mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
401 lines
12 KiB
YAML
401 lines
12 KiB
YAML
{%- if grains.role == 'so-heavynode' %}
|
|
{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %}
|
|
{%- else %}
|
|
{%- set MASTER = grains['master'] %}
|
|
{%- endif %}
|
|
|
|
|
|
{%- set HOSTNAME = salt['grains.get']('host', '') %}
|
|
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
|
|
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
|
|
{%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %}
|
|
{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
|
|
|
|
name: {{ HOSTNAME }}
|
|
|
|
#================================ Logging ======================================
|
|
# There are four options for the log output: file, stderr, syslog, eventlog
|
|
# The file output is the default.
|
|
|
|
# Sets log level. The default log level is info.
|
|
# Available log levels are: error, warning, info, debug
|
|
logging.level: error
|
|
|
|
# Enable debug output for selected components. To enable all selectors use ["*"]
|
|
# Other available selectors are "beat", "publish", "service"
|
|
# Multiple selectors can be chained.
|
|
#logging.selectors: [ ]
|
|
|
|
# Send all logging output to syslog. The default is false.
|
|
#logging.to_syslog: false
|
|
|
|
# Send all logging output to Windows Event Logs. The default is false.
|
|
#logging.to_eventlog: false
|
|
|
|
# If enabled, filebeat periodically logs its internal metrics that have changed
|
|
# in the last period. For each metric that changed, the delta from the value at
|
|
# the beginning of the period is logged. Also, the total values for
|
|
# all non-zero internal metrics are logged on shutdown. The default is true.
|
|
#logging.metrics.enabled: true
|
|
|
|
# The period after which to log the internal metrics. The default is 30s.
|
|
#logging.metrics.period: 30s
|
|
|
|
# Logging to rotating files. Set logging.to_files to false to disable logging to
|
|
# files.
|
|
logging.to_files: true
|
|
logging.files:
|
|
# Configure the path where the logs are written. The default is the logs directory
|
|
# under the home path (the binary location).
|
|
path: /usr/share/filebeat/logs
|
|
|
|
# The name of the files where the logs are written to.
|
|
name: filebeat.log
|
|
|
|
# Configure log file size limit. If limit is reached, log file will be
|
|
# automatically rotated
|
|
rotateeverybytes: 10485760 # = 10MB
|
|
|
|
# Number of rotated log files to keep. Oldest files will be deleted first.
|
|
keepfiles: 7
|
|
|
|
# The permissions mask to apply when rotating log files. The default value is 0600.
|
|
# Must be a valid Unix-style file permissions mask expressed in octal notation.
|
|
#permissions: 0600
|
|
|
|
# Set to true to log messages in json format.
|
|
#logging.json: false
|
|
|
|
#========================== Modules configuration ============================
|
|
filebeat.modules:
|
|
#=========================== Filebeat prospectors =============================
|
|
|
|
# List of prospectors to fetch data.
|
|
filebeat.inputs:
|
|
#------------------------------ Log prospector --------------------------------
|
|
{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" %}
|
|
{%- if BROVER != 'SURICATA' %}
|
|
{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
|
|
- type: log
|
|
paths:
|
|
- /nsm/zeek/logs/current/{{ LOGNAME }}.log
|
|
fields:
|
|
module: zeek
|
|
dataset: {{ LOGNAME }}
|
|
processors:
|
|
- drop_fields:
|
|
fields: ["source", "prospector", "input", "offset", "beat"]
|
|
|
|
fields_under_root: true
|
|
clean_removed: false
|
|
close_removed: false
|
|
|
|
{%- endfor %}
|
|
{%- endif %}
|
|
|
|
- type: log
|
|
paths:
|
|
- /suricata/eve.json
|
|
fields:
|
|
module: suricata
|
|
dataset: alert
|
|
|
|
processors:
|
|
- drop_fields:
|
|
fields: ["source", "prospector", "input", "offset", "beat"]
|
|
|
|
fields_under_root: true
|
|
clean_removed: false
|
|
close_removed: false
|
|
{%- endif %}
|
|
|
|
{%- if WAZUHENABLED == '1' %}
|
|
|
|
- type: log
|
