CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-10 11:12:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Elastic Fleet Certs Refactor

Browse Source
This commit is contained in:
Josh Brower
2023-07-07 16:44:16 -04:00
parent 35e7659904
commit ff3bb11fbb
6 changed files with 169 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
salt/logstash/enabled.sls
View File

@@ -59,8 +59,10 @@ so-logstash:
- /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
{% endif %}
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-eval','so-fleet', 'so-heavynode', 'so-receiver'] %}
- /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
- /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro
- /etc/pki/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
- /etc/pki/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro
- /etc/pki/elasticfleet-lumberjack.crt:/usr/share/logstash/elasticfleet-lumberjack.crt:ro
- /etc/pki/elasticfleet-lumberjack.p8:/usr/share/logstash/elasticfleet-lumberjack.key:ro
{% endif %}
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
- /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro

23
salt/logstash/pipelines/config/so/0013_input_http_fleet.conf
View File

@@ -1,21 +1,18 @@
input {
http {
additional_codecs => { "application/json" => "json_lines" }
elastic_agent {
port => 5056
tags => [ "elastic-agent" ]
ssl => true
ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
ssl_certificate => "/usr/share/logstash/filebeat.crt"
ssl_key => "/usr/share/logstash/filebeat.key"
ssl_verify_mode => "peer"
ssl_certificate => "/usr/share/logstash/elasticfleet-lumberjack.crt"
ssl_key => "/usr/share/logstash/elasticfleet-lumberjack.key"
ecs_compatibility => v8
id => "fleet-lumberjack-in"
codec => "json"
}
}
filter {
mutate {
rename => {"@metadata" => "metadata"}
}
}
filter {
if "elastic-agent" in [tags] {
mutate {
remove_field => ["http","[metadata][input]","url","user_agent"]
}
}
}

24
salt/logstash/pipelines/config/so/9806_output_http_fleet.conf.jinja
View File

@@ -1,11 +1,15 @@
output {
http {
url => 'https://{{ GLOBALS.manager }}:5056'
cacert => ["/usr/share/filebeat/ca.crt"]
http_method => post
retry_non_idempotent => true
format => json_batch
http_compression => true
ecs_compatibility => v8
filter {
mutate {
add_tag => "fleet-lumberjack-{{ GLOBALS.hostname }}"
}
}
}
output {
lumberjack {
codec => json
hosts => "{{ GLOBALS.manager }}"
ssl_certificate => "/usr/share/filebeat/ca.crt"
port => 5056
id => "fleet-lumberjack-{{ GLOBALS.hostname }}"
}
}