --- /dev/null +++ b/salt/filebeat/modules/haproxy.yml.disabled 
@@ -0,0 +1,14 @@ +# Module: haproxy +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-haproxy.html + +- module: haproxy + # All logs + log: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/ibmmq.yml.disabled b/salt/filebeat/modules/ibmmq.yml.disabled new file mode 100644 index 000000000..bfaf3792d --- /dev/null +++ b/salt/filebeat/modules/ibmmq.yml.disabled @@ -0,0 +1,11 @@ +# Module: ibmmq +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-ibmmq.html + +- module: ibmmq + # All logs + errorlog: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/icinga.yml.disabled b/salt/filebeat/modules/icinga.yml.disabled new file mode 100644 index 000000000..a7c3ac6e1 --- /dev/null +++ b/salt/filebeat/modules/icinga.yml.disabled @@ -0,0 +1,27 @@ +# Module: icinga +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-icinga.html + +- module: icinga + # Main logs + main: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Debug logs + debug: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Startup logs + startup: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/iis.yml.disabled b/salt/filebeat/modules/iis.yml.disabled new file mode 100644 index 000000000..44c200ba1 --- /dev/null +++ b/salt/filebeat/modules/iis.yml.disabled 
@@ -0,0 +1,20 @@ +# Module: iis +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iis.html + +- module: iis + # Access logs + access: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Error logs + error: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + \ No newline at end of file diff --git a/salt/filebeat/modules/imperva.yml.disabled b/salt/filebeat/modules/imperva.yml.disabled new file mode 100644 index 000000000..8e53deaa6 --- /dev/null +++ b/salt/filebeat/modules/imperva.yml.disabled @@ -0,0 +1,22 @@ +# Module: imperva +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-imperva.html + +- module: imperva + securesphere: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9511 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/infoblox.yml.disabled b/salt/filebeat/modules/infoblox.yml.disabled new file mode 100644 index 000000000..9e82f8340 --- /dev/null +++ b/salt/filebeat/modules/infoblox.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: infoblox +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-infoblox.html + +- module: infoblox + nios: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9512 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/iptables.yml.disabled b/salt/filebeat/modules/iptables.yml.disabled new file mode 100644 index 000000000..1147e14dd --- /dev/null +++ b/salt/filebeat/modules/iptables.yml.disabled @@ -0,0 +1,13 @@ +# Module: iptables +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iptables.html + +- module: iptables + log: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/juniper.yml.disabled b/salt/filebeat/modules/juniper.yml.disabled new file mode 100644 index 000000000..71112679d --- /dev/null +++ b/salt/filebeat/modules/juniper.yml.disabled 
@@ -0,0 +1,54 @@ +# Module: juniper +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-juniper.html + +- module: juniper + junos: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9513 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + netscreen: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9523 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 diff --git a/salt/filebeat/modules/kafka.yml.disabled b/salt/filebeat/modules/kafka.yml.disabled new file mode 100644 index 000000000..23362c8a1 --- /dev/null +++ b/salt/filebeat/modules/kafka.yml.disabled 
@@ -0,0 +1,15 @@ +# Module: kafka +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kafka.html + +- module: kafka + # All logs + log: + enabled: true + + # Set custom paths for Kafka. If left empty, + # Filebeat will look under /opt. + #var.kafka_home: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/kibana.yml.disabled b/salt/filebeat/modules/kibana.yml.disabled new file mode 100644 index 000000000..a4956c4b6 --- /dev/null +++ b/salt/filebeat/modules/kibana.yml.disabled @@ -0,0 +1,19 @@ +# Module: kibana +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kibana.html + +- module: kibana + # Server logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Audit logs + audit: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/logstash.yml.disabled b/salt/filebeat/modules/logstash.yml.disabled new file mode 100644 index 000000000..f14229409 --- /dev/null +++ b/salt/filebeat/modules/logstash.yml.disabled @@ -0,0 +1,18 @@ +# Module: logstash +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-logstash.html + +- module: logstash + # logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Slow logs + slowlog: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/microsoft.yml.disabled b/salt/filebeat/modules/microsoft.yml.disabled new file mode 100644 index 000000000..b0a1b10c6 --- /dev/null 
+++ b/salt/filebeat/modules/microsoft.yml.disabled
@@ -0,0 +1,49 @@
+# Module: microsoft
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-microsoft.html
+
+- module: microsoft
+ # ATP configuration
+ defender_atp:
+ enabled: true
+ # How often the API should be polled
+ #var.interval: 5m
+
+ # Oauth Client ID
+ #var.oauth2.client.id: ""
+
+ # Oauth Client Secret
+ #var.oauth2.client.secret: ""
+
+ # Oauth Token URL, should include the tenant ID
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ m365_defender:
+ enabled: true
+ # How often the API should be polled
+ #var.interval: 5m
+
+ # Oauth Client ID
+ #var.oauth2.client.id: ""
+
+ # Oauth Client Secret
+ #var.oauth2.client.secret: ""
+
+ # Oauth Token URL, should include the tenant ID
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ dhcp:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9515
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/salt/filebeat/modules/misp.yml.disabled b/salt/filebeat/modules/misp.yml.disabled
new file mode 100644
index 000000000..9a489fa0f
--- /dev/null
+++ b/salt/filebeat/modules/misp.yml.disabled
@@ -0,0 +1,17 @@
+# Module: misp
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-misp.html
+
+- module: misp
+ threat:
+ enabled: true
+ # API key to access MISP
+ #var.api_key
+
+ # Array object in MISP response
+ #var.http_request_body.limit: 1000
+
+ # URL of the MISP REST API
+ #var.url
+
+ # You can also pass SSL options. For example:
+ #var.ssl.verification_mode: none
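Review bot: `#var.oauth2.client.secret: ""` in both the defender_atp and m365_defender filesets invites the operator to paste an OAuth client secret straight into a file that lives under `salt/`, so once filled in the secret sits in the state tree and on every minion that receives it. I would change the example to a keystore reference, `#var.oauth2.client.secret: "${DEFENDER_CLIENT_SECRET}"`, with `# add it with: filebeat keystore add DEFENDER_CLIENT_SECRET` next to it, or render it from Pillar if that is how this tree handles secrets (not visible here). The dhcp fileset below shares the unauthenticated-UDP-syslog caveat of the other syslog templates and would benefit from the same one-line warning. This hunk's diff header is on the previous line.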
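Review bot: The only SSL example offered, `#var.ssl.verification_mode: none`, is the one that disables certificate verification, so an operator who uncomments it will send the MISP API key from `var.api_key` to whatever answers at `var.url`; the template teaches the insecure setting. Since the comment says any SSL option can be passed, change the example to the CA-pinning form, e.g. `#var.ssl.certificate_authorities: ["/etc/ssl/certs/misp-ca.pem"]`, and if `none` is kept at all, label it `# testing only - disables certificate validation`. A note that `var.api_key` should come from the Filebeat keystore rather than be written into this Salt-managed file would also be worth adding.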
diff --git a/salt/filebeat/modules/mongodb.yml.disabled b/salt/filebeat/modules/mongodb.yml.disabled new file mode 100644 index 000000000..266d2e4e8 --- /dev/null +++ b/salt/filebeat/modules/mongodb.yml.disabled @@ -0,0 +1,11 @@ +# Module: mongodb +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mongodb.html + +- module: mongodb + # All logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/mssql.yml.disabled b/salt/filebeat/modules/mssql.yml.disabled new file mode 100644 index 000000000..bfe4c6e64 --- /dev/null +++ b/salt/filebeat/modules/mssql.yml.disabled @@ -0,0 +1,11 @@ +# Module: mssql +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mssql.html + +- module: mssql + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*'] diff --git a/salt/filebeat/modules/mysql.yml.disabled b/salt/filebeat/modules/mysql.yml.disabled new file mode 100644 index 000000000..e6be4045b --- /dev/null +++ b/salt/filebeat/modules/mysql.yml.disabled @@ -0,0 +1,19 @@ +# Module: mysql +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysql.html + +- module: mysql + # Error logs + error: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Slow logs + slowlog: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/mysqlenterprise.yml.disabled b/salt/filebeat/modules/mysqlenterprise.yml.disabled new file mode 100644 index 000000000..37e10d0eb --- /dev/null 
+++ b/salt/filebeat/modules/mysqlenterprise.yml.disabled
@@ -0,0 +1,14 @@
+# Module: mysqlenterprise
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysqlenterprise.html
+
+- module: mysqlenterprise
+ audit:
+ enabled: true
+
+ # Sets the input type. Currently only supports file
+ #var.input: file
+
+ # Set paths for the log files when file input is used.
+ # Should only be used together with file input
+ # var.paths:
+ # - /home/user/mysqlauditlogs/audit.*.log
diff --git a/salt/filebeat/modules/nats.yml.disabled b/salt/filebeat/modules/nats.yml.disabled
new file mode 100644
index 000000000..65e44962d
--- /dev/null
+++ b/salt/filebeat/modules/nats.yml.disabled
@@ -0,0 +1,11 @@
+# Module: nats
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nats.html
+
+- module: nats
+ # All logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/netflow.yml.disabled b/salt/filebeat/modules/netflow.yml.disabled
new file mode 100644
index 000000000..781748b00
--- /dev/null
+++ b/salt/filebeat/modules/netflow.yml.disabled
@@ -0,0 +1,14 @@
+# Module: netflow
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netflow.html
+
+- module: netflow
+ log:
+ enabled: true
+ var:
+ netflow_host: localhost
+ netflow_port: 2055
+ # internal_networks specifies which networks are considered internal or private
+ # you can specify either a CIDR block or any of the special named ranges listed
+ # at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
+ internal_networks:
+ - private
diff --git a/salt/filebeat/modules/netscout.yml.disabled b/salt/filebeat/modules/netscout.yml.disabled
new file mode 100644
index 000000000..215349046
--- /dev/null
+++ b/salt/filebeat/modules/netscout.yml.disabled
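Review bot: `netflow_host: localhost` is an address no real exporter can reach, so the first thing an operator will do is change it to an interface address, and at that point UDP/2055 is an unauthenticated listener that accepts flow records from any source; unlike the syslog templates these values are uncommented and take effect as soon as the file is enabled. A comment next to it would help: `# netflow_host must be reachable by your exporters; NetFlow is unauthenticated UDP, so restrict 2055 to exporter addresses at the host firewall.` The `internal_networks: - private` default is a sensible starting point but is worth a note that it drives network.direction and should be narrowed to the site's actual ranges.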
@@ -0,0 +1,22 @@ +# Module: netscout +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netscout.html + +- module: netscout + sightline: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9502 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/nginx.yml.disabled b/salt/filebeat/modules/nginx.yml.disabled new file mode 100644 index 000000000..e2fa44a78 --- /dev/null +++ b/salt/filebeat/modules/nginx.yml.disabled @@ -0,0 +1,27 @@ +# Module: nginx +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nginx.html + +- module: nginx + # Access logs + access: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Error logs + error: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs + ingress_controller: + enabled: false + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/o365.yml.disabled b/salt/filebeat/modules/o365.yml.disabled new file mode 100644 index 000000000..578ff365d --- /dev/null +++ b/salt/filebeat/modules/o365.yml.disabled 
@@ -0,0 +1,48 @@
+# Module: o365
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-o365.html
+
+- module: o365
+ audit:
+ enabled: true
+
+ # Set the application_id (also known as client ID):
+ var.application_id: ""
+
+ # Configure the tenants to monitor:
+ # Use the tenant ID (also known as directory ID) and the domain name.
+ # var.tenants:
+ # - id: "tenant_id_1"
+ # name: "mydomain.onmicrosoft.com"
+ # - id: "tenant_id_2"
+ # name: "mycompany.com"
+ var.tenants:
+ - id: ""
+ name: "mytenant.onmicrosoft.com"
+
+ # List of content-types to fetch. By default all known content-types
+ # are retrieved:
+ # var.content_type:
+ # - "Audit.AzureActiveDirectory"
+ # - "Audit.Exchange"
+ # - "Audit.SharePoint"
+ # - "Audit.General"
+ # - "DLP.All"
+
+ # Use the following settings to enable certificate-based authentication:
+ # var.certificate: "/path/to/certificate.pem"
+ # var.key: "/path/to/private_key.pem"
+ # var.key_passphrase: "myPrivateKeyPassword"
+
+ # Client-secret based authentication:
+ # Comment the following line if using certificate authentication.
+ var.client_secret: ""
+
+ # Advanced settings, use with care:
+ # var.api:
+ # # Settings for custom endpoints:
+ # authentication_endpoint: "https://login.microsoftonline.us/"
+ # resource: "https://manage.office365.us"
+ #
+ # max_retention: 168h
+ # max_requests_per_minute: 2000
+ # poll_interval: 3m
diff --git a/salt/filebeat/modules/okta.yml.disabled b/salt/filebeat/modules/okta.yml.disabled
new file mode 100644
index 000000000..4fc943592
--- /dev/null
+++ b/salt/filebeat/modules/okta.yml.disabled
@@ -0,0 +1,10 @@
+# Module: okta
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-okta.html
+
+- module: okta
+ system:
+ enabled: true
+ # You must configure the URL with your Okta domain and provide an
+ # API token to access the logs API.
+ #var.url: https://yourOktaDomain/api/v1/logs
+ #var.api_key: 'yourApiTokenHere'
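Review bot: `var.application_id: ""`, the tenant `id: ""` and `var.client_secret: ""` are uncommented, so enabling the file as-is configures the audit fileset with empty credentials rather than leaving the settings absent, and filling in `var.client_secret` puts a live Azure AD client secret into this Salt-managed file. I would change it to `var.client_secret: "${O365_CLIENT_SECRET}"` read from the Filebeat keystore (or Pillar), and add a line pointing operators at the certificate-based block just above as the preferred option, since it avoids a shared secret altogether. The custom-endpoint example uses `login.microsoftonline.us` / `manage.office365.us`, which appear to be the US government cloud hosts; labelling them as such would stop them being mistaken for the commercial defaults.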
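Review bot: `#var.api_key: 'yourApiTokenHere'` shows the Okta API token being written into the config file itself; once an operator fills it in, a token that can read the entire system log lives in the Salt tree. Suggest the example read `#var.api_key: '${OKTA_API_TOKEN}'` with a comment that the token is loaded from the Filebeat keystore, and that the token should be issued to a read-only administrator rather than a full admin (the linked docs presumably state the minimum role; confirm before wording it).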
diff --git a/salt/filebeat/modules/oracle.yml.disabled b/salt/filebeat/modules/oracle.yml.disabled new file mode 100644 index 000000000..3bd576ee1 --- /dev/null +++ b/salt/filebeat/modules/oracle.yml.disabled @@ -0,0 +1,13 @@ +# Module: oracle +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-oracle.html + +- module: oracle + database_audit: + enabled: true + + # Set which input to use between syslog or file (default). + #var.input: file + + # Set paths for the log files when file input is used. + # Should only be used together with file input + # var.paths: /home/user/oracleauditlogs/*.aud diff --git a/salt/filebeat/modules/osquery.yml.disabled b/salt/filebeat/modules/osquery.yml.disabled new file mode 100644 index 000000000..7a9a09dd8 --- /dev/null +++ b/salt/filebeat/modules/osquery.yml.disabled @@ -0,0 +1,15 @@ +# Module: osquery +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-osquery.html + +- module: osquery + result: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # If true, all fields created by this module are prefixed with + # `osquery.result`. Set to false to copy the fields in the root + # of the document. The default is true. + #var.use_namespace: true diff --git a/salt/filebeat/modules/panw.yml.disabled b/salt/filebeat/modules/panw.yml.disabled new file mode 100644 index 000000000..eb094a25a --- /dev/null +++ b/salt/filebeat/modules/panw.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: panw +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-panw.html + +- module: panw + panos: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Set internal security zones. used to determine network.direction + # default "trust" + #var.internal_zones: + + # Set external security zones. used to determine network.direction + # default "untrust" + #var.external_zones: + diff --git a/salt/filebeat/modules/pensando.yml.disabled b/salt/filebeat/modules/pensando.yml.disabled new file mode 100644 index 000000000..66bd60d76 --- /dev/null +++ b/salt/filebeat/modules/pensando.yml.disabled @@ -0,0 +1,13 @@ +# Module: pensando +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-pensando.html + +- module: pensando +# Firewall logs + dfw: + enabled: true + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + # var.paths: diff --git a/salt/filebeat/modules/postgresql.yml.disabled b/salt/filebeat/modules/postgresql.yml.disabled new file mode 100644 index 000000000..804b7f34f --- /dev/null +++ b/salt/filebeat/modules/postgresql.yml.disabled @@ -0,0 +1,11 @@ +# Module: postgresql +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-postgresql.html + +- module: postgresql + # All logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/proofpoint.yml.disabled b/salt/filebeat/modules/proofpoint.yml.disabled new file mode 100644 index 000000000..9aeebd5fe --- /dev/null +++ b/salt/filebeat/modules/proofpoint.yml.disabled 
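Review bot: In the pensando hunk, `var.syslog_host: 0.0.0.0` and `var.syslog_port: 9001` under `dfw:` are left active, unlike every other module in this set, which keeps `var.syslog_host`/`var.syslog_port` commented so the listener stays on Elastic's `localhost` default until an operator chooses otherwise; renaming this file to `.yml` therefore opens a syslog listener on all interfaces of the Filebeat container with no further decision. Whether that is reachable from outside depends on how the so-filebeat container is networked, which this diff does not show. I would at least document the exposure next to the line, e.g. `# NOTE: 0.0.0.0 binds on every interface of the container; confirm port 9001 is not published beyond the sensor/syslog network`, or comment the two lines out to match the neighbouring modules if the module supplies a usable default.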
@@ -0,0 +1,22 @@ +# Module: proofpoint +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-proofpoint.html + +- module: proofpoint + emailsecurity: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9531 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/rabbitmq.yml.disabled b/salt/filebeat/modules/rabbitmq.yml.disabled new file mode 100644 index 000000000..e61a0a0c9 --- /dev/null +++ b/salt/filebeat/modules/rabbitmq.yml.disabled @@ -0,0 +1,11 @@ +# Module: rabbitmq +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-rabbitmq.html + +- module: rabbitmq + # All logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] diff --git a/salt/filebeat/modules/radware.yml.disabled b/salt/filebeat/modules/radware.yml.disabled new file mode 100644 index 000000000..f9ab3e519 --- /dev/null +++ b/salt/filebeat/modules/radware.yml.disabled @@ -0,0 +1,22 @@ +# Module: radware +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-radware.html + +- module: radware + defensepro: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9518 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/salt/filebeat/modules/redis.yml.disabled b/salt/filebeat/modules/redis.yml.disabled new file mode 100644 index 000000000..9b621dc2d --- /dev/null +++ b/salt/filebeat/modules/redis.yml.disabled @@ -0,0 +1,21 @@ +# Module: redis +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-redis.html + +- module: redis + # Main logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: ["/var/log/redis/redis-server.log*"] + + # Slow logs, retrieved via the Redis API (SLOWLOG) + slowlog: + enabled: true + + # The Redis hosts to connect to. + #var.hosts: ["localhost:6379"] + + # Optional, the password to use when connecting to Redis. + #var.password: diff --git a/salt/filebeat/modules/santa.yml.disabled b/salt/filebeat/modules/santa.yml.disabled new file mode 100644 index 000000000..1a7363547 --- /dev/null +++ b/salt/filebeat/modules/santa.yml.disabled @@ -0,0 +1,9 @@ +# Module: santa +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-santa.html + +- module: santa + log: + enabled: true + # Set custom paths for the log files. If left empty, + # Filebeat will choose the the default path. + #var.paths: diff --git a/salt/filebeat/modules/snort.yml.disabled b/salt/filebeat/modules/snort.yml.disabled new file mode 100644 index 000000000..8c9bcc471 --- /dev/null +++ b/salt/filebeat/modules/snort.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: snort +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snort.html + +- module: snort + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9532 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/snyk.yml.disabled b/salt/filebeat/modules/snyk.yml.disabled new file mode 100644 index 000000000..0b13f8155 --- /dev/null +++ b/salt/filebeat/modules/snyk.yml.disabled 
@@ -0,0 +1,112 @@ +# Module: snyk +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snyk.html + +- module: snyk + audit: + enabled: true + + # Set which input to use between httpjson (default) or file. + #var.input: httpjson + # + # What audit type to collect, can be either "group" or "organization". + #var.audit_type: organization + # + # The ID related to the audit_type. If audit type is group, then this value should be + # the group ID and if it is organization it should be the organization ID to collect from. + #var.audit_id: 1235432-asdfdf-2341234-asdgjhg + + # How often the API should be polled, defaults to 1 hour. + #var.interval: 1h + # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc). + #var.first_interval: 24h + + # The API token that is created for a specific user, found in the Snyk management dashboard. + #var.api_token: + + # Event filtering. + # All configuration items below is OPTIONAL and the default options will be overwritten + # for each entry that is not commented out. + + # Will return only logs for this specific project. + #var.project_id: "" + # User public ID. Will fetch only audit logs originated from this user's actions. + #var.user_id: "" + # Will return only logs for this specific event. + #var.event: "" + # User email address. Will fetch only audit logs originated from this user's actions. + #var.email_address: "" + + vulnerabilities: + enabled: true + + # Set which input to use between httpjson (default) or file. + #var.input: httpjson + + # How often the API should be polled. Data from the Snyk API is automatically updated + # once per day, so the default interval is 24 hours. + #var.interval: 24h + + # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc). + #var.first_interval: 24h + + # The API token that is created for a specific user, found in the Snyk management dashboard. 
+ #var.api_token: + + # The list of org IDs to filter the results by. + # One organization ID per line, starting with a - sign + #var.orgs: + # - 12354-asdfdf-123543-asdsdfg + # - 76554-jhggfd-654342-hgrfasd + + + # Event filtering. + # All configuration items below is OPTIONAL and the default options will be overwritten + # for each entry that is not commented out. + + # The severity levels of issues to filter the results by. + #var.included_severity: + # - high + # - medium + # - low + # + # The exploit maturity levels of issues to filter the results by. + #var.exploit_maturity: + # - mature + # - proof-of-concept + # - no-known-exploit + # - no-data + # + # The type of issues to filter the results by. + #var.types: + # - vuln + # - license + # + # The type of languages to filter the results by. + #var.languages: + # - javascript + # - ruby + # - java + # - scala + # - python + # - golang + # - php + # - dotnet + # - swift + # - docker + # + # Search term to filter issue name by, or an exact CVE or CWE. + #var.identifier: + # - "" + # + # If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored. + #var.ignored: false + #var.patched: false + #var.fixable: false + #var.is_fixed: false + #var.is_patchable: false + #var.is_pinnable: false + # + # The priority score ranging between 0-1000 + #var.min_priority_score: 0 + #var.max_priority_score: 1000 + diff --git a/salt/filebeat/modules/sonicwall.yml.disabled b/salt/filebeat/modules/sonicwall.yml.disabled new file mode 100644 index 000000000..de457109d --- /dev/null +++ b/salt/filebeat/modules/sonicwall.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: sonicwall +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sonicwall.html + +- module: sonicwall + firewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9519 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/sophos.yml.disabled b/salt/filebeat/modules/sophos.yml.disabled new file mode 100644 index 000000000..8fc346540 --- /dev/null +++ b/salt/filebeat/modules/sophos.yml.disabled 
@@ -0,0 +1,46 @@ +# Module: sophos +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sophos.html + +- module: sophos + xg: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostname + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + #- serial_number: "1234567890123457" + # hostname: "a.host.local" + #- serial_number: "1234234590678557" + # hostname: "b.host.local" + + + utm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9533 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/squid.yml.disabled b/salt/filebeat/modules/squid.yml.disabled new file mode 100644 index 000000000..a47807253 --- /dev/null +++ b/salt/filebeat/modules/squid.yml.disabled @@ -0,0 +1,22 @@ +# Module: squid +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-squid.html + +- module: squid + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9520 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/salt/filebeat/modules/suricata.yml.disabled b/salt/filebeat/modules/suricata.yml.disabled new file mode 100644 index 000000000..1edd3f832 --- /dev/null +++ b/salt/filebeat/modules/suricata.yml.disabled @@ -0,0 +1,11 @@ +# Module: suricata +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html + +- module: suricata + # All logs + eve: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/system.yml.disabled b/salt/filebeat/modules/system.yml.disabled new file mode 100644 index 000000000..d633bac04 --- /dev/null +++ b/salt/filebeat/modules/system.yml.disabled @@ -0,0 +1,19 @@ +# Module: system +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-system.html + +- module: system + # Syslog + syslog: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Authorization logs + auth: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/threatintel.yml.disabled b/salt/filebeat/modules/threatintel.yml.disabled new file mode 100644 index 000000000..b461d91e2 --- /dev/null +++ b/salt/filebeat/modules/threatintel.yml.disabled 
@@ -0,0 +1,105 @@ +# Module: threatintel +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-threatintel.html + +- module: threatintel + abuseurl: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ + + # The interval to poll the API for updates. + var.interval: 10m + + abusemalware: + enabled: true + + # Input used for ingesting threat intel data. + var.input: httpjson + + # The URL used for Threat Intel API calls. + var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ + + # The interval to poll the API for updates. + var.interval: 10m + + misp: + enabled: true + + # Input used for ingesting threat intel data, defaults to JSON. + var.input: httpjson + + # The URL of the MISP instance, should end with "/events/restSearch". + var.url: https://SERVER/events/restSearch + + # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI. + var.api_token: API_KEY + + # Configures the type of SSL verification done, if MISP is running on self signed certificates + # then the certificate would either need to be trusted, or verification_mode set to none. + #var.ssl.verification_mode: none + + # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. + # For examples please reference the filebeat module documentation. + #var.filters: + # - threat_level: [4, 5] + # - to_ids: true + + # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer + # than the last event that was already ingested. + var.first_interval: 300h + + # The interval to poll the API for updates. 
+ var.interval: 5m + + otx: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for OTX Threat Intel API calls. + var.url: https://otx.alienvault.com/api/v1/indicators/export + + # The authentication token used to contact the OTX API, can be found on the OTX UI. + var.api_token: API_KEY + + # Optional filters that can be applied to retrieve only specific indicators. + #var.types: "domain,IPv4,hostname,url,FileHash-SHA256" + + # The timeout of the HTTP client connecting to the OTX API + #var.http_client_timeout: 120s + + # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module. + var.lookback_range: 1h + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 400h + + # The interval to poll the API for updates + var.interval: 5m + + anomali: + enabled: true + + # Input used for ingesting threat intel data + var.input: httpjson + + # The URL used for Threat Intel API calls. Limo has multiple different possibilities for URL's depending + # on the type of threat intel source that is needed. + var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects + + # The Username used by anomali Limo, defaults to guest. + #var.username: guest + + # The password used by anomali Limo, defaults to guest. + #var.password: guest + + # How far back to look once the beat starts up for the first time, the value has to be in hours. + var.first_interval: 400h + + # The interval to poll the API for updates + var.interval: 5m diff --git a/salt/filebeat/modules/tomcat.yml.disabled b/salt/filebeat/modules/tomcat.yml.disabled new file mode 100644 index 000000000..84f4619d5 --- /dev/null +++ b/salt/filebeat/modules/tomcat.yml.disabled 
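Review bot: The `misp` and `otx` filesets leave `var.api_token: API_KEY` and `var.url: https://SERVER/events/restSearch` as live settings rather than commented examples, so enabling this file unedited makes Filebeat poll a placeholder host with a placeholder token every 5 minutes, and once real values are filled in the tokens live in plaintext in a Salt-managed file that is bind-mounted into the container. Consider adding a warning at the top of these filesets such as `# Do not commit real tokens here; source var.api_token from pillar or the Filebeat keystore` (sourcing from pillar would require rendering these module files as templates, which the accompanying state does not do). The comment above `#var.ssl.verification_mode: none` offers disabling certificate verification as an equal alternative to trusting the MISP certificate; since the API token rides on that connection, I would reword it to recommend adding the MISP CA via `ssl.certificate_authorities` and reserve `none` for lab testing. The anomali fileset's `guest`/`guest` defaults are public shared credentials, which is fine for Limo but worth a one-line note so nobody assumes the feed is authenticated.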
@@ -0,0 +1,22 @@ +# Module: tomcat +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-tomcat.html + +- module: tomcat + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9501 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/salt/filebeat/modules/traefik.yml.disabled b/salt/filebeat/modules/traefik.yml.disabled new file mode 100644 index 000000000..657d5ccd9 --- /dev/null +++ b/salt/filebeat/modules/traefik.yml.disabled @@ -0,0 +1,11 @@ +# Module: traefik +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-traefik.html + +- module: traefik + # Access logs + access: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/zeek.yml.disabled b/salt/filebeat/modules/zeek.yml.disabled new file mode 100644 index 000000000..0667c6e35 --- /dev/null +++ b/salt/filebeat/modules/zeek.yml.disabled 
@@ -0,0 +1,84 @@ +# Module: zeek +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html + +- module: zeek + capture_loss: + enabled: true + connection: + enabled: true + dce_rpc: + enabled: true + dhcp: + enabled: true + dnp3: + enabled: true + dns: + enabled: true + dpd: + enabled: true + files: + enabled: true + ftp: + enabled: true + http: + enabled: true + intel: + enabled: true + irc: + enabled: true + kerberos: + enabled: true + modbus: + enabled: true + mysql: + enabled: true + notice: + enabled: true + ntlm: + enabled: true + ocsp: + enabled: true + pe: + enabled: true + radius: + enabled: true + rdp: + enabled: true + rfb: + enabled: true + signature: + enabled: true + sip: + enabled: true + smb_cmd: + enabled: true + smb_files: + enabled: true + smb_mapping: + enabled: true + smtp: + enabled: true + snmp: + enabled: true + socks: + enabled: true + ssh: + enabled: true + ssl: + enabled: true + stats: + enabled: true + syslog: + enabled: true + traceroute: + enabled: true + tunnel: + enabled: true + weird: + enabled: true + x509: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/salt/filebeat/modules/zoom.yml.disabled b/salt/filebeat/modules/zoom.yml.disabled new file mode 100644 index 000000000..15fa9d4b2 --- /dev/null +++ b/salt/filebeat/modules/zoom.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: zoom +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zoom.html + +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN diff --git a/salt/filebeat/modules/zscaler.yml.disabled b/salt/filebeat/modules/zscaler.yml.disabled new file mode 100644 index 000000000..accdec9ea --- /dev/null +++ b/salt/filebeat/modules/zscaler.yml.disabled @@ -0,0 +1,22 @@ +# Module: zscaler +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zscaler.html + +- module: zscaler + zia: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9521 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local From 37929dbd7d09d0da03919541c792eb0cefa25fde Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Thu, 6 May 2021 13:54:28 +0000 Subject: [PATCH 02/59] Add additional config for Filebeat modules --- pillar/zeek/init.sls | 3 +- salt/filebeat/etc/filebeat.yml | 78 ----------------- salt/filebeat/init.sls | 23 +++++ salt/filebeat/modules/suricata.yml.disabled | 11 --- salt/filebeat/modules/zeek.yml.disabled | 84 ------------------- .../config/so/9000_output_zeek.conf.jinja | 27 +++--- .../config/so/9400_output_suricata.conf.jinja | 6 +- 7 files changed, 41 insertions(+), 191 deletions(-) delete mode 100644 salt/filebeat/modules/suricata.yml.disabled delete mode 100644 salt/filebeat/modules/zeek.yml.disabled diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls index 30a59284a..5eeb273b9 100644 --- a/pillar/zeek/init.sls +++ b/pillar/zeek/init.sls @@ -52,5 +52,4 @@ zeek: - frameworks/signatures/detect-windows-shells redef: - LogAscii::use_json = T; - - LogAscii::json_timestamps = JSON::TS_ISO8601; - - CaptureLoss::watch_interval = 5 mins; \ No newline at end of file + - CaptureLoss::watch_interval = 5 mins; diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 0f7c9c778..bd72bc583 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -105,84 +105,6 @@ filebeat.inputs: fields_under_root: true {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} - {%- if ZEEKVER != 'SURICATA' %} - {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} -- type: log - paths: - - /nsm/zeek/logs/current/{{ LOGNAME }}.log - fields: - module: zeek - dataset: {{ LOGNAME }} - category: network - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: true - close_removed: false - -- type: log - paths: - - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log - fields: - module: zeek - dataset: {{ LOGNAME }} - category: network - imported: true - processors: - - add_tags: - tags: ["import"] - - dissect: - tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" - field: "log.file.path" - target_prefix: "" - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - {%- endfor %} - {%- endif %} - -- type: log - paths: - - /nsm/suricata/eve*.json - fields: - module: suricata - dataset: common - category: network - - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - -- type: log - paths: - - /nsm/import/*/suricata/eve*.json - fields: - module: suricata - dataset: common - category: network - imported: true - processors: - - add_tags: - tags: ["import"] - - dissect: - tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" - field: "log.file.path" - target_prefix: "" - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false {%- if STRELKAENABLED == 1 %} - type: log diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 64cdc47fc..8ab200276 100644 
--- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -26,6 +26,12 @@ filebeatetcdir: - user: 939 - group: 939 - makedirs: True +filebeatmoduledir: + file.directory: + - name: /opt/so/conf/filebeat/modules + - user: root + - group: root + - makedirs: True filebeatlogdir: file.directory: - name: /opt/so/log/filebeat @@ -55,6 +61,21 @@ filebeatconfsync: - defaults: INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }} OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} +# Filebeat module config file +filebeatmoduleconfsync: + file.managed: + - name: /opt/so/conf/filebeat/etc/module-setup.yml + - source: salt://filebeat/etc/module-setup.yml + - user: root + - group: root + - template: jinja +# Sync Filebeat modules +filebeatmodules: + file.recurse: + - name: /opt/so/conf/filebeat/modules + - source: salt://filebeat/modules + - user: root + - group: root so-filebeat: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }} @@ -65,8 +86,10 @@ so-filebeat: - /nsm:/nsm:ro - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro + - /opt/so/conf/filebeat/etc/module-setup.yml:/usr/share/filebeat/module-setup.yml:ro - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro - /nsm/wazuh/logs/archives:/wazuh/archives:ro + - /opt/so/conf/filebeat/modules:/usr/share/filebeat/modules.d - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /opt/so/conf/filebeat/registry:/usr/share/filebeat/data/registry:rw diff --git a/salt/filebeat/modules/suricata.yml.disabled b/salt/filebeat/modules/suricata.yml.disabled deleted file mode 100644 index 1edd3f832..000000000 --- a/salt/filebeat/modules/suricata.yml.disabled +++ /dev/null 
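Review bot: The new bind mount `/opt/so/conf/filebeat/modules:/usr/share/filebeat/modules.d` in the `so-filebeat` volumes list is the only configuration mount without a `:ro` suffix; `filebeat.yml`, `module-setup.yml` and the PKI files beside it are all read-only. Module files decide what Filebeat listens on and which hosts it talks to, so a compromised container could rewrite its own inputs on the host, while Filebeat only needs to read them. Change the line to `- /opt/so/conf/filebeat/modules:/usr/share/filebeat/modules.d:ro`. Separately, `filebeatmodules` uses `file.recurse` without `clean: True`, so a module file removed from the Salt tree (as this series does for `zeek.yml.disabled`) will linger on already-deployed minions; whether that is intended is not clear from the diff.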
@@ -1,11 +0,0 @@ -# Module: suricata -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html - -- module: suricata - # All logs - eve: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/zeek.yml.disabled b/salt/filebeat/modules/zeek.yml.disabled deleted file mode 100644 index 0667c6e35..000000000 --- a/salt/filebeat/modules/zeek.yml.disabled +++ /dev/null @@ -1,84 +0,0 @@ -# Module: zeek -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html - -- module: zeek - capture_loss: - enabled: true - connection: - enabled: true - dce_rpc: - enabled: true - dhcp: - enabled: true - dnp3: - enabled: true - dns: - enabled: true - dpd: - enabled: true - files: - enabled: true - ftp: - enabled: true - http: - enabled: true - intel: - enabled: true - irc: - enabled: true - kerberos: - enabled: true - modbus: - enabled: true - mysql: - enabled: true - notice: - enabled: true - ntlm: - enabled: true - ocsp: - enabled: true - pe: - enabled: true - radius: - enabled: true - rdp: - enabled: true - rfb: - enabled: true - signature: - enabled: true - sip: - enabled: true - smb_cmd: - enabled: true - smb_files: - enabled: true - smb_mapping: - enabled: true - smtp: - enabled: true - snmp: - enabled: true - socks: - enabled: true - ssh: - enabled: true - ssl: - enabled: true - stats: - enabled: true - syslog: - enabled: true - traceroute: - enabled: true - tunnel: - enabled: true - weird: - enabled: true - x509: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index d17dc2b22..da798a79d 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja 
+++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,19 +1,20 @@ -{%- if grains['role'] == 'so-eval' -%} +%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} output { - if [module] =~ "zeek" and "import" not in [tags] { - elasticsearch { - pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" - index => "so-zeek" - template_name => "so-zeek" - template => "/templates/so-zeek-template.json" - template_overwrite => true - ssl => true - ssl_certificate_verification => false - } - } + if [event][module] == 'zeek' { + elasticsearch { + id => "zeek_logs" + pipeline => "filebeat-%{[agent][version]}-zeek-%{[fileset][name]}-pipeline" + hosts => "{{ ES }}" + index => "so-zeek-%{+YYYY.MM.dd}" + template_name => "so-common" + template => "/templates/so-common-template.json" + template_overwrite => true + ssl => true + ssl_certificate_verification => false + } + } } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 5013bafc1..258781f29 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -4,12 +4,12 @@ {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} output { - if [module] =~ "suricata" and "import" not in [tags] { + if [event][module] =~ "suricata" and "import" not in [tags] { elasticsearch { - pipeline => "%{module}.%{dataset}" + pipeline => "filebeat-%{[agent][version]}-suricata-%{[fileset][name]}-pipeline" hosts => "{{ ES }}" index => "so-ids" - template_name => "so-ids" + template_name => "so-ids" template => "/templates/so-ids-template.json" ssl => true ssl_certificate_verification => false From 1b749cf004979b6cd8fc25959ea4d937b9b656fd Mon Sep 17 00:00:00 2001 
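Review bot: The first changed line of 9000_output_zeek.conf.jinja drops the opening brace: the old side reads `{%- if grains['role'] == 'so-eval' -%}` but the new side reads `%- if grains['role'] == 'so-eval' -%}`. Unless this is an artifact of how the patch was captured, Jinja will emit that text literally and then fail on the following `{%- else %}` with no open `if`, so the Logstash Zeek output will not render on any node; restore `{%- if grains['role'] == 'so-eval' -%}`. Also, the new condition `if [event][module] == 'zeek' {` no longer excludes `"import" in [tags]`, while the Suricata output in the same commit keeps that exclusion; if imported PCAP events are meant to keep their separate output, this should be `if [event][module] == 'zeek' and "import" not in [tags] {`.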
From: Wes Lambert Date: Thu, 6 May 2021 13:55:07 +0000 Subject: [PATCH 03/59] Additional config --- .../tools/sbin/so-filebeat-module-setup | 56 +++++++++++++++++++ salt/filebeat/etc/module-setup.yml | 10 ++++ 2 files changed, 66 insertions(+) create mode 100755 salt/common/tools/sbin/so-filebeat-module-setup create mode 100644 salt/filebeat/etc/module-setup.yml diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup new file mode 100755 index 000000000..a42b0ac80 --- /dev/null +++ b/salt/common/tools/sbin/so-filebeat-module-setup 
@@ -0,0 +1,56 @@
+{%- set mainint = salt['pillar.get']('host:mainint') %}
+{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
+
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+default_conf_dir=/opt/so/conf
+ELASTICSEARCH_HOST="{{ MYIP }}"
+ELASTICSEARCH_PORT=9200
+#ELASTICSEARCH_AUTH=""
+
+# Define a default directory to load pipelines from
+FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"
+
+if [ "$1" == "" ]; then
+ echo "No module supplied. Exiting..."
+else
+ # Wait for ElasticSearch to initialize
+ echo -n "Waiting for ElasticSearch..."
+ COUNT=0
+ ELASTICSEARCH_CONNECTED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ echo "connected!"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ fi
+
+ echo "Setting up ingest pipeline(s) for $1..."
+ docker exec -it so-filebeat filebeat setup modules -pipelines -modules $1 -c $FB_MODULE_YML
+fi
+
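Review bot: The timeout branch only prints the diagnostic and falls through, so when `ELASTICSEARCH_CONNECTED` is still `no` after 240 attempts the script goes on to run `docker exec ... filebeat setup` against an Elasticsearch it could not reach; add `exit 1` after the final `echo` inside that `if` block. The two `{%- set ... %}` tags precede `#!/bin/bash`, and unless the renderer strips their trailing newlines the shebang will not be on line 1 of the rendered script; `{%- set mainint = salt['pillar.get']('host:mainint') -%}` and `{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] -%}` keep it there. `docker exec -it` allocates a TTY and fails with "the input device is not a TTY" when invoked non-interactively (for example from a Salt state or cron), so drop `-t` unless the script is only ever run from a terminal, and quote the module argument as `-modules "$1"`.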
diff --git a/salt/filebeat/etc/module-setup.yml b/salt/filebeat/etc/module-setup.yml new file mode 100644 index 000000000..431e432b3 --- /dev/null +++ b/salt/filebeat/etc/module-setup.yml @@ -0,0 +1,10 @@ +{%- if grains['role'] in ['so-managersearch', 'so-heavynode', 'so-node'] %} +{%- set MANAGER = salt['grains.get']('host' '') %} +{%- else %} +{%- set MANAGER = salt['grains.get']('master') %} +{%- endif %} + +output.elasticsearch: + enabled: true + hosts: ["https://{{ MANAGER }}:9200"] + ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] From ee92ba20b04a025eb4e75d49000930724bd772c0 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 6 May 2021 13:56:39 +0000 Subject: [PATCH 04/59] Add modules path reference --- salt/filebeat/etc/filebeat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index bd72bc583..46a59f772 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -71,7 +71,13 @@ logging.files: # Set to true to log messages in json format. #logging.json: false + + #========================== Modules configuration ============================ +filebeat.config.modules: + enabled: true + path: ${path.config}/modules.d/*.yml + filebeat.modules: #=========================== Filebeat prospectors ============================= From 728d1f75406be60b5acda5a8eeb6a0b038a8950a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 6 May 2021 14:06:17 +0000 Subject: [PATCH 05/59] Make Zeek and Suricata great again --- salt/filebeat/modules/suricata.yml | 12 +++ salt/filebeat/modules/zeek.yml | 122 +++++++++++++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 salt/filebeat/modules/suricata.yml create mode 100644 salt/filebeat/modules/zeek.yml diff --git a/salt/filebeat/modules/suricata.yml b/salt/filebeat/modules/suricata.yml new file mode 100644 index 000000000..b7cc11e85 --- /dev/null +++ b/salt/filebeat/modules/suricata.yml 
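Review bot: `salt['grains.get']('host' '')` in module-setup.yml is missing a comma, so the two literals are concatenated and `grains.get` is called with the single argument `'host'` and no default; it works only by accident and should read `{%- set MANAGER = salt['grains.get']('host', '') %}`. If that grain were ever empty the file would silently produce `hosts: ["https://:9200"]`, so a default that makes the failure visible in the rendered file is preferable to `''`. The `ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]` line is the right shape — it verifies the Elasticsearch endpoint against the deployment's own CA rather than disabling verification as the Logstash outputs do.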
@@ -0,0 +1,12 @@
+# Module: suricata
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
+
+- module: suricata
+ # All logs
+ eve:
+ enabled: true
+ var.paths: ["/nsm/suricata/eve*.json"]
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/salt/filebeat/modules/zeek.yml b/salt/filebeat/modules/zeek.yml
new file mode 100644
index 000000000..9fd61c448
--- /dev/null
+++ b/salt/filebeat/modules/zeek.yml
@@ -0,0 +1,122 @@ +# Module: zeek +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html + +- module: zeek + capture_loss: + enabled: false + var.paths: ["/nsm/zeek/logs/current/capture_loss.log"] + connection: + enabled: true + var.paths: ["/nsm/zeek/logs/current/conn.log"] + dce_rpc: + enabled: true + var.paths: ["/nsm/zeek/logs/current/dce_rpc.log"] + dhcp: + enabled: true + var.paths: ["/nsm/zeek/logs/current/dhcp.log"] + dnp3: + enabled: true + var.paths: ["/nsm/zeek/logs/current/dnp3.log"] + dns: + enabled: true + var.paths: ["/nsm/zeek/logs/current/dns.log"] + dpd: + enabled: true + var.paths: ["/nsm/zeek/logs/current/dpd.log"] + files: + enabled: true + var.paths: ["/nsm/zeek/logs/current/files.log"] + ftp: + enabled: true + var.paths: ["/nsm/zeek/logs/current/ftp.log"] + http: + enabled: true + var.paths: ["/nsm/zeek/logs/current/http.log"] + intel: + enabled: true + var.paths: ["/nsm/zeek/logs/current/intel.log"] + irc: + enabled: true + var.paths: ["/nsm/zeek/logs/current/irc.log"] + kerberos: + enabled: true + var.paths: ["/nsm/zeek/logs/current/kerberos.log"] + modbus: + enabled: true + var.paths: ["/nsm/zeek/logs/current/modbus.log"] + mysql: + enabled: true + var.paths: ["/nsm/zeek/logs/current/mysql.log"] + notice: + enabled: true + var.paths: ["/nsm/zeek/logs/current/notice.log"] + ntlm: + enabled: true + var.paths: ["/nsm/zeek/logs/current/ntlm.log"] + ocsp: + enabled: true + var.paths: ["/nsm/zeek/logs/current/oscp.log"] + pe: + enabled: true + var.paths: ["/nsm/zeek/logs/current/pe.log"] + radius: + enabled: true + var.paths: ["/nsm/zeek/logs/current/radius.log"] + rdp: + enabled: true + var.paths: ["/nsm/zeek/logs/current/rdp.log"] + rfb: + enabled: true + var.paths: ["/nsm/zeek/logs/current/rfb.log"] + signature: + enabled: true + var.paths: ["/nsm/zeek/logs/current/signature.log"] + sip: + enabled: true + var.paths: ["/nsm/zeek/logs/current/sip.log"] + smb_cmd: + enabled: true + var.paths: 
["/nsm/zeek/logs/current/smb_cmd.log"] + smb_files: + enabled: true + var.paths: ["/nsm/zeek/logs/current/smb_files.log"] + smb_mapping: + enabled: true + var.paths: ["/nsm/zeek/logs/current/smb_mapping.log"] + smtp: + enabled: true + var.paths: ["/nsm/zeek/logs/current/smtp.log"] + snmp: + enabled: true + var.paths: ["/nsm/zeek/logs/current/snmp.log"] + socks: + enabled: true + var.paths: ["/nsm/zeek/logs/current/socks.log"] + ssh: + enabled: true + var.paths: ["/nsm/zeek/logs/current/ssh.log"] + ssl: + enabled: true + var.paths: ["/nsm/zeek/logs/current/ssl.log"] + stats: + enabled: false + var.paths: ["/nsm/zeek/logs/current/stats.log"] + syslog: + enabled: false + var.paths: ["/nsm/zeek/logs/current/syslog.log"] + traceroute: + enabled: false + var.paths: ["/nsm/zeek/logs/current/traceroute.log.log"] + tunnel: + enabled: true + var.paths: ["/nsm/zeek/logs/current/tunnel.log"] + weird: + enabled: true + var.paths: ["/nsm/zeek/logs/current/weird.log"] + x509: + enabled: true + var.paths: ["/nsm/zeek/logs/current/x509.log"] + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: From 01a121e0298243dc664be36caa2661b13b9bc020 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 10 May 2021 15:29:50 -0400 Subject: [PATCH 06/59] Add defaults.yml --- salt/filebeat/thirdpartydefaults.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 salt/filebeat/thirdpartydefaults.yml diff --git a/salt/filebeat/thirdpartydefaults.yml b/salt/filebeat/thirdpartydefaults.yml new file mode 100644 index 000000000..9e5fef988 --- /dev/null +++ b/salt/filebeat/thirdpartydefaults.yml 
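Review bot: Two fileset paths in the new zeek.yml do not follow the `<fileset>.log` pattern every other entry uses: `ocsp` points at `/nsm/zeek/logs/current/oscp.log` (transposed letters) and `traceroute` at `/nsm/zeek/logs/current/traceroute.log.log` (doubled suffix), so those filesets would never match a file even when enabled. They should read `var.paths: ["/nsm/zeek/logs/current/ocsp.log"]` and `var.paths: ["/nsm/zeek/logs/current/traceroute.log"]`. A short header comment stating that every path is expected to be `<fileset>.log` under `/nsm/zeek/logs/current/` would make future outliers easy to spot in review.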
@@ -0,0 +1,17 @@ +thirtd_party_filebeat: + modules: + fortinet: + firewall: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9004 + clientendpoint: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9510 + fortimail: + enabled: false + var.input: udp + var.syslog_port: 9350 \ No newline at end of file From efc028d0a55b39a39ea484cb9c1a5cd425e63dd6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 May 2021 18:08:47 -0400 Subject: [PATCH 07/59] handle the docker port bindings for filebeat modules --- salt/filebeat/init.sls | 9 +++++++++ salt/filebeat/map.jinja | 2 ++ salt/filebeat/thirdpartydefaults.yml | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 salt/filebeat/map.jinja diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 8ab200276..eb4dc116a 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -20,6 +20,8 @@ {% set LOCALHOSTIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set MANAGER = salt['grains.get']('master') %} {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} +{% from 'filebeat/map.jinja' import THIRDPARTY with context %} + filebeatetcdir: file.directory: - name: /opt/so/conf/filebeat/etc @@ -98,6 +100,13 @@ so-filebeat: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp - 0.0.0.0:5066:5066/tcp +{% for module in THIRDPARTY.modules.keys() %} + {% for submodule in THIRDPARTY.modules[module] %} + {% if THIRDPARTY.modules[module][submodule].enabled %} + - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/{{ THIRDPARTY.modules[module][submodule]["var.input"] }} + {% endif %} + {% endfor %} +{% endfor %} - watch: - file: /opt/so/conf/filebeat/etc/filebeat.yml diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja new file mode 100644 index 000000000..668889227 
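Review bot: The top-level key in thirdpartydefaults.yml is misspelled `thirtd_party_filebeat:`; any consumer that looks up `third_party_filebeat` (the name map.jinja uses later in this series) gets nothing, so it should read `third_party_filebeat:`. The `fortimail` fileset also omits `var.syslog_host` while `firewall` and `clientendpoint` set it to `0.0.0.0`, so either add `var.syslog_host: 0.0.0.0` there or document at the top of the file that the consumer supplies that default.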
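Review bot: The port-binding loop added to `so-filebeat` in init.sls indexes `["var.syslog_port"]` and `["var.input"]` unconditionally for every enabled fileset, but not every entry in the defaults carries those keys (`var.syslog_host` is already tolerated via `.get`, and filesets such as `netflow.log` in the later thirdpartydefaults.yaml use `var.netflow_port` with no `var.input`), so enabling one of those would render an empty or malformed `host::/` mapping or fail the render, depending on how Salt treats undefined Jinja values. Guard the entry, e.g. `{% if THIRDPARTY.modules[module][submodule].enabled and 'var.syslog_port' in THIRDPARTY.modules[module][submodule] %}`. Publishing every syslog listener on `0.0.0.0` by default also exposes each enabled collector on every host interface; that is a reasonable default for a sensor but deserves a comment above the loop so operators on multi-homed managers know to override `var.syslog_host` in pillar.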
--- /dev/null +++ b/salt/filebeat/map.jinja @@ -0,0 +1,2 @@ +{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %} +{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} \ No newline at end of file diff --git a/salt/filebeat/thirdpartydefaults.yml b/salt/filebeat/thirdpartydefaults.yml index 9e5fef988..1e2eb8c23 100644 --- a/salt/filebeat/thirdpartydefaults.yml +++ b/salt/filebeat/thirdpartydefaults.yml @@ -1,4 +1,4 @@ -thirtd_party_filebeat: +third_party_filebeat: modules: fortinet: firewall: From 4012a8276c93e3b6dcf9ff3c22e3085910c5d249 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 11 May 2021 12:22:25 -0400 Subject: [PATCH 08/59] add template for module .yml file --- salt/filebeat/etc/thirdparty.yml.jinja | 16 ++++++++++++++++ salt/filebeat/init.sls | 16 ++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 salt/filebeat/etc/thirdparty.yml.jinja diff --git a/salt/filebeat/etc/thirdparty.yml.jinja b/salt/filebeat/etc/thirdparty.yml.jinja new file mode 100644 index 000000000..8c081828e --- /dev/null +++ b/salt/filebeat/etc/thirdparty.yml.jinja @@ -0,0 +1,16 @@ +# DO NOT EDIT THIS FILE +{% for module in THIRDPARTY.modules.keys() -%} +- module: {{ module }} + {%- for fileset in THIRDPARTY.modules[module] %} + {{ fileset }}: + enabled: {{ THIRDPARTY.modules[module][fileset].enabled }} + {#- only manage the settings if the fileset is enabled #} + {%- if THIRDPARTY.modules[module][fileset].enabled %} + {%- for var, value in THIRDPARTY.modules[module][fileset].items() %} + {%- if var|lower != 'enabled' %} + {{ var }}: {{ value }} + {%- endif %} + {%- endfor %} + {%- endif %} + {%- endfor %} +{% endfor %} \ No newline at end of file diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index eb4dc116a..b3bce806c 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
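Review bot: `import_yaml 'filebeat/thirdpartydefaults.yaml'` does not match the file this series created as `salt/filebeat/thirdpartydefaults.yml` — the same file this commit edits under its `.yml` name — so the import fails until the path or the filename is corrected; `{% import_yaml 'filebeat/thirdpartydefaults.yml' as TPDEFAULTS %}` matches the tree as it exists at this commit. The `pillar.get` with `merge=True` is what lets an operator enable a listener from pillar alone, which is the intended override path and worth a one-line comment at the top of map.jinja, e.g. `{# pillar filebeat:third_party_filebeat is deep-merged over thirdpartydefaults; set <module>.<fileset>.enabled: true to open its listener #}`.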
@@ -22,24 +22,28 @@ {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% from 'filebeat/map.jinja' import THIRDPARTY with context %} + filebeatetcdir: file.directory: - name: /opt/so/conf/filebeat/etc - user: 939 - group: 939 - makedirs: True + filebeatmoduledir: file.directory: - name: /opt/so/conf/filebeat/modules - user: root - group: root - makedirs: True + filebeatlogdir: file.directory: - name: /opt/so/log/filebeat - user: 939 - group: 939 - makedirs: True + filebeatpkidir: file.directory: - name: /opt/so/conf/filebeat/etc/pki @@ -52,6 +56,7 @@ fileregistrydir: - user: 939 - group: 939 - makedirs: True + # This needs to be owned by root filebeatconfsync: file.managed: @@ -63,6 +68,7 @@ filebeatconfsync: - defaults: INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }} OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} + # Filebeat module config file filebeatmoduleconfsync: file.managed: @@ -71,6 +77,7 @@ filebeatmoduleconfsync: - user: root - group: root - template: jinja + # Sync Filebeat modules filebeatmodules: file.recurse: @@ -78,6 +85,15 @@ filebeatmodules: - source: salt://filebeat/modules - user: root - group: root + +thirdparty_module_conf: + file.managed: + - name: /opt/so/conf/filebeat/etc/thirdparty.yml + - source: salt://filebeat/etc/thirdparty.yml.jinja + - template: jinja + - defaults: + THIRDPARTY: {{ THIRDPARTY }} + so-filebeat: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }} From ad67167e9778908534b921c38f27b3bdbc88d162 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 11 May 2021 12:58:21 -0400 Subject: [PATCH 09/59] remove whitespace control --- salt/filebeat/etc/thirdparty.yml.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/etc/thirdparty.yml.jinja b/salt/filebeat/etc/thirdparty.yml.jinja index 8c081828e..186115af4 100644 --- a/salt/filebeat/etc/thirdparty.yml.jinja +++ b/salt/filebeat/etc/thirdparty.yml.jinja 
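Review bot: The new `thirdparty_module_conf` state sets no `user` or `group`, unlike the sibling `filebeatmoduleconfsync` state directly above it which pins `user: root` / `group: root`; add the same two lines so ownership of `/opt/so/conf/filebeat/etc/thirdparty.yml` is explicit rather than whatever the minion defaults to. The file is marked `# DO NOT EDIT THIS FILE` by its template, so a `- mode: 0644` alongside would also make the intended read-only-for-others posture visible in the state.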
@@ -1,5 +1,5 @@ # DO NOT EDIT THIS FILE -{% for module in THIRDPARTY.modules.keys() -%} +{% for module in THIRDPARTY.modules.keys() %} - module: {{ module }} {%- for fileset in THIRDPARTY.modules[module] %} {{ fileset }}: From 68a667ee7cb6de7c8e829939f9e4042c5cc63890 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 May 2021 15:31:19 -0400 Subject: [PATCH 10/59] Add thirfpartydefaults.yml --- ...efaults.yml => securityoniondefaults.yaml} | 0 salt/filebeat/thirdpartydefaults.yaml | 275 ++++++++++++++++++ 2 files changed, 275 insertions(+) rename salt/filebeat/{thirdpartydefaults.yml => securityoniondefaults.yaml} (100%) create mode 100644 salt/filebeat/thirdpartydefaults.yaml diff --git a/salt/filebeat/thirdpartydefaults.yml b/salt/filebeat/securityoniondefaults.yaml similarity index 100% rename from salt/filebeat/thirdpartydefaults.yml rename to salt/filebeat/securityoniondefaults.yaml diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml new file mode 100644 index 000000000..027ec4595 --- /dev/null +++ b/salt/filebeat/thirdpartydefaults.yaml 
@@ -0,0 +1,275 @@ +third_party_filebeat: + modules: + aws: + cloudtrail: + enabled: false + cloudwatch: + enabled: false + ec2: + enabled: false + elb: + enabled: false + s3access: + enabled: false + vpcflow: + enabled: false + azure: + activitylogs: + enabled: false + platformlogs: + enabled: false + auditlogs: + enabled: false + signinlogs: + enabled: false + barracuda: + waf: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9503 + spamfirewall: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9524 + bluecoat: + director: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9505 + cef: + log: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9003 + checkpoint: + firewall: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9505 + cisco: + asa: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + ftd: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9003 + ios: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9002 + nexus: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9506 + meraki: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9525 + umbrella: + enabled: false + amp: + enabled: false + cyberark: + corepas: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9527 + cylance: + protect: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9508 + f5: + bigipapm: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9504 + bigipafm: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9528 + fortinet: + firewall: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9004 + clientendpoint: + enabled: false + var.input: udp + 
var.syslog_host: 0.0.0.0 + var.syslog_port: 9510 + fortimail: + enabled: false + var.input: udp + var.syslog_port: 9350 + gcp: + vpcflow: + enabled: false + firewall: + enabled: false + audit: + enabled: false + google_workspace: + saml: + enabled: false + user_accounts: + enabled: false + login: + enabled: false + admin: + enabled: false + drive: + enabled: false + groups: + enabled: false + imperva: + securesphere: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9511 + infoblox: + nios: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9512 + juniper: + junos: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9513 + netscreen: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9523 + srx: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 + microsoft: + defender_atp: + enabled: false + m365_defender: + enabled: false + dhcp: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9515 + misp: + threat: + enabled: false + netflow: + log: + enabled: false + var.netflow_host: 0.0.0.0 + var.netflow_port: 2055 + var.internal_networks: + - private + netscout: + sightline: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9502 + o365: + audit: + enabled: false + okta: + enabled: false + pesando: + dfw: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9001 + proofpoint: + emailsecurity: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9531 + radware: + defensepro: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9518 + snort: + log: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9532 + snyk: + audit: + enabled: false + vulnerabilities: + enabled: false + sonicwall: + firewall: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + 
var.syslog_port: 9519 + sophos: + xg: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + utm: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9533 + squid: + log: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9520 + threatintel: + abuseurl: + enabled: false + abusemalware: + enabled: false + misp: + enabled: false + otx: + enabled: false + anomali: + enabled: false + tomcat: + log: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9501 + zscaler: + zia: + enabled: false + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9521 From 71a74a665653f209c31354eed53ee345007b213d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 13 May 2021 13:07:16 -0400 Subject: [PATCH 11/59] Added updated script and core modules --- .../tools/sbin/so-filebeat-module-setup | 50 +++++++++---------- salt/filebeat/securityoniondefaults.yaml | 45 +++++++++++------ 2 files changed, 54 insertions(+), 41 deletions(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index a42b0ac80..6616854eb 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup 
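Review bot: The module key `pesando:` is misspelled — the Filebeat module, and the name this series uses in so-filebeat-module-setup's module list, is `pensando` — so enabling `pesando.dfw` from pillar would emit a `- module: pesando` stanza Filebeat cannot load; it should read `pensando:`. Several default `var.syslog_port` values collide: `bluecoat.director` and `checkpoint.firewall` both use 9505, `cef.log` and `cisco.ftd` both use 9003, and `cisco.asa` and `pesando.dfw` both use 9001, so enabling any two of those produces duplicate host-port publications from the init.sls loop, which Docker will at best reject at container start; give each fileset a unique default. `fortinet.fortimail` is the only syslog fileset without `var.syslog_host`, which the loop tolerates via `.get`, but adding `var.syslog_host: 0.0.0.0` keeps the entries uniform and greppable.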
@@ -25,32 +25,30 @@ ELASTICSEARCH_PORT=9200 # Define a default directory to load pipelines from FB_MODULE_YML="/usr/share/filebeat/module-setup.yml" -if [ "$1" == "" ]; then - echo "No module supplied. Exiting..." -else - # Wait for ElasticSearch to initialize - echo -n "Waiting for ElasticSearch..." - COUNT=0 - ELASTICSEARCH_CONNECTED="no" - while [[ "$COUNT" -le 240 ]]; do - curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi - done - if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo - fi - echo "Setting up ingest pipeline(s) for $1..." - docker exec -it so-filebeat filebeat setup modules -pipelines -modules $1 -c $FB_MODULE_YML +# Wait for ElasticSearch to initialize +echo -n "Waiting for ElasticSearch..." +COUNT=0 +ELASTICSEARCH_CONNECTED="no" +while [[ "$COUNT" -le 240 ]]; do + curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi +done +if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. 
\nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + echo fi +echo "Setting up ingest pipeline(s)" +docker exec -it so-filebeat filebeat setup modules -pipelines -modules activemq,apache,auditd,aws,azure,barracuda,bluecoat,cef,checkpoint,cisco,coredns,crowdstrike,cyberark,cylance,elasticsearch,envoyproxy,f5,fortinet,gcp,google_workspace,googlecloud,gsuite,haproxy,ibmmq,icinga,iis,imperva,infoblox,iptables,juniper,kafka,kibana,logstash,microsoft,misp,mondogb,mssql,mysql,mysqlenterprise,nats,netflow,netscout,nginx,o365,okta,osquery,panw,pensando,postgresql,rabbitmq,radware,redis,santa,snort,snyk,sonicwall,sophos,squid,suricata,system,threatintel,tomcat,traefik,zeek,zoom,zscaler -c $FB_MODULE_YML + + diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index 1e2eb8c23..e6406af8c 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml 
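Review bot: The module list passed to `-modules` contains `mondogb`, which is not a Filebeat module (this series ships `mongodb.yml.disabled`), so `filebeat setup` will reject or skip that entry; it should read `mongodb`. The timeout branch still only prints the diagnostic and falls through to the `docker exec` line, so when `ELASTICSEARCH_CONNECTED` is `no` the pipeline setup runs against an unreachable Elasticsearch; add `exit 1` after the final `echo` in that block. Now that `$1` is ignored, the `-modules` list is the single place the set of loaded pipelines lives, so a comment above it such as `# Keep this list in sync with the modules defined in thirdpartydefaults.yaml and securityoniondefaults.yaml` would help the next editor; the enclosing script continues above this hunk.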
@@ -1,17 +1,32 @@ -third_party_filebeat: +securityonion_filebeat: modules: - fortinet: - firewall: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9004 - clientendpoint: + elasticsearch: + server: + enabled: true + var.paths: ["/logs/elasticsearch/*.log"] + kibana: + log: + enabled: true + var.paths: ["/logs/kibana/kibana.log"] + logstash: + log: + enabled: true + var.paths: ["/logs/logstash.log"] + redis: + log: + enabled: true + var.paths: ["/logs/redis.log"] + suricata: + eve: + enabled: true + var.paths: ["/nsm/suricata/eve*.json"] + {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} + {%- if ZEEKVER != 'SURICATA' %} + zeek: + {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} + {{ LOGNAME }}: enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9510 - fortimail: - enabled: false - var.input: udp - var.syslog_port: 9350 \ No newline at end of file + var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"] + {%- endfor %} + {%- endif %} + {%- endif %} \ No newline at end of file From 5e5d30a3774a49b2e2128e2c554b5eb6a7a4f53b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 25 May 2021 08:26:25 -0400 Subject: [PATCH 12/59] Fix 3rd party modules --- salt/filebeat/thirdpartydefaults.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml index 027ec4595..cfb8d10d9 100644 --- a/salt/filebeat/thirdpartydefaults.yaml +++ b/salt/filebeat/thirdpartydefaults.yaml @@ -195,9 +195,10 @@ third_party_filebeat: var.syslog_port: 9502 o365: audit: - enabled: false + enabled: false okta: - enabled: false + system: + enabled: false pesando: dfw: enabled: false From 1e564c2140d0f53e3b5c90ba89bd3ec8b7e3471b Mon Sep 17 00:00:00 2001 
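Review bot: `ZEEKVER` is used in `{%- if ZEEKVER != 'SURICATA' %}` but nothing in securityoniondefaults.yaml defines it, so the import_yaml render either errors or compares an undefined value; the file needs a `{%- set ZEEKVER = ... %}` above the conditional (a pillar lookup of the detection-engine setting, whichever key the deployment uses). Under the generated `zeek:` block every `{{ LOGNAME }}` fileset keeps `enabled: false` (the unchanged line), which means none of the logs listed in `zeeklogs:enabled` would actually be collected despite the pillar key's name; if that is not the intent it should be `enabled: true`. The `{%- if grains['role'] in [...] %}` tags also make this file a Jinja template rather than plain YAML, which is fine for `import_yaml` but worth a header comment so nobody tries to load it with a plain YAML parser.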
From: Mike Reeves Date: Tue, 25 May 2021 10:22:36 -0400 Subject: [PATCH 13/59] Fix zeek jinja --- salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index da798a79d..486d22bfe 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,4 +1,4 @@ -%- if grains['role'] == 'so-eval' -%} +{%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} From 2aacd5b9b6cf339052d674595531f515c3842fff Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 16:40:50 -0400 Subject: [PATCH 14/59] so defaults filebeat modules --- salt/filebeat/etc/module_config.yml.jinja | 16 ++++++++++++++++ salt/filebeat/etc/thirdparty.yml.jinja | 16 ---------------- salt/filebeat/init.sls | 19 ++++++++++--------- salt/filebeat/map.jinja | 5 ++++- 4 files changed, 30 insertions(+), 26 deletions(-) create mode 100644 salt/filebeat/etc/module_config.yml.jinja delete mode 100644 salt/filebeat/etc/thirdparty.yml.jinja diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja new file mode 100644 index 000000000..7cd624895 --- /dev/null +++ b/salt/filebeat/etc/module_config.yml.jinja 
@@ -0,0 +1,16 @@ +# DO NOT EDIT THIS FILE +{% for module in MODULES.modules.keys() %} +- module: {{ module }} + {%- for fileset in MODULES.modules[module] %} + {{ fileset }}: + enabled: {{ MODULES.modules[module][fileset].enabled }} + {#- only manage the settings if the fileset is enabled #} + {%- if MODULES.modules[module][fileset].enabled %} + {%- for var, value in MODULES.modules[module][fileset].items() %} + {%- if var|lower != 'enabled' %} + {{ var }}: {{ value }} + {%- endif %} + {%- endfor %} + {%- endif %} + {%- endfor %} +{% endfor %} diff --git a/salt/filebeat/etc/thirdparty.yml.jinja b/salt/filebeat/etc/thirdparty.yml.jinja deleted file mode 100644 index 186115af4..000000000 --- a/salt/filebeat/etc/thirdparty.yml.jinja +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT THIS FILE -{% for module in THIRDPARTY.modules.keys() %} -- module: {{ module }} - {%- for fileset in THIRDPARTY.modules[module] %} - {{ fileset }}: - enabled: {{ THIRDPARTY.modules[module][fileset].enabled }} - {#- only manage the settings if the fileset is enabled #} - {%- if THIRDPARTY.modules[module][fileset].enabled %} - {%- for var, value in THIRDPARTY.modules[module][fileset].items() %} - {%- if var|lower != 'enabled' %} - {{ var }}: {{ value }} - {%- endif %} - {%- endfor %} - {%- endif %} - {%- endfor %} -{% endfor %} \ No newline at end of file diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index b3bce806c..b1a91b133 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -21,6 +21,7 @@ {% set MANAGER = salt['grains.get']('master') %} {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% from 'filebeat/map.jinja' import THIRDPARTY with context %} +{% from 'filebeat/map.jinja' import SO with context %} filebeatetcdir: 
@@ -78,21 +79,21 @@ filebeatmoduleconfsync: - group: root - template: jinja -# Sync Filebeat modules -filebeatmodules: - file.recurse: - - name: /opt/so/conf/filebeat/modules - - source: salt://filebeat/modules - - user: root - - group: root +sodefaults_module_conf: + file.managed: + - name: /opt/so/conf/filebeat/etc/securityonion.yml + - source: salt://filebeat/etc/module_config.yml.jinja + - template: jinja + - defaults: + MODULES: {{ SO }} thirdparty_module_conf: file.managed: - name: /opt/so/conf/filebeat/etc/thirdparty.yml - - source: salt://filebeat/etc/thirdparty.yml.jinja + - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: - THIRDPARTY: {{ THIRDPARTY }} + MODULES: {{ THIRDPARTY }} so-filebeat: docker_container.running: diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index 668889227..aaae60f31 100644 --- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja @@ -1,2 +1,5 @@ {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %} -{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} \ No newline at end of file +{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} + +{% import_yaml 'filebeat/securityoniondefaults.yaml' as SO %} +{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#} From 9363fc153c3c7b45bdf1c82530530e7c8b92398f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 25 May 2021 16:44:13 -0400 Subject: [PATCH 15/59] Fix pillar for module --- salt/filebeat/securityoniondefaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index e6406af8c..8bcecd618 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml 
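Review bot: `{% import_yaml 'filebeat/securityoniondefaults.yaml' as SO %}` binds the whole document, whose top-level key is `securityonion_filebeat`, so `MODULES.modules` in module_config.yml.jinja resolves one level too high and the `sodefaults_module_conf` render fails or emits no modules; import as `SODEFAULTS` and add `{% set SO = SODEFAULTS.securityonion_filebeat %}`. The commented-out `{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', ...) %#}` line references the third-party pillar key rather than a Security Onion one, so either correct the key before it is ever enabled or drop the dead line. This commit also deletes the `filebeatmodules` file.recurse that synced `salt://filebeat/modules`, while filebeat.yml still loads `${path.config}/modules.d/*.yml`; if the two new `etc/*.yml` files are not mounted into `modules.d` no module config is loaded at all — worth confirming against the container volume mapping, which is outside this hunk.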
@@ -1,3 +1,4 @@
+{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
 securityonion_filebeat:
 modules:
 elasticsearch:
From 0de5c6f204186342d90b928fca5b1019b22b26cb Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 25 May 2021 16:52:02 -0400
Subject: [PATCH 16/59] fix sodefault modules
---
 salt/filebeat/map.jinja | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja
index aaae60f31..6ae6e7cff 100644
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -1,5 +1,6 @@
 {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
 {% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
-{% import_yaml 'filebeat/securityoniondefaults.yaml' as SO %}
+{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
+{% set SO = SODEFAULTS.securityonion_filebeat %}
 {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
From cd3e355f848536e2c7d7241c498f9c51315d8ebe Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 25 May 2021 16:54:20 -0400
Subject: [PATCH 17/59] Fix zeek depth
---
 salt/zeek/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 02c1cc1ba..4e597f597 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -76,9 +76,9 @@ zeekpolicysync:
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
 file.directory:
- - name: /nsm/zeek/spool
+ - name: /nsm/zeek
 - user: 937
- - max_depth: 0
+ - max_depth: 1
 - recurse:
 - user
From 543154f037453377c0780d4375dc4b52613b14db Mon Sep 17 00:00:00 2001
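Review bot: `ZEEKVER` is filled from the `global:mdengine` pillar key with an empty-string default, so the name does not say what it holds, and nothing in this hunk reads it. If the rest of the file (outside the hunk) switches the zeek filesets on it, a comment should say so, e.g. `{#- global:mdengine (presumably the metadata engine name) selects the module filesets enabled below; '' when the pillar key is absent #}`, and a name such as `MDENGINE` would be clearer. With the empty default, a later equality test against a specific engine name silently disables those filesets on a minion whose pillar lacks the key, which may or may not be intended.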
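Review bot: The state id `zeekspoolownership` and the comment above it still describe the spool tree, but the target is now `/nsm/zeek` with `max_depth: 1` and `recurse: - user`, so every immediate child of `/nsm/zeek`, not only `spool` and its `state.db`, is chowned to uid 937 on each highstate. Update the comment to match, e.g. `# Ensure /nsm/zeek and its immediate children (incl. spool and state.db) are owned by the zeek uid`, and confirm that the sibling directories under /nsm/zeek are meant to be owned by 937. Whether the old `max_depth: 0` on `/nsm/zeek/spool` covered more of the spool contents than the new depth-1 pass from one level up does depends on Salt's max_depth semantics and is worth checking.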
From: Mike Reeves Date: Tue, 25 May 2021 16:58:18 -0400 Subject: [PATCH 18/59] Remove old modules --- salt/filebeat/init.sls | 4 +- salt/filebeat/modules/activemq.yml.disabled | 19 -- salt/filebeat/modules/apache.yml.disabled | 19 -- salt/filebeat/modules/auditd.yml.disabled | 10 - salt/filebeat/modules/aws.yml.disabled | 255 ------------------ salt/filebeat/modules/azure.yml.disabled | 45 ---- salt/filebeat/modules/barracuda.yml.disabled | 41 --- salt/filebeat/modules/bluecoat.yml.disabled | 22 -- salt/filebeat/modules/cef.yml.disabled | 17 -- salt/filebeat/modules/checkpoint.yml.disabled | 24 -- salt/filebeat/modules/cisco.yml.disabled | 142 ---------- salt/filebeat/modules/coredns.yml.disabled | 11 - .../filebeat/modules/crowdstrike.yml.disabled | 11 - salt/filebeat/modules/cyberark.yml.disabled | 22 -- salt/filebeat/modules/cylance.yml.disabled | 22 -- .../modules/elasticsearch.yml.disabled | 35 --- salt/filebeat/modules/envoyproxy.yml.disabled | 11 - salt/filebeat/modules/f5.yml.disabled | 41 --- salt/filebeat/modules/fortinet.yml.disabled | 83 ------ salt/filebeat/modules/gcp.yml.disabled | 76 ------ .../modules/google_workspace.yml.disabled | 53 ---- .../filebeat/modules/googlecloud.yml.disabled | 58 ---- salt/filebeat/modules/gsuite.yml.disabled | 53 ---- salt/filebeat/modules/haproxy.yml.disabled | 14 - salt/filebeat/modules/ibmmq.yml.disabled | 11 - salt/filebeat/modules/icinga.yml.disabled | 27 -- salt/filebeat/modules/iis.yml.disabled | 20 -- salt/filebeat/modules/imperva.yml.disabled | 22 -- salt/filebeat/modules/infoblox.yml.disabled | 22 -- salt/filebeat/modules/iptables.yml.disabled | 13 - salt/filebeat/modules/juniper.yml.disabled | 54 ---- salt/filebeat/modules/kafka.yml.disabled | 15 -- salt/filebeat/modules/kibana.yml.disabled | 19 -- salt/filebeat/modules/logstash.yml.disabled | 18 -- salt/filebeat/modules/microsoft.yml.disabled | 49 ---- salt/filebeat/modules/misp.yml.disabled | 17 -- salt/filebeat/modules/mongodb.yml.disabled | 11 - 
salt/filebeat/modules/mssql.yml.disabled | 11 - salt/filebeat/modules/mysql.yml.disabled | 19 -- .../modules/mysqlenterprise.yml.disabled | 14 - salt/filebeat/modules/nats.yml.disabled | 11 - salt/filebeat/modules/netflow.yml.disabled | 14 - salt/filebeat/modules/netscout.yml.disabled | 22 -- salt/filebeat/modules/nginx.yml.disabled | 27 -- salt/filebeat/modules/o365.yml.disabled | 48 ---- salt/filebeat/modules/okta.yml.disabled | 10 - salt/filebeat/modules/oracle.yml.disabled | 13 - salt/filebeat/modules/osquery.yml.disabled | 15 -- salt/filebeat/modules/panw.yml.disabled | 22 -- salt/filebeat/modules/pensando.yml.disabled | 13 - salt/filebeat/modules/postgresql.yml.disabled | 11 - salt/filebeat/modules/proofpoint.yml.disabled | 22 -- salt/filebeat/modules/rabbitmq.yml.disabled | 11 - salt/filebeat/modules/radware.yml.disabled | 22 -- salt/filebeat/modules/redis.yml.disabled | 21 -- salt/filebeat/modules/santa.yml.disabled | 9 - salt/filebeat/modules/snort.yml.disabled | 22 -- salt/filebeat/modules/snyk.yml.disabled | 112 -------- salt/filebeat/modules/sonicwall.yml.disabled | 22 -- salt/filebeat/modules/sophos.yml.disabled | 46 ---- salt/filebeat/modules/squid.yml.disabled | 22 -- salt/filebeat/modules/suricata.yml | 12 - salt/filebeat/modules/system.yml.disabled | 19 -- .../filebeat/modules/threatintel.yml.disabled | 105 -------- salt/filebeat/modules/tomcat.yml.disabled | 22 -- salt/filebeat/modules/traefik.yml.disabled | 11 - salt/filebeat/modules/zeek.yml | 122 --------- salt/filebeat/modules/zoom.yml.disabled | 22 -- salt/filebeat/modules/zscaler.yml.disabled | 22 -- salt/filebeat/securityoniondefaults.yaml | 2 +- 70 files changed, 3 insertions(+), 2279 deletions(-) delete mode 100644 salt/filebeat/modules/activemq.yml.disabled delete mode 100644 salt/filebeat/modules/apache.yml.disabled delete mode 100644 salt/filebeat/modules/auditd.yml.disabled delete mode 100644 salt/filebeat/modules/aws.yml.disabled delete mode 100644 
salt/filebeat/modules/azure.yml.disabled delete mode 100644 salt/filebeat/modules/barracuda.yml.disabled delete mode 100644 salt/filebeat/modules/bluecoat.yml.disabled delete mode 100644 salt/filebeat/modules/cef.yml.disabled delete mode 100644 salt/filebeat/modules/checkpoint.yml.disabled delete mode 100644 salt/filebeat/modules/cisco.yml.disabled delete mode 100644 salt/filebeat/modules/coredns.yml.disabled delete mode 100644 salt/filebeat/modules/crowdstrike.yml.disabled delete mode 100644 salt/filebeat/modules/cyberark.yml.disabled delete mode 100644 salt/filebeat/modules/cylance.yml.disabled delete mode 100644 salt/filebeat/modules/elasticsearch.yml.disabled delete mode 100644 salt/filebeat/modules/envoyproxy.yml.disabled delete mode 100644 salt/filebeat/modules/f5.yml.disabled delete mode 100644 salt/filebeat/modules/fortinet.yml.disabled delete mode 100644 salt/filebeat/modules/gcp.yml.disabled delete mode 100644 salt/filebeat/modules/google_workspace.yml.disabled delete mode 100644 salt/filebeat/modules/googlecloud.yml.disabled delete mode 100644 salt/filebeat/modules/gsuite.yml.disabled delete mode 100644 salt/filebeat/modules/haproxy.yml.disabled delete mode 100644 salt/filebeat/modules/ibmmq.yml.disabled delete mode 100644 salt/filebeat/modules/icinga.yml.disabled delete mode 100644 salt/filebeat/modules/iis.yml.disabled delete mode 100644 salt/filebeat/modules/imperva.yml.disabled delete mode 100644 salt/filebeat/modules/infoblox.yml.disabled delete mode 100644 salt/filebeat/modules/iptables.yml.disabled delete mode 100644 salt/filebeat/modules/juniper.yml.disabled delete mode 100644 salt/filebeat/modules/kafka.yml.disabled delete mode 100644 salt/filebeat/modules/kibana.yml.disabled delete mode 100644 salt/filebeat/modules/logstash.yml.disabled delete mode 100644 salt/filebeat/modules/microsoft.yml.disabled delete mode 100644 salt/filebeat/modules/misp.yml.disabled delete mode 100644 salt/filebeat/modules/mongodb.yml.disabled delete mode 100644 
salt/filebeat/modules/mssql.yml.disabled delete mode 100644 salt/filebeat/modules/mysql.yml.disabled delete mode 100644 salt/filebeat/modules/mysqlenterprise.yml.disabled delete mode 100644 salt/filebeat/modules/nats.yml.disabled delete mode 100644 salt/filebeat/modules/netflow.yml.disabled delete mode 100644 salt/filebeat/modules/netscout.yml.disabled delete mode 100644 salt/filebeat/modules/nginx.yml.disabled delete mode 100644 salt/filebeat/modules/o365.yml.disabled delete mode 100644 salt/filebeat/modules/okta.yml.disabled delete mode 100644 salt/filebeat/modules/oracle.yml.disabled delete mode 100644 salt/filebeat/modules/osquery.yml.disabled delete mode 100644 salt/filebeat/modules/panw.yml.disabled delete mode 100644 salt/filebeat/modules/pensando.yml.disabled delete mode 100644 salt/filebeat/modules/postgresql.yml.disabled delete mode 100644 salt/filebeat/modules/proofpoint.yml.disabled delete mode 100644 salt/filebeat/modules/rabbitmq.yml.disabled delete mode 100644 salt/filebeat/modules/radware.yml.disabled delete mode 100644 salt/filebeat/modules/redis.yml.disabled delete mode 100644 salt/filebeat/modules/santa.yml.disabled delete mode 100644 salt/filebeat/modules/snort.yml.disabled delete mode 100644 salt/filebeat/modules/snyk.yml.disabled delete mode 100644 salt/filebeat/modules/sonicwall.yml.disabled delete mode 100644 salt/filebeat/modules/sophos.yml.disabled delete mode 100644 salt/filebeat/modules/squid.yml.disabled delete mode 100644 salt/filebeat/modules/suricata.yml delete mode 100644 salt/filebeat/modules/system.yml.disabled delete mode 100644 salt/filebeat/modules/threatintel.yml.disabled delete mode 100644 salt/filebeat/modules/tomcat.yml.disabled delete mode 100644 salt/filebeat/modules/traefik.yml.disabled delete mode 100644 salt/filebeat/modules/zeek.yml delete mode 100644 salt/filebeat/modules/zoom.yml.disabled delete mode 100644 salt/filebeat/modules/zscaler.yml.disabled 
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index b1a91b133..18ca9b8c1 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -81,7 +81,7 @@ filebeatmoduleconfsync: sodefaults_module_conf: file.managed: - - name: /opt/so/conf/filebeat/etc/securityonion.yml + - name: /opt/so/conf/filebeat/modules/securityonion.yml - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: @@ -89,7 +89,7 @@ sodefaults_module_conf: thirdparty_module_conf: file.managed: - - name: /opt/so/conf/filebeat/etc/thirdparty.yml + - name: /opt/so/conf/filebeat/modules/thirdparty.yml - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: diff --git a/salt/filebeat/modules/activemq.yml.disabled b/salt/filebeat/modules/activemq.yml.disabled deleted file mode 100644 index 43536ecbc..000000000 --- a/salt/filebeat/modules/activemq.yml.disabled +++ /dev/null @@ -1,19 +0,0 @@ -# Module: activemq -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-activemq.html - -- module: activemq - # Audit logs - audit: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - # Application logs - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/apache.yml.disabled b/salt/filebeat/modules/apache.yml.disabled deleted file mode 100644 index b923dd581..000000000 --- a/salt/filebeat/modules/apache.yml.disabled +++ /dev/null 
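Review bot: Both hunks move the rendered files into `/opt/so/conf/filebeat/modules/`, the directory the removed `filebeatmodules` file.recurse (patch 01) used to populate from the now-deleted `salt/filebeat/modules/` tree, but nothing removes the files it left behind on already-provisioned nodes — in particular the previously enabled `zeek.yml` and `suricata.yml` — so if Filebeat loads every file in that directory the old per-module files would be read alongside the new `securityonion.yml` and define the same modules twice. Add explicit cleanup for the stale files, as below, or manage the directory with `file.directory` and `clean: True` with `require_in` from these two `file.managed` states so anything unmanaged is pruned. Both states continue outside the hunks (their `defaults:` mappings are cut off).
```yaml
# … unchanged: sodefaults_module_conf / thirdparty_module_conf …
filebeat_old_module_files_absent:
  file.absent:
    - names:
      - /opt/so/conf/filebeat/modules/zeek.yml
      - /opt/so/conf/filebeat/modules/suricata.yml
```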
@@ -1,19 +0,0 @@ -# Module: apache -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-apache.html - -- module: apache - # Access logs - access: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - # Error logs - error: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/auditd.yml.disabled b/salt/filebeat/modules/auditd.yml.disabled deleted file mode 100644 index 76296ec85..000000000 --- a/salt/filebeat/modules/auditd.yml.disabled +++ /dev/null @@ -1,10 +0,0 @@ -# Module: auditd -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-auditd.html - -- module: auditd - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/aws.yml.disabled b/salt/filebeat/modules/aws.yml.disabled deleted file mode 100644 index 904bd976c..000000000 --- a/salt/filebeat/modules/aws.yml.disabled +++ /dev/null 
@@ -1,255 +0,0 @@ -# Module: aws -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-aws.html - -- module: aws - cloudtrail: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Process CloudTrail logs - # default is true, set to false to skip Cloudtrail logs - # var.process_cloudtrail_logs: false - - # Process CloudTrail Digest logs - # default true, set to false to skip CloudTrail Digest logs - # var.process_digest_logs: false - - # Process CloudTrail Insight logs - # default true, set to false to skip CloudTrail Insight logs - # var.process_insight_logs: false - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - cloudwatch: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - ec2: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - elb: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - s3access: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. 
- #var.max_number_of_messages: 5 - - vpcflow: - enabled: false - - # AWS SQS queue url - #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue - - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - #var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - #var.credential_profile_name: fb-aws - - # Use access_key_id, secret_access_key and/or session_token instead of shared credential file - #var.access_key_id: access_key_id - #var.secret_access_key: secret_access_key - #var.session_token: session_token - - # The duration that the received messages are hidden from ReceiveMessage request - # Default to be 300s - #var.visibility_timeout: 300s - - # Maximum duration before AWS API request will be interrupted - # Default to be 120s - #var.api_timeout: 120s - - # Custom endpoint used to access AWS APIs - #var.endpoint: amazonaws.com - - # AWS IAM Role to assume - #var.role_arn: arn:aws:iam::123456789012:role/test-mb - - # Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - #var.fips_enabled: false - - # The maximum number of messages to return from SQS. Valid values: 1 to 10. - #var.max_number_of_messages: 5 diff --git a/salt/filebeat/modules/azure.yml.disabled b/salt/filebeat/modules/azure.yml.disabled deleted file mode 100644 index 3b2bc1ecf..000000000 --- a/salt/filebeat/modules/azure.yml.disabled +++ /dev/null 
@@ -1,45 +0,0 @@ -# Module: azure -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-azure.html - -- module: azure - # All logs - activitylogs: - enabled: true - var: - # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub - eventhub: "insights-operational-logs" - # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module - consumer_group: "$Default" - # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string - connection_string: "" - # the name of the storage account the state/offsets will be stored and updated - storage_account: "" - # the storage account key, this key will be used to authorize access to data in your storage account - storage_account_key: "" - - platformlogs: - enabled: false - # var: - # eventhub: "" - # consumer_group: "$Default" - # connection_string: "" - # storage_account: "" - # storage_account_key: "" - - - auditlogs: - enabled: false - # var: - # eventhub: "insights-logs-auditlogs" - # consumer_group: "$Default" - # connection_string: "" - # storage_account: "" - # storage_account_key: "" - signinlogs: - enabled: false - # var: - # eventhub: "insights-logs-signinlogs" - # consumer_group: "$Default" - # connection_string: "" - # storage_account: "" - # storage_account_key: "" diff --git a/salt/filebeat/modules/barracuda.yml.disabled b/salt/filebeat/modules/barracuda.yml.disabled deleted file mode 100644 index 99ff85036..000000000 --- a/salt/filebeat/modules/barracuda.yml.disabled +++ /dev/null 
@@ -1,41 +0,0 @@ -# Module: barracuda -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-barracuda.html - -- module: barracuda - waf: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9503 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - spamfirewall: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9524 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/bluecoat.yml.disabled b/salt/filebeat/modules/bluecoat.yml.disabled deleted file mode 100644 index 6550c8eed..000000000 --- a/salt/filebeat/modules/bluecoat.yml.disabled +++ /dev/null @@ -1,22 +0,0 @@ -# Module: bluecoat -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-bluecoat.html - -- module: bluecoat - director: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9505 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local 
diff --git a/salt/filebeat/modules/cef.yml.disabled b/salt/filebeat/modules/cef.yml.disabled deleted file mode 100644 index 2de22edcc..000000000 --- a/salt/filebeat/modules/cef.yml.disabled +++ /dev/null @@ -1,17 +0,0 @@ -# Module: cef -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cef.html - -- module: cef - log: - enabled: true - var: - syslog_host: localhost - syslog_port: 9003 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] diff --git a/salt/filebeat/modules/checkpoint.yml.disabled b/salt/filebeat/modules/checkpoint.yml.disabled deleted file mode 100644 index 9d34b8d72..000000000 --- a/salt/filebeat/modules/checkpoint.yml.disabled +++ /dev/null @@ -1,24 +0,0 @@ -# Module: checkpoint -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-checkpoint.html - -- module: checkpoint - firewall: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9001. - #var.syslog_port: 9001 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] diff --git a/salt/filebeat/modules/cisco.yml.disabled b/salt/filebeat/modules/cisco.yml.disabled deleted file mode 100644 index 9e4658045..000000000 --- a/salt/filebeat/modules/cisco.yml.disabled +++ /dev/null 
@@ -1,142 +0,0 @@ -# Module: cisco -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cisco.html - -- module: cisco - asa: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9001. - #var.syslog_port: 9001 - - # Set the log level from 1 (alerts only) to 7 (include all messages). - # Messages with a log level higher than the specified will be dropped. - # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html - #var.log_level: 7 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] - - ftd: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9003. - #var.syslog_port: 9003 - - # Set the log level from 1 (alerts only) to 7 (include all messages). - # Messages with a log level higher than the specified will be dropped. - # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html - #var.log_level: 7 - - # Set internal security zones. used to override parsed network.direction - # based on zone egress and ingress - #var.internal_zones: [ "Internal" ] - - # Set external security zones. 
used to override parsed network.direction - # based on zone egress and ingress - #var.external_zones: [ "External" ] - - ios: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: syslog - - # The interface to listen to UDP based syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The UDP port to listen for syslog traffic. Defaults to 9002. - #var.syslog_port: 9002 - - # Set custom paths for the log files when using file input. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - nexus: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9506 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - meraki: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9525 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. 
- # "+02:00" for GMT+02:00 - # var.tz_offset: local - - umbrella: - enabled: true - - #var.input: aws-s3 - # AWS SQS queue url - #var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue - # Access ID to authenticate with the S3 input - #var.access_key_id: 123456 - # Access key to authenticate with the S3 input - #var.secret_access_key: PASSWORD - # The duration that the received messages are hidden from ReceiveMessage request - #var.visibility_timeout: 300s - # Maximum duration before AWS API request will be interrupted - #var.api_timeout: 120s - - amp: - enabled: true - - # Set which input to use between httpjson (default) or file. - #var.input: httpjson - - # The API URL - #var.url: https://api.amp.cisco.com/v1/events - # The client ID used as a username for the API requests. - #var.client_id: - # The API key related to the client ID. - #var.api_key: - # How far to look back the first time the module is started. Expects an amount of hours. - #var.first_interval: 24h - # Overriding the default request timeout, optional. - #var.request_timeout: 60s diff --git a/salt/filebeat/modules/coredns.yml.disabled b/salt/filebeat/modules/coredns.yml.disabled deleted file mode 100644 index 46e9e55c1..000000000 --- a/salt/filebeat/modules/coredns.yml.disabled +++ /dev/null @@ -1,11 +0,0 @@ -# Module: coredns -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-coredns.html - -- module: coredns - # Fileset for native deployment - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/crowdstrike.yml.disabled b/salt/filebeat/modules/crowdstrike.yml.disabled deleted file mode 100644 index 8d2c8531d..000000000 --- a/salt/filebeat/modules/crowdstrike.yml.disabled +++ /dev/null 
@@ -1,11 +0,0 @@
-# Module: crowdstrike
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-crowdstrike.html
-
-- module: crowdstrike
-
- falcon:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/cyberark.yml.disabled b/salt/filebeat/modules/cyberark.yml.disabled
deleted file mode 100644
index e97955adf..000000000
--- a/salt/filebeat/modules/cyberark.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: cyberark
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberark.html
-
-- module: cyberark
- corepas:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9527
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/cylance.yml.disabled b/salt/filebeat/modules/cylance.yml.disabled
deleted file mode 100644
index 342d654d2..000000000
--- a/salt/filebeat/modules/cylance.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: cylance
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cylance.html
-
-- module: cylance
- protect:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9508
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/elasticsearch.yml.disabled b/salt/filebeat/modules/elasticsearch.yml.disabled
deleted file mode 100644
index e6074c05e..000000000
--- a/salt/filebeat/modules/elasticsearch.yml.disabled
+++ /dev/null
@@ -1,35 +0,0 @@
-# Module: elasticsearch
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-elasticsearch.html
-
-- module: elasticsearch
- # Server log
- server:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- gc:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- audit:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- slowlog:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- deprecation:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/envoyproxy.yml.disabled b/salt/filebeat/modules/envoyproxy.yml.disabled
deleted file mode 100644
index 543b17be5..000000000
--- a/salt/filebeat/modules/envoyproxy.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: envoyproxy
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-envoyproxy.html
-
-- module: envoyproxy
- # Fileset for native deployment
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/f5.yml.disabled b/salt/filebeat/modules/f5.yml.disabled
deleted file mode 100644
index 959842174..000000000
--- a/salt/filebeat/modules/f5.yml.disabled
+++ /dev/null
@@ -1,41 +0,0 @@
-# Module: f5
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-f5.html
-
-- module: f5
- bigipapm:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9504
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- bigipafm:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9528
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/fortinet.yml.disabled b/salt/filebeat/modules/fortinet.yml.disabled
deleted file mode 100644
index 281b7d788..000000000
--- a/salt/filebeat/modules/fortinet.yml.disabled
+++ /dev/null
@@ -1,83 +0,0 @@
-# Module: fortinet
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-fortinet.html
-
-- module: fortinet
- firewall:
- enabled: true
-
- # Set which input to use between tcp, udp (default) or file.
- #var.input: udp
-
- # The interface to listen to syslog traffic. Defaults to
- # localhost. Set to 0.0.0.0 to bind to all available interfaces.
- #var.syslog_host: localhost
-
- # The port to listen for syslog traffic. Defaults to 9004.
- #var.syslog_port: 9004
-
- # Set internal interfaces. used to override parsed network.direction
- # based on a tagged interface. Both internal and external interfaces must be
- # set to leverage this functionality.
- #var.internal_interfaces: [ "LAN" ]
-
- # Set external interfaces. used to override parsed network.direction
- # based on a tagged interface. Both internal and external interfaces must be
- # set to leverage this functionality.
- #var.external_interfaces: [ "WAN" ]
-
- clientendpoint:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9510
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimail:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9529
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimanager:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9530
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/gcp.yml.disabled b/salt/filebeat/modules/gcp.yml.disabled
deleted file mode 100644
index a09d0fe36..000000000
--- a/salt/filebeat/modules/gcp.yml.disabled
+++ /dev/null
@@ -1,76 +0,0 @@
-# Module: gcp
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gcp.html
-
-- module: gcp
- vpcflow:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
- # configured to use this topic as a sink for VPC flow logs.
- var.topic: gcp-vpc-flowlogs
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- # Set internal networks. This is used to classify network.direction based
- # off of what networks are considered "internal" either base off of a CIDR
- # block or named network conditions. If this is not specified, then traffic
- # direction is determined by whether it is between source and destination
- # instance information rather than IP.
- #
- # For a full list of network conditions see:
- # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
- #var.internal_networks: [ "private" ]
-
- firewall:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-firewall
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-firewall-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- # Set internal networks. 
This is used to classify network.direction based
- # off of what networks are considered "internal" either base off of a CIDR
- # block or named network conditions. If this is not specified, then traffic
- # is taken from the direction data in the rule_details event payload.
- #
- # For a full list of network conditions see:
- # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
- #var.internal_networks: [ "private" ]
-
- audit:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-audit
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-audit
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
diff --git a/salt/filebeat/modules/google_workspace.yml.disabled b/salt/filebeat/modules/google_workspace.yml.disabled
deleted file mode 100644
index 6d364af98..000000000
--- a/salt/filebeat/modules/google_workspace.yml.disabled
+++ /dev/null
@@ -1,53 +0,0 @@
-# Module: google_workspace
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-google_workspace.html
-
-- module: google_workspace
- saml:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- user_accounts:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- login:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- admin:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- drive:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- groups:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
-
diff --git a/salt/filebeat/modules/googlecloud.yml.disabled b/salt/filebeat/modules/googlecloud.yml.disabled
deleted file mode 100644
index 9a28dc036..000000000
--- a/salt/filebeat/modules/googlecloud.yml.disabled
+++ /dev/null
@@ -1,58 +0,0 @@
-# Module: googlecloud
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-googlecloud.html
-
-# googlecloud module is deprecated, please use gcp instead
-- module: gcp
- vpcflow:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
- # configured to use this topic as a sink for VPC flow logs.
- var.topic: gcp-vpc-flowlogs
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-vpc-flowlogs-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- firewall:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-firewall
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-firewall-sub
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
-
- audit:
- enabled: true
-
- # Google Cloud project ID.
- var.project_id: my-gcp-project-id
-
- # Google Pub/Sub topic containing firewall logs. Stackdriver must be
- # configured to use this topic as a sink for firewall logs.
- var.topic: gcp-vpc-audit
-
- # Google Pub/Sub subscription for the topic. Filebeat will create this
- # subscription if it does not exist.
- var.subscription_name: filebeat-gcp-audit
-
- # Credentials file for the service account with authorization to read from
- # the subscription.
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json
diff --git a/salt/filebeat/modules/gsuite.yml.disabled b/salt/filebeat/modules/gsuite.yml.disabled
deleted file mode 100644
index 6aec3b65d..000000000
--- a/salt/filebeat/modules/gsuite.yml.disabled
+++ /dev/null
@@ -1,53 +0,0 @@
-# Module: gsuite
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gsuite.html
-
-# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
-- module: gsuite
- saml:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- user_accounts:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- login:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- admin:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- drive:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- groups:
- enabled: true
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
diff --git a/salt/filebeat/modules/haproxy.yml.disabled b/salt/filebeat/modules/haproxy.yml.disabled
deleted file mode 100644
index b2615dbb8..000000000
--- a/salt/filebeat/modules/haproxy.yml.disabled
+++ /dev/null
@@ -1,14 +0,0 @@
-# Module: haproxy
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-haproxy.html
-
-- module: haproxy
- # All logs
- log:
- enabled: true
-
- # Set which input to use between syslog (default) or file.
- #var.input:
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/ibmmq.yml.disabled b/salt/filebeat/modules/ibmmq.yml.disabled
deleted file mode 100644
index bfaf3792d..000000000
--- a/salt/filebeat/modules/ibmmq.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: ibmmq
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-ibmmq.html
-
-- module: ibmmq
- # All logs
- errorlog:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/icinga.yml.disabled b/salt/filebeat/modules/icinga.yml.disabled
deleted file mode 100644
index a7c3ac6e1..000000000
--- a/salt/filebeat/modules/icinga.yml.disabled
+++ /dev/null
@@ -1,27 +0,0 @@
-# Module: icinga
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-icinga.html
-
-- module: icinga
- # Main logs
- main:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Debug logs
- debug:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Startup logs
- startup:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/iis.yml.disabled b/salt/filebeat/modules/iis.yml.disabled
deleted file mode 100644
index 44c200ba1..000000000
--- a/salt/filebeat/modules/iis.yml.disabled
+++ /dev/null
@@ -1,20 +0,0 @@
-# Module: iis
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iis.html
-
-- module: iis
- # Access logs
- access:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Error logs
- error:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
\ No newline at end of file
diff --git a/salt/filebeat/modules/imperva.yml.disabled b/salt/filebeat/modules/imperva.yml.disabled
deleted file mode 100644
index 8e53deaa6..000000000
--- a/salt/filebeat/modules/imperva.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: imperva
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-imperva.html
-
-- module: imperva
- securesphere:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9511
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/infoblox.yml.disabled b/salt/filebeat/modules/infoblox.yml.disabled
deleted file mode 100644
index 9e82f8340..000000000
--- a/salt/filebeat/modules/infoblox.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: infoblox
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-infoblox.html
-
-- module: infoblox
- nios:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9512
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/iptables.yml.disabled b/salt/filebeat/modules/iptables.yml.disabled
deleted file mode 100644
index 1147e14dd..000000000
--- a/salt/filebeat/modules/iptables.yml.disabled
+++ /dev/null
@@ -1,13 +0,0 @@
-# Module: iptables
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-iptables.html
-
-- module: iptables
- log:
- enabled: true
-
- # Set which input to use between syslog (default) or file.
- #var.input:
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/juniper.yml.disabled b/salt/filebeat/modules/juniper.yml.disabled
deleted file mode 100644
index 71112679d..000000000
--- a/salt/filebeat/modules/juniper.yml.disabled
+++ /dev/null
@@ -1,54 +0,0 @@
-# Module: juniper
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-juniper.html
-
-- module: juniper
- junos:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9513
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- netscreen:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9523
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- srx:
- enabled: true
-
- # Set which input to use between tcp, udp (default) or file.
- #var.input: udp
-
- # The interface to listen to syslog traffic. Defaults to
- # localhost. Set to 0.0.0.0 to bind to all available interfaces.
- #var.syslog_host: localhost
-
- # The port to listen for syslog traffic. Defaults to 9006.
- #var.syslog_port: 9006
diff --git a/salt/filebeat/modules/kafka.yml.disabled b/salt/filebeat/modules/kafka.yml.disabled
deleted file mode 100644
index 23362c8a1..000000000
--- a/salt/filebeat/modules/kafka.yml.disabled
+++ /dev/null
@@ -1,15 +0,0 @@
-# Module: kafka
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kafka.html
-
-- module: kafka
- # All logs
- log:
- enabled: true
-
- # Set custom paths for Kafka. If left empty,
- # Filebeat will look under /opt.
- #var.kafka_home:
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/kibana.yml.disabled b/salt/filebeat/modules/kibana.yml.disabled
deleted file mode 100644
index a4956c4b6..000000000
--- a/salt/filebeat/modules/kibana.yml.disabled
+++ /dev/null
@@ -1,19 +0,0 @@
-# Module: kibana
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-kibana.html
-
-- module: kibana
- # Server logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Audit logs
- audit:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/logstash.yml.disabled b/salt/filebeat/modules/logstash.yml.disabled
deleted file mode 100644
index f14229409..000000000
--- a/salt/filebeat/modules/logstash.yml.disabled
+++ /dev/null
@@ -1,18 +0,0 @@
-# Module: logstash
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-logstash.html
-
-- module: logstash
- # logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Slow logs
- slowlog:
- enabled: true
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/microsoft.yml.disabled b/salt/filebeat/modules/microsoft.yml.disabled
deleted file mode 100644
index b0a1b10c6..000000000
--- a/salt/filebeat/modules/microsoft.yml.disabled
+++ /dev/null
@@ -1,49 +0,0 @@
-# Module: microsoft
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-microsoft.html
-
-- module: microsoft
- # ATP configuration
- defender_atp:
- enabled: true
- # How often the API should be polled
- #var.interval: 5m
-
- # Oauth Client ID
- #var.oauth2.client.id: ""
-
- # Oauth Client Secret
- #var.oauth2.client.secret: ""
-
- # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
- m365_defender:
- enabled: true
- # How often the API should be polled
- #var.interval: 5m
-
- # Oauth Client ID
- #var.oauth2.client.id: ""
-
- # Oauth Client Secret
- #var.oauth2.client.secret: ""
-
- # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
- dhcp:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9515
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/misp.yml.disabled b/salt/filebeat/modules/misp.yml.disabled
deleted file mode 100644
index 9a489fa0f..000000000
--- a/salt/filebeat/modules/misp.yml.disabled
+++ /dev/null
@@ -1,17 +0,0 @@
-# Module: misp
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-misp.html
-
-- module: misp
- threat:
- enabled: true
- # API key to access MISP
- #var.api_key
-
- # Array object in MISP response
- #var.http_request_body.limit: 1000
-
- # URL of the MISP REST API
- #var.url
-
- # You can also pass SSL options. For example:
- #var.ssl.verification_mode: none
diff --git a/salt/filebeat/modules/mongodb.yml.disabled b/salt/filebeat/modules/mongodb.yml.disabled
deleted file mode 100644
index 266d2e4e8..000000000
--- a/salt/filebeat/modules/mongodb.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: mongodb
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mongodb.html
-
-- module: mongodb
- # All logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/mssql.yml.disabled b/salt/filebeat/modules/mssql.yml.disabled
deleted file mode 100644
index bfe4c6e64..000000000
--- a/salt/filebeat/modules/mssql.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: mssql
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mssql.html
-
-- module: mssql
- # Fileset for native deployment
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths: ['C:\Program Files\Microsoft SQL Server\MSSQL.150\MSSQL\LOG\ERRORLOG*']
diff --git a/salt/filebeat/modules/mysql.yml.disabled b/salt/filebeat/modules/mysql.yml.disabled
deleted file mode 100644
index e6be4045b..000000000
--- a/salt/filebeat/modules/mysql.yml.disabled
+++ /dev/null
@@ -1,19 +0,0 @@
-# Module: mysql
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysql.html
-
-- module: mysql
- # Error logs
- error:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Slow logs
- slowlog:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/mysqlenterprise.yml.disabled b/salt/filebeat/modules/mysqlenterprise.yml.disabled
deleted file mode 100644
index 37e10d0eb..000000000
--- a/salt/filebeat/modules/mysqlenterprise.yml.disabled
+++ /dev/null
@@ -1,14 +0,0 @@
-# Module: mysqlenterprise
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-mysqlenterprise.html
-
-- module: mysqlenterprise
- audit:
- enabled: true
-
- # Sets the input type. Currently only supports file
- #var.input: file
-
- # Set paths for the log files when file input is used.
- # Should only be used together with file input
- # var.paths:
- # - /home/user/mysqlauditlogs/audit.*.log
diff --git a/salt/filebeat/modules/nats.yml.disabled b/salt/filebeat/modules/nats.yml.disabled
deleted file mode 100644
index 65e44962d..000000000
--- a/salt/filebeat/modules/nats.yml.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-# Module: nats
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nats.html
-
-- module: nats
- # All logs
- log:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/netflow.yml.disabled b/salt/filebeat/modules/netflow.yml.disabled
deleted file mode 100644
index 781748b00..000000000
--- a/salt/filebeat/modules/netflow.yml.disabled
+++ /dev/null
@@ -1,14 +0,0 @@
-# Module: netflow
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netflow.html
-
-- module: netflow
- log:
- enabled: true
- var:
- netflow_host: localhost
- netflow_port: 2055
- # internal_networks specifies which networks are considered internal or private
- # you can specify either a CIDR block or any of the special named ranges listed
- # at: https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
- internal_networks:
- - private
diff --git a/salt/filebeat/modules/netscout.yml.disabled b/salt/filebeat/modules/netscout.yml.disabled
deleted file mode 100644
index 215349046..000000000
--- a/salt/filebeat/modules/netscout.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: netscout
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-netscout.html
-
-- module: netscout
- sightline:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9502
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/modules/nginx.yml.disabled b/salt/filebeat/modules/nginx.yml.disabled
deleted file mode 100644
index e2fa44a78..000000000
--- a/salt/filebeat/modules/nginx.yml.disabled
+++ /dev/null
@@ -1,27 +0,0 @@
-# Module: nginx
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-nginx.html
-
-- module: nginx
- # Access logs
- access:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Error logs
- error:
- enabled: true
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
-
- # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
- ingress_controller:
- enabled: false
-
- # Set custom paths for the log files. If left empty,
- # Filebeat will choose the paths depending on your OS.
- #var.paths:
diff --git a/salt/filebeat/modules/o365.yml.disabled b/salt/filebeat/modules/o365.yml.disabled
deleted file mode 100644
index 578ff365d..000000000
--- a/salt/filebeat/modules/o365.yml.disabled
+++ /dev/null
@@ -1,48 +0,0 @@ -# Module: o365 -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-o365.html - -- module: o365 - audit: - enabled: true - - # Set the application_id (also known as client ID): - var.application_id: "" - - # Configure the tenants to monitor: - # Use the tenant ID (also known as directory ID) and the domain name. - # var.tenants: - # - id: "tenant_id_1" - # name: "mydomain.onmicrosoft.com" - # - id: "tenant_id_2" - # name: "mycompany.com" - var.tenants: - - id: "" - name: "mytenant.onmicrosoft.com" - - # List of content-types to fetch. By default all known content-types - # are retrieved: - # var.content_type: - # - "Audit.AzureActiveDirectory" - # - "Audit.Exchange" - # - "Audit.SharePoint" - # - "Audit.General" - # - "DLP.All" - - # Use the following settings to enable certificate-based authentication: - # var.certificate: "/path/to/certificate.pem" - # var.key: "/path/to/private_key.pem" - # var.key_passphrase: "myPrivateKeyPassword" - - # Client-secret based authentication: - # Comment the following line if using certificate authentication. - var.client_secret: "" - - # Advanced settings, use with care: - # var.api: - # # Settings for custom endpoints: - # authentication_endpoint: "https://login.microsoftonline.us/" - # resource: "https://manage.office365.us" - # - # max_retention: 168h - # max_requests_per_minute: 2000 - # poll_interval: 3m diff --git a/salt/filebeat/modules/okta.yml.disabled b/salt/filebeat/modules/okta.yml.disabled deleted file mode 100644 index 4fc943592..000000000 --- a/salt/filebeat/modules/okta.yml.disabled +++ /dev/null @@ -1,10 +0,0 @@ -# Module: okta -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-okta.html - -- module: okta - system: - enabled: true - # You must configure the URL with your Okta domain and provide an - # API token to access the logs API. - #var.url: https://yourOktaDomain/api/v1/logs - #var.api_key: 'yourApiTokenHere' 
diff --git a/salt/filebeat/modules/oracle.yml.disabled b/salt/filebeat/modules/oracle.yml.disabled deleted file mode 100644 index 3bd576ee1..000000000 --- a/salt/filebeat/modules/oracle.yml.disabled +++ /dev/null @@ -1,13 +0,0 @@ -# Module: oracle -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-oracle.html - -- module: oracle - database_audit: - enabled: true - - # Set which input to use between syslog or file (default). - #var.input: file - - # Set paths for the log files when file input is used. - # Should only be used together with file input - # var.paths: /home/user/oracleauditlogs/*.aud diff --git a/salt/filebeat/modules/osquery.yml.disabled b/salt/filebeat/modules/osquery.yml.disabled deleted file mode 100644 index 7a9a09dd8..000000000 --- a/salt/filebeat/modules/osquery.yml.disabled +++ /dev/null @@ -1,15 +0,0 @@ -# Module: osquery -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-osquery.html - -- module: osquery - result: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - # If true, all fields created by this module are prefixed with - # `osquery.result`. Set to false to copy the fields in the root - # of the document. The default is true. - #var.use_namespace: true diff --git a/salt/filebeat/modules/panw.yml.disabled b/salt/filebeat/modules/panw.yml.disabled deleted file mode 100644 index eb094a25a..000000000 --- a/salt/filebeat/modules/panw.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: panw -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-panw.html - -- module: panw - panos: - enabled: true - - # Set which input to use between syslog (default) or file. - #var.input: - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - # Set internal security zones. used to determine network.direction - # default "trust" - #var.internal_zones: - - # Set external security zones. used to determine network.direction - # default "untrust" - #var.external_zones: - diff --git a/salt/filebeat/modules/pensando.yml.disabled b/salt/filebeat/modules/pensando.yml.disabled deleted file mode 100644 index 66bd60d76..000000000 --- a/salt/filebeat/modules/pensando.yml.disabled +++ /dev/null @@ -1,13 +0,0 @@ -# Module: pensando -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-pensando.html - -- module: pensando -# Firewall logs - dfw: - enabled: true - var.syslog_host: 0.0.0.0 - var.syslog_port: 9001 - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - # var.paths: diff --git a/salt/filebeat/modules/postgresql.yml.disabled b/salt/filebeat/modules/postgresql.yml.disabled deleted file mode 100644 index 804b7f34f..000000000 --- a/salt/filebeat/modules/postgresql.yml.disabled +++ /dev/null @@ -1,11 +0,0 @@ -# Module: postgresql -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-postgresql.html - -- module: postgresql - # All logs - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/proofpoint.yml.disabled b/salt/filebeat/modules/proofpoint.yml.disabled deleted file mode 100644 index 9aeebd5fe..000000000 --- a/salt/filebeat/modules/proofpoint.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: proofpoint -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-proofpoint.html - -- module: proofpoint - emailsecurity: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9531 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/rabbitmq.yml.disabled b/salt/filebeat/modules/rabbitmq.yml.disabled deleted file mode 100644 index e61a0a0c9..000000000 --- a/salt/filebeat/modules/rabbitmq.yml.disabled +++ /dev/null @@ -1,11 +0,0 @@ -# Module: rabbitmq -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-rabbitmq.html - -- module: rabbitmq - # All logs - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] diff --git a/salt/filebeat/modules/radware.yml.disabled b/salt/filebeat/modules/radware.yml.disabled deleted file mode 100644 index f9ab3e519..000000000 --- a/salt/filebeat/modules/radware.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: radware -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-radware.html - -- module: radware - defensepro: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9518 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/redis.yml.disabled b/salt/filebeat/modules/redis.yml.disabled deleted file mode 100644 index 9b621dc2d..000000000 --- a/salt/filebeat/modules/redis.yml.disabled +++ /dev/null @@ -1,21 +0,0 @@ -# Module: redis -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-redis.html - -- module: redis - # Main logs - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: ["/var/log/redis/redis-server.log*"] - - # Slow logs, retrieved via the Redis API (SLOWLOG) - slowlog: - enabled: true - - # The Redis hosts to connect to. - #var.hosts: ["localhost:6379"] - - # Optional, the password to use when connecting to Redis. - #var.password: diff --git a/salt/filebeat/modules/santa.yml.disabled b/salt/filebeat/modules/santa.yml.disabled deleted file mode 100644 index 1a7363547..000000000 --- a/salt/filebeat/modules/santa.yml.disabled +++ /dev/null @@ -1,9 +0,0 @@ -# Module: santa -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-santa.html - -- module: santa - log: - enabled: true - # Set custom paths for the log files. If left empty, - # Filebeat will choose the the default path. - #var.paths: 
diff --git a/salt/filebeat/modules/snort.yml.disabled b/salt/filebeat/modules/snort.yml.disabled deleted file mode 100644 index 8c9bcc471..000000000 --- a/salt/filebeat/modules/snort.yml.disabled +++ /dev/null @@ -1,22 +0,0 @@ -# Module: snort -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snort.html - -- module: snort - log: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9532 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/snyk.yml.disabled b/salt/filebeat/modules/snyk.yml.disabled deleted file mode 100644 index 0b13f8155..000000000 --- a/salt/filebeat/modules/snyk.yml.disabled +++ /dev/null 
@@ -1,112 +0,0 @@ -# Module: snyk -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-snyk.html - -- module: snyk - audit: - enabled: true - - # Set which input to use between httpjson (default) or file. - #var.input: httpjson - # - # What audit type to collect, can be either "group" or "organization". - #var.audit_type: organization - # - # The ID related to the audit_type. If audit type is group, then this value should be - # the group ID and if it is organization it should be the organization ID to collect from. - #var.audit_id: 1235432-asdfdf-2341234-asdgjhg - - # How often the API should be polled, defaults to 1 hour. - #var.interval: 1h - # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc). - #var.first_interval: 24h - - # The API token that is created for a specific user, found in the Snyk management dashboard. - #var.api_token: - - # Event filtering. - # All configuration items below is OPTIONAL and the default options will be overwritten - # for each entry that is not commented out. - - # Will return only logs for this specific project. - #var.project_id: "" - # User public ID. Will fetch only audit logs originated from this user's actions. - #var.user_id: "" - # Will return only logs for this specific event. - #var.event: "" - # User email address. Will fetch only audit logs originated from this user's actions. - #var.email_address: "" - - vulnerabilities: - enabled: true - - # Set which input to use between httpjson (default) or file. - #var.input: httpjson - - # How often the API should be polled. Data from the Snyk API is automatically updated - # once per day, so the default interval is 24 hours. - #var.interval: 24h - - # How far to look back the first time the module starts up. (Only works with full days, 24 hours, 48 hours etc). - #var.first_interval: 24h - - # The API token that is created for a specific user, found in the Snyk management dashboard. 
- #var.api_token: - - # The list of org IDs to filter the results by. - # One organization ID per line, starting with a - sign - #var.orgs: - # - 12354-asdfdf-123543-asdsdfg - # - 76554-jhggfd-654342-hgrfasd - - - # Event filtering. - # All configuration items below is OPTIONAL and the default options will be overwritten - # for each entry that is not commented out. - - # The severity levels of issues to filter the results by. - #var.included_severity: - # - high - # - medium - # - low - # - # The exploit maturity levels of issues to filter the results by. - #var.exploit_maturity: - # - mature - # - proof-of-concept - # - no-known-exploit - # - no-data - # - # The type of issues to filter the results by. - #var.types: - # - vuln - # - license - # - # The type of languages to filter the results by. - #var.languages: - # - javascript - # - ruby - # - java - # - scala - # - python - # - golang - # - php - # - dotnet - # - swift - # - docker - # - # Search term to filter issue name by, or an exact CVE or CWE. - #var.identifier: - # - "" - # - # If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored. - #var.ignored: false - #var.patched: false - #var.fixable: false - #var.is_fixed: false - #var.is_patchable: false - #var.is_pinnable: false - # - # The priority score ranging between 0-1000 - #var.min_priority_score: 0 - #var.max_priority_score: 1000 - diff --git a/salt/filebeat/modules/sonicwall.yml.disabled b/salt/filebeat/modules/sonicwall.yml.disabled deleted file mode 100644 index de457109d..000000000 --- a/salt/filebeat/modules/sonicwall.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: sonicwall -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sonicwall.html - -- module: sonicwall - firewall: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9519 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/sophos.yml.disabled b/salt/filebeat/modules/sophos.yml.disabled deleted file mode 100644 index 8fc346540..000000000 --- a/salt/filebeat/modules/sophos.yml.disabled +++ /dev/null 
@@ -1,46 +0,0 @@ -# Module: sophos -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-sophos.html - -- module: sophos - xg: - enabled: true - - # Set which input to use between tcp, udp (default) or file. - #var.input: udp - - # The interface to listen to syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The port to listen for syslog traffic. Defaults to 9004. - #var.syslog_port: 9005 - - # firewall default hostname - #var.default_host_name: firewall.localgroup.local - - # known firewalls - #var.known_devices: - #- serial_number: "1234567890123457" - # hostname: "a.host.local" - #- serial_number: "1234234590678557" - # hostname: "b.host.local" - - - utm: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9533 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/squid.yml.disabled b/salt/filebeat/modules/squid.yml.disabled deleted file mode 100644 index a47807253..000000000 --- a/salt/filebeat/modules/squid.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: squid -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-squid.html - -- module: squid - log: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9520 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/suricata.yml b/salt/filebeat/modules/suricata.yml deleted file mode 100644 index b7cc11e85..000000000 --- a/salt/filebeat/modules/suricata.yml +++ /dev/null @@ -1,12 +0,0 @@ -# Module: suricata -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html - -- module: suricata - # All logs - eve: - enabled: true - var.paths: ["/nsm/suricata/eve*.json"] - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/system.yml.disabled b/salt/filebeat/modules/system.yml.disabled deleted file mode 100644 index d633bac04..000000000 --- a/salt/filebeat/modules/system.yml.disabled +++ /dev/null @@ -1,19 +0,0 @@ -# Module: system -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-system.html - -- module: system - # Syslog - syslog: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - - # Authorization logs - auth: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/threatintel.yml.disabled b/salt/filebeat/modules/threatintel.yml.disabled deleted file mode 100644 index b461d91e2..000000000 
--- a/salt/filebeat/modules/threatintel.yml.disabled +++ /dev/null 
@@ -1,105 +0,0 @@ -# Module: threatintel -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-threatintel.html - -- module: threatintel - abuseurl: - enabled: true - - # Input used for ingesting threat intel data. - var.input: httpjson - - # The URL used for Threat Intel API calls. - var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ - - # The interval to poll the API for updates. - var.interval: 10m - - abusemalware: - enabled: true - - # Input used for ingesting threat intel data. - var.input: httpjson - - # The URL used for Threat Intel API calls. - var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ - - # The interval to poll the API for updates. - var.interval: 10m - - misp: - enabled: true - - # Input used for ingesting threat intel data, defaults to JSON. - var.input: httpjson - - # The URL of the MISP instance, should end with "/events/restSearch". - var.url: https://SERVER/events/restSearch - - # The authentication token used to contact the MISP API. Found when looking at user account in the MISP UI. - var.api_token: API_KEY - - # Configures the type of SSL verification done, if MISP is running on self signed certificates - # then the certificate would either need to be trusted, or verification_mode set to none. - #var.ssl.verification_mode: none - - # Optional filters that can be applied to the API for filtering out results. This should support the majority of fields in a MISP context. - # For examples please reference the filebeat module documentation. - #var.filters: - # - threat_level: [4, 5] - # - to_ids: true - - # How far back to look once the beat starts up for the first time, the value has to be in hours. Each request afterwards will filter on any event newer - # than the last event that was already ingested. - var.first_interval: 300h - - # The interval to poll the API for updates. 
- var.interval: 5m - - otx: - enabled: true - - # Input used for ingesting threat intel data - var.input: httpjson - - # The URL used for OTX Threat Intel API calls. - var.url: https://otx.alienvault.com/api/v1/indicators/export - - # The authentication token used to contact the OTX API, can be found on the OTX UI. - var.api_token: API_KEY - - # Optional filters that can be applied to retrieve only specific indicators. - #var.types: "domain,IPv4,hostname,url,FileHash-SHA256" - - # The timeout of the HTTP client connecting to the OTX API - #var.http_client_timeout: 120s - - # How many hours to look back for each request, should be close to the configured interval. Deduplication of events is handled by the module. - var.lookback_range: 1h - - # How far back to look once the beat starts up for the first time, the value has to be in hours. - var.first_interval: 400h - - # The interval to poll the API for updates - var.interval: 5m - - anomali: - enabled: true - - # Input used for ingesting threat intel data - var.input: httpjson - - # The URL used for Threat Intel API calls. Limo has multiple different possibilities for URL's depending - # on the type of threat intel source that is needed. - var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects - - # The Username used by anomali Limo, defaults to guest. - #var.username: guest - - # The password used by anomali Limo, defaults to guest. - #var.password: guest - - # How far back to look once the beat starts up for the first time, the value has to be in hours. - var.first_interval: 400h - - # The interval to poll the API for updates - var.interval: 5m diff --git a/salt/filebeat/modules/tomcat.yml.disabled b/salt/filebeat/modules/tomcat.yml.disabled deleted file mode 100644 index 84f4619d5..000000000 --- a/salt/filebeat/modules/tomcat.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: tomcat -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-tomcat.html - -- module: tomcat - log: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9501 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/salt/filebeat/modules/traefik.yml.disabled b/salt/filebeat/modules/traefik.yml.disabled deleted file mode 100644 index 657d5ccd9..000000000 --- a/salt/filebeat/modules/traefik.yml.disabled +++ /dev/null @@ -1,11 +0,0 @@ -# Module: traefik -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-traefik.html - -- module: traefik - # Access logs - access: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/zeek.yml b/salt/filebeat/modules/zeek.yml deleted file mode 100644 index 9fd61c448..000000000 --- a/salt/filebeat/modules/zeek.yml +++ /dev/null 
@@ -1,122 +0,0 @@ -# Module: zeek -# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html - -- module: zeek - capture_loss: - enabled: false - var.paths: ["/nsm/zeek/logs/current/capture_loss.log"] - connection: - enabled: true - var.paths: ["/nsm/zeek/logs/current/conn.log"] - dce_rpc: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dce_rpc.log"] - dhcp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dhcp.log"] - dnp3: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dnp3.log"] - dns: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dns.log"] - dpd: - enabled: true - var.paths: ["/nsm/zeek/logs/current/dpd.log"] - files: - enabled: true - var.paths: ["/nsm/zeek/logs/current/files.log"] - ftp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ftp.log"] - http: - enabled: true - var.paths: ["/nsm/zeek/logs/current/http.log"] - intel: - enabled: true - var.paths: ["/nsm/zeek/logs/current/intel.log"] - irc: - enabled: true - var.paths: ["/nsm/zeek/logs/current/irc.log"] - kerberos: - enabled: true - var.paths: ["/nsm/zeek/logs/current/kerberos.log"] - modbus: - enabled: true - var.paths: ["/nsm/zeek/logs/current/modbus.log"] - mysql: - enabled: true - var.paths: ["/nsm/zeek/logs/current/mysql.log"] - notice: - enabled: true - var.paths: ["/nsm/zeek/logs/current/notice.log"] - ntlm: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ntlm.log"] - ocsp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/oscp.log"] - pe: - enabled: true - var.paths: ["/nsm/zeek/logs/current/pe.log"] - radius: - enabled: true - var.paths: ["/nsm/zeek/logs/current/radius.log"] - rdp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/rdp.log"] - rfb: - enabled: true - var.paths: ["/nsm/zeek/logs/current/rfb.log"] - signature: - enabled: true - var.paths: ["/nsm/zeek/logs/current/signature.log"] - sip: - enabled: true - var.paths: ["/nsm/zeek/logs/current/sip.log"] - smb_cmd: - enabled: true - var.paths: 
["/nsm/zeek/logs/current/smb_cmd.log"] - smb_files: - enabled: true - var.paths: ["/nsm/zeek/logs/current/smb_files.log"] - smb_mapping: - enabled: true - var.paths: ["/nsm/zeek/logs/current/smb_mapping.log"] - smtp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/smtp.log"] - snmp: - enabled: true - var.paths: ["/nsm/zeek/logs/current/snmp.log"] - socks: - enabled: true - var.paths: ["/nsm/zeek/logs/current/socks.log"] - ssh: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ssh.log"] - ssl: - enabled: true - var.paths: ["/nsm/zeek/logs/current/ssl.log"] - stats: - enabled: false - var.paths: ["/nsm/zeek/logs/current/stats.log"] - syslog: - enabled: false - var.paths: ["/nsm/zeek/logs/current/syslog.log"] - traceroute: - enabled: false - var.paths: ["/nsm/zeek/logs/current/traceroute.log.log"] - tunnel: - enabled: true - var.paths: ["/nsm/zeek/logs/current/tunnel.log"] - weird: - enabled: true - var.paths: ["/nsm/zeek/logs/current/weird.log"] - x509: - enabled: true - var.paths: ["/nsm/zeek/logs/current/x509.log"] - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: diff --git a/salt/filebeat/modules/zoom.yml.disabled b/salt/filebeat/modules/zoom.yml.disabled deleted file mode 100644 index 15fa9d4b2..000000000 --- a/salt/filebeat/modules/zoom.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@
-# Module: zoom
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zoom.html
-
-- module: zoom
- webhook:
- enabled: true
-
- # The type of input to use
- #var.input: http_endpoint
-
- # The interface to listen for incoming HTTP requests. Defaults to
- # localhost. Set to 0.0.0.0 to bind to all available interfaces.
- #var.listen_address: localhost
-
- # The port to bind to
- #var.listen_port: 80
-
- # The header Zoom uses to send its secret token, defaults to "Authorization"
- #secret.header: Authorization
-
- # The secret token value created by Zoom
- #secret.value: ZOOMTOKEN
diff --git a/salt/filebeat/modules/zscaler.yml.disabled b/salt/filebeat/modules/zscaler.yml.disabled
deleted file mode 100644
index accdec9ea..000000000
--- a/salt/filebeat/modules/zscaler.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: zscaler
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zscaler.html
-
-- module: zscaler
- zia:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9521
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index 8bcecd618..19826a708 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -26,7 +26,7 @@ securityonion_filebeat:
 zeek:
 {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
 {{ LOGNAME }}:
- enabled: false
+ enabled: true
 var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
 {%- endfor %}
 {%- endif %}
From dfaf40f58359ab0896c84a47dc85c4b5d5d27280 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 25 May 2021 17:14:26 -0400
Subject: [PATCH 19/59] add zeekloglookup to translate zeeklogs to filebeat filesets
---
 salt/filebeat/init.sls | 1 -
 salt/filebeat/map.jinja | 4 ++++
 salt/filebeat/securityoniondefaults.yaml | 11 +++++++++--
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index b1a91b133..7850f4eb6 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -23,7 +23,6 @@
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
-
 filebeatetcdir:
 file.directory:
 - name: /opt/so/conf/filebeat/etc
diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja
index 6ae6e7cff..b5df8fea5 100644
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -4,3 +4,7 @@
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
 {% set SO = SODEFAULTS.securityonion_filebeat %}
 {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
+
+{% set ZEEKLOGLOOKUP = {
+ 'conn': 'connection',
+} %}
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index 8bcecd618..300e7f42f 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -1,4 +1,6 @@
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
+{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %}
+
 securityonion_filebeat:
 modules:
 elasticsearch:
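Review bot: The dict added at the end of map.jinja is imported back into securityoniondefaults.yaml by the next hunk (`{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %}`) while map.jinja itself does `{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}` two lines above it, so the two templates now depend on each other; PATCH 20 in this series resolves that by defining the dict in the yaml instead. Wherever the dict ends up, a short comment would save the next reader a lookup, e.g. `{# Zeek log names whose Filebeat zeek fileset is named differently; anything not listed maps to itself #}`. The same comment applies to the PATCH 20 hunk that moves the dict into securityoniondefaults.yaml.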
@@ -25,9 +27,14 @@ securityonion_filebeat:
 {%- if ZEEKVER != 'SURICATA' %}
 zeek:
 {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
- {{ LOGNAME }}:
+ {% if LOGNAME in ZEEKLOGLOOKUP.keys() %}
+ {% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %}
+ {% else %}
+ {% set FILESET = LOGNAME %}
+ {% endif %}
+ {{ FILESET }}:
 enabled: false
 var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
 {%- endfor %}
 {%- endif %}
- {%- endif %}
\ No newline at end of file
+ {%- endif %}
From 525d4325c7530e4e137b956a954c523c868651d9 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 25 May 2021 17:18:58 -0400
Subject: [PATCH 20/59] define ZEEKLOGLOOKUP in the yaml
---
 salt/filebeat/map.jinja | 4 ----
 salt/filebeat/securityoniondefaults.yaml | 4 +++-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja
index b5df8fea5..6ae6e7cff 100644
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -4,7 +4,3 @@
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
 {% set SO = SODEFAULTS.securityonion_filebeat %}
 {#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
-
-{% set ZEEKLOGLOOKUP = {
- 'conn': 'connection',
-} %}
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index 58eef8361..0a1459d6b 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -1,5 +1,7 @@
 {%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
-{% from 'filebeat/map.jinja' import ZEEKLOGLOOKUP with context %}
+{% set ZEEKLOGLOOKUP = {
+ 'conn': 'connection',
+} %}
 securityonion_filebeat:
 modules:
From 34d4eedf672cb523942c14f16c8a57ef1036fbe9 Mon Sep 17 00:00:00 2001
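Review bot: The five-line `if`/`else`/`set` block that picks FILESET collapses to a single `{%- set FILESET = ZEEKLOGLOOKUP.get(LOGNAME, LOGNAME) %}`, and the `.keys()` in the membership test is redundant because `in` on a dict already tests its keys. The new tags also use `{%` where the surrounding `for`/`endfor` use `{%-`, so every loop iteration leaves whitespace-only lines in the rendered YAML — harmless to the parser, but inconsistent with the rest of the file. Note that a log name absent from the lookup still passes straight through as the fileset name, so any further mismatch between a pillar `zeeklogs:enabled` entry and Filebeat's zeek fileset names (the deleted zeek.yml earlier on this page lists them) would only surface when Filebeat loads the rendered module config.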
From: Mike Reeves
Date: Wed, 26 May 2021 10:11:47 -0400
Subject: [PATCH 21/59] Remove old modules
---
 salt/common/tools/sbin/so-filebeat-module-setup | 8 +++++++-
 salt/common/tools/sbin/so-zeek-logs | 6 ------
 salt/filebeat/etc/module_config.yml.jinja | 2 +-
 salt/filebeat/securityoniondefaults.yaml | 2 ++
 salt/filebeat/thirdpartydefaults.yaml | 17 -----------------
 salt/zeek/init.sls | 2 ++
 setup/so-functions | 6 ------
 setup/so-whiptail | 6 ------
 8 files changed, 12 insertions(+), 37 deletions(-)
diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup
index 6616854eb..5aefe3ac2 100755
--- a/salt/common/tools/sbin/so-filebeat-module-setup
+++ b/salt/common/tools/sbin/so-filebeat-module-setup
@@ -49,6 +49,12 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then fi echo "Setting up ingest pipeline(s)" -docker exec -it so-filebeat filebeat setup modules -pipelines -modules activemq,apache,auditd,aws,azure,barracuda,bluecoat,cef,checkpoint,cisco,coredns,crowdstrike,cyberark,cylance,elasticsearch,envoyproxy,f5,fortinet,gcp,google_workspace,googlecloud,gsuite,haproxy,ibmmq,icinga,iis,imperva,infoblox,iptables,juniper,kafka,kibana,logstash,microsoft,misp,mondogb,mssql,mysql,mysqlenterprise,nats,netflow,netscout,nginx,o365,okta,osquery,panw,pensando,postgresql,rabbitmq,radware,redis,santa,snort,snyk,sonicwall,sophos,squid,suricata,system,threatintel,tomcat,traefik,zeek,zoom,zscaler -c $FB_MODULE_YML + +for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler +do + echo "Loading $MODULE" + docker exec -it so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML + sleep 2 +done diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs index 551213580..521f7c9dc 100755 --- a/salt/common/tools/sbin/so-zeek-logs +++ b/salt/common/tools/sbin/so-zeek-logs @@ -14,7 +14,6 @@ whiptail_manager_adv_service_zeeklogs() { "conn" "Connection Logging" ON \ "dce_rpc" "RPC Logs" ON \ "dhcp" "DHCP Logs" ON \ - "dhcpv6" "DHCP IPv6 Logs" ON \ "dnp3" "DNP3 Logs" ON \ "dns" "DNS Logs" ON \ "dpd" "DPD Logs" ON \ 
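Review bot: The per-module `docker exec` in the new loop discards its exit status, so a module whose pipeline fails to install is only visible by reading the output and the script still finishes successfully; `docker exec -it so-filebeat filebeat setup modules -pipelines -modules "$MODULE" -c "$FB_MODULE_YML" || echo "Failed to load $MODULE" >&2` keeps the loop going while making the failure visible. The `-t` flag also requires a TTY, which this script will not have when Salt invokes it, so `-i` alone is the safer choice. The `sleep 2` between roughly sixty modules adds about two minutes to every run; a comment on why the delay is needed would help the next maintainer.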
@@ -25,25 +24,20 @@ whiptail_manager_adv_service_zeeklogs() { "irc" "IRC Chat Logs" ON \ "kerberos" "Kerberos Logs" ON \ "modbus" "MODBUS Logs" ON \ - "mqtt" "MQTT Logs" ON \ "notice" "Zeek Notice Logs" ON \ "ntlm" "NTLM Logs" ON \ - "openvpn" "OPENVPN Logs" ON \ "pe" "PE Logs" ON \ "radius" "Radius Logs" ON \ "rfb" "RFB Logs" ON \ "rdp" "RDP Logs" ON \ - "signatures" "Signatures Logs" ON \ "sip" "SIP Logs" ON \ "smb_files" "SMB Files Logs" ON \ "smb_mapping" "SMB Mapping Logs" ON \ "smtp" "SMTP Logs" ON \ "snmp" "SNMP Logs" ON \ - "software" "Software Logs" ON \ "ssh" "SSH Logs" ON \ "ssl" "SSL Logs" ON \ "syslog" "Syslog Logs" ON \ - "telnet" "Telnet Logs" ON \ "tunnel" "Tunnel Logs" ON \ "weird" "Zeek Weird Logs" ON \ "mysql" "MySQL Logs" ON \ diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja index 7cd624895..8f4fbd7bf 100644 --- a/salt/filebeat/etc/module_config.yml.jinja +++ b/salt/filebeat/etc/module_config.yml.jinja @@ -3,7 +3,7 @@ - module: {{ module }} {%- for fileset in MODULES.modules[module] %} {{ fileset }}: - enabled: {{ MODULES.modules[module][fileset].enabled }} + enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }} {#- only manage the settings if the fileset is enabled #} {%- if MODULES.modules[module][fileset].enabled %} {%- for var, value in MODULES.modules[module][fileset].items() %} diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index 0a1459d6b..f503e5de1 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml @@ -21,6 +21,8 @@ securityonion_filebeat: log: enabled: true var.paths: ["/logs/redis.log"] + slowlog: + enabled: false suricata: eve: enabled: true diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml index cfb8d10d9..1b378f84b 100644 --- a/salt/filebeat/thirdpartydefaults.yaml +++ b/salt/filebeat/thirdpartydefaults.yaml 
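Review bot: The `|string|lower` filter added to `enabled:` in the module_config.yml.jinja hunk carries no comment explaining why it is there; Salt's import_yaml hands the template Python booleans, which render as `True`/`False`, so a Jinja comment `{#- import_yaml yields Python bools that render as True/False; normalise to YAML true/false #}` would stop someone removing it as redundant. Note that a fileset without an `enabled` key would presumably now render as an empty string rather than failing loudly, which is worth confirming against the `{%- if ... .enabled %}` guard below it.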
@@ -199,12 +199,6 @@ third_party_filebeat: okta: system: enabled: false - pesando: - dfw: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9001 proofpoint: emailsecurity: enabled: false @@ -251,17 +245,6 @@ third_party_filebeat: var.input: udp var.syslog_host: 0.0.0.0 var.syslog_port: 9520 - threatintel: - abuseurl: - enabled: false - abusemalware: - enabled: false - misp: - enabled: false - otx: - enabled: false - anomali: - enabled: false tomcat: log: enabled: false diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 4e597f597..ce0d6dccd 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -183,6 +183,8 @@ so-zeek: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} - start: {{ START }} - privileged: True + - ulimits: + - core=0 - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw - /nsm/zeek/spool:/nsm/zeek/spool:rw diff --git a/setup/so-functions b/setup/so-functions index 5ce3d6dee..aefaa2cd5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2827,7 +2827,6 @@ zeek_logs_enabled() { " - conn"\ " - dce_rpc"\ " - dhcp"\ - " - dhcpv6"\ " - dnp3"\ " - dns"\ " - dpd"\ @@ -2838,25 +2837,20 @@ zeek_logs_enabled() { " - irc"\ " - kerberos"\ " - modbus"\ - " - mqtt"\ " - notice"\ " - ntlm"\ - " - openvpn"\ " - pe"\ " - radius"\ " - rfb"\ " - rdp"\ - " - signatures"\ " - sip"\ " - smb_files"\ " - smb_mapping"\ " - smtp"\ " - snmp"\ - " - software"\ " - ssh"\ " - ssl"\ " - syslog"\ - " - telnet"\ " - tunnel"\ " - weird"\ " - mysql"\ diff --git a/setup/so-whiptail b/setup/so-whiptail index 5eca2d39a..fdcc4acc9 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1154,7 +1154,6 @@ whiptail_manager_adv_service_zeeklogs() { "conn" "Connection Logging" ON \ "dce_rpc" "RPC Logs" ON \ "dhcp" "DHCP Logs" ON \ - "dhcpv6" "DHCP IPv6 Logs" ON \ "dnp3" "DNP3 Logs" ON \ "dns" "DNS Logs" ON \ "dpd" "DPD Logs" ON \ 
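Review bot: The new `- ulimits: - core=0` on the so-zeek container has no comment saying why core dumps are being disabled; presumably it is to stop a crashing Zeek from writing large core files, which would include captured packet contents, under the bind-mounted /nsm paths, but that should be stated in the state rather than inferred. Suggest `# core=0: no core dumps on crash; they are large and would hold packet data` directly above the `ulimits` entry. The `so-zeek` state continues outside this hunk.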
@@ -1165,25 +1164,20 @@ whiptail_manager_adv_service_zeeklogs() { "irc" "IRC Chat Logs" ON \ "kerberos" "Kerberos Logs" ON \ "modbus" "MODBUS Logs" ON \ - "mqtt" "MQTT Logs" ON \ "notice" "Zeek Notice Logs" ON \ "ntlm" "NTLM Logs" ON \ - "openvpn" "OPENVPN Logs" ON \ "pe" "PE Logs" ON \ "radius" "Radius Logs" ON \ "rfb" "RFB Logs" ON \ "rdp" "RDP Logs" ON \ - "signatures" "Signatures Logs" ON \ "sip" "SIP Logs" ON \ "smb_files" "SMB Files Logs" ON \ "smb_mapping" "SMB Mapping Logs" ON \ "smtp" "SMTP Logs" ON \ "snmp" "SNMP Logs" ON \ - "software" "Software Logs" ON \ "ssh" "SSH Logs" ON \ "ssl" "SSL Logs" ON \ "syslog" "Syslog Logs" ON \ - "telnet" "Telnet Logs" ON \ "tunnel" "Tunnel Logs" ON \ "weird" "Zeek Weird Logs" ON \ "mysql" "MySQL Logs" ON \ From 842aa97f7e9dd32ea9974e2d0db8bd8e04a08397 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 26 May 2021 11:00:18 -0400 Subject: [PATCH 22/59] load filebeat modules when es container starts and if fb container is running --- salt/filebeat/init.sls | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 372656038..312e815c9 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -22,6 +22,13 @@ {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% from 'filebeat/map.jinja' import THIRDPARTY with context %} {% from 'filebeat/map.jinja' import SO with context %} +{% set ES_INCLUDED_NODES = ['so-standalone'] %} + +#only include elastic state for certain nodes +{% if grains.role in ES_INCLUDED_NODES %} +include: + - elasticsearch +{% endif %} filebeatetcdir: file.directory: 
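Review bot: `ES_INCLUDED_NODES = ['so-standalone']` lists a single role while the comment above the include says "certain nodes"; later commits in this series apply `pipeline.load` to several other roles, so either the list is incomplete or the criterion should be written down. Suggest replacing the comment with `# roles whose highstate also manages the local so-elasticsearch container; run_module_setup below depends on that state` so the next maintainer knows what qualifies a role for the list. The surrounding filebeat/init.sls continues outside this hunk.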
@@ -126,6 +133,16 @@ so-filebeat: - watch: - file: /opt/so/conf/filebeat/etc/filebeat.yml +{% if grains.role in ES_INCLUDED_NODES %} +run_module_setup: + cmd.run: + - name: /usr/sbin/so-filebeat-module-setup + - require: + - docker_container: so-filebeat + - onchanges_in: + - docker_container: so-elasticsearch +{% endif %} + append_so-filebeat_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf From b525cfc787b6c662f861720e394ec2ca4d72c4b5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 May 2021 11:07:53 -0400 Subject: [PATCH 23/59] Remove old modules --- setup/so-functions | 6 ------ 1 file changed, 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index aefaa2cd5..bef4f384d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2862,7 +2862,6 @@ zeek_logs_enabled() { " - conn"\ " - dce_rpc"\ " - dhcp"\ - " - dhcpv6"\ " - dnp3"\ " - dns"\ " - dpd"\ @@ -2873,24 +2872,19 @@ zeek_logs_enabled() { " - irc"\ " - kerberos"\ " - modbus"\ - " - mqtt"\ " - notice"\ " - ntlm"\ - " - openvpn"\ " - pe"\ " - radius"\ " - rfb"\ " - rdp"\ - " - signatures"\ " - sip"\ " - smb_files"\ " - smb_mapping"\ " - smtp"\ " - snmp"\ - " - software"\ " - ssh"\ " - ssl"\ - " - telnet"\ " - tunnel"\ " - weird"\ " - mysql"\ From bfcde15a24ac0c39d649c2150a3546c1476228f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 May 2021 14:22:14 -0400 Subject: [PATCH 24/59] elastic pipeline test --- .../config/so/9050_output_elasticsearch.jinja | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja diff --git a/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja b/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja new file mode 100644 index 000000000..eb0d8ef0c --- /dev/null +++ b/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja 
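Review bot: `onchanges_in` on `run_module_setup` points the requisite the wrong way: it attaches an `onchanges` requisite to `docker_container: so-elasticsearch`, making the Elasticsearch container state conditional on this cmd.run and ordered after it, which is the opposite of the subject's "load filebeat modules when es container starts". If the intent is to run the setup script only when the Elasticsearch container state reports a change, this state should carry `- onchanges:` / `  - docker_container: so-elasticsearch` instead. As far as I can tell a plain `cmd.run` also always reports a change, so in the current form the dependent state would be re-triggered on every highstate.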
@@ -0,0 +1,20 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+output {
+ if [event][module] == 'elasticsearch' {
+ elasticsearch {
+ id => "elastic_logs"
+ pipeline => "filebeat-%{[agent][version]}-elasticsearch-%{[fileset][name]}-pipeline"
+ hosts => "{{ ES }}"
+ index => "so-grid-%{+YYYY.MM.dd}"
+ template_name => "so-common"
+ template => "/templates/so-common-template.json"
+ template_overwrite => true
+ ssl => true
+ ssl_certificate_verification => false
+ }
+ }
+}
From b23ce7462ea8b256eb1ccc9d23e0c055733a23d8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 27 May 2021 11:26:25 -0400
Subject: [PATCH 25/59] add depenency
---
 salt/filebeat/init.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 312e815c9..5cabaf828 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -138,6 +138,7 @@ run_module_setup:
 cmd.run:
 - name: /usr/sbin/so-filebeat-module-setup
 - require:
+ - file: filebeatmoduleconfsync
 - docker_container: so-filebeat
 - onchanges_in:
 - docker_container: so-elasticsearch
From 73a0b313805fa116e6ad68d9195bb01d58916215 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 1 Jun 2021 12:12:20 -0400
Subject: [PATCH 26/59] elastic pipeline enable
---
 salt/pipeline/load.sls | 4 ++++
 salt/top.sls | 1 +
 2 files changed, 5 insertions(+)
 create mode 100644 salt/pipeline/load.sls
diff --git a/salt/pipeline/load.sls b/salt/pipeline/load.sls
new file mode 100644
index 000000000..a43450d0a
--- /dev/null
+++ b/salt/pipeline/load.sls
@@ -0,0 +1,4 @@
+load_elastic_pipelines:
+ cmd.run:
+ - name: /usr/sbin/so-filebeat-module-setup
+ 
\ No newline at end of file
diff --git a/salt/top.sls b/salt/top.sls
index 8a12aaa26..340f83825 100644
--- a/salt/top.sls
+++ b/salt/top.sls
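Review bot: `ssl_certificate_verification => false` in the new elasticsearch output means Logstash accepts any certificate presented by the host in `{{ ES }}`, so the `ssl => true` line gives confidentiality against passive observers but no authentication of the Elasticsearch endpoint. The existing 9400 Suricata output in this series makes the same choice, so this is consistent with it, but the fix is the same for both: point the output at the grid's CA with `cacert => "<path-to-grid-ca-pem>"` and set `ssl_certificate_verification => true`. If the CA is not yet available inside the Logstash container, a comment saying so and naming the tracking item would stop this being read as a deliberate final state.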
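Review bot: `load_elastic_pipelines` in the new salt/pipeline/load.sls runs `/usr/sbin/so-filebeat-module-setup` as an unconditional `cmd.run`, the same script the `run_module_setup` state in filebeat/init.sls already invokes, so a node that receives both states runs it twice per highstate and each run is reported as a change. Keeping one of the two and giving it an `onchanges` or `unless` guard would make the highstate idempotent; at minimum a comment such as `# loads Filebeat ingest pipelines into Elasticsearch; the script decides whether anything needs loading` should say why an always-running cmd.run is acceptable here. The file also ends in a whitespace-only line with no trailing newline.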
@@ -285,6 +285,7 @@ base: - domainstats {%- endif %} - docker_clean + - pipeline.load '*_searchnode and G@saltversion:{{saltversion}}': - match: compound From fd1de624c815071afb9d25d078ad0452c8bfbb51 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Jun 2021 14:50:21 -0400 Subject: [PATCH 27/59] Disable TTY for filebeat script --- salt/common/tools/sbin/so-filebeat-module-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index 5aefe3ac2..21d94b44f 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup @@ -53,7 +53,7 @@ echo "Setting up ingest pipeline(s)" for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler do echo "Loading $MODULE" - docker exec -it so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML + docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML sleep 2 done From 5983eae3a8f7907d2bae84cd44dec295faea443f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Jun 2021 17:47:13 -0400 Subject: [PATCH 28/59] fix filebeat module syntax --- .../tools/sbin/so-filebeat-module-setup | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index 21d94b44f..d7706366e 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup 
+++ b/salt/common/tools/sbin/so-filebeat-module-setup 
@@ -47,14 +47,21 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
 echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
 echo
 fi
+echo "Testing to see if the pipelines are already applied"
+ESVER=$(curl -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
+PIPELINES=$(curl -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c)
-echo "Setting up ingest pipeline(s)"
+if [[ "$PIPELINES" -lt 5 ]]; then
+ echo "Setting up ingest pipeline(s)"
-for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler
-do
- echo "Loading $MODULE"
- docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML
- sleep 2
-done
+ for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft misp mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system tomcat traefik zeek zscaler
+ do
+ echo "Loading $MODULE"
+ docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML
+ sleep 2
+ done
+else
+ exit 0
+fi
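Review bot: The idempotence check keys the whole module load on a single pipeline, `filebeat-$ESVER-suricata-eve-pipeline`, so a run interrupted after that module was loaded never loads the remaining ones, and the per-module `docker exec` status is still ignored, so the script exits 0 even when every load fails; probing a module late in the list, or checking each one, would close the first gap. Two smaller defects sit in the same lines: the probe URL lacks the `/` before `_ingest`, and `jq .version.number | tr -d \"` is what `jq -r` already does. Both curls use `-k`, which disables certificate checking of the Elasticsearch endpoint; where the grid CA is reachable from this script, `--cacert` is preferable. A version that tests the HTTP status instead of the body length and propagates per-module failures is below; the module list and the rest of the file are unchanged.
```shell
echo "Testing to see if the pipelines are already applied"
# NOTE(review): -k skips verification of the Elasticsearch certificate; use --cacert <grid-ca-path> where the CA is available
ESVER=$(curl -sk "https://$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT" | jq -r .version.number)
# Ask for the HTTP status rather than measuring the body; a missing pipeline answers 404
PIPELINE_STATUS=$(curl -sk -o /dev/null -w '%{http_code}' "https://$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline")
if [[ "$PIPELINE_STATUS" == "200" ]]; then
  exit 0
fi

echo "Setting up ingest pipeline(s)"
FAILED=0
for MODULE in activemq apache auditd aws # … unchanged: remainder of the module list …
do
  echo "Loading $MODULE"
  if ! docker exec -i so-filebeat filebeat setup modules -pipelines -modules "$MODULE" -c "$FB_MODULE_YML"; then
    echo "Failed to load pipeline(s) for $MODULE" >&2
    FAILED=1
  fi
  sleep 2
done
exit "$FAILED"
```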
From e00fe0a732a111d89bf8eae4a243ebb25ae7f251 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Jun 2021 10:02:11 -0400 Subject: [PATCH 29/59] Enable for all modes --- salt/elasticsearch/files/elasticsearch.yml | 2 +- salt/top.sls | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index fed45bf79..a1d4c836b 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -36,7 +36,7 @@ xpack.security.authc: roles: superuser authz_exception: true node.name: {{ grains.host }} -script.max_compilations_rate: 1000/1m +script.max_compilations_rate: 2000/1m {%- if TRUECLUSTER is sameas true %} {%- if grains.role == 'so-manager' %} {%- if salt['pillar.get']('nodestab', {}) %} diff --git a/salt/top.sls b/salt/top.sls index 340f83825..99388fdcd 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -153,6 +153,7 @@ base: - domainstats {%- endif %} - docker_clean + - pipeline.load '*_manager and G@saltversion:{{saltversion}}': - match: compound @@ -213,6 +214,7 @@ base: - domainstats {%- endif %} - docker_clean + - pipeline.load '*_standalone and G@saltversion:{{saltversion}}': - match: compound @@ -314,6 +316,7 @@ base: {%- endif %} - schedule - docker_clean + - pipeline.load '*_managersearch and G@saltversion:{{saltversion}}': - match: compound @@ -378,6 +381,7 @@ base: - domainstats {%- endif %} - docker_clean + - pipeline.load '*_heavynode and G@saltversion:{{saltversion}}': - match: compound @@ -420,6 +424,7 @@ base: {%- endif %} - schedule - docker_clean + - pipeline.load '*_fleet and G@saltversion:{{saltversion}}': - match: compound @@ -463,3 +468,4 @@ base: - zeek - schedule - docker_clean + - pipeline.load From 7b7111e12c15d107ad5b5ce68fa4e633d84c4210 Mon Sep 17 00:00:00 2001 
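Review bot: `script.max_compilations_rate` is raised from `1000/1m` to `2000/1m` here and to `20000/1m` in the next commit (patch 30) without any note on what is compiling scripts at that rate; a twenty-fold increase usually means a client is sending non-parameterized scripts that get recompiled per request rather than a genuine need, and the limit exists to keep a burst of compilations from consuming the node's CPU. Suggest a comment above the setting, `# raised for SOC hunt/groupby aggregations; see <tracking-issue> — revisit once those scripts pass values via params`, and confirming against the Hunt query changes in patches 31 and 33 that the scripts involved are parameterized.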
From: Mike Reeves Date: Wed, 2 Jun 2021 13:53:39 -0400 Subject: [PATCH 30/59] Fix some hunt queries --- salt/elasticsearch/files/elasticsearch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index a1d4c836b..af7cec1fa 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -36,7 +36,7 @@ xpack.security.authc: roles: superuser authz_exception: true node.name: {{ grains.host }} -script.max_compilations_rate: 2000/1m +script.max_compilations_rate: 20000/1m {%- if TRUECLUSTER is sameas true %} {%- if grains.role == 'so-manager' %} {%- if salt['pillar.get']('nodestab', {}) %} From e8cc88174f9918fd6575d20fe2a6feb723853556 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Jun 2021 13:55:05 -0400 Subject: [PATCH 31/59] Fix some hunt queries --- salt/soc/files/soc/hunt.queries.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index 93295364d..9d4cd85bd 100644 --- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json 
@@ -2,8 +2,8 @@ { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"}, { "name": "Log Type", "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"}, { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name"}, - { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"}, - { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name"}, + { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.kind: alert | groupby event.module"}, + { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.kind: alert | groupby rule.category rule.gid rule.uuid rule.name"}, { "name": "Wazuh/OSSEC Alerts", "description": "Show all Wazuh alerts at Level 5 or higher grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name"}, { "name": "Wazuh/OSSEC Alerts", "description": "Show all Wazuh alerts at Level 4 or lower grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name"}, { "name": "Wazuh/OSSEC Users and Commands", "description": "Show all Wazuh alerts grouped by username and command line", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line"}, 
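Review bot: The Alerts and NIDS Alerts queries move from `event.dataset: alert` to `event.kind: alert`, but the three Wazuh/OSSEC queries in the same hunk still filter on `event.dataset:alert`, and the ossec ingest-pipeline change in patch 35 rewrites that field to `ossec.alert` while adding `event.kind: alert`; once both land the Wazuh queries return nothing. Changing them to `event.module:ossec AND event.kind:alert` keeps them consistent with the two queries updated here.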
@@ -11,11 +11,11 @@ { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"}, { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, { "name": "Strelka", "description": "Show all Strelka logs grouped by file type", "query": "event.module:strelka | groupby file.mime_type"}, - { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"}, - { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"}, - { "name": "Connections", "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"}, - { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"}, - { "name": "Connections", "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"}, + { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:zeek.notice | groupby notice.note notice.message"}, + { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.dataset:zeek.connection | groupby source.ip destination.ip network.protocol destination.port"}, + { "name": "Connections", "description": "Connections grouped by Service", "query": "event.dataset:zeek.connection | groupby network.protocol destination.port"}, + { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:zeek.connection | groupby destination.geo.country_name"}, + { "name": "Connections", "description": "Connections grouped by source 
country", "query": "event.dataset:zeek.connection | groupby source.geo.country_name"}, { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"}, { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"}, { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, From e42db3cd2d1b4719749422dcf9911d3311de80bc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Jun 2021 14:05:02 -0400 Subject: [PATCH 32/59] Fix some hunt queries --- salt/common/tools/sbin/so-filebeat-module-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index d7706366e..7a6ae7446 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup @@ -49,7 +49,7 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then fi echo "Testing to see if the pipelines are already applied" ESVER=$(curl -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") -PIPELINES=$(curl -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c) +PIPELINES=$(curl -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c) if [[ "$PIPELINES" -lt 5 ]]; then echo "Setting up ingest pipeline(s)" From 9c9bcac61ba6899f1eb0afa3248c2d0269d6f5a4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Jun 2021 15:01:14 -0400 Subject: [PATCH 33/59] Update DNS queries --- salt/soc/files/soc/hunt.queries.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index 9d4cd85bd..c220060dd 100644 
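Review bot: The Zeek Notice and Connections queries now use the module-prefixed datasets `zeek.notice` and `zeek.connection`, while the DCE_RPC and DHCP queries in the trailing context of the same hunk still use `event.dataset:dce_rpc` and `event.dataset:dhcp`; if the Filebeat zeek module emits `zeek.<fileset>` for every log type, as the two updated entries suggest, the untouched Zeek queries no longer match anything. Either the remaining Zeek entries need the same prefix (with whatever fileset name the module uses for each), or the file needs a comment stating which datasets are still produced under the bare names.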
--- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json 
@@ -20,11 +20,11 @@ { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"}, { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"}, - { "name": "DNS", "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"}, - { "name": "DNS", "description": "DNS queries grouped by type", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"}, - { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, - { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, - { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"}, + { "name": "DNS", "description": "DNS queries grouped by port", "query": "_exists_:dns.id | groupby dns.question.name destination.port"}, + { "name": "DNS", "description": "DNS queries grouped by type", "query": "_exists_:dns.id | groupby dns.question.type destination.port"}, + { "name": "DNS", "description": "DNS queries grouped by response code", "query": "_exists_:dns.id | groupby dns.response_code destination.port"}, + { "name": "DNS", "description": "DNS highest registered domain", "query": "_exists_:dns.id | groupby dns.question.top_level_domain destination.port"}, + { "name": "DNS", "description": "DNS grouped by parent domain", "query": "_exists_:dns.id | groupby dns.question.registered_domain destination.port"}, { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"}, { "name": 
"Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"}, { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"}, From a1b34e7a8840b7730817c20e3f812fe5ef9e9c39 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Jun 2021 15:30:14 -0400 Subject: [PATCH 34/59] Fix Suricata index name --- .../pipelines/config/so/9400_output_suricata.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 258781f29..999b270cf 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -9,7 +9,7 @@ output { pipeline => "filebeat-%{[agent][version]}-suricata-%{[fileset][name]}-pipeline" hosts => "{{ ES }}" index => "so-ids" - template_name => "so-ids" + template_name => "so-ids-%{+YYYY.MM.dd}" template => "/templates/so-ids-template.json" ssl => true ssl_certificate_verification => false From db48c15f1d099be45e8178ac94c093159b7eb161 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Jun 2021 15:33:18 -0400 Subject: [PATCH 35/59] Create event.kind field and rename dataset to be module[dot]dataset --- salt/elasticsearch/files/ingest/ossec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec index 868de2798..1c5a0fd42 100644 --- a/salt/elasticsearch/files/ingest/ossec +++ b/salt/elasticsearch/files/ingest/ossec 
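Review bot: The field/description pairs in the last two DNS entries appear swapped: "DNS highest registered domain" now groups by `dns.question.top_level_domain`, which in ECS is the effective TLD, while "DNS grouped by parent domain" groups by `dns.question.registered_domain`, which ECS defines as the highest registered domain stripped of subdomains. Swapping the two field names, or the two descriptions, makes the queries say what they do. The switch from `event.dataset:dns` to `_exists_:dns.id` also widens all five queries to every source that populates `dns.id`, which may be intended but deserves a word in the description.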
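Review bot: The subject says "Fix Suricata index name", but the changed line is `template_name`, not `index`, which still reads `so-ids` in the context above; `template_name` is the name the index template is stored under in Elasticsearch, so `so-ids-%{+YYYY.MM.dd}` there is either stored verbatim or creates a new template per day, depending on whether the plugin expands that option, and neither is the intended outcome. If the goal is daily indices, the change belongs on the `index =>` line, with `template_name` left as `so-ids`.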
@@ -63,7 +63,8 @@ { "rename": { "field": "fields.module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }, - { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "alert", "override": true } }, + { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "ossec.alert", "override": true } }, + { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.kind", "value": "alert", "override": true } }, { "pipeline": { "name": "common" } } ] } From 4c74e7f3089a57fd68cdd04c6a90c145ee5175b0 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Jun 2021 15:35:26 -0400 Subject: [PATCH 36/59] Add event.kind and set name to module[dot]dataset --- salt/elasticsearch/files/ingest/strelka.file | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index e5e8560f8..cf2772305 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
@@ -53,7 +53,8 @@ { "set": { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory", "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }}, { "set": { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem", "value": "{{exiftool.Subsystem}}", "ignore_failure": true }}, { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name", "value": "{{scan.yara.matches.0}}" }}, - { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "alert", "override": true }}, + { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "strelka.alert", "override": true }}, + { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "event.kind", "value": "alert", "override": true }}, { "rename": { "field": "file.flavors.mime", "target_field": "file.mime_type", "ignore_missing": true }}, { "set": { "if": "ctx.rule?.name != null && ctx.rule?.score == null", "field": "event.severity", "value": 3, "override": true } }, { "convert" : { "if": "ctx.rule?.score != null", "field" : "rule.score","type": "integer"}}, From 4241bb08b85101673a08ffcdbecfc155d3ca7bc9 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Jun 2021 16:37:43 -0400 Subject: [PATCH 37/59] Add suricata/zeek until we migrate templates --- .../templates/so/so-common-template.json | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index 214e5c691..919cb521a 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -527,12 +527,20 @@ "version":{ "type":"long" } - } - }, + } + }, "x509":{ "type":"object", "dynamic": true - } + }, + "suricata":{ + "type":"object", + "dynamic": true + }, + "zeek":{ + "type":"object", + "dynamic": true + }, } } } From cba719b3a02b52d75d957612337070446b3ef66d Mon Sep 17 00:00:00 2001 
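Review bot: The dataset value in the strelka.file pipeline is written to a top-level field `dataset` (`strelka.alert`), whereas the matching ossec change in patch 35 writes `event.dataset`; unless the downstream `common` pipeline renames `dataset` to `event.dataset`, which is not visible here, Strelka alerts will carry the new value in a different field from every other source. Writing to `event.dataset` directly, or a comment on this processor stating that `common` performs the rename, would remove the ambiguity.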
From: weslambert Date: Wed, 2 Jun 2021 16:42:09 -0400 Subject: [PATCH 38/59] Remove extra comma --- salt/elasticsearch/templates/so/so-common-template.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index 919cb521a..2d1ef2a21 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -540,7 +540,7 @@ "zeek":{ "type":"object", "dynamic": true - }, + } } } } From 56eb220ed6eedfd25e912beffeaf5a00c2f26f1f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Jun 2021 09:52:05 -0400 Subject: [PATCH 39/59] Revert to SO taxonomy for zeek and suricata --- salt/filebeat/etc/filebeat.yml | 77 ++++++++++++++++++++++++ salt/filebeat/securityoniondefaults.yaml | 20 +----- 2 files changed, 78 insertions(+), 19 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 46a59f772..f933cee2e 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -111,7 +111,84 @@ filebeat.inputs: fields_under_root: true {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} + {%- if ZEEKVER != 'SURICATA' %} + {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} +- type: log + paths: + - /nsm/zeek/logs/current/{{ LOGNAME }}.log + fields: + module: zeek + dataset: {{ LOGNAME }} + category: network + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: true + close_removed: false +- type: log + paths: + - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log + fields: + module: zeek + dataset: {{ LOGNAME }} + category: network + imported: true + processors: + - add_tags: + tags: ["import"] + - dissect: + tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" + field: "log.file.path" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false + {%- endfor %} + {%- endif %} + +- type: log + paths: + - /nsm/suricata/eve*.json + fields: + module: suricata + dataset: common + category: network + + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false + +- type: log + paths: + - /nsm/import/*/suricata/eve*.json + fields: + module: suricata + dataset: common + category: network + imported: true + processors: + - add_tags: + tags: ["import"] + - dissect: + tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" + field: "log.file.path" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false {%- if STRELKAENABLED == 1 %} - type: log paths: 
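Review bot: `dataset: {{ LOGNAME }}` and the two `paths` entries interpolate the pillar value unquoted into YAML, so a log name that YAML reads as a non-string (`on`, `yes`, a bare number) would change the field type and one containing `:` or `#` would break the rendered file; quoting them, `dataset: "{{ LOGNAME }}"` and `- "/nsm/zeek/logs/current/{{ LOGNAME }}.log"`, keeps them strings whatever the pillar holds. The live Zeek input sets `clean_removed: true` while the import and both Suricata inputs set `false`, and nothing says why; if the reason is that Zeek moves rotated logs out of `current/`, a comment such as `# rotated Zeek logs leave current/: drop registry state once the file is gone` would save the next reader the guess. The enclosing `filebeat.inputs` list begins before this hunk.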
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index f503e5de1..cd215e242 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml @@ -23,22 +23,4 @@ securityonion_filebeat: var.paths: ["/logs/redis.log"] slowlog: enabled: false - suricata: - eve: - enabled: true - var.paths: ["/nsm/suricata/eve*.json"] - {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} - {%- if ZEEKVER != 'SURICATA' %} - zeek: - {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} - {% if LOGNAME in ZEEKLOGLOOKUP.keys() %} - {% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %} - {% else %} - {% set FILESET = LOGNAME %} - {% endif %} - {{ FILESET }}: - enabled: true - var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"] - {%- endfor %} - {%- endif %} - {%- endif %} + \ No newline at end of file From 3e138cbc6dda28b3de009239f61b0e6c63f6a169 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Jun 2021 13:14:46 -0400 Subject: [PATCH 40/59] Revert to SO taxonomy for zeek and suricata --- .../config/so/9000_output_zeek.conf.jinja | 25 +++++++++---------- .../config/so/9050_output_elasticsearch.jinja | 24 ++++++++---------- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 486d22bfe..d17dc2b22 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja 
@@ -4,17 +4,16 @@
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 output {
- if [event][module] == 'zeek' {
- elasticsearch {
- id => "zeek_logs"
- pipeline => "filebeat-%{[agent][version]}-zeek-%{[fileset][name]}-pipeline"
- hosts => "{{ ES }}"
- index => "so-zeek-%{+YYYY.MM.dd}"
- template_name => "so-common"
- template => "/templates/so-common-template.json"
- template_overwrite => true
- ssl => true
- ssl_certificate_verification => false
- }
- }
+ if [module] =~ "zeek" and "import" not in [tags] {
+ elasticsearch {
+ pipeline => "%{module}.%{dataset}"
+ hosts => "{{ ES }}"
+ index => "so-zeek"
+ template_name => "so-zeek"
+ template => "/templates/so-zeek-template.json"
+ template_overwrite => true
+ ssl => true
+ ssl_certificate_verification => false
+ }
+ }
 }
diff --git a/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja b/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja
index eb0d8ef0c..5013bafc1 100644
--- a/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja
+++ b/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja
@@ -4,17 +4,15 @@
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 output {
- if [event][module] == 'elasticsearch' {
- elasticsearch {
- id => "elastic_logs"
- pipeline => "filebeat-%{[agent][version]}-elasticsearch-%{[fileset][name]}-pipeline"
- hosts => "{{ ES }}"
- index => "so-grid-%{+YYYY.MM.dd}"
- template_name => "so-common"
- template => "/templates/so-common-template.json"
- template_overwrite => true
- ssl => true
- ssl_certificate_verification => false
- }
- }
+ if [module] =~ "suricata" and "import" not in [tags] {
+ elasticsearch {
+ pipeline => "%{module}.%{dataset}"
+ hosts => "{{ ES }}"
+ index => "so-ids"
+ template_name => "so-ids"
+ template => "/templates/so-ids-template.json"
+ ssl => true
+ ssl_certificate_verification => false
+ }
+ }
 }
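Review bot: The new condition `if [module] =~ "zeek"` is a regex test, so any `module` value that merely contains the substring is routed to the Zeek index and pipeline, whereas the line it replaces used equality; `if [module] == "zeek" and "import" not in [tags] {` is the exact match intended. The rewrite also drops the `id => "zeek_logs"` the old block carried, which is what names this plugin in Logstash's monitoring API and logs — keep `id => "zeek_logs"`. `ssl_certificate_verification => false` is pre-existing, but it is copied into the new block unchanged; if the grid's internal CA (`/etc/ssl/certs/intca.crt` is mounted into Filebeat elsewhere in this series) is reachable from Logstash, `cacert` with verification left on would be the safer setting.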
From a959ec1eb1787b736df121c362863e48fb3f11a5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Jun 2021 13:23:31 -0400 Subject: [PATCH 41/59] Revert to SO taxonomy for zeek and suricata --- .../config/so/9050_output_elasticsearch.jinja | 24 ++++++++++--------- .../config/so/9400_output_suricata.conf.jinja | 8 +++---- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja b/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja index 5013bafc1..eb0d8ef0c 100644 --- a/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja @@ -4,15 +4,17 @@ {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} output { - if [module] =~ "suricata" and "import" not in [tags] { - elasticsearch { - pipeline => "%{module}.%{dataset}" - hosts => "{{ ES }}" - index => "so-ids" - template_name => "so-ids" - template => "/templates/so-ids-template.json" - ssl => true - ssl_certificate_verification => false - } - } + if [event][module] == 'elasticsearch' { + elasticsearch { + id => "elastic_logs" + pipeline => "filebeat-%{[agent][version]}-elasticsearch-%{[fileset][name]}-pipeline" + hosts => "{{ ES }}" + index => "so-grid-%{+YYYY.MM.dd}" + template_name => "so-common" + template => "/templates/so-common-template.json" + template_overwrite => true + ssl => true + ssl_certificate_verification => false + } + } } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 999b270cf..b56f35a29 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja 
@@ -4,15 +4,15 @@ {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} output { - if [event][module] =~ "suricata" and "import" not in [tags] { + if [module] =~ "suricata" and "import" not in [tags] { elasticsearch { - pipeline => "filebeat-%{[agent][version]}-suricata-%{[fileset][name]}-pipeline" + pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-ids" - template_name => "so-ids-%{+YYYY.MM.dd}" + template_name => "so-ids" template => "/templates/so-ids-template.json" ssl => true ssl_certificate_verification => false } } -} +} \ No newline at end of file From 88eea03f97cf8d87c5b18d9bf343c1b8bd15f810 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Jun 2021 13:36:50 -0400 Subject: [PATCH 42/59] Revert to SO taxonomy for zeek and suricata --- salt/soc/files/soc/hunt.queries.json | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index c220060dd..2aaef8e59 100644 --- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json 
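Review bot: Unlike the Zeek output rewritten in this series, this block carries no `template_overwrite => true`, so once a `so-ids` template exists in Elasticsearch later edits to `/templates/so-ids-template.json` would not be pushed (Logstash leaves an existing template alone by default — confirm for the version in use); fixing `template_name` from the date-suffixed value to the static `so-ids` is right, but add `template_overwrite => true` if the shipped template is meant to be authoritative. `[module] =~ "suricata"` is a substring regex, not an equality test; `[module] == "suricata"` is the exact match intended. `ssl_certificate_verification => false` is pre-existing on both sides of the hunk.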
@@ -2,8 +2,8 @@ { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"}, { "name": "Log Type", "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"}, { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name"}, - { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.kind: alert | groupby event.module"}, - { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.kind: alert | groupby rule.category rule.gid rule.uuid rule.name"}, + { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"}, + { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name"}, { "name": "Wazuh/OSSEC Alerts", "description": "Show all Wazuh alerts at Level 5 or higher grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name"}, { "name": "Wazuh/OSSEC Alerts", "description": "Show all Wazuh alerts at Level 4 or lower grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name"}, { "name": "Wazuh/OSSEC Users and Commands", "description": "Show all Wazuh alerts grouped by username and command line", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line"}, 
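Review bot: Switching the two generic alert hunts from `event.kind: alert` to `event.dataset: alert` diverges from the Strelka pipeline change earlier in this series, which sets `dataset` to `strelka.alert` and `event.kind` to `alert`; unless the field is analyzed so that `alert` matches `strelka.alert` (it would not on a keyword mapping), Strelka hits drop out of both the "Alerts" and "NIDS Alerts" queries. Either keep `event.kind: alert`, or cover both conventions: `"query": "event.kind: alert OR event.dataset: alert | groupby event.module"`. The unchanged Wazuh lines below still use `event.dataset:alert`, so whichever field is chosen should be applied consistently across the file.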
@@ -11,20 +11,20 @@ { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"}, { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, { "name": "Strelka", "description": "Show all Strelka logs grouped by file type", "query": "event.module:strelka | groupby file.mime_type"}, - { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:zeek.notice | groupby notice.note notice.message"}, - { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.dataset:zeek.connection | groupby source.ip destination.ip network.protocol destination.port"}, - { "name": "Connections", "description": "Connections grouped by Service", "query": "event.dataset:zeek.connection | groupby network.protocol destination.port"}, - { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:zeek.connection | groupby destination.geo.country_name"}, - { "name": "Connections", "description": "Connections grouped by source country", "query": "event.dataset:zeek.connection | groupby source.geo.country_name"}, + { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"}, + { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"}, + { "name": "Connections", "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"}, + { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"}, + { "name": "Connections", "description": "Connections grouped by 
source country", "query": "event.dataset:conn | groupby source.geo.country_name"}, { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"}, { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"}, { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"}, - { "name": "DNS", "description": "DNS queries grouped by port", "query": "_exists_:dns.id | groupby dns.question.name destination.port"}, - { "name": "DNS", "description": "DNS queries grouped by type", "query": "_exists_:dns.id | groupby dns.question.type destination.port"}, - { "name": "DNS", "description": "DNS queries grouped by response code", "query": "_exists_:dns.id | groupby dns.response_code destination.port"}, - { "name": "DNS", "description": "DNS highest registered domain", "query": "_exists_:dns.id | groupby dns.question.top_level_domain destination.port"}, - { "name": "DNS", "description": "DNS grouped by parent domain", "query": "_exists_:dns.id | groupby dns.question.registered_domain destination.port"}, + { "name": "DNS", "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"}, + { "name": "DNS", "description": "DNS queries grouped by type", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"}, + { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, + { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, + { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | 
groupby dns.parent_domain.keyword destination.port"}, { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"}, { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"}, { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"}, @@ -63,4 +63,4 @@ { "name": "x509", "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"}, { "name": "x509", "description": "x.509 grouped by name and subject", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.subject"}, { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event.dataset:firewall | groupby rule.action"} - ] + ] \ No newline at end of file From 33db9023eb2334262a0bafaba9bc5780777fb6b4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Jun 2021 13:50:39 -0400 Subject: [PATCH 43/59] Revert to SO taxonomy for zeek and suricata --- pillar/logstash/search.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 2da8e6c59..8306ec58b 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -7,6 +7,7 @@ logstash: - so/9000_output_zeek.conf.jinja - so/9002_output_import.conf.jinja - so/9034_output_syslog.conf.jinja + - so/9050_output_elasticsearch.jinja - so/9100_output_osquery.conf.jinja - so/9400_output_suricata.conf.jinja - so/9500_output_beats.conf.jinja From 264080546c97d0826b6c5576678ef5d205775a43 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Jun 2021 11:37:27 -0400 Subject: [PATCH 44/59] Add log path --- salt/filebeat/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 5cabaf828..175213008 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
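Review bot: The rewritten DNS queries group on `dns.highest_registered_domain.keyword` and `dns.parent_domain.keyword` but on `dns.query.name`, `dns.query.type_name` and `dns.response.code_name` without the suffix, so the five lines assume two different mappings (text with a keyword sub-field versus plain keyword); if the Zeek template maps all of them the same way, one form is wrong and the aggregation on the text-mapped field will be rejected. Check `so-zeek-template.json` and use one form throughout, e.g. `dns.query.name.keyword` if those are text fields. I cannot see the template from this chunk, so this is an inference from the mixed suffixes.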
@@ -119,6 +119,7 @@ so-filebeat: - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /opt/so/conf/filebeat/registry:/usr/share/filebeat/data/registry:rw - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro + - /opt/so/log:/logs:ro - port_bindings: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp From 579ff8c0b41291a369b067e2942a057dd1aa2781 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Jun 2021 11:40:17 -0400 Subject: [PATCH 45/59] Add verbosity to checkin --- salt/common/tools/sbin/so-checkin | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-checkin b/salt/common/tools/sbin/so-checkin index 90eae6b1e..c70701b71 100755 --- a/salt/common/tools/sbin/so-checkin +++ b/salt/common/tools/sbin/so-checkin @@ -17,4 +17,4 @@ . /usr/sbin/so-common -salt-call state.highstate +salt-call state.highstate -linfo From a82b174826adfacc38968e7f1a06833851ca2d84 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Jun 2021 11:53:10 -0400 Subject: [PATCH 46/59] perform the repo changes for any upgrade --- salt/common/tools/sbin/soup | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a3c8e5105..5c2c011f8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -249,9 +249,8 @@ masterunlock() { preupgrade_changes_2.3.50_repo() { # We made repo changes in 2.3.50 and this prepares for that on upgrade - echo "Checking to see if 2.3.50 repo changes are needed." - - [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50_repo + echo "Making repo changes." + up_2.3.3X_to_2.3.50_repo } preupgrade_changes() { @@ -438,7 +437,7 @@ up_2.3.2X_to_2.3.30() { } up_2.3.3X_to_2.3.50_repo() { - echo "Performing 2.3.50 repo actions." + echo "Performing repo changes." if [[ "$OS" == "centos" ]]; then # Import GPG Keys gpg_rpm_import 
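Review bot: Removing the `INSTALLEDVERSION` gate in `preupgrade_changes_2.3.50_repo` means `up_2.3.3X_to_2.3.50_repo` — which imports GPG keys and touches repo definitions, judging by its visible head — now runs on every upgrade, including hosts already at or beyond 2.3.50, so it must be safe to re-run: re-importing keys is harmless, but any step that overwrites a repo file would clobber site-local edits on each soup. Either make the function check before writing (skip when the repo file already has the expected content) or keep a narrower guard such as `[[ "$INSTALLEDVERSION" == 2.3.[34]0 ]] && up_2.3.3X_to_2.3.50_repo`. The body of `up_2.3.3X_to_2.3.50_repo` continues outside the hunk, so I cannot confirm its idempotence from here.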
From 4c90a0ed7e02550ec68b48dc2eee479402256c8b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Jun 2021 12:04:32 -0400 Subject: [PATCH 47/59] Add templates for SO logs --- ...ja => 9050_output_elasticsearch_log.jinja} | 0 .../config/so/9050_output_kibana_log.jinja | 20 +++++++++++++++++++ .../config/so/9050_output_logstash_log.jinja | 20 +++++++++++++++++++ .../config/so/9050_output_redis_log.jinja | 20 +++++++++++++++++++ 4 files changed, 60 insertions(+) rename salt/logstash/pipelines/config/so/{9050_output_elasticsearch.jinja => 9050_output_elasticsearch_log.jinja} (100%) create mode 100644 salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja create mode 100644 salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja create mode 100644 salt/logstash/pipelines/config/so/9050_output_redis_log.jinja diff --git a/salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja b/salt/logstash/pipelines/config/so/9050_output_elasticsearch_log.jinja similarity index 100% rename from salt/logstash/pipelines/config/so/9050_output_elasticsearch.jinja rename to salt/logstash/pipelines/config/so/9050_output_elasticsearch_log.jinja diff --git a/salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja b/salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja new file mode 100644 index 000000000..bf79e1073 --- /dev/null +++ b/salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja 
@@ -0,0 +1,20 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+output {
+ if [event][module] == 'kibana' {
+ elasticsearch {
+ id => "kibana_logs"
+ pipeline => "filebeat-%{[agent][version]}-kibana-%{[fileset][name]}-pipeline"
+ hosts => "{{ ES }}"
+ index => "so-grid-%{+YYYY.MM.dd}"
+ template_name => "so-common"
+ template => "/templates/so-common-template.json"
+ template_overwrite => true
+ ssl => true
+ ssl_certificate_verification => false
+ }
+ }
+}
diff --git a/salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja b/salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja
new file mode 100644
index 000000000..df6fba0e0
--- /dev/null
+++ b/salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja
@@ -0,0 +1,20 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- endif %}
+output {
+ if [event][module] == 'logstash' {
+ elasticsearch {
+ id => "logstash_logs"
+ pipeline => "filebeat-%{[agent][version]}-logstash-%{[fileset][name]}-pipeline"
+ hosts => "{{ ES }}"
+ index => "so-grid-%{+YYYY.MM.dd}"
+ template_name => "so-common"
+ template => "/templates/so-common-template.json"
+ template_overwrite => true
+ ssl => true
+ ssl_certificate_verification => false
+ }
+ }
+}
diff --git a/salt/logstash/pipelines/config/so/9050_output_redis_log.jinja b/salt/logstash/pipelines/config/so/9050_output_redis_log.jinja
new file mode 100644
index 000000000..9cc37de35
--- /dev/null
+++ b/salt/logstash/pipelines/config/so/9050_output_redis_log.jinja
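Review bot: The new output disables certificate checking for the Logstash→Elasticsearch connection with `ssl_certificate_verification => false`, so a host that can impersonate `{{ ES }}` on the wire could read or alter the grid's own component logs without being noticed; since an internal CA exists (`/etc/ssl/certs/intca.crt` is mounted into Filebeat elsewhere in this series), `cacert => "/path/to/intca.crt"` with verification left enabled is the safer form, hedged because I cannot see whether that file is available inside the Logstash container. The three files added in this commit differ only in the module name and `id`, so the same point applies to each of them.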
@@ -0,0 +1,20 @@ +{%- if grains['role'] == 'so-eval' -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} +{%- else %} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- endif %} +output { + if [event][module] == 'redis' { + elasticsearch { + id => "redis_logs" + pipeline => "filebeat-%{[agent][version]}-redis-%{[fileset][name]}-pipeline" + hosts => "{{ ES }}" + index => "so-grid-%{+YYYY.MM.dd}" + template_name => "so-common" + template => "/templates/so-common-template.json" + template_overwrite => true + ssl => true + ssl_certificate_verification => false + } + } +} From 1c7741fdbe6055ec123c8bd4c28370bb2db5a2b2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Jun 2021 12:38:19 -0400 Subject: [PATCH 48/59] Add templates for SO logs --- salt/elasticsearch/templates/so/so-common-template.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index 2d1ef2a21..54e786cdc 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -1,5 +1,5 @@ { - "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"], + "index_patterns": ["so-grid-*","so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"], "version":50001, "order":10, "settings":{ From 7fba904f750273d84ea53c7ef2b0c2eb5de8acae Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 9 Jun 2021 15:32:39 -0400 Subject: [PATCH 49/59] Dynamix Pipelines take 1 --- pillar/logstash/search.sls | 2 +- .../pipelines/config/so/0009_input_beats.conf | 5 +++++ .../so/9050_output_elasticsearch_log.jinja | 20 ------------------- ...=> 9050_output_filebeatmodules.conf.jinja} | 10 +++++----- .../config/so/9050_output_kibana_log.jinja | 20 ------------------- .../config/so/9050_output_logstash_log.jinja | 20 ------------------- 6 files changed, 11 insertions(+), 66 deletions(-) delete mode 100644 salt/logstash/pipelines/config/so/9050_output_elasticsearch_log.jinja rename salt/logstash/pipelines/config/so/{9050_output_redis_log.jinja => 9050_output_filebeatmodules.conf.jinja} (70%) delete mode 100644 salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja delete mode 100644 salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 8306ec58b..10fab2ed1 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -7,7 +7,7 @@ logstash: - so/9000_output_zeek.conf.jinja - so/9002_output_import.conf.jinja - so/9034_output_syslog.conf.jinja - - so/9050_output_elasticsearch.jinja + - so/9050_output_filebeatmodules.conf.jinja - so/9100_output_osquery.conf.jinja - so/9400_output_suricata.conf.jinja - so/9500_output_beats.conf.jinja diff --git a/salt/logstash/pipelines/config/so/0009_input_beats.conf b/salt/logstash/pipelines/config/so/0009_input_beats.conf index a5c1d491c..31ba798c9 100644 --- a/salt/logstash/pipelines/config/so/0009_input_beats.conf +++ b/salt/logstash/pipelines/config/so/0009_input_beats.conf @@ -3,4 +3,9 @@ input { port => "5044" tags => [ "beat-ext" ] } +} +filter { + mutate { + rename => {“@metadata” => “metadata”} + } } \ No newline at end of file 
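Review bot: Renaming `@metadata` to `metadata` in the Beats input turns the whole Beats metadata object into an ordinary indexed field on every event arriving on port 5044, which is precisely what `@metadata` exists to avoid, and it is not needed for pipeline selection: Logstash conditionals and sprintf can read it in place, `if [@metadata][pipeline] {` and `pipeline => "%{[@metadata][pipeline]}"`. If one value genuinely has to survive into the document, copy only that one, `copy => { "[@metadata][pipeline]" => "[metadata][pipeline]" }`, rather than renaming the object. The filter also sits in an input file named `0009_input_beats.conf`, where later readers will not look for it.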
diff --git a/salt/logstash/pipelines/config/so/9050_output_elasticsearch_log.jinja b/salt/logstash/pipelines/config/so/9050_output_elasticsearch_log.jinja deleted file mode 100644 index eb0d8ef0c..000000000 --- a/salt/logstash/pipelines/config/so/9050_output_elasticsearch_log.jinja +++ /dev/null @@ -1,20 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -output { - if [event][module] == 'elasticsearch' { - elasticsearch { - id => "elastic_logs" - pipeline => "filebeat-%{[agent][version]}-elasticsearch-%{[fileset][name]}-pipeline" - hosts => "{{ ES }}" - index => "so-grid-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/templates/so-common-template.json" - template_overwrite => true - ssl => true - ssl_certificate_verification => false - } - } -} diff --git a/salt/logstash/pipelines/config/so/9050_output_redis_log.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja similarity index 70% rename from salt/logstash/pipelines/config/so/9050_output_redis_log.jinja rename to salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja index 9cc37de35..20e9f0c0a 100644 --- a/salt/logstash/pipelines/config/so/9050_output_redis_log.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja 
@@ -4,12 +4,12 @@
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 output {
- if [event][module] == 'redis' {
+ if [metadata][pipeline] {
 elasticsearch {
- id => "redis_logs"
- pipeline => "filebeat-%{[agent][version]}-redis-%{[fileset][name]}-pipeline"
+ id => "filebeat_modules_metadata_pipeline"
+ pipeline => "%{[metadata][pipeline]}"
 hosts => "{{ ES }}"
- index => "so-grid-%{+YYYY.MM.dd}"
+ index => "so-%{[event][module]}-%{+YYYY.MM.dd}"
 template_name => "so-common"
 template => "/templates/so-common-template.json"
 template_overwrite => true
@@ -17,4 +17,4 @@ output {
 ssl_certificate_verification => false
 }
 }
-}
+}
\ No newline at end of file
diff --git a/salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja b/salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja
deleted file mode 100644
index bf79e1073..000000000
--- a/salt/logstash/pipelines/config/so/9050_output_kibana_log.jinja
+++ /dev/null
@@ -1,20 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
-output {
- if [event][module] == 'kibana' {
- elasticsearch {
- id => "kibana_logs"
- pipeline => "filebeat-%{[agent][version]}-kibana-%{[fileset][name]}-pipeline"
- hosts => "{{ ES }}"
- index => "so-grid-%{+YYYY.MM.dd}"
- template_name => "so-common"
- template => "/templates/so-common-template.json"
- template_overwrite => true
- ssl => true
- ssl_certificate_verification => false
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja b/salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja
deleted file mode 100644
index df6fba0e0..000000000
--- a/salt/logstash/pipelines/config/so/9050_output_logstash_log.jinja
+++ /dev/null
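Review bot: Both the ingest pipeline and the destination index are now taken verbatim from event content — `pipeline => "%{[metadata][pipeline]}"` and `index => "so-%{[event][module]}-%{+YYYY.MM.dd}"` — and the events reaching this output arrive on the Beats listener on port 5044 (tagged `beat-ext`), so any host that can connect there can select an arbitrary ingest pipeline or write into any `so-*` index, `so-ids` included, simply by setting those two fields. Constrain both: accept only the names Filebeat modules generate, e.g. `if [metadata][pipeline] =~ /^filebeat-[0-9.]+-[a-z0-9_]+-[a-z0-9_]+-pipeline$/ {`, and either route to a fixed index (`so-grid-%{+YYYY.MM.dd}`, as the replaced line did) or check `[event][module]` against a known list before using it in the index name. An `event.module` with uppercase or path characters would also yield an invalid index name, so those events would be rejected by the bulk API rather than stored. `ssl_certificate_verification => false` is pre-existing.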
@@ -1,20 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -output { - if [event][module] == 'logstash' { - elasticsearch { - id => "logstash_logs" - pipeline => "filebeat-%{[agent][version]}-logstash-%{[fileset][name]}-pipeline" - hosts => "{{ ES }}" - index => "so-grid-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/templates/so-common-template.json" - template_overwrite => true - ssl => true - ssl_certificate_verification => false - } - } -} From 1bef1d565235d24a21cd62394576616fcc421406 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 10 Jun 2021 08:16:00 -0400 Subject: [PATCH 50/59] Update to apply to any so-prefixed index --- salt/elasticsearch/templates/so/so-common-template.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index 54e786cdc..3e47fd780 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -1,5 +1,5 @@ { - "index_patterns": ["so-grid-*","so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"], + "index_patterns": ["so-*"], "version":50001, "order":10, "settings":{ From 7c92054f13cebc6949c4fa826dcbac98131fca12 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 10 Jun 2021 09:13:15 -0400 Subject: [PATCH 51/59] soup hotfix to updating repos for earlier versions of SO so salt will isntall --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..12595f2e1 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +SALTYSOUP From 12d4d4a4f757bef7b6287958bba4c0847eb25dd2 Mon Sep 17 00:00:00 2001 
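Review bot: Widening `index_patterns` to `so-*` makes this template apply to every SO index, including `so-zeek` and `so-ids`, which the outputs earlier in this series install with their own templates; with legacy index templates Elasticsearch merges overlapping templates by `order`, so anything in those templates with an order below 10 is overridden by `so-common`. Check that `so-zeek-template.json` and `so-ids-template.json` carry an order above 10 (or switch to composable templates), and consider bumping `"version":50001` so the change is recognised as a new revision. Whether the cluster uses legacy or composable templates is not visible from this hunk.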
From: Mike Reeves Date: Thu, 10 Jun 2021 09:19:15 -0400 Subject: [PATCH 52/59] Dynamix Pipelines take 2 --- .../templates/so/so-common-template.json | 2 +- salt/filebeat/securityoniondefaults.yaml | 15 ++++++++++----- .../pipelines/config/so/0009_input_beats.conf | 2 +- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index 54e786cdc..3e47fd780 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -1,5 +1,5 @@ { - "index_patterns": ["so-grid-*","so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"], + "index_patterns": ["so-*"], "version":50001, "order":10, "settings":{ diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index cd215e242..be4f81bd1 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml 
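Review bot: This `so-common-template.json` hunk is identical to the one in PATCH 50 (same blob ids `54e786cdc..3e47fd780`), so the series carries the same change twice and applying the patches in order will stop on an already-applied hunk. Drop it from this patch or fold PATCH 50 and PATCH 52 together. Nothing else in the hunk is new relative to PATCH 50.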
@@ -2,25 +2,30 @@ {% set ZEEKLOGLOOKUP = { 'conn': 'connection', } %} - securityonion_filebeat: modules: + {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} elasticsearch: server: enabled: true var.paths: ["/logs/elasticsearch/*.log"] - kibana: - log: - enabled: true - var.paths: ["/logs/kibana/kibana.log"] logstash: log: enabled: true var.paths: ["/logs/logstash.log"] + {%- endif %} + {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} + kibana: + log: + enabled: true + var.paths: ["/logs/kibana/kibana.log"] + {%- endif %} + {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode'] %} redis: log: enabled: true var.paths: ["/logs/redis.log"] slowlog: enabled: false + {%- endif %} \ No newline at end of file diff --git a/salt/logstash/pipelines/config/so/0009_input_beats.conf b/salt/logstash/pipelines/config/so/0009_input_beats.conf index 31ba798c9..9ca55b184 100644 --- a/salt/logstash/pipelines/config/so/0009_input_beats.conf +++ b/salt/logstash/pipelines/config/so/0009_input_beats.conf @@ -6,6 +6,6 @@ input { } filter { mutate { - rename => {“@metadata” => “metadata”} + rename => {"@metadata" => "metadata"} } } \ No newline at end of file From 46b1de97f50b6f5d3f34ef8ed62dd17811f24169 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 10 Jun 2021 09:30:03 -0400 Subject: [PATCH 53/59] change function name --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 5c2c011f8..f31d09fb1 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
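Review bot: `{% set ZEEKLOGLOOKUP = { 'conn': 'connection', } %}` at the top of the file is still defined but no longer referenced now that the zeek module block was removed earlier in this series, so it misleads readers into thinking the conn→connection fileset mapping is still applied; delete it, or leave a comment stating why it is kept. For a role in none of the three lists (`so-sensor`, for instance) `modules:` is rendered with no children, which later consumers must tolerate; a one-line comment such as `# modules may be empty on sensor-only roles` would record that contract where it originates. The `{%- if grains['role'] ...` blocks strip preceding whitespace, so the indentation of the generated keys is worth checking per role.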
@@ -250,7 +250,7 @@ masterunlock() {
 preupgrade_changes_2.3.50_repo() {
 # We made repo changes in 2.3.50 and this prepares for that on upgrade
 echo "Making repo changes."
- up_2.3.3X_to_2.3.50_repo
+ upgrade_to_2.3.50_repo
 }
 preupgrade_changes() {
@@ -436,7 +436,7 @@ up_2.3.2X_to_2.3.30() {
 INSTALLEDVERSION=2.3.30
 }
-up_2.3.3X_to_2.3.50_repo() {
+upgrade_to_2.3.50_repo() {
 echo "Performing repo changes."
 if [[ "$OS" == "centos" ]]; then
 # Import GPG Keys
From e64059bd7b39c9f695cf3c58bdecb4481d711857 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 10 Jun 2021 09:31:10 -0400
Subject: [PATCH 54/59] remove unneeded function

---
 salt/common/tools/sbin/soup | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index f31d09fb1..f508e8aa8 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -247,12 +247,6 @@ masterunlock() {
 fi
 }
-preupgrade_changes_2.3.50_repo() {
- # We made repo changes in 2.3.50 and this prepares for that on upgrade
- echo "Making repo changes."
- upgrade_to_2.3.50_repo
-}
-
 preupgrade_changes() {
 # This function is to add any new pillar items if needed.
 echo "Checking to see if changes are needed."
@@ -743,7 +737,7 @@ else
 systemctl stop salt-master
 echo ""
- preupgrade_changes_2.3.50_repo
+ upgrade_to_2.3.50_repo
 # Does salt need upgraded. If so update it.
 if [ "$UPGRADESALT" == "1" ]; then
From ff807c9a6f52e31ee879aa9f5c7fb3c38bee36ce Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 10 Jun 2021 14:06:24 -0400
Subject: [PATCH 55/59] empty hotfix file for merge into dev

---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/HOTFIX b/HOTFIX
index 12595f2e1..d3f5a12fa 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-SALTYSOUP
+
From f7600af89b42c068d809c43233c35ad4c03b7b79 Mon Sep 17 00:00:00 2001
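Review bot: In the second hunk of PATCH 54, `upgrade_to_2.3.50_repo` is now called directly after `systemctl stop salt-master` with no check on the version being upgraded from, so every later soup run will repeat the repo rewrite and, on CentOS, the GPG key import that the PATCH 53 hunk shows inside that function, unless the function is itself idempotent (its body is not visible here). The wrapper it replaces was equally unconditional, so the gap is pre-existing, but the rename is a good moment to close it: a guard such as `if [[ "$INSTALLEDVERSION" < "2.3.50" ]]; then upgrade_to_2.3.50_repo; fi` keeps repeat runs from re-importing keys or overwriting repo files an operator has adjusted (note that `<` in `[[ ]]` compares lexically, which is fine only while the version components keep the same width). The enclosing `else` branch starts and ends outside the hunk.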
From: m0duspwnens
Date: Fri, 11 Jun 2021 13:52:33 -0400
Subject: [PATCH 56/59] dont loop if modules arent defined for the node

---
 salt/filebeat/etc/module_config.yml.jinja | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja
index 8f4fbd7bf..733d47c7e 100644
--- a/salt/filebeat/etc/module_config.yml.jinja
+++ b/salt/filebeat/etc/module_config.yml.jinja
@@ -1,16 +1,18 @@
 # DO NOT EDIT THIS FILE
-{% for module in MODULES.modules.keys() %}
+{%- if MODULES.modules is iterable and MODULES.modules is not string and MODULES.modules|length > 0%}
+ {%- for module in MODULES.modules.keys() %}
 - module: {{ module }}
- {%- for fileset in MODULES.modules[module] %}
+ {%- for fileset in MODULES.modules[module] %}
 {{ fileset }}:
 enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }}
- {#- only manage the settings if the fileset is enabled #}
- {%- if MODULES.modules[module][fileset].enabled %}
- {%- for var, value in MODULES.modules[module][fileset].items() %}
- {%- if var|lower != 'enabled' %}
+ {#- only manage the settings if the fileset is enabled #}
+ {%- if MODULES.modules[module][fileset].enabled %}
+ {%- for var, value in MODULES.modules[module][fileset].items() %}
+ {%- if var|lower != 'enabled' %}
 {{ var }}: {{ value }}
- {%- endif %}
- {%- endfor %}
- {%- endif %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+ {%- endfor %}
 {%- endfor %}
-{% endfor %}
+{% endif %}
From 5941332d49cb8319490c031701c85fe51d666394 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 14 Jun 2021 08:51:29 -0400
Subject: [PATCH 57/59] fix two bugs

---
 salt/filebeat/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 175213008..f2a86cd5a 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
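Review bot: The guard on the new first line tests `is iterable and is not string`, but the body it protects immediately calls `MODULES.modules.keys()` and subscripts `MODULES.modules[module]`, which need a mapping; a list value would pass the guard and then fail at `.keys()`. The built-in `mapping` test states the real requirement and is shorter: `{%- if MODULES.modules is mapping and MODULES.modules|length > 0 %}` (which also restores the missing space before `%}`). If the `modules` key can be absent rather than empty, the guard presumably needs a leading `MODULES.modules is defined and`, depending on how the renderer treats undefined values inside tests.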
@@ -126,7 +126,7 @@ so-filebeat:
 - 0.0.0.0:5066:5066/tcp
 {% for module in THIRDPARTY.modules.keys() %}
 {% for submodule in THIRDPARTY.modules[module] %}
- {% if THIRDPARTY.modules[module][submodule].enabled %}
+ {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %}
 - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/{{ THIRDPARTY.modules[module][submodule]["var.input"] }}
 {% endif %}
 {% endfor %}
@@ -141,7 +141,7 @@ run_module_setup:
 - require:
 - file: filebeatmoduleconfsync
 - docker_container: so-filebeat
- - onchanges_in:
+ - onchanges:
 - docker_container: so-elasticsearch
 {% endif %}
From d2069dc5f2039108b6ba7fe8336e59e671e2d6a2 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 14 Jun 2021 09:58:50 -0400
Subject: [PATCH 58/59] update roles that include es state

---
 salt/filebeat/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index f2a86cd5a..0b59fded2 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -22,7 +22,7 @@
 {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
-{% set ES_INCLUDED_NODES = ['so-standalone'] %}
+{% set ES_INCLUDED_NODES = ['so-standalone', 'so-managersearch', 'so-node', 'so-import'] %}
 #only include elastic state for certain nodes
 {% if grains.role in ES_INCLUDED_NODES %}
From fd5d540c7840fbcab6d88cbfc71b7ccb16e0a100 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 14 Jun 2021 10:00:19 -0400
Subject: [PATCH 59/59] update roles that include es state

---
 salt/filebeat/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
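Review bot: The new condition in the first hunk of PATCH 57 guards `var.syslog_port`, but the port line it protects still indexes `["var.input"]` directly, so a module that sets a port without an input type fails at render time in the same way the commit just fixed for the port; extend the guard to `... and THIRDPARTY.modules[module][submodule]["var.input"] is defined`. Separately, the `.get("var.syslog_host", "0.0.0.0")` default means every enabled third-party module that sets a port is published on all host interfaces unless the pillar says otherwise; that is pre-existing, but a comment on that line such as `{# defaults to all interfaces; scope with var.syslog_host or host firewall rules #}` tells operators where to narrow it. The `so-filebeat` container definition starts outside the hunk.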
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 0b59fded2..c5d859307 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -22,7 +22,7 @@
 {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
-{% set ES_INCLUDED_NODES = ['so-standalone', 'so-managersearch', 'so-node', 'so-import'] %}
+{% set ES_INCLUDED_NODES = ['so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
 #only include elastic state for certain nodes
 {% if grains.role in ES_INCLUDED_NODES %}
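Review bot: `ES_INCLUDED_NODES` is a hand-maintained role list with no stated membership rule, and PATCH 58 followed by PATCH 59 shows how easily a role is missed; a comment above the `set` line stating the criterion, along the lines of `{# roles that include the elasticsearch state on this minion; add a role here when it gains a local ES #}` if that is indeed the rule, would make the next addition deliberate rather than reactive. The same roles are enumerated again inline in `salt/filebeat/securityoniondefaults.yaml` (PATCH 52), so if `filebeat/map.jinja`, already imported two lines above, can carry role information, deriving both lists from one definition there would remove the duplication. The `{% if grains.role in ES_INCLUDED_NODES %}` block this list feeds ends outside the hunk.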