{#- Pick the address this agent reports to, keyed on the minion's role grain; the
    chosen value is emitted as the first line of output right after this block. #}
{#- Manager-type roles read the manager address from the global:managerip pillar key. #}
{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
{%- set ip = salt['pillar.get']('global:managerip', '') %}
{#- Search and heavy nodes use the elasticsearch:mainip pillar key instead. #}
{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
{%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %}
{#- Sensors use the sensor:mainip pillar key. #}
{%- elif grains['role'] == 'so-sensor' %}
{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
{#- Each pillar.get falls back to '' when its key is absent. A role grain outside the
    three cases above matches no branch, so ip is never set.
    NOTE(review): what then renders (blank vs. a render error) depends on the renderer's
    undefined-variable handling — confirm before relying on the '' fallback. #}
{%- endif %}
{{ip}}
1514
udp
{#- OS-dependent value: an 'Ubuntu' os grain emits the Ubuntu profile names,
    any other os grain value emits the CentOS ones. #}
{%- if grains['os'] == 'Ubuntu' %}
ubuntu, ubuntu16, ubuntu16.04
{%- else %}
centos, centos7
{%- endif %}
10
60
yes
aes
no
5000
500
no
yes
yes
yes
yes
yes
yes
yes
yes
43200
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
yes
yes
1800
1d
yes
yes
1800
1d
yes
wodles/java
wodles/ciscat
yes
yes
/var/log/osquery/osqueryd.results.log
/etc/osquery/osquery.conf
yes
no
1h
yes
yes
yes
yes
yes
yes
yes
no
43200
yes
/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot
/etc/mtab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/random.seed
/etc/adjtime
/etc/httpd/logs
/etc/utmpx
/etc/wtmpx
/etc/cups/certs
/etc/dumpdates
/etc/svc/volatile
/sys/kernel/security
/sys/kernel/debug
/etc/ssl/private.key
yes
yes
yes
command
df -P
360
full_command
netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
netstat listening ports
360
full_command
last -n 20
360
no
/var/ossec/etc/wpk_root.pem
yes
plain
syslog
/var/ossec/logs/active-responses.log
{#- Authentication log location differs by distro: an 'Ubuntu' os grain selects
    /var/log/auth.log, any other os grain value selects /var/log/secure. Each path
    is paired with the `syslog` line that precedes it, as for the other log
    entries in this file. #}
{%- if grains['os'] == 'Ubuntu' %}
syslog
/var/log/auth.log
{%- else %}
syslog
/var/log/secure
{%- endif %}
syslog
/var/log/syslog
syslog
/var/log/dpkg.log
syslog
/var/log/kern.log