|
paths:
|
|
- /wazuh/alerts/alerts.json
|
|
fields:
|
|
module: ossec
|
|
dataset: alert
|
|
|
|
processors:
|
|
- drop_fields:
|
|
fields: ["source", "prospector", "input", "offset", "beat"]
|
|
|
|
fields_under_root: true
|
|
clean_removed: false
|
|
close_removed: false
|
|
|
|
# - type: log
|
|
# paths:
|
|
# - /wazuh/archives/archives.json
|
|
# fields:
|
|
# type: ossec_archive
|
|
# fields_under_root: true
|
|
# clean_removed: false
|
|
# close_removed: false
|
|
|
|
{%- endif %}
|
|
|
|
{%- if FLEETENABLED == '1' %}
|
|
|
|
- type: log
|
|
paths:
|
|
- /osquery/logs/result.log
|
|
fields:
|
|
type: osquery
|
|
|
|
processors:
|
|
- drop_fields:
|
|
fields: ["source", "prospector", "input", "offset", "beat"]
|
|
|
|
fields_under_root: true
|
|
clean_removed: false
|
|
close_removed: false
|
|
|
|
{%- endif %}
|
|
|
|
{%- if STRELKAENABLED == '1' %}
|
|
|
|
- type: log
|
|
paths:
|
|
- /opt/so/log/strelka/strelka.log
|
|
fields:
|
|
module: strelka
|
|
dataset: file
|
|
|
|
processors:
|
|
- drop_fields:
|
|
fields: ["source", "prospector", "input", "offset", "beat"]
|
|
|
|
fields_under_root: true
|
|
clean_removed: false
|
|
close_removed: false
|
|
|
|
{%- endif %}
|
|
#----------------------------- Logstash output ---------------------------------
|
|
output.elasticsearch:
|
|
enabled: true
|
|
hosts: ["{{ MASTER }}:9200"]
|
|
pipelines:
|
|
- pipeline: "%{[module]}.%{[dataset]}"
|
|
indices:
|
|
- index: "so-zeek-%{+yyyy.MM.dd}"
|
|
when.contains:
|
|
module: "zeek"
|
|
- index: "so-ids-%{+yyyy.MM.dd}"
|
|
when.contains:
|
|
module: "suricata"
|
|
- index: "so-ossec-%{+yyyy.MM.dd}"
|
|
when.contains:
|
|
module: "ossec"
|
|
|
|
#output.logstash:
|
|
# Boolean flag to enable or disable the output module.
|
|
#enabled: true
|
|
|
|
# The Logstash hosts
|
|
#hosts: ["{{ MASTER }}:5644"]
|
|
|
|
# Number of workers per Logstash host.
|
|
#worker: 1
|
|
|
|
# Set gzip compression level.
|
|
#compression_level: 3
|
|
|
|
# Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
|
|
#ssl.enabled: true
|
|
|
|
# Configure SSL verification mode. If `none` is configured, all server hosts
|
|
# and certificates will be accepted. In this mode, SSL based connections are
|
|
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
|
|
# `full`.
|
|
#ssl.verification_mode: full
|
|
|
|
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
|
|
# 1.2 are enabled.
|
|
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
|
|
|
|
# Optional SSL configuration options. SSL is off by default.
|
|
# List of root certificates for HTTPS server verifications
|
|
#ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
|
|
|
|
# Certificate for SSL client authentication
|
|
#ssl.certificate: "/usr/share/filebeat/filebeat.crt"
|
|
|
|
# Client Certificate Key
|
|
#ssl.key: "/usr/share/filebeat/filebeat.key"
|
|
|
|
setup.template.enabled: false
|
|
# A dictionary of settings to place into the settings.index dictionary
|
|
# of the Elasticsearch template. For more details, please check
|
|
# https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
|
|
#index:
|
|
#number_of_shards: 1
|
|
#codec: best_compression
|
|
#number_of_routing_shards: 30
|
|
|
|
# A dictionary of settings for the _source field. For more details, please check
|
|
# https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
|
|
#_source:
|
|
#enabled: false
|
|
|
|
#============================== Kibana =====================================
|
|
|
|
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
|
|
# This requires a Kibana endpoint configuration.
|
|
#setup.kibana:
|
|
|
|
# Kibana Host
|
|
# Scheme and port can be left out and will be set to the default (http and 5601)
|
|
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
|
|
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
|
|
#host: "localhost:5601"
|
|
|
|
# Optional protocol and basic auth credentials.
|
|
#protocol: "https"
|
|
#username: "elastic"
|
|
#password: "changeme"
|
|
|
|
# Optional HTTP Path
|
|
#path: ""
