Merge branch 'dev' into kilo

2026-04-27 15:07:51 +02:00 · 2021-06-14 10:40:04 -04:00
parent 7205c5cb7b 0de7e71fa0
commit fca1c6e957
26 changed files with 533 additions and 48 deletions
@@ -73,7 +73,13 @@ logging.files:
 # Set to true to log messages in json format.
 #logging.json: false

+
+
 #==========================  Modules configuration ============================
+filebeat.config.modules:
+  enabled: true
+  path: ${path.config}/modules.d/*.yml
+
 filebeat.modules:
 #=========================== Filebeat prospectors =============================

@@ -185,7 +191,6 @@ filebeat.inputs:
  fields_under_root: true
  clean_removed: false
  close_removed: false
-
  {%- if STRELKAENABLED == 1 %}
 - type: log
  paths:
@@ -0,0 +1,10 @@
+{%- if grains['role'] in ['so-managersearch', 'so-heavynode', 'so-node'] %}
+{%- set MANAGER = salt['grains.get']('host' '') %}
+{%- else %}
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- endif %}
+
+output.elasticsearch:
+  enabled: true
+  hosts: ["https://{{ MANAGER }}:9200"]
+  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
@@ -0,0 +1,18 @@
+# DO NOT EDIT THIS FILE
+{%- if MODULES.modules is iterable and MODULES.modules is not string and MODULES.modules|length > 0%}
+  {%- for module in MODULES.modules.keys() %}
+- module: {{ module }}
+    {%- for fileset in MODULES.modules[module] %}
+  {{ fileset }}:
+    enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }}
+      {#- only manage the settings if the fileset is enabled #}
+      {%- if MODULES.modules[module][fileset].enabled %}
+        {%- for var, value in MODULES.modules[module][fileset].items() %}
+          {%- if var|lower != 'enabled' %}
+    {{ var }}: {{ value }}
+          {%- endif %}
+        {%- endfor %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endfor %}
+{% endif %}
@@ -20,18 +20,37 @@
 {% set LOCALHOSTIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
+{% from 'filebeat/map.jinja' import THIRDPARTY with context %}
+{% from 'filebeat/map.jinja' import SO with context %}
+{% set ES_INCLUDED_NODES = ['so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
+
+#only include elastic state for certain nodes
+{% if grains.role in ES_INCLUDED_NODES %}
+include:
+  - elasticsearch
+{% endif %}
+
 filebeatetcdir:
  file.directory:
    - name: /opt/so/conf/filebeat/etc
    - user: 939
    - group: 939
    - makedirs: True
+
+filebeatmoduledir:
+  file.directory:
+    - name: /opt/so/conf/filebeat/modules
+    - user: root
+    - group: root
+    - makedirs: True
+
 filebeatlogdir:
  file.directory:
    - name: /opt/so/log/filebeat
    - user: 939
    - group: 939
    - makedirs: True
+
 filebeatpkidir:
  file.directory:
    - name: /opt/so/conf/filebeat/etc/pki
@@ -44,6 +63,7 @@ fileregistrydir:
    - user: 939
    - group: 939
    - makedirs: True
+
 # This needs to be owned by root
 filebeatconfsync:
  file.managed:
@@ -55,6 +75,32 @@ filebeatconfsync:
    - defaults:
        INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }}
        OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
+
+# Filebeat module config file
+filebeatmoduleconfsync:
+  file.managed:
+    - name: /opt/so/conf/filebeat/etc/module-setup.yml
+    - source: salt://filebeat/etc/module-setup.yml
+    - user: root
+    - group: root
+    - template: jinja
+
+sodefaults_module_conf:
+  file.managed:
+    - name: /opt/so/conf/filebeat/modules/securityonion.yml
+    - source: salt://filebeat/etc/module_config.yml.jinja
+    - template: jinja
+    - defaults:
+        MODULES: {{ SO }}
+
+thirdparty_module_conf:
+  file.managed:
+    - name: /opt/so/conf/filebeat/modules/thirdparty.yml
+    - source: salt://filebeat/etc/module_config.yml.jinja
+    - template: jinja
+    - defaults:
+        MODULES: {{ THIRDPARTY }}
+    
 so-filebeat:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}
@@ -65,19 +111,40 @@ so-filebeat:
      - /nsm:/nsm:ro
      - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
      - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
+      - /opt/so/conf/filebeat/etc/module-setup.yml:/usr/share/filebeat/module-setup.yml:ro
      - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro
      - /nsm/wazuh/logs/archives:/wazuh/archives:ro
+      - /opt/so/conf/filebeat/modules:/usr/share/filebeat/modules.d
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
      - /opt/so/conf/filebeat/registry:/usr/share/filebeat/data/registry:rw
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
+      - /opt/so/log:/logs:ro
    - port_bindings:
        - 0.0.0.0:514:514/udp
        - 0.0.0.0:514:514/tcp
        - 0.0.0.0:5066:5066/tcp
+{% for module in THIRDPARTY.modules.keys() %}
+  {% for submodule in THIRDPARTY.modules[module] %}
+    {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %}
+        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/{{ THIRDPARTY.modules[module][submodule]["var.input"] }}
+    {% endif %}
+  {% endfor %}
+{% endfor %}
    - watch:
      - file: /opt/so/conf/filebeat/etc/filebeat.yml

