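#!/bin/bash
#
# so-zeek-logs: let the operator pick which Zeek log types are shipped and
# record that choice in the local Salt pillar (zeeklogs.sls).
#
# Globals:
#   local_salt_dir  root of the local Salt tree; the pillar lives under it
#   BLOGS           array of selected log tags, filled by
#                   whiptail_manager_adv_service_zeeklogs and read by
#                   zeek_logs_enabled
#   return_code     exit status of the checklist dialog, dispatched on below

local_salt_dir=/opt/so/saltstack/local

#######################################
# Write the selected log tags to the zeeklogs pillar as a YAML list.
# Globals:   local_salt_dir (read), BLOGS (read)
# Arguments: $1 - optional output path; defaults to
#                 $local_salt_dir/pillar/zeeklogs.sls
# Outputs:   nothing on stdout; a diagnostic on stderr if the write fails
# Returns:   0 on success, 1 if the target file could not be written
#######################################
zeek_logs_enabled() {
  local target=${1:-$local_salt_dir/pillar/zeeklogs.sls}
  local blog

  # One redirection for the whole document: if the target cannot be opened
  # nothing is written and we report it instead of silently continuing.
  # NOTE(review): with an empty selection this leaves "enabled:" with no
  # items (YAML null rather than an empty list) — confirm the consuming
  # state accepts that.
  {
    printf '%s\n' 'zeeklogs:' ' enabled:'
    # whiptail hands tags back wrapped in double quotes ("conn"); strip them
    # with parameter expansion instead of spawning tr once per entry.
    for blog in "${BLOGS[@]}"; do
      printf ' - %s\n' "${blog//\"/}"
    done
  } > "$target" || {
    printf 'zeek_logs_enabled: cannot write %s\n' "$target" >&2
    return 1
  }
}

#######################################
# Show a checklist of Zeek log types and store the chosen tags in BLOGS.
# Globals:   BLOGS (written) - selected tags, still wrapped in the double
#            quotes whiptail emits (e.g. "conn"); empty if nothing was chosen
#            or whiptail is missing
# Arguments: none
# Outputs:   the dialog on the terminal
# Returns:   whiptail's exit status (0 OK, 1 Cancel, 255 Esc/error), or
#            127 when whiptail is not installed
#######################################
whiptail_manager_adv_service_zeeklogs() {
  # tag / description / initial state triplets, in checklist order.
  # NOTE(review): "opcua_binary.log" carries a ".log" suffix unlike every
  # other tag — confirm that is intended.
  local -a items=(
    "conn" "Connection Logs" ON
    "dce_rpc" "RPC Logs" ON
    "dhcp" "DHCP Logs" ON
    "dnp3" "DNP3 Logs" ON
    "dns" "DNS Logs" ON
    "dpd" "DPD Logs" ON
    "files" "Files Logs" ON
    "ftp" "FTP Logs" ON
    "http" "HTTP Logs" ON
    "intel" "Intel Hits Logs" ON
    "irc" "IRC Chat Logs" ON
    "kerberos" "Kerberos Logs" ON
    "modbus" "MODBUS Logs" ON
    "notice" "Zeek Notice Logs" ON
    "ntlm" "NTLM Logs" ON
    "pe" "PE Logs" ON
    "radius" "Radius Logs" ON
    "rfb" "RFB Logs" ON
    "rdp" "RDP Logs" ON
    "sip" "SIP Logs" ON
    "smb_files" "SMB Files Logs" ON
    "smb_mapping" "SMB Mapping Logs" ON
    "smtp" "SMTP Logs" ON
    "snmp" "SNMP Logs" ON
    "ssh" "SSH Logs" ON
    "ssl" "SSL Logs" ON
    "syslog" "Syslog Logs" ON
    "tunnel" "Tunnel Logs" ON
    "weird" "Zeek Weird Logs" ON
    "mysql" "MySQL Logs" ON
    "socks" "SOCKS Logs" ON
    "x509" "x.509 Logs" ON
    "modbus_detailed" "MODBUS Details" ON
    "modbus_mask_write_register" "MODBUS Ext" ON
    "modbus_read_write_multiple_registers" "MODBUS Ext" ON
    "dnp3_objects" "DNP3 Objects" ON
    "bacnet" "BACnet" ON
    "bacnet_discovery" "BACnet" ON
    "bacnet_property" "BACnet" ON
    "bsap_ip_header" "BSAP IP" ON
    "bsap_ip_rdb" "BSAP IP" ON
    "bsap_ip_unknown" "BSAP IP" ON
    "bsap_serial_header" "BSAP Serial" ON
    "bsap_serial_rdb" "BSAP Serial" ON
    "bsap_serial_rdb_ext" "BSAP Serial" ON
    "bsap_serial_unknown" "BSAP Serial" ON
    "ecat_registers" "Ethercat" ON
    "ecat_log_address" "Ethercat" ON
    "ecat_dev_info" "Ethercat" ON
    "ecat_aoe_info" "Ethercat" ON
    "ecat_coe_info" "Ethercat" ON
    "ecat_foe_info" "Ethercat" ON
    "ecat_soe_info" "Ethercat" ON
    "ecat_arp_info" "Ethercat" ON
    "enip" "ENIP" ON
    "cip" "CIP" ON
    "cip_io" "CIP I/O" ON
    "cip_identity" "CIP Identity" ON
    "opcua_binary.log" "OPC UA" ON
    "opcua_binary_status_code_detail" "OPC UA" ON
    "opcua_binary_diag_info_detail" "OPC UA" ON
    "opcua_binary_get_endpoints" "OPC UA" ON
    "opcua_binary_get_endpoints_discovery" "OPC UA" ON
    "opcua_binary_get_endpoints_user_token" "OPC UA" ON
    "opcua_binary_get_endpoints_description" "OPC UA" ON
    "opcua_binary_get_endpoints_locale_id" "OPC UA" ON
    "opcua_binary_get_endpoints_profile_uri" "OPC UA" ON
    "opcua_binary_create_session" "OPC UA" ON
    "opcua_binary_create_session_user_token" "OPC UA" ON
    "opcua_binary_create_session_endpoints" "OPC UA" ON
    "opcua_binary_create_session_discovery" "OPC UA" ON
    "opcua_binary_activate_session" "OPC UA" ON
    "opcua_binary_activate_session_client_software_cert" "OPC UA" ON
    "opcua_binary_activate_session_locale_id" "OPC UA" ON
    "opcua_binary_activate_session_diagnostic_info" "OPC UA" ON
    "opcua_binary_browse" "OPC UA" ON
    "opcua_binary_browse_description" "OPC UA" ON
    "opcua_binary_browse_request_continuation_point" "OPC UA" ON
    "opcua_binary_browse_result" "OPC UA" ON
    "opcua_binary_browse_response_references" "OPC UA" ON
    "opcua_binary_browse_diagnostic_info" "OPC UA" ON
    "opcua_binary_create_subscription" "OPC UA" ON
    "opcua_binary_read" "OPC UA" ON
    "cotp" "COTP" ON
    "s7comm" "S7COMM" ON
    "s7comm_read_szl" "S7COMM" ON
    "s7comm_upload_download" "S7COMM" ON
    "s7comm_plus" "S7COMM" ON
    "tds" "TDS" ON
    "tds_rpc" "TDS RPC" ON
    "tds_sql_batch" "TDS SQL" ON
    "profinet" "Profinet" ON
    "profinet_dce_rpc" "Profinet" ON
    "profinet_debug" "Profinet" ON
    "stun" "STUN" ON
    "stun_nat" "STUN NAT" ON
    "wireguard" "Wireguard" ON
  )
  local selection exitstatus

  # Without whiptail the command substitution would capture bash's
  # "command not found" text and split it into BLOGS as if it were tags.
  if ! command -v whiptail >/dev/null 2>&1; then
    printf 'so-zeek-logs: whiptail is not installed\n' >&2
    BLOGS=()
    return 127
  fi

  # whiptail draws the UI on stderr and prints the selection on stdout;
  # swap the two so the substitution captures the selection while the
  # dialog still reaches the terminal.
  selection=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
    "${items[@]}" 3>&1 1>&2 2>&3)
  exitstatus=$?

  # The selection is a space-separated list of quoted tags; split on
  # spaces only so nothing else in IFS interferes.
  IFS=' ' read -ra BLOGS <<< "$selection"
  return "$exitstatus"
}

whiptail_manager_adv_service_zeeklogs
return_code=$?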
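# Dispatch on the dialog's exit status: whiptail reports 0 for OK, 1 for
# Cancel and 255 for Esc or an internal error.  Only an explicit OK writes
# the pillar; the old catch-all treated any other status (e.g. 127 when
# whiptail is missing) as success and overwrote the file.
case "$return_code" in
  0) zeek_logs_enabled ;;
  1) whiptail --title "so-zeek-logs" --msgbox "Cancelling. No changes have been made." 8 75 ;;
  255) whiptail --title "so-zeek-logs" --msgbox "Whiptail error occured, exiting." 8 75 ;;
  *)
    printf 'so-zeek-logs: unexpected dialog status %s, no changes made\n' "$return_code" >&2
    exit "$return_code"
    ;;
esac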