|
|
|
|
# Use SSL settings for HTTPS. Default is true.
|
|
#ssl.enabled: true
|
|
|
|
# Configure SSL verification mode. If `none` is configured, all server hosts
|
|
# and certificates will be accepted. In this mode, SSL based connections are
|
|
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
|
|
# `full`.
|
|
#ssl.verification_mode: full
|
|
|
|
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
|
|
# 1.2 are enabled.
|
|
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
|
|
|
|
# SSL configuration. By default is off.
|
|
# List of root certificates for HTTPS server verifications
|
|
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
|
|
|
|
# Certificate for SSL client authentication
|
|
#ssl.certificate: "/etc/pki/client/cert.pem"
|
|
|
|
# Client Certificate Key
|
|
#ssl.key: "/etc/pki/client/cert.key"
|
|
|
|
# Optional passphrase for decrypting the Certificate Key.
|
|
#ssl.key_passphrase: ''
|
|
|
|
# Configure cipher suites to be used for SSL connections
|
|
#ssl.cipher_suites: []
|
|
|
|
# Configure curve types for ECDHE based cipher suites
|
|
#ssl.curve_types: []
|
|
|
|
|
|
|
|
|
|
|
|
#============================== Xpack Monitoring =====================================
|
|
# filebeat can export internal metrics to a central Elasticsearch monitoring cluster.
|
|
# This requires xpack monitoring to be enabled in Elasticsearch.
|
|
# The reporting is disabled by default.
|
|
|
|
# Set to true to enable the monitoring reporter.
|
|
#xpack.monitoring.enabled: false
|
|
|
|
# Uncomment to send the metrics to Elasticsearch. Most settings from the
|
|
# Elasticsearch output are accepted here as well. Any setting that is not set is
|
|
# automatically inherited from the Elasticsearch output configuration, so if you
|
|
# have the Elasticsearch output configured, you can simply uncomment the
|
|
# following line, and leave the rest commented out.
|
|
#xpack.monitoring.elasticsearch:
|
|
|
|
# Array of hosts to connect to.
|
|
# Scheme and port can be left out and will be set to the default (http and 9200)
|
|
# In case you specify and additional path, the scheme is required: http://localhost:9200/path
|
|
# IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
|
|
#hosts: ["localhost:9200"]
|
|
|
|
# Set gzip compression level.
|
|
#compression_level: 0
|
|
|
|
# Optional protocol and basic auth credentials.
|
|
#protocol: "https"
|
|
#username: "beats_system"
|
|
#password: "changeme"
|
|
|
|
# Dictionary of HTTP parameters to pass within the url with index operations.
|
|
#parameters:
|
|
#param1: value1
|
|
#param2: value2
|
|
|
|
# Custom HTTP headers to add to each request
|
|
#headers:
|
|
# X-My-Header: Contents of the header
|
|
|
|
# Proxy server url
|
|
#proxy_url: http://proxy:3128
|
|
|
|
# The number of times a particular Elasticsearch index operation is attempted. If
|
|
# the indexing operation doesn't succeed after this many retries, the events are
|
|
# dropped. The default is 3.
|
|
#max_retries: 3
|
|
|
|
# The maximum number of events to bulk in a single Elasticsearch bulk API index request.
|
|
# The default is 50.
|
|
#bulk_max_size: 50
|
|
|
|
# Configure http request timeout before failing an request to Elasticsearch.
|
|
#timeout: 90
|
|
|
|
# Use SSL settings for HTTPS.
|
|
#ssl.enabled: true
|
|
|
|
# Configure SSL verification mode. If `none` is configured, all server hosts
|
|
# and certificates will be accepted. In this mode, SSL based connections are
|
|
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
|
|
# `full`.
|
|
#ssl.verification_mode: full
|
|
|
|
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
|
|
# 1.2 are enabled.
|
|
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
|
|
|
|
# SSL configuration. By default is off.
|
|
# List of root certificates for HTTPS server verifications
|
|
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
|
|
|
|
# Certificate for SSL client authentication
|
|
#ssl.certificate: "/etc/pki/client/cert.pem"
|
|
|
|
# Client Certificate Key
|
|
#ssl.key: "/etc/pki/client/cert.key"
|
|
|
|
# Optional passphrase for decrypting the Certificate Key.
|
|
#ssl.key_passphrase: ''
|
|
|
|
# Configure cipher suites to be used for SSL connections
|
|
#ssl.cipher_suites: []
|
|
|
|
# Configure curve types for ECDHE based cipher suites
|
|
#ssl.curve_types: []
|
|
|
|
# Configure what types of renegotiation are supported. Valid options are
|
|
# never, once, and freely. Default is never.
|
|
#ssl.renegotiation: never
|
|
|
|
#================================ HTTP Endpoint ======================================
|
|
# Each beat can expose internal metrics through a HTTP endpoint. For security
|
|
# reasons the endpoint is disabled by default. This feature is currently experimental.
|
|
# Stats can be access through http://localhost:5066/stats . For pretty JSON output
|
|
# append ?pretty to the URL.
|
|
|
|
# Defines if the HTTP endpoint is enabled.
|
|
#http.enabled: false
|
|
|
|
# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
|
|
#http.host: localhost
|
|
|
|
# Port on which the HTTP endpoint will bind. Default is 5066.
|