+{% if grains.role in ES_INCLUDED_NODES %}
+run_module_setup:
+  cmd.run:
+    - name: /usr/sbin/so-filebeat-module-setup
+    - require:
+      - file: filebeatmoduleconfsync
+      - docker_container: so-filebeat
+    - onchanges:
+      - docker_container: so-elasticsearch
+{% endif %}
+
 append_so-filebeat_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
@@ -0,0 +1,6 @@
+{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
+
+{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
+{% set SO = SODEFAULTS.securityonion_filebeat %}
+{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
@@ -0,0 +1,31 @@
+{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
+{% set ZEEKLOGLOOKUP = {
+    'conn': 'connection',
+} %}
+securityonion_filebeat:
+  modules:
+  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']   %}
+    elasticsearch:
+      server:
+        enabled: true
+        var.paths: ["/logs/elasticsearch/*.log"]
+    logstash:
+      log:
+        enabled: true
+        var.paths: ["/logs/logstash.log"]
+  {%- endif %}
+  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
+    kibana:
+      log:
+        enabled: true
+        var.paths: ["/logs/kibana/kibana.log"]
+  {%- endif %}
+  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode'] %}
+    redis:
+      log:
+        enabled: true
+        var.paths: ["/logs/redis.log"]
+      slowlog:
+        enabled: false
+  {%- endif %}
+        
@@ -0,0 +1,259 @@
+third_party_filebeat:
+  modules:
+    aws:
+      cloudtrail:
+        enabled: false
+      cloudwatch:
+        enabled: false
+      ec2:
+        enabled: false
+      elb:
+        enabled: false
+      s3access:
+        enabled: false
+      vpcflow:
+        enabled: false
+    azure:
+      activitylogs:
+        enabled: false
+      platformlogs:
+        enabled: false
+      auditlogs:
+        enabled: false
+      signinlogs:
+        enabled: false
+    barracuda:
+      waf:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9503
+      spamfirewall:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9524
+    bluecoat:
+      director:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9505
+    cef:
+      log:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9003
+    checkpoint:
+      firewall:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9505
+    cisco:
+      asa:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9001
+      ftd:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9003
+      ios:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9002
+      nexus:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9506
+      meraki:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9525
+      umbrella:
+        enabled: false
+      amp:
+        enabled: false
+    cyberark:
+      corepas:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9527
+    cylance:
+      protect:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9508
+    f5:
+      bigipapm:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9504
+      bigipafm:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9528    
+    fortinet:
+      firewall:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9004
+      clientendpoint:
+        enabled: false
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9510
+      fortimail:
+        enabled: false
+        var.input: udp
+        var.syslog_port: 9350
+    gcp:
+      vpcflow:
+        enabled: false
+      firewall:
+        enabled: false
+      audit:
+        enabled: false
+    google_workspace:
+      saml:
+        enabled: false
+      user_accounts:
+        enabled: false
+      login:
+        enabled: false
+      admin:
+        enabled: false
+      drive:
+        enabled: false
+      groups:
+        enabled: false
+    imperva:
+      securesphere:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9511
+    infoblox:
+      nios:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9512
+    juniper:
+      junos:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9513
+      netscreen:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9523
+      srx:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9006
+    microsoft:
+      defender_atp:
+        enabled: false 
+      m365_defender:
+        enabled: false
+      dhcp:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9515
+    misp:
+      threat:
+        enabled: false
+    netflow:
+      log:
+        enabled: false
+        var.netflow_host: 0.0.0.0
+        var.netflow_port: 2055
+        var.internal_networks:
+          - private
+    netscout:
+      sightline:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9502
+    o365:
+      audit:
+        enabled: false
+    okta:
+      system:
+        enabled: false
+    proofpoint:
+      emailsecurity:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9531
+    radware:
+      defensepro:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9518
+    snort:
+      log:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9532
+    snyk:
+      audit:
+        enabled: false
+      vulnerabilities:
+        enabled: false
+    sonicwall:
+      firewall:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9519
+    sophos:
+      xg:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9005
+      utm:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9533
+    squid:
+      log:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9520
+    tomcat:
+      log:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9501
+    zscaler:
+      zia:
+        enabled: false 
+        var.input: udp
+        var.syslog_host: 0.0.0.0
+        var.syslog_port: